Machine IP: 10.10.10.160
DATE : 9/11/2019
START TIME: 2:47 PM
This was a pretty good box. I had to perform a full port scan on this box, which took more time than the total exploitation did.
In this I used a known redis vulnerability to get a shell as the redis user and then exploited webmin to get a root shell and the flag.
Let’s start our enumeration with HTTP services.
On port 80 I found a very simple website running.
The website didn’t have anything else. Also, gobuster didn’t find any suspicious directory. So I decided to look at port 10000 which was running a
I used searchsploit to find exploits. There were a few, but none of them seemed to work. Then I realized I had missed a full port scan, so I decided to run nmap again but with -p- (it took some time), and then I found another open port.
We can see that there is a redis server running on port
I googled for exploits related to redis and found Redis-Remote-Command-Execution. I followed the instructions mentioned in the post and I was able to get an SSH connection using
I tried to read the user.txt but I wasn’t allowed to do so. I kept looking around and found an SSH private key for user
But when I tried to log in with that key I was asked for
I tried to crack the password with
> ssh2john keyz > hash.txt
>
> john hash.txt
I tried to ssh with that passphrase but kept getting
Since I was not able to directly SSH as matt, I decided to do su matt and it worked.
I tried to enumerate using an enumeration script but couldn’t find anything. Then I realized there was webmin on port 10000 and we had found a lot of exploits for it. So I decided to try linux/http/webmin_packageup_rce from metasploit with the following options
This gave me a shell as root. And this actually worked because this time I had
Thanks for reading. Feedback is always appreciated.