[hackthebox] Postman

Things I have learned

  1. How to check whether a Redis instance is exposed (unauthenticated access) using redis-cli.
  2. Detailed enumeration with nmap: on my first scan I did not discover the Redis port.
  3. How to enumerate with redis-cli.

NMAP enumeration

nmap -sC -sV -p- -oN postman 10.10.10.160 -vvv
-p- is shorthand for -p 1-65535, so this option scans all 65535 TCP ports.

From the enumeration results the ports of interest are tcp/80, tcp/6379 and tcp/10000.

Web page

I looked at http://10.10.10.160 to see what is interesting, but this is a static web page. Whenever there is a web page it is always good to do web fuzzing with dirb, dirbuster or gobuster:
gobuster dir -u http://10.10.10.160 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster_result

Browsing the Webmin login page

TCP/10000 is the Webmin login page, but browsing it over plain HTTP gives an error because the server does not redirect to HTTPS.
At first I added a host entry in my /etc/hosts, but this is not necessary; just change the URL to https://10.10.10.160:10000, which presents a login page.
I tried some simple SQL injection tests ('# and ' or 1=1# in the username field) to see whether Webmin would throw up any SQL error, but the login page did not react to them.
Searching the web I noticed that Webmin 1.9.1 has a "Package updates" remote code execution exploit. However, to use it I need the username and password of a user who is allowed to update packages, and since I have not obtained any credentials yet I will come back to this later.

Exploiting redis 4.0.9 to gain ssh connection

This is a good read on how to exploit redis with redis-cli.

My Kali Linux did not have redis-cli, so I installed it with apt install redis-tools.

The first step is to check whether I can execute commands such as config get dir or config get *. To connect to Postman use redis-cli -h 10.10.10.160, or run the command inline like this: redis-cli -h 10.10.10.160 config get dir. config get dir returns the current working directory of the Redis server, which here is the home directory of the redis user.


Since I can execute commands without authentication, I can also change the current working directory and set the dbfilename.
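The unauthenticated check above, written as a small audit script (an added example, not code from the original post): it speaks raw RESP to a Redis listener, sends CONFIG GET dir without authenticating, and reports whether the server is exposed the way Postman's is or is protected by requirepass or a renamed CONFIG command. The host and port, and the hardening advice in the findings, are assumptions.

```python
import io
import socket

class Err(str):
    """RESP error reply ('-' type), e.g. 'NOAUTH Authentication required.'"""

def encode(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings, as redis-cli does."""
    out = f"*{len(args)}\r\n".encode()
    for raw in (a.encode() for a in args):
        out += f"${len(raw)}\r\n".encode() + raw + b"\r\n"
    return out

def decode(rd):
    """Parse one RESP reply from a binary file-like object (socket or bytes)."""
    line = rd.readline()
    if not line.endswith(b"\r\n"):
        raise ConnectionError("connection closed mid-reply")
    kind, body = chr(line[0]), line[1:-2].decode()
    if kind in "+:":                 # simple string / integer
        return body
    if kind == "-":                  # error, e.g. NOAUTH or unknown command
        return Err(body)
    if kind == "$":                  # bulk string; length -1 means nil
        n = int(body)
        return None if n < 0 else rd.read(n + 2)[:n].decode()
    if kind == "*":                  # array of n nested replies
        return [decode(rd) for _ in range(int(body))]
    raise ValueError(f"unexpected RESP type {kind!r}")

def parse(buf: bytes):
    """Decode a captured reply held in memory (used for offline checks)."""
    return decode(io.BytesIO(buf))

def assess(reply) -> list:
    """Findings for the reply to an unauthenticated 'CONFIG GET dir'."""
    if isinstance(reply, Err):
        if reply.startswith("NOAUTH"):
            return ["OK: AUTH required before CONFIG (requirepass is set)"]
        return [f"OK: CONFIG refused ({reply}); likely renamed or disabled"]
    if isinstance(reply, list) and len(reply) == 2 and reply[0] == "dir":
        return [f"HIGH: anonymous CONFIG GET works (dir={reply[1]}); fix with "
                "requirepass, bind 127.0.0.1 and rename-command CONFIG \"\""]
    return [f"UNKNOWN: unexpected reply {reply!r}"]

def probe(host: str, port: int = 6379, timeout: float = 3.0):
    """Open a TCP session, send CONFIG GET dir with no AUTH, return the reply."""
    with socket.create_connection((host, port), timeout) as sock, \
            sock.makefile("rb") as rd:
        sock.sendall(encode("CONFIG", "GET", "dir"))
        return decode(rd)
```

assess(probe("10.10.10.160")) gives the finding for the box; a NOAUTH or unknown-command error means one of the two standard mitigations is in place.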

I can generate my own RSA key pair and submit the public key to Postman through redis-cli without authentication. These are the steps:

ssh-keygen -t rsa -f /root/htb/postman/id_rsa, where /root/htb/postman/id_rsa is the path where I want to save the key pair.


Insert two newlines before and after the contents of id_rsa.pub like this: (echo -e "\n\n";cat id_rsa.pub;echo -e "\n\n") | tee payload.txt

This payload.txt will be piped into redis-cli and submitted to Postman.

cat payload.txt | redis-cli -h 10.10.10.160 -x set redis_rsa

Try to establish an SSH connection to Postman as the redis user. Before connecting, chmod 600 the RSA public key like this: chmod 600 id_rsa.pub, then connect with the private key like this: ssh -i id_rsa redis@10.10.10.160.

After gaining the SSH connection, I changed directory to /home and listed it, which revealed a directory named Matt. The user.txt file was owned by Matt and only users in the Matt group could read it.

As expected, redis is not in the Matt group.

Escalate to Matt user

Find the files related to the user Matt with the find command: find / -type f -user Matt 2>/dev/null
This command lists all files owned by the user Matt, and 2>/dev/null hides all error messages.

There is a key in /opt/id_rsa.bak, and checking its permissions reveals that others can also read the file.

So I copied the contents of the RSA key over to my own Kali Linux machine. In HTB, whenever you see an RSA key, get its contents and use ssh2john to convert it to a hash, then use john to crack the passphrase.

I usually use rockyou.txt as the wordlist to brute-force the RSA key passphrase: john --wordlist=/usr/share/wordlists/rockyou.txt hash.

The discovered passphrase cannot be used to log in directly through SSH as the user Matt.

This is because Matt is denied SSH logon.

But switching to Matt with su - Matt and the discovered password works fine.

Privilege escalate to root

With Matt's credentials I tried to log on to Webmin.

Matt has rights to update packages, which makes the exploit very usable.

In my exploitdb the exploit for the Webmin 1.9.1 Package Update remote code execution is available.

Searching in Metasploit, I found that the exploit is readily available there too.

I modified a few of the module's parameters, ran the exploit and escalated to root.
