[hackthebox]Postman

Things I have learned

How to check Redis’ vulnerability by using redis-cli.
Detail enumeration with nmap, my first attempt of scanning I did not discover the redis port.
How to enumerate with redis-cli.

NMAP enumeration

nmap -sC -sV -p- -oN postman 10.10.10.160 -vvv
-p- this is a shorthand of -p 1-65535 so this option scans all ports.
post1

From the enumeration results they are these ports of interest tcp/80, tcp/6379 and tcp/10000.

Web page

I am looking at the http://10.10.10.160 to see what is interesting, however this is a static web page, whenever it is a webpage it is always good to do web fuzzing with dirb, dirbuster or gobuster.
gobuster dir -u http://10.10.10.160 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster_result

Browsing the Webmin login page

TCP/10000 is the webmin login page, but the page has an error as it does not have a re-direction.
post2 , at first I added a host entry in my /etc/hosts but this is not necessary, just change to https://10.10.10.160:10000 which presents a login page.
I am trying some easy sql injection test and see if webmin will throw up any sql error with '# and ' or 1=1# in username field.
But the webmin login page was not reacting to simple sql injection test.
post4 .
Searching the web I notice webmin 1.9.1 has an “Package updates” remote execution exploit, however to use this I need to get the username and password that can do package update because I have not obtained any credentials yet so I will be coming back to this later.

Exploiting redis 4.0.9 to gain ssh connection

This is a good read on how to exploit redis with redis-cli.

My kali linux did not have the redis-cli so I downloaded it with apt install redis-tools.

The first is to check if I can execute some commands like config get dir or config get *, to connect to Postman use this redis-cli -h 10.10.10.160 or I can execute the command together like this redis-cli -h 10.10.10.160 config get dir, this config get dir gets the current home directory of the connected user (which is redis).

post5

Since I can execute the command without authentication, I can change the current working directory and also to save the dbfilename like this:
post6

I can generate my own rsa key pair and submit the public key over to Postman through redis-cli without authentication, these are the steps:

ssh-keygen -t rsa -f /root/htb/postman/id_rsa where /root/htb/postman/id_rsa is the path I want to save the key pairs.

post7

Insert two newline on both the heading and trailing of the id_rsa.pub like this (echo -e "\n\n";cat id_rsa.pub;echo -e "\n\n") | tee payload.txt

this payload.txt will be piped to the redis-cli to submit to the Postman.
post8

cat payload.txt | redis-cli -h 10.10.10.160 -x set redis_rsa
post9

Try to establish ssh as redis user to Postman, before ssh do chmod 600 to the rsa pub key like this chmod 600 id_rsa.pub, then connect with private key like this ssh -i id_rsa redis@10.10.10.160.
post10

After a ssh connection is gained, I changed directory to /home and when I listed the directory a directory – Matt – was discovered. The user.txt file was owned by Matt and only user with Matt group can view the file.
post11 .

As expected redis is not in Matt group.

Escalate to Matt user

Find Matt user’s related file with the find command, by doing this find / -type f -user Matt 2>/dev/null
This command line means to find all files related to Matt user, and hides all error messages by 2>/dev/null.
post13

There is a key in /opt/id_rsa.bak checking the permission reveals that others can also view the file.
post14

So I get the contents of the rsa key and pasted it in my own kali linux machine, in HTB whenever you see there is a rsa key get its content and use ssh2john to convert to hash, then use john to crack the password.
post15