Hack The Box – Postman

Run Nmap

Shows a few ports we can play with including http so lets dirb it.

Dirb the website

Its interesting, the js scripts might have an exec we can use but not sure. Lets run a full nmap to see what info we can get on OS and versions.

Full nmap

The verbose nmap shows some extra info including; OpenSSH, Apache httpd 2.4.29, MiniServ 1.910 (Webmin httpd) and ubuntu.

Lets google these versions for exploits as it might be easier than manipulating the js, if that’s possible.

The google

Interesting we seem to see 2 exploits that might be useful.

For Webmin (CVE-2019-12840) https://www.rapid7.com/db/modules/exploit/linux/http/webmin_packageup_rce

This is interesting and might be useful if we can get the webmin credentials.

For Apache – https://www.rapid7.com/db/vulnerabilities/apache-httpd-cve-2019-0211

Interesting as well, might be how we get root but not the door we are looking for.

Webmin enum

So lets checkout webmin first.

Researching webmin vulnerabilities we see https://www.rapid7.com/db/modules/exploit/linux/http/webmin_backdoor could potentially let us change the password. We know the device is linux so the default username is root. Lets see if we can change the password.

Nope. Researching the Apache version also didn’t do much good. When speaking to a friend I am told I am an idiot and lazy with nmap, and I should redo my nmap and not be stooopid. As such I am now redoing nmap with sadness in my heart.

Sure enough we see port 6379 – Redis Key-Value Store 4.0.9. Abit of research shows Redis to be a mix of nosql and caching software that, as it says, acts as a key value store. Guessing our user credentials are stored in it so after installing redis-cli we can connect to the box;

Using HackTricks site we are able to learn about more about redis and how to enumerate it; https://book.hacktricks.xyz/pentesting/6379-pentesting-redis

Using CONFIG GET * we can see the configuration;

10.10.10.160:6379> CONFIG GET *
  1) "dbfilename"
  2) "authorized_keys"
  3) "requirepass"
  4) ""
  5) "masterauth"
  6) ""
  7) "cluster-announce-ip"
  8) ""
  9) "unixsocket"
 10) ""
 11) "logfile"
 12) "/var/log/redis/redis-server.log"
 13) "pidfile"
 14) "/var/run/redis/redis-server.pid"
 15) "slave-announce-ip"
 16) ""
 17) "maxmemory"
 18) "0"
 19) "proto-max-bulk-len"
 20) "536870912"
 21) "client-query-buffer-limit"
 22) "1073741824"
 23) "maxmemory-samples"
 24) "5"
 25) "lfu-log-factor"
 26) "10"
 27) "lfu-decay-time"
 28) "1"
 29) "timeout"
 30) "0"
 31) "active-defrag-threshold-lower"
 32) "10"
 33) "active-defrag-threshold-upper"
 34) "100"
 35) "active-defrag-ignore-bytes"
 36) "104857600"
 37) "active-defrag-cycle-min"
 38) "25"
 39) "active-defrag-cycle-max"
 40) "75"
 41) "auto-aof-rewrite-percentage"
 42) "100"
 43) "auto-aof-rewrite-min-size"
 44) "67108864"
 45) "hash-max-ziplist-entries"
 46) "512"
 47) "hash-max-ziplist-value"
 48) "64"
 49) "list-max-ziplist-size"
 50) "-2"
 51) "list-compress-depth"
 52) "0"
 53) "set-max-intset-entries"
 54) "512"
 55) "zset-max-ziplist-entries"
 56) "128"
 57) "zset-max-ziplist-value"
 58) "64"
 59) "hll-sparse-max-bytes"
 60) "3000"
 61) "lua-time-limit"
 62) "5000"
 63) "slowlog-log-slower-than"
 64) "10000"
 65) "latency-monitor-threshold"
 66) "0"
 67) "slowlog-max-len"
 68) "128"
 69) "port"
 70) "6379"
 71) "cluster-announce-port"
 72) "0"
 73) "cluster-announce-bus-port"
 74) "0"
 75) "tcp-backlog"
 76) "511"
 77) "databases"
 78) "16"
 79) "repl-ping-slave-period"
 80) "10"
 81) "repl-timeout"
 82) "60"
 83) "repl-backlog-size"
 84) "1048576"
 85) "repl-backlog-ttl"
 86) "3600"
 87) "maxclients"
 88) "10000"
 89) "watchdog-period"
 90) "0"
 91) "slave-priority"
 92) "100"
 93) "slave-announce-port"
 94) "0"
 95) "min-slaves-to-write"
 96) "0"
 97) "min-slaves-max-lag"
 98) "10"
 99) "hz"
100) "10"
101) "cluster-node-timeout"
102) "15000"
103) "cluster-migration-barrier"
104) "1"
105) "cluster-slave-validity-factor"
106) "10"
107) "repl-diskless-sync-delay"
108) "5"
109) "tcp-keepalive"
110) "300"
111) "cluster-require-full-coverage"
112) "yes"
113) "cluster-slave-no-failover"
114) "no"
115) "no-appendfsync-on-rewrite"
116) "no"
117) "slave-serve-stale-data"
118) "yes"
119) "slave-read-only"
120) "yes"
121) "stop-writes-on-bgsave-error"
122) "yes"
123) "daemonize"
124) "yes"
125) "rdbcompression"
126) "yes"
127) "rdbchecksum"
128) "yes"
129) "activerehashing"
130) "yes"
131) "activedefrag"
132) "no"
133) "protected-mode"
134) "no"
135) "repl-disable-tcp-nodelay"
136) "no"
137) "repl-diskless-sync"
138) "no"
139) "aof-rewrite-incremental-fsync"
140) "yes"
141) "aof-load-truncated"
142) "yes"
143) "aof-use-rdb-preamble"
144) "no"
145) "lazyfree-lazy-eviction"
146) "no"
147) "lazyfree-lazy-expire"
148) "no"
149) "lazyfree-lazy-server-del"
150) "no"
151) "slave-lazy-flush"
152) "no"
153) "maxmemory-policy"
154) "noeviction"
155) "loglevel"
156) "notice"
157) "supervised"
158) "no"
159) "appendfsync"
160) "everysec"
161) "syslog-facility"
162) "local0"
163) "appendonly"
164) "no"
165) "dir"
166) "/var/lib/redis/.ssh"
167) "save"
168) "900 1 300 10 60 10000"
169) "client-output-buffer-limit"
170) "normal 0 0 0 slave 268435456 67108864 60 pubsub 33554432 8388608 60"
171) "unixsocketperm"
172) "0"
173) "slaveof"
174) ""
175) "notify-keyspace-events"
176) ""
177) "bind"
178) "0.0.0.0 ::1"

We learn abit about the config file locations, the DB filename and that protected mode(whatever that is) is not enabled.. not much I can think of using so lets try the next command HackTricks suggests;

Looks like we will be able to get the public ssh_key for the user, red. After some more research we come to this blog; https://medium.com/@Victor.Z.Zhu/redis-unauthorized-access-vulnerability-simulation-victor-zhu-ac7a71b2e419 shows how we can use protected mode being disabled to upload our own trusted public key. As per that blog we create temp.txt and upload it to redis.

We can see our key s-key. Next what we want to do with our uploaded ssh key is to get it into the authorized keys file and save it, this way we should be able to ssh.

We don’t have permission to write the authorized_key to the user, reds .ssh folder so let’s try it in the default /var/lib/redis/.ssh. Now trying to SSH as Root, Red and Redis doesn’t seem to work. Let’s try again incase we did something incorrect, this time I will do it as root, just incase there is some unlikely permission issue. We run a flushall command in redis-cli to clear everything and begin again.
This time it seems to work, guessing I typo’d the DIR, or misspelled the auth_keys 😕 Who doesn’t love life..

So now we are logged into the system as Redis, we can view one other user on the system, /home/Matt and the user key is there but unreadable as Redis. The user Red seems to be a red haring. So now we will go through the system to see what we can see.

Checking through the bash history for redis we can see scan.py and sshd_config and id_rsa.bak. Lets check these out first. Sshd_config didn’t show anything interesting but we were able to find a passphrase protected id_rsa.bak file in /opt;

googling how to enumerate id_rsa files shows us we might be able to get a password from this file; https://bytesoverbombs.io/cracking-everything-with-john-the-ripper-d434f0f6dc1c. We copy/paste the file contents into a file on our kali machine, setup john the ripper and.. ah… let ‘er rip!

Computer2008 seems to be our pass, so lets su into Matt and grab that user key.

Everythings coming up matthouse! So now we have user how will we get root. We know we have webmin and redis on the machine so are there any privilege escalations that will help? Checking running processes we can see webmin is being run as root so that might be a good start for checking;

Cant read most of the webmin files but we can confirm the version and search sploit shows one option for us.

And this is in MSF, we can be lazy. MSF module shows we need the webmin password to exploit. Lets see if Matt/computer2008 lets is log into it.

It does, we are in! 😊

Now we run and… we are in!

Lets see if we can get root flag now.

And we win! 😊