Postman – 10.10.10.160

Postman Rooted by rival23

Summary: overall a super fun and easy box made by TheCyberGeek.

The initial foothold through an unauthenticated Redis instance is a good example of why we put passwords on it.

Cracking the passphrase of an RSA key gave user access, and an authenticated RCE gave root.

Initial Enumeration

As usual, I start with a full port scan using nmap.

Once I have all the open ports, I run a more detailed scan on each of them.

The -sC and -sV flags tell nmap to run its default scripts and to detect the service and version on each port.

Port Enumeration

PORT 80

The website is still under construction. I decided to let an automated scanner do its thing and continue on other ports.

Port 6379:

I found a link with some interesting ideas and tried a few of them.

Using redis-cli we can check whether the Redis instance requires authentication or not.

Connecting to it drops us straight into the Redis prompt, so no authentication is required on this Redis instance. Let’s exploit the crap out of it.
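As an added example (not code from the original write-up), here is a small Python audit helper that performs the same check without redis-cli: it speaks just enough of the RESP wire protocol to send PING and classify the reply, which is handy for sweeping your own hosts for Redis instances that answer without a password. The host and port passed to audit_redis are assumptions.

```python
"""Audit helper: does a Redis instance answer without authentication?
Added example for this write-up; not part of the original post.
It uses a plain socket and a minimal RESP encoder, so no client library is needed.
"""
import socket


def resp_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings (what redis-cli sends)."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(out)


def classify_reply(reply: bytes) -> str:
    """Map the raw reply to an unauthenticated PING onto an audit verdict."""
    first_line = reply.split(b"\r\n", 1)[0]
    if first_line == b"+PONG":
        # Commands are accepted without AUTH: the situation on this box.
        return "open"
    if first_line.startswith(b"-NOAUTH"):
        # requirepass is configured; clients must AUTH first.
        return "password-required"
    if first_line.startswith(b"-DENIED"):
        # protected-mode is refusing non-loopback clients.
        return "protected-mode"
    return "unknown"


def audit_redis(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    """Connect, send PING, and return the verdict (network access assumed)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(resp_command("PING"))
        return classify_reply(sock.recv(4096))


if __name__ == "__main__":
    # Hypothetical target; point this at a host you are responsible for.
    print(audit_redis("127.0.0.1"))
```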

Foothold: Redis unauthenticated RCE

https://packetstormsecurity.com/files/134200/Redis-Remote-Command-Execution.html

The idea here is to add our own SSH public key to the authorized_keys file on the remote box. With our key injected we can SSH into the remote box using the matching private key and get a shell as the redis user.

  1. Make an RSA key pair using ssh-keygen -> issue the command and fill in all the blanks
  2. Copy id_rsa.pub into a text file
  3. Pass it along in a variable to the Redis client and connect to it afterwards
  4. Save the content of the file into authorized_keys for the redis user
  5. Connect as the redis user using SSH

Now we have a shell on the box as redis, and it is time for some internal enumeration.

Priv esc 1: user Matt

Ran linuxprivchecker

Using my own Python web server I got an automated scanner onto the remote box.

First, set up the listener on my own box using python3 -m http.server 80.

Running wget on the remote box makes a GET request to my web server.

We can see this request on the local Kali box, which is a good sign and means it worked.

To run the script, simply call it with python.

After some looking around I found id_rsa.bak in the /opt directory.

The header of the key tells us it’s encrypted, which means the passphrase needs to be cracked first.

Using ssh2john I extracted a hash from the encrypted key, which john can then crack.

Running john with the SSH format, we simply pass the hash together with a wordlist and it gets cracked.

Matt / computer2008 are the creds I have now.

Using SSH with these creds does not work; after some trial and error we find the right way to use them.

With this we have now compromised the user.

ROOT

Now that we have the Matt user on the box, it is time for some more enumeration and a look for a way to get root.

I looked at the open ports again to see whether any interesting ones from the beginning still needed a closer look.

Port 10000:

Following the redirect revealed a login page.

Trying Matt / computer2008 gave us the admin panel.

I stumbled upon a Metasploit module for Webmin 1.910 when looking for well-known vulnerabilities using searchsploit.

Start Metasploit with msfconsole and then search for the right module.

After setting all the options it should look like this.

Note that SSL is set to true; a browser session to http://postman.htb:10000/ revealed this.

Run the module with run or exploit.

This gives us a root shell, and thus we have owned the box!