Mar 14, 2020
Postman was a quick, simple machine from HTB. We start off with a redis exploit for initial foothold, then pivot to user by using JTR to crack a backup SSH key before finally using an authenticated Webmin exploit to escalate ourselves to root. The only real tricky part of the machine was having to do a bit of guess work of the redis user's home directory. Otherwise, this machine was a welcome mental break from some of the previous harder ones like Bankrobber or Zetta.
Let us kick things off with our regular NMAP scan.
Alright, so trusty SSH, an Apache instance, a redis instance, and seemingly a web-based Webmin instance. Checking out the Apache instance doesn't give us much information.
Unfortunately even checking the source code does not reveal anything more of value on this page. Let's try the Webmin instance and see if we can get any further.
Alright, this looks a bit more promising. The downside is there is no version number listed anywhere. We can try logging in using admin/admin and other default sets of credentials, but no luck with that approach. If we take a look at searchsploit for potential exploits we have quite a few options.
We can rule out the authenticated exploits for now since we don't have a set of credentials. After a bit of trial and error nothing pans out with the Webmin angle. One last service to check, so let's take a look at redis.
Immediately upon searching I find several redis exploit examples. The most interesting example was from the redis author about the security of the underlying AUTH model. There is even an available repo where this has been scripted up. Perfect, let's see if we can use this to get an initial shell.
Here is where the frustration starts... everything _seemed_ to be going well, however I did not end up getting the shell. I tried a few different variants, including running the exploit commands manually, even trying the Metasploit module which attempts to exploit the same angle - all unsuccessfully. After a lot of head-scratching and searching around I found an interesting nuance. The exploit was trying to use the "home" directory of:
However we find that a redis user sometimes uses /var/lib/. If this is the case the exploit would definitely not work as-is. Let's try modifying the exploit and using the modified home directory.
Alright! We have a foothold! As a side note instead of a fancy script we could achieve the same result with the following manual commands then ssh'ing to the host directly.
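The foothold above works only because the redis instance answers unauthenticated clients and still lets them run CONFIG SET and SAVE. The following is an added example, not part of this writeup or of any redis project code: a small audit of a redis.conf that flags exactly those conditions. The directive names (bind, protected-mode, requirepass, rename-command) are real redis.conf directives; the two sample configurations are constructed for the example, and the requirepass value in the hardened one is a placeholder.

```python
"""Audit a redis.conf for settings that expose CONFIG/SAVE to unauthenticated clients.

Added example for the Postman writeup; not code from the page or from redis.
"""

# Commands a remote client needs in order to turn redis into a file writer
# (CONFIG SET dir/dbfilename followed by SAVE). Renaming them to "" disables them.
DANGEROUS_COMMANDS = ("CONFIG", "SAVE", "BGSAVE", "DEBUG")
ALL_INTERFACES = {"0.0.0.0", "*", "::"}


def parse_redis_conf(text):
    """Return (directives, renamed): last occurrence of a directive wins, as in redis."""
    directives = {}
    renamed = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        name, args = parts[0].lower(), parts[1:]
        if name == "rename-command" and len(args) == 2:
            renamed[args[0].upper()] = args[1].strip('"')
        else:
            directives[name] = args
    return directives, renamed


def audit_redis_conf(text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    directives, renamed = parse_redis_conf(text)
    findings = []

    bind = directives.get("bind")
    binds_all = bind is None or any(a in ALL_INTERFACES for a in bind)
    protected = (directives.get("protected-mode") or ["yes"])[0].lower() == "yes"
    password = "".join(directives.get("requirepass", [])).strip('"')

    # Protected mode only shields an instance that has NO bind directive and NO
    # password; an explicit "bind 0.0.0.0" switches that shield off.
    shielded_by_protected_mode = protected and bind is None
    if binds_all and not password and not shielded_by_protected_mode:
        findings.append("reachable from any interface without AUTH")
    if not password:
        findings.append("no requirepass set")
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd} command is neither renamed nor disabled")
    return findings


# Constructed sample: the kind of configuration the writeup's exploit needs.
WEAK_CONF = """
bind 0.0.0.0
port 6379
protected-mode no
"""

# Constructed sample: the same instance with the exposure closed off.
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
requirepass CHANGE-ME-long-random-passphrase   # placeholder, not a real secret
rename-command CONFIG ""
rename-command SAVE ""
rename-command BGSAVE ""
rename-command DEBUG ""
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["no findings"])
```

Renaming CONFIG and SAVE is what actually removes the file-write primitive; requirepass and a loopback bind reduce who can reach it. On a host like this one, also make sure the service user's home directory (here the /var/lib/ path that tripped the exploit up) is not somewhere sshd will read authorized_keys from.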
Now that we are in, it seems that our redis user does not have access to the flag - unfortunate. We need to do a bit more digging at this point. Right in the redis home directory we see an interesting .bash_history file. Let's see if we can pick out any interesting details from there.
Excellent. We now know there is a user Matt and it looks like they may have backed up their SSH private key... hmm, maybe we can find the file lying around.
Oh-ho ho! Password protected says you. Cracking time says me. Let's get the file over to our machine and start the process. First we need to run it through sshng2john.py to get the file in a format JTR will understand.
Making sure we remove the extra line at the start, we can then run it through John.
Perfect! We now have a set of credentials - Matt/computer2008. All that is left is to impersonate Matt.
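The backup key only slowed things down because it carried a passphrase, and that passphrase fell to John. The following is an added example, not part of this writeup: a small Python audit that finds stray private key files and reports whether each one is passphrase-protected, which is the check a defender would run over backup and home directories. It parses the two on-disk formats OpenSSH uses (the legacy PEM headers and the openssh-key-v1 container). The sample keys are constructed header-only blobs with no real key material; the scan function and its output format are my own.

```python
"""Find private key files and report whether they are passphrase-protected.

Added example for the Postman writeup; not code from the page.
"""
import base64
import os
import struct


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def key_protection(text):
    """Classify a private key file as 'encrypted', 'plaintext' or 'unknown'."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return "unknown"
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        blob = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            return "unknown"
        # Header layout: magic, ciphername, kdfname, kdfoptions, number of keys, ...
        cipher, off = _read_string(blob, len(magic))
        kdf, _ = _read_string(blob, off)
        return "plaintext" if cipher == b"none" and kdf == b"none" else "encrypted"
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is announced by a Proc-Type header.
    if any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:]):
        return "encrypted"
    return "plaintext"


def scan_for_keys(root):
    """Walk root and return [(path, protection, world_readable)] for private key files."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    head = fh.read(16384)
            except OSError:
                continue
            first = head.lstrip().split("\n", 1)[0]
            if first.startswith("-----BEGIN ") and "PRIVATE KEY" in first:
                mode = os.stat(path).st_mode
                results.append((path, key_protection(head), bool(mode & 0o004)))
    return results


def _constructed_openssh_key(cipher, kdf):
    """Build a header-only openssh-key-v1 container for testing (no key material)."""
    blob = b"openssh-key-v1\x00"
    for field in (cipher, kdf, b""):          # ciphername, kdfname, kdfoptions
        blob += struct.pack(">I", len(field)) + field
    blob += struct.pack(">I", 0)               # number of keys: none in this sample
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed samples used by the checks below.
SAMPLE_PLAIN = _constructed_openssh_key(b"none", b"none")
SAMPLE_ENCRYPTED = _constructed_openssh_key(b"aes256-ctr", b"bcrypt")
SAMPLE_LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for path, prot, readable in scan_for_keys(os.path.expanduser("~")):
        print(f"{path}: {prot}{' (world-readable)' if readable else ''}")
```

A key reported as "plaintext" is usable by anyone who can read the file; one reported as "encrypted" is still only as strong as its passphrase, which is the lesson of computer2008 above. Copies of keys in backup directories deserve the same file permissions and the same rotation as the original.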
User down, time to hunt root!
Root was a little simpler than getting user, mainly because we already did the recon required for escalation without knowing it at the time. Once we acquired the shell as Matt some poking around didn't really give us a logical next step. Now with a set of credentials however, maybe we can go back and use some of those authenticated Webmin exploits? First let's log in to the Webmin portal and see if we can find any additional information - maybe something like a version number.
Sure enough, right on the home page we see that it is running version 1.910. Let's go back up to our Webmin searchsploit output.
We see that there is a Metasploit module for the exact version. Let's get it configured and see if it works as is, or if we need to tweak anything as we did with the previous redis exploit!
Alright, and now if we kick it off...
And just like that, our journey with Postman is complete. Thanks folks, until next time.