Postman Hack The Box (HTB)

Musyoka Ian
Mar 14, 2020


Hello guys, today Postman got retired by the Hack The Box team and we'll do a walkthrough of it. It's a machine from Hack The Box with the IP address 10.10.10.160. The initial foothold is exploiting an unauthenticated Redis instance to upload an SSH public key; using the matching private key we are then able to SSH into the box. Let's begin.

First I did a TCP scan of the top 1000 ports and found 3 ports open.

I decided to enumerate port 80 since it's the easiest attack vector, but it turned out to be a rabbit hole. I then focused my attention on port 10000 (Webmin), but it required credentials, and too many failed login attempts caused a temporary lockout. So I got stuck and decided to run a UDP scan on the host using Nmap, and voila, one port was open: Redis key-value store 4.0.9.

I did a basic Google search on the service and found that the version was vulnerable. You can get the exact information from the link below.

Since it was configured to be accessed without authentication, I generated my SSH keys using the command

ssh-keygen -t rsa

Then, using redis-cli, a tool that comes preinstalled in Parrot OS, I uploaded the public key to the server.

I connected to the machine using redis-cli and saved the uploaded SSH public key.

The SSH keys will be stored in /var/lib/redis/.ssh/.
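What made this foothold possible is a handful of redis.conf settings: the instance was reachable from the network, had no password, and left the CONFIG command available so any client could point the dump directory at .ssh. The following is an added example (not from the original write-up) that parses a redis.conf and flags those settings; both config texts are constructed samples, the weak one beside a hardened one.

```python
"""Flag the redis.conf settings that let an anonymous client write files.

Added example, not part of the original write-up. Both configs below are
constructed samples: WEAK_CONF mirrors the kind of setup found on the box,
HARDENED_CONF shows the corrected directives.
"""

# Constructed: listens everywhere, no password, CONFIG left in place.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
dir /var/lib/redis
"""

# Constructed: loopback only, password set, CONFIG and SAVE disabled.
HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
rename-command SAVE ""
dir /var/lib/redis
"""


def parse_conf(text):
    """Map each directive to the list of argument lists it was given (directives may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text):
    """Return a sorted list of weaknesses relevant to the SSH-key-via-dump technique."""
    conf = parse_conf(text)
    findings = []
    binds = [addr for args in conf.get("bind", []) for addr in args]
    if not binds or any(a in ("0.0.0.0", "*", "::") for a in binds):
        findings.append("bind: listens on all interfaces")
    if any(args and args[0].lower() == "no" for args in conf.get("protected-mode", [])):
        findings.append("protected-mode: disabled")
    if "requirepass" not in conf:
        findings.append("requirepass: no authentication required")
    renamed = {a[0].upper(): a[1] for a in conf.get("rename-command", []) if len(a) == 2}
    if renamed.get("CONFIG") != '""':
        findings.append("rename-command: CONFIG still reachable (dir/dbfilename can be changed)")
    return sorted(findings)
```

Run it against a live redis.conf and an empty result means none of the four directives that enabled this foothold are left at their weak values.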

After uploading the public key and using the private key we generated, we get a shell on the box. Now it's time to escalate our privileges to the root user.

So I decided to run the LinEnum privilege escalation script. In my opinion it's the best script for finding privilege escalation vectors on a Linux operating system. I set up an FTP server on my local box and downloaded the script to the target machine using wget.

After running the script using the command

bash LinEnum.sh

we get a backup of a private SSH key that belongs to Matt, a user on the box.

I copied the private key to my local machine, but there is a catch: the private key is encrypted with a passphrase, and we'll have to crack it using John the Ripper. First I extracted the hash from the private SSH key using the following command

/usr/share/john/ssh2john.py id_rsa.bak > hash

Then I cracked the hash using John the Ripper. I used the rockyou wordlist and voila, we get the password computer2008.

Now I tried to SSH into the machine as the user Matt, but all attempts failed.

I decided to log in on the box as the regular user with the su command, using the password cracked from the backup SSH private key, and boom, we had a user shell on the box, meaning we could read user.txt.

Now we have to escalate our privileges to root. I did some more enumeration on the box and discovered that Webmin was running as root, meaning that if we successfully exploited the application we could get root access to the server.

Using a web browser I tried to log in to the Webmin server with default credentials like admin:admin, admin:password and guest:guest, but they were unsuccessful. I decided to use Matt's credentials and luckily got access to Webmin.

It exposes the version number as 1.910. I decided to search for exploits using searchsploit and

we get an exploit that appears to be remote code execution, and lucky for us it's a Metasploit module.

That appears to be our exploit. I configured RHOST, USERNAME, PASSWORD and SSL.

After I had configured the exploit I ran it and boom!

We get a shell on the box running as root. Now I upgraded it to a proper shell.

Now it's time to get the root flag.

I can't post the flags; you'll have to get those on your own when you tackle the box. That's it guys, hope you've learnt something.


Written by Musyoka Ian

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)
