# Postman

| Creator | OS | Difficulty | Points |
|---|---|---|---|
| TheCyberGeek | Linux | Easy | 20 |
## Initial Scan

I started with an initial NMAP scan of the host, and discovered ports 22, 80, and 10000.

Command: `nmap -F -oN nmap/quick 10.10.10.160`

```
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
10000/tcp open  snet-sensor-mgmt
```
Further script scanning revealed an Apache service and a MiniServ service.

Command: `nmap -sC -sV -oN nmap/def-script -p 22,80,10000 10.10.10.160`

```
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-server-header: MiniServ/1.910
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
## Web Server Exploration

The Apache server is running version 2.4.29, which doesn't have any easy public exploits as far as I can tell. It's running The Cyber Geek's personal website, which doesn't have much going on. The MiniServ port gives me an error that tells me I need to specify the hostname, rather than the IP address. By editing my `/etc/hosts` file to add the line `10.10.10.160 postman`, I can view the site at https://postman:10000. After looking for a bit, there's also not much I can do with this, so it might be a rabbit hole. There is an exploit for the MiniServ (Webmin) 1.910 version, but it requires authenticated access so I'm out of luck.
## Further Scanning

Doing a full port scan, I find that port 6379 is also up and running Redis.

Command: `nmap -p- --max-retries=1 -vv -oN nmap/full-tcp 10.10.10.160`

```
PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack ttl 63
80/tcp   open  http    syn-ack ttl 63
6379/tcp open  redis   syn-ack ttl 63
```
Further enumerating with scripts, I see that its version is 4.0.9.

Command: `nmap -sC -sV -oN nmap/more-script -p 6379 10.10.10.160`

```
PORT     STATE SERVICE VERSION
6379/tcp open  redis   Redis key-value store 4.0.9
```
## Exploiting Redis

Redis is an open source, BSD-licensed data structure store that is often used as a database. The second result when I search for exploits on this version gives me a script that will give me SSH access to the host via misconfigurations in Redis, located here. It requires the `redis-cli` tool and runs commands to create a new database file in `/home/<user>/.ssh/` for whatever user I specify, adding my SSH key to the `authorized_keys` file. They're fairly simple commands, so I'll run the script and correctly assume that Redis is running as the user `redis`:
```bash
# Upload the key to give me access
python redis.py 10.10.10.160 redis
# Log in with my default id_rsa key
ssh redis@10.10.10.160
```
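From the defender's side, the conditions that script depends on (Redis reachable from the network, no authentication, and the CONFIG command left available so a client can choose where the database file is written) are all visible in `redis.conf`. The audit below is an added example, not code from the original post; both config fragments are constructed, with the first showing the exposure and the second the hardened equivalent.

```python
# Constructed redis.conf fragments (not from the original post).
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass ChangeMe-Long-Random-Secret
rename-command CONFIG ""
dir /var/lib/redis
"""


def parse_conf(text):
    """Return {directive: [[args...], ...]} with comments and blanks stripped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text):
    """List the settings that let an unauthenticated client reach Redis and
    use CONFIG to rewrite files, which is the path the writeup abuses."""
    conf = parse_conf(text)
    findings = []
    binds = conf.get("bind", [[]])[-1]          # Redis honours the last bind line
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind: listens on all interfaces")
    if conf.get("protected-mode", [["yes"]])[-1][:1] == ["no"]:
        findings.append("protected-mode: disabled")
    if not conf.get("requirepass"):
        findings.append("requirepass: no password required")
    renamed = [r for r in conf.get("rename-command", []) if r and r[0].upper() == "CONFIG"]
    if not renamed:
        findings.append("rename-command: CONFIG still available to clients")
    return findings


if __name__ == "__main__":
    print("weak:", audit_redis_conf(WEAK_CONF))
    print("hardened:", audit_redis_conf(HARDENED_CONF))
```

Redis 4.0.9 defaults to `protected-mode yes`, so a host only ends up in the first state when someone turned it off or bound the service to a public address without setting a password.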
## Getting User Access

After poking around on the server for a bit, I discovered a file called `id_rsa.bak` in the `/opt` directory. How interesting. Looking at the file permissions, it's owned by the user `Matt`. I copied it to my host and cracked it with sshng2john and JohnTheRipper:
```bash
python sshng2john.py id_rsa.bak > id_rsa.encrypted
# Then I manually deleted the first line of id_rsa.encrypted
# to format the file for JohnTheRipper
john id_rsa.encrypted
```

Now I have credentials: `Matt:computer2008`!
## Getting Root Access

In order to get root access, I went back to the MiniServ (Webmin) exploit I found initially. That required credentials, which I now have, and it gives root access. There's a Metasploit module and I was lazy when I finished this box, so that's what I used. I started Metasploit, set the module to use `linux/http/webmin_packageup_rce`, set the payload to a Perl bind shell `cmd/unix/bind_perl`, set the credentials for `Matt`, and ran the exploit to get a root shell.