Hack The Box - Postman - Write-up

Welcome to my blog!

The box Postman has just retired on Hack The Box. It's one of the boxes I solved for OSCP preparation. In this post, I write about how I manage to own this machine. The initial shell may be a little tricky but the user and root owning are actually pieces of cake.

Port scan

As usual, I use nmap to scan all ports of the box.

There are two interesting ports here: 6379 and 10000. The port 10000 runs Webmin version 1.910. I try using the CVE-2019-15107 exploit but it's failed because changing of expired passwords is not enabled.

Let's take a note about it and then dig into the Redis service running on port 6379!

Initial shell

This is the most difficult part due to the multiplayer environment. Many people continuously change the config directory of Redis.
First, I search for a Redis exploit on Google and it comes up with a Metasploit module, which will make a reverse shell back to my machine. Unfortunately, there is no MODULE LOAD command on this Redis server so the exploit is always failed.

I then try to drop a web shell in the folders /var/www/html/ and /var/www/html/upload/ but no luck. The Redis server is not running with root privilege and it doesn't have write-privilege on those web directories.

However, if you reset the machine and connect to the port 6379 again, you will see the default config directory is /var/lib/redis/.ssh. Is this very strange?

At this point, I think that the Redis server is running by the redis user and its home directory is /var/lib/redis. So, I decided to write an authorize_keys file inside the .ssh directory and then ssh to the redis user. To avoid interruption from other users, I write a bash file to automate and make the exploit fast enough. And then, the shell pops out.

Own user

Enumeration is the key! First, I use find to enumerate all files owned by the user Matt.

The file id_rsa.bak looks promising, maybe it's the backup of Matt's current private key.

I immediately copy it to my machine and use john to crack its passphrase. Something went wrong, john with rockyou.txt can't crack it.
Someone on the forum also said that he can't use john with rockyou.txt. After trying many ways, from customing my own wordlist to reinstall john from the Github repository, it comes up that I forgot an "=" after the option wordlist.

Although I have Matt's private key now but I still can't ssh to the Matt user on Postman. Something is very funny that Matt is denied to ssh to the machine in the SSH server configuration.

Fortunately, people often reuse password so Matt is not an exception. The private key's passphrase is also his user's password. Just switch to Matt's account and capture the user flag!

Own root

Do you remember the Webmin service when we scan the machine's ports? Now, it's time to use it.
We can sign in to Webmin by using Matt's credentials so we can also exploit it by using CVE-2019-15642. This exploit requires a base64 encode of Matt's credentials to authenticate by HTTP Basic Authentication. It's very simple, I just use curl to get root privilege and grab the root flag!

My lessons learned

  • Users' home directories aren't always inside the directory /home.
  • Read the manual carefully when using tools' options.
    Otherwise, you will waste time trying to fix john like me when cracking the private key's passphrase.
  • Users often tend to reuse the same password on many accounts.

If you have any questions, please don't hesitate to ask me on Twitter or leave a comment.
Thank you for reading!