Port scan

Initial shell

/var/lib/redis/.ssh

Own user

Own root

My lessons learned

Users' home directories aren't always inside the directory /home.

Read the manual carefully when using tools' options.

Otherwise, you will waste time trying to fix john like I did when cracking the private key's passphrase.

Users often tend to reuse the same password on many accounts.

Hi, welcome to my blog! The box Postman has just retired on Hack The Box. It's one of the boxes I solved for OSCP preparation. In this post, I write about how I managed to own this machine. The initial shell may be a little tricky, but owning user and root is actually a piece of cake.

As usual, I use nmap to scan all ports of the box. There are two interesting ports here: 6379 and 10000. Port 10000 runs Webmin version 1.910. I try the CVE-2019-15107 exploit, but it fails because changing of expired passwords is not enabled. Let's take a note of it and then dig into the Redis service running on port 6379!

This is the most difficult part due to the multiplayer environment. Many people continuously change the config directory of Redis. First, I search for a Redis exploit on Google and it comes up with a Metasploit module, which will make a reverse shell back to my machine. Unfortunately, there is no MODULE LOAD command on this Redis server, so the exploit always fails. I then try to drop a web shell in the folders and but no luck. The Redis server is not running with root privileges and it doesn't have write privileges on those web directories. However, if you reset the machine and connect to port 6379 again, you will see the default config directory is . Isn't this strange?

At this point, I think that the Redis server is run by the user and its home directory is . So, I decided to write an file inside the directory and then to the user. To avoid interruption from other users, I write a bash file to automate the exploit and make it fast enough. And then, the shell pops out.

Enumeration is the key! First, I use to enumerate all files owned by the user Matt. The file looks promising; maybe it's the backup of Matt's current private key. I immediately copy it to my machine and use to crack its passphrase. Something went wrong: with can't crack it. Someone on the forum also said that he can't use with .
After trying many ways, from customizing my own wordlist to reinstalling from the GitHub repository, it turns out that I forgot a "" after the option . Although I have Matt's private key now, I still can't to the Matt user on Postman. Something very funny is that Matt is denied to to the machine in the SSH server configuration. Fortunately, people often reuse passwords, so Matt is not an exception. The private key's passphrase is also his user's password. Just switch to Matt's account and capture the user flag!

Do you remember the Webmin service from when we scanned the machine's ports? Now it's time to use it. We can sign in to Webmin using Matt's credentials, so we can also exploit it using CVE-2019-15642. This exploit requires a base64 encoding of Matt's credentials to authenticate via HTTP Basic Authentication. It's very simple: I just use to get root privileges and grab the root flag!

If you have any questions, please don't hesitate to ask me on Twitter or leave a comment. Thank you for reading!
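The Redis abuse in the initial-shell section (a CONFIG SET that points the dump directory and filename at a sensitive location, followed by SAVE) has a clear detection signature. As an added example that is not from the original post, here is a small Python script that replays `redis-cli MONITOR` output (constructed sample lines) and flags any client that redirects the RDB dump to an SSH or web directory and then saves; the sensitive-path watch-lists and the sample client addresses are assumptions.

```python
import re

# One line of `redis-cli MONITOR` output looks like:
#   1586957213.520155 [0 10.10.14.5:43210] "CONFIG" "SET" "dir" "/var/lib/redis/.ssh"
MONITOR_RE = re.compile(r'^\d+\.\d+ \[\d+ (?P<client>\S+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Watch-lists (assumptions, not from the post): places an RDB dump should never land.
SENSITIVE_DIR = re.compile(r'(/\.ssh/?$|/var/www|/html|/cron|/etc/)')
SENSITIVE_FILE = re.compile(r'(^authorized_keys$|\.php$|\.sh$)')


def parse_monitor_line(line):
    """Return (client, [args]) for a MONITOR line, or None if it is not one."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    args = [a.replace('\\"', '"') for a in ARG_RE.findall(m.group("args"))]
    return m.group("client"), args


def find_rdb_write_abuse(lines):
    """Flag each client that points the RDB dump at a sensitive path and then saves.
    State is kept per client address because CONFIG SET and SAVE arrive as
    separate commands; returns a list of (client, dump_path)."""
    states, alerts = {}, []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[1]:
            continue
        client, args = parsed
        st = states.setdefault(client, {"dir": "", "dbfilename": ""})
        cmd = args[0].upper()
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            key = args[2].lower()
            if key in st:  # only dir / dbfilename matter for this pattern
                st[key] = args[3]
        elif cmd in ("SAVE", "BGSAVE"):
            if SENSITIVE_DIR.search(st["dir"]) or SENSITIVE_FILE.search(st["dbfilename"]):
                alerts.append((client, f'{st["dir"]}/{st["dbfilename"]}'))
    return alerts


# Constructed sample capture: one harmless client and one abusing CONFIG SET + SAVE.
SAMPLE_MONITOR = """\
1586957210.100000 [0 127.0.0.1:50000] "SET" "session:1" "abc"
1586957212.300000 [0 10.10.14.5:43210] "CONFIG" "SET" "dir" "/var/lib/redis/.ssh"
1586957213.400000 [0 10.10.14.5:43210] "CONFIG" "SET" "dbfilename" "authorized_keys"
1586957214.500000 [0 10.10.14.5:43210] "SET" "crackit" "ssh-rsa AAAA..."
1586957215.600000 [0 10.10.14.5:43210] "SAVE"
1586957216.700000 [0 127.0.0.1:50000] "SAVE"
""".splitlines()
```

Running `find_rdb_write_abuse(SAMPLE_MONITOR)` reports only the second client; the harmless SAVE from 127.0.0.1 is ignored because that client never changed `dir` or `dbfilename`.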