We covered the enumeration of Redis NoSQL database server and exploitation using SSH. This was part of HackTheBox Postman
Windows Privilege Escalation Techniques Course
Challenge Description
Postman is an easy difficulty Linux machine, which features a Redis server running without authentication. This service can be leveraged to write an SSH public key to the user's folder. An encrypted SSH private key is found, which can be cracked to gain user access. The user is found to have a login for an older version of Webmin. This is exploited through command injection to gain root privileges.
Video Transcript
HackTheBox Postman is part of Metasploit track, which we are doing as you can see we have only three machines left to finish this track. So this machine is relatively easy and revolves around the Redis which is NoSQL Database. We’re going to explore this database to gain a limited access or limited shell access from which we’re going to Pivot to a webmin web server running on the machine. We’re going to gain admin access and then we’re going to take root. So let’s get started. We have webmen running on version 1.910 and we have I figured also we have redis running on port 6379. The regular website running on ports 80, but basically you’re not going to find anything. Even if you run dirbuster or gobuster.
We launch msfconsole from Metasploit to exploit the Redis database and by the way don’t forget to add the IP address of the postman to the /etc/hosts file. Eventually we generate an SSH key pair and use them along with what we have on the Redis database to gain the first foothold on the machine as the database user. After you get access you will find a private key id_rsa in /opt which you need to decrypt using ssh2john and then use John with rockyou.txt wordlist to extract the passphrase of this private key then you can login to the target machine using the user Matt through SSH.
Then again we use Metasploit to escalate privileges through the vulnerable Webmin leading to root access.
Video Walkthrough