Writeup of Postman From HackTheBox
Getting a Shell
For the initial port scan, we use the following nmap command:
nmap -sS -A -Pn -T5 -p- -oN postman.txt 10.10.10.160
The scan reveals the following services:
- ssh
- http apache
- redis
- http webmin
Even after running dirbuster against it, the website on port 80 doesn’t show any obvious vulnerabilities. According to Metasploit there are unpatched vulnerabilities in Webmin, but those require us to be logged in. That leaves Redis. The service requires no authentication at all, which makes it an interesting target. Metasploit offers an unauthenticated exploit, but it doesn’t work here: it relies on the MODULE LOAD command, which seems to be disabled or not available on this build.
A quick search reveals a Python script that drops our SSH public key into the specified user’s directory under /home/ on the remote machine. Running the script against the “any” user fails, because Redis is not allowed to write into the /home/ subdirectories (the dump is written by the redis user, so the target directory has to exist and be writable by that user). Another interesting user is the “redis” user, whose home directory is /var/lib/redis/. We edit the script to point the payload at this directory instead.
We now execute our modified script.
And we have a shell.
Getting user and root
Next we check the machine for interesting files. Sadly we can’t access /var/webmin/ and can’t read the files in /var/backup/. But there is another interesting file: /opt/id_rsa.bak.
The key is encrypted with a passphrase, so why don’t we crack it? John the Ripper can brute-force the passphrase of an SSH private key, but we first have to convert the key into John’s hash format using ssh2john.py. As a word list we use the classic rockyou.txt.
John returns the passphrase computer2008, but it does not get us in over SSH. What it does open is the Webmin login: here we can log in as Matt/computer2008. Only one module seems to be activated, the package update, which is conveniently vulnerable to a Metasploit exploit.
After setting the module options (target, our listener, and the Matt/computer2008 credentials) we run the exploit and get a root shell.