Hackthebox - Postman

Summary

Postman, a Linux box created by HackTheBox user TheCyberGeek, was an overall easy-difficulty box. You had to read the config from Redis and use the file-write technique to place your SSH key in authorized_keys, which gives an SSH connection as the redis user. Enumerating from there you find an encrypted SSH key; cracking it yields a passphrase, but using the passphrase with the key does not work. That passphrase does, however, work as the user's password on Webmin. Webmin has an authenticated RCE, through which we get the root shell.

Enumeration

Let's start with an nmap scan.

# Nmap 7.80 scan initiated Sun Nov  3 00:59:21 2019 as: nmap -sC -sV -oN nmap/postman 10.10.10.160
Nmap scan report for 10.10.10.160
Host is up (0.15s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
| 256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp open redis Redis key-value store 4.0.9
10000/tcp open http MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Nov 3 01:00:02 2019 -- 1 IP address (1 host up) scanned in 41.56 seconds

Let's check the web server.

We see only a static website, and enumerating it we don't find anything interesting.

Checking port 10000 we see it is Webmin, but we don't see anything interesting there yet either.

Enumerating Redis we see we can connect without authentication and get/set keys.

Searching for Redis RCE techniques, we come across the well-known Redis file-write RCE.

We can try getting a shell via file write. First we read the working directory (dir) from the Redis config.

I found a script which I could use after modifying the exploit.

Using it we get a low-privilege shell.
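The file-write technique above only works because the Redis instance is reachable from the network, unauthenticated, and still exposes CONFIG/SAVE. As an added example (not part of the original writeup), the following script parses a redis.conf and reports the settings that enable that technique, with a constructed permissive config beside a hardened one; the check names and recommendations are the editor's, not output of any Redis tool.

```python
"""Audit a redis.conf for the settings behind the Redis file-write technique.

Added example, not from the original writeup.  WEAK_CONF and
HARDENED_CONF are constructed samples for illustration.
"""
from typing import Dict, List, Tuple

# Constructed sample: a permissive config of the kind an exposed,
# unauthenticated Redis 4.x instance would run with.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

# Constructed sample: the same instance hardened.  The requirepass value
# is a placeholder, not a real secret.
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command SAVE ""
rename-command BGSAVE ""
dir /var/lib/redis
"""

# Commands that together let a client pick the dump path and write a file.
FILE_WRITE_COMMANDS = ("CONFIG", "SAVE", "BGSAVE")


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Parse redis.conf lines into {directive: [argument string, ...]}.

    Repeatable directives (rename-command) keep every occurrence; the
    last value wins for the others.  Comments and blank lines are skipped.
    """
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (finding, recommendation) pairs for risky settings."""
    conf = parse_conf(text)
    findings: List[Tuple[str, str]] = []

    # Redis listens on every interface when bind is absent or a wildcard.
    bind = conf.get("bind", [""])[-1]
    if not bind or any(a in ("0.0.0.0", "::", "*") for a in bind.split()):
        findings.append(("listens on all interfaces",
                         "bind 127.0.0.1 or a private interface only"))

    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append(("protected-mode disabled", "set protected-mode yes"))

    if not conf.get("requirepass", [""])[-1]:
        findings.append(("no authentication",
                         "set requirepass to a long random secret"))

    # A command listed in rename-command is either disabled ("") or
    # renamed to an unguessable name; either removes it from the technique.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v}
    for cmd in FILE_WRITE_COMMANDS:
        if cmd not in renamed:
            findings.append((f"{cmd} command available to clients",
                             f'rename-command {cmd} "" or to an unguessable name'))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for finding, fix in audit(text) or [("no findings", "")]:
            print(f"  - {finding}: {fix}")
```

Pointing audit() at a real redis.conf reproduces the checklist a defender would run against an exposed instance: bind to loopback or a private interface, keep protected-mode on, require a password, and rename or disable CONFIG/SAVE/BGSAVE so clients cannot redirect the RDB dump to a file they choose.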

Privilege Escalation

After getting the shell and enumerating the file system, we find an encrypted SSH key.

Converting the key with ssh2john and cracking the passphrase with john,
we get the password computer2008.

Trying the key over SSH to get the user gives an authentication failure, but using that passphrase as the password in su we get the user.

We also try those credentials on Webmin and see that we can authenticate with them.

The Webmin version (1.910, per the nmap output) has an authenticated RCE, using which we get the root shell.

and we can read root.txt: a257741c5bed8be7778c6ed95686ddce

and we have pwned Postman 💃

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/postman/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.