HackTheBox Writeup — Postman

Hello Guys , I am Faisal Husaini. My username on HTB is “kNgF” . Also join me on discord.

The IP of this box is

Running masscan on it , we get

masscan -p1-65535,U:1-65535 --rate=500 -e tun0

5 Open Ports discovered, running NMAP against them

Port 22 running OpenSSH, Port 80 Apache httpod 2.4.29, Port 6379 running Redis and Port 10000 runing http Miniserv 1.910

Moving onto the Web Part

Opening the web services in browser

Nothing much interesting here

Running Gobuster scan against it, we get

Nothing interesting either too here we got, looking further in the highest web ssl port

A login page appears, trying random creds didnt worked here

We also saw Port 6379 Open which was Redis , looking for its exploits we got a Python script which we had to modify a little bit

<script src=”https://gist.github.com/kNgF/0b2295e115317360f218c82820a1593a.js"></script>

Going into the /opt directory

We see there is a backup file named id_rsa.bak owned by Matt which is a user on the box

Looking into the contents of the backup file

It’s an encrypted SSH key, which we will take in our box and then crack the passphrase

Using sshng2john to make is crackable with John

Now we use John to crack the passphrase

We got password as “computer2008”, login in as Matt user through su with the cracked password

We got in as Matt user, moving onto getting user flag

Now moving on to priv esc part

Since we remember that on Port 10000 we had WebMin running

Now trying the creds of Matt User

We got in successfully and are presented with a dashboard, looking for its exploit in metasploit

I used the number 2 exploit which was Package Update RCE

Setting up the options

Time for hitting the exploit

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store