HackTheBox Writeup — Postman
Hello guys, I am Faisal Husaini. My username on HTB is “kNgF”. Also join me on Discord.
The IP of this box is 10.10.10.162
Port Scan
Running masscan on it, we get
masscan -p1-65535,U:1-65535 10.10.10.162 --rate=500 -e tun0
5 open ports discovered, running Nmap against them
Port 22 running OpenSSH, Port 80 Apache httpd 2.4.29, Port 6379 running Redis and Port 10000 running http Miniserv 1.910
Moving onto the Web Part
Port 80 — Web
Opening the web service in the browser
Nothing much interesting here
Running a Gobuster scan against it, we get
Nothing interesting here either, so we look further at the highest web (SSL) port
A login page appears; trying random creds didn't work here
We also saw Port 6379 open, which was Redis. Looking for its exploits we found a Python script which we had to modify a little bit
Modified script (gist): https://gist.github.com/kNgF/0b2295e115317360f218c82820a1593a
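The reason the Redis service was usable at all is that it was reachable from the network without a password. As an added example (not the writeup's script and not the gist above), here is a small audit of a redis.conf for exactly the settings that create that situation: a missing or wildcard bind, protected-mode switched off, no requirepass, and dangerous commands left enabled. Both sample configs are constructed; the function does not evaluate Redis 6+ ACL user directives.

```python
"""Audit a redis.conf for settings that leave an unauthenticated instance
reachable from the network. Added example; the sample configs are constructed."""

# Commands an unauthenticated client should never be able to reach; disabling
# them is done with: rename-command CONFIG ""
DANGEROUS_COMMANDS = ("CONFIG", "FLUSHALL", "FLUSHDB", "DEBUG", "SLAVEOF", "REPLICAOF")


def parse_redis_conf(text):
    """Map each directive (lowercased) to the list of argument lists seen for it.
    Blank lines and '#' comments are ignored. rename-command may repeat, hence
    the list of lists."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit_redis_conf(text):
    """Return a list of findings; an empty list means nothing risky was found."""
    conf = parse_redis_conf(text)
    findings = []

    bind = conf.get("bind")
    if not bind:
        findings.append("no 'bind' directive: Redis listens on all interfaces")
    else:
        # Redis 7 allows a leading '-' meaning 'optional address'; ignore it.
        addrs = [a.lstrip("-") for args in bind for a in args]
        if any(a in ("0.0.0.0", "::", "*") for a in addrs):
            findings.append("bind includes a wildcard address: reachable from the network")

    protected = conf.get("protected-mode", [["yes"]])[-1]
    if protected and protected[0].lower() == "no":
        findings.append("protected-mode is off")

    requirepass = conf.get("requirepass")
    if not requirepass or not requirepass[-1] or requirepass[-1][0].strip('"') == "":
        findings.append("no requirepass: clients connect without authentication")

    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd} is not renamed/disabled")
    return findings


# Constructed sample: the defaults typically seen on an exposed instance.
WEAK_CONF = """
port 6379
protected-mode no
daemonize yes
dir /var/lib/redis
"""

# Constructed sample: loopback only, password required, risky commands removed.
HARDENED_CONF = """
port 6379
bind 127.0.0.1 -::1
protected-mode yes
requirepass CHANGE-ME-to-a-long-random-secret
rename-command CONFIG ""
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command DEBUG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_redis_conf(conf) or ['no findings']}")
```

Run it against a real file with `audit_redis_conf(open("/etc/redis/redis.conf").read())`; a non-empty list on a host whose Redis port is reachable from other machines is the condition this box demonstrates.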
Going into the /opt directory
We see there is a backup file named id_rsa.bak owned by Matt which is a user on the box
Looking into the contents of the backup file
It's an encrypted SSH key, which we will take to our box and then crack the passphrase
Using sshng2john to make it crackable with John
Now we use John to crack the passphrase
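Why does John get through this key so fast? The backup is in the legacy PEM format (BEGIN RSA PRIVATE KEY with a DEK-Info header), where the cipher key is derived from the passphrase with a single MD5 pass, so every guess costs one hash. Keys written in the openssh-key-v1 format use bcrypt with a configurable round count instead. The following added example (not part of the writeup) classifies a private key file by format and KDF so an administrator can find keys that need re-encrypting with ssh-keygen -p -a 100. All sample keys in it are constructed stubs with dummy key material, not real keys.

```python
"""Classify an OpenSSH private key by format and passphrase KDF.
Added example; every sample key below is a constructed stub."""
import base64
import struct

V1_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes) at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _verdict(info):
    if not info["encrypted"]:
        return "unprotected: no passphrase, so whoever can read the file owns the key"
    if info["kdf"] == "bcrypt":
        if info["rounds"] >= 16:
            return "ok"
        return "weak: bcrypt rounds below ssh-keygen's default of 16"
    if info["kdf"] == "pbkdf2":
        return "check: PKCS#8 PBES2, iteration count is inside the DER and not parsed here"
    return "weak: legacy PEM derives the cipher key with one MD5 pass; re-encrypt with ssh-keygen -p -a 100"


def inspect_private_key(text):
    """Return format, cipher, kdf, rounds, encrypted and a verdict for a key file."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN") or "PRIVATE KEY" not in lines[0]:
        raise ValueError("not a PEM-armoured private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(V1_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(V1_MAGIC)
        cipher, off = _read_string(blob, off)      # e.g. aes256-ctr, or none
        kdf, off = _read_string(blob, off)         # bcrypt, or none
        kdfopts, off = _read_string(blob, off)     # string salt + uint32 rounds
        rounds = None
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        info = {"format": "openssh-v1", "cipher": cipher.decode(), "kdf": kdf.decode(),
                "rounds": rounds, "encrypted": cipher != b"none"}
    elif "ENCRYPTED PRIVATE KEY" in lines[0]:
        info = {"format": "pkcs8", "cipher": "PBES2", "kdf": "pbkdf2", "rounds": None, "encrypted": True}
    else:
        # Legacy PEM: optional RFC 1421 headers, then a blank line, then base64.
        headers = {}
        for line in lines[1:-1]:
            if ":" not in line:
                break
            k, v = line.split(":", 1)
            headers[k.strip()] = v.strip()
        encrypted = "ENCRYPTED" in headers.get("Proc-Type", "")
        cipher = headers.get("DEK-Info", "none").split(",")[0]
        info = {"format": "pem", "cipher": cipher, "kdf": "md5-evp-byteskey" if encrypted else "none",
                "rounds": 1 if encrypted else None, "encrypted": encrypted}
    info["verdict"] = _verdict(info)
    return info


def build_openssh_v1_stub(cipher, kdf, rounds):
    """Construct only the envelope of an openssh-key-v1 file (constructed test data):
    real header fields, dummy bytes where the key material would be."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdfopts = s(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = V1_MAGIC + s(cipher) + s(kdf) + s(kdfopts) + struct.pack(">I", 1) + s(b"pub") + s(b"priv")
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy-format stub; the body is a placeholder, not key material.
LEGACY_ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

AAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    print(inspect_private_key(LEGACY_ENCRYPTED_KEY))
    print(inspect_private_key(build_openssh_v1_stub(b"aes256-ctr", b"bcrypt", 100)))
```

On a real host, run inspect_private_key over every id_* and *.bak file under home directories and backup locations; a "weak" or "unprotected" verdict on a file that is readable by other users is the combination that turns a stray backup into a login.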
We got the password “computer2008”; logging in as the Matt user through su with the cracked password
We got in as the Matt user, moving on to getting the user flag
Now moving on to the priv esc part
Privilege Escalation
Recall that on Port 10000 we had Webmin running
Now trying the creds of the Matt user
We got in successfully and are presented with a dashboard, looking for its exploit in metasploit
I used the number 2 exploit, which was Package Update RCE
Setting up the options
Time to run the exploit
We got a command shell as root; getting a proper tty shell and grabbing the root flag