HackTheBox – Postman Writeup [10.10.10.160]

Hello All, welcome to nav1n.com.

Here is my first post of this new blog. Let us start with a new active machine, Postman. It is an easy-level, Linux-based machine.

Let’s start.

As usual, add the IP of the machine 10.10.10.160 to /etc/hosts as postman.htb for easy enumeration.

Enumeration

To get started, I performed an nmap scan. The result is below:

I found SSH on port 22, a web server on port 80, MiniServ 1.910 (Webmin httpd) on port 10000 and, interestingly, a Redis key store on port 6379.

As usual, http://postman.htb didn’t reveal anything useful, so let’s move to another port 6379.

A quick Google search showed me a possible exploit written by Avinash on GitHub: https://github.com/Avinash-acid/Redis-Server-Exploit. This exploit gives shell access on the target system if the Redis server is not configured properly and is exposed to the internet without any authentication.

However, this exploit can inject an RSA key to connect via SSH, with a valid user. After a while, I saw someone mention in the HTB forum that there is an accessible route in /var/lib/redis. To get that route we need to modify the exploit code.

So, I replaced the following code:

Exploit

So, after updating the above, I ran the Python exploit immediately.

Aaandd… we have the SSH access as user redis.
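From the defender's side, the condition described above (a Redis server reachable from the network without authentication) can be checked in `redis.conf`. The following is an added example, not part of the original post or the linked exploit; the two sample configurations and the finding names are constructed, and the check assumes the last occurrence of a directive wins.

```python
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Constructed sample configurations (not copied from the target machine).
SAMPLE_EXPOSED = """
bind 0.0.0.0 ::1
protected-mode no
port 6379
dir /var/lib/redis
"""
SAMPLE_HARDENED = """
bind 127.0.0.1 ::1
protected-mode yes
requirepass "constructed-long-random-secret"
rename-command CONFIG ""
dir /var/lib/redis
"""

def parse_conf(text):
    """Return [(directive, [args])] from redis.conf text, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles quoted values such as ""
        entries.append((parts[0].lower(), parts[1:]))
    return entries

def audit(text):
    """Return sorted finding names for settings that leave Redis open."""
    last, renamed = {}, {}
    for name, args in parse_conf(text):
        if name == "rename-command" and len(args) == 2:
            renamed[args[0].upper()] = args[1]
        else:
            last[name] = args
    findings = set()
    binds = [a.lstrip("-") for a in last.get("bind", [])]
    if not binds or any(a not in LOOPBACK for a in binds):
        findings.add("listens-on-non-loopback")   # no bind = all interfaces
    if last.get("requirepass") in (None, [], [""]):
        findings.add("no-requirepass")            # clients need no password
    if last.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.add("protected-mode-off")
    if renamed.get("CONFIG") != "":
        findings.add("config-command-enabled")    # runtime reconfiguration not disabled
    return sorted(findings)
```

An empty result for the hardened sample and four findings for the exposed one show which directives close the gap.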

Post Exploit – Finding me the way in

Without wasting a moment, I started looking for hints and found the id_rsa.bak in the /opt directory.

Now that I have the RSA private key, I need to crack it and find the possible password for the user Matt. Let's see if John can do the job for me.

I copied the key to my Kali and converted it to a hash using ssh2john.

And then I let john crack the hash using rockyou.txt.

I realized that the cracked password “computer2008” is user Matt’s password.

So I tried to switch from user redis to Matt using the su Matt command. The user Matt has a password, so I used the same cracked password and, well, well, well, we are now logged in as user Matt.

Grabbing User.txt

Without wasting a minute, I grabbed user.txt.

So, I found that the user Matt has access to the Webmin panel. So, I made a quick Google search to find a Webmin exploit. I actually found one, but someone suggested to me that Metasploit has a working exploit built in.

Rooting

So, I fired up Metasploit.

Grabbing the Root.txt

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523

imd
7 months ago

Well, went the exact route, just skipped the Python script modification, gave it redis user )
