4 min read
March 14, 2020

HackTheBox Writeup: Postman

Postman was an easy rated box which was a short and fun romp. A vulnerability in redis lead to a low privilege shell then a ssh private key with a weak passphrase allowed lateral movement. Finally, password reuse combined with a Webmin exploit was used to get root access.

Enumeration

nmap scan:

Let's check out http:

Nothing stood out there so let's check out Webmin:

This version of Webmin has vulnerabilities:

The unauthenticated exploits did not work so I put this aside after trying creds like admin/admin, admin/password.

After doing a bit more enumeration on the website and turning up nothing, I ran a full port scan which discovered an open redis port:

I connected to the redis port with netcat and confirmed that authentication was not needed:

Initial Foothold

Searchsploit showed that there was a possible vulnerability:

The Metasploit exploit did not work so a googling I went. I landed on this page talking about exploits based on master/slave replication exploits of redis but I had issues with redis modules not working. With a bit more searching I found this exploit that looked promising. Running it as-is gave a bunch of errors so at this point I installed redis-cli to and did some more enumeration. Here I checked out the configuration:

Towards the end of that I see an interesting path:

Aha! The script on github was trying to write to the authorized_keys in /home/redis/.ssh:

I changed some other paths to make things work - here's the diff between the original and mine:

I tried running the script again and this time it worked without any errors, giving us a stable shell as redis:

User Pivot

Redis' .bash_history file had some interesting activity:

There are a couple of things to take away from this. The redis user uses the command su Matt quite a bit. Also, 'id_rsa.bak' caught my eye. I started enumerating the system and eventually found this file in /opt:

I copied and pasted the contents of this file into an id_rsa file on my system and tried to ssh in as Matt only to find it had a passphrase on it. ssh2john was used to output a file that John The Ripper could crack:

This file was cracked in short order:

Trying to ssh in as Matt with the id_rsa file failed:

However, the password worked for su:

User flag:

Privilege Escalation

I took the creds over to Webmin was able to log in with Matt/computer2008:

Remember the Webmin exploits from earlier that needed creds? I used this Metasploit exploit with the following options:

Executing the exploit yielded a root shell:

Root flag: