
The walkthrough of the Postman box from HTB.

Description:

Another easy box from Hack The Box, released on 02 NOV 2019, running Linux, with IP 10.10.10.160.
Briefly, exploiting the Redis service gives us access to enumerate and find credentials that let us exploit Webmin and pwn the box.
Let's see this process in more detail!

[1] Information gathering:

As usual, I start the information gathering process with an nmap scan to find all open ports and services.
Note: I added 10.10.10.160 to /etc/hosts as postman.htb.
Nmap takes a long time to scan all ports, so we can start with a quick scan first and follow it with an in-depth scan.

nmap -sV -sC -A -p- postman.htb | "scanning all ports and services with nmap tool"
I found 4 open ports, as follows:
[22, ssh]
[80, http]
[6379, redis v4.0.9]
[10000, miniserv v1.910] 

Then I used the gobuster tool to brute force directories, and I didn't find anything interesting.

gobuster dir -u http://postman.htb/ -w /usr/share/dirb/wordlists/common.txt | "gobuster tool used to brute force directories and files with different options"

Port 10000 gives me a login panel, but I didn't have credentials to log in, and the exploits for this version require credentials to work.

[2] Scanning:

I searched for exploits for the Redis service and found one that abuses unauthenticated Redis to get an SSH connection.

[3] Exploitation:

This script requires an IP address and a path to create the SSH access, so after searching on Google I found the path to the redis user's directory and edited the script as follows:

Note: don't try anything you don't understand, and remember that Google is your best friend.

After finishing the script, I executed it and it gave me a shell with the redis user's permissions.
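As an added example that is not part of the original write-up: the Redis technique above only works because the instance accepts commands without authentication and lets any client change where it saves its data. The script below is my own hypothetical helper (audit_redis_conf, with both sample configs constructed inline) that checks a redis.conf for the settings that close that path, so you can see what an exposed instance looks like next to a hardened one.

```python
# Added example, not from the write-up: audit a redis.conf for the
# settings that let an unauthenticated client write files via Redis.

# Constructed sample: roughly what an exposed instance looks like.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
dir /var/lib/redis
"""

# Constructed sample: the same instance with the gaps closed.
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
requirepass "replace-with-a-long-random-secret"
rename-command CONFIG ""
rename-command SAVE ""
rename-command FLUSHALL ""
"""

def parse_redis_conf(text):
    """Split a redis.conf body into plain settings and renamed commands."""
    settings, renamed = {}, set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: Redis ignores it too
        key, _, val = line.partition(" ")
        if key.lower() == "rename-command":
            renamed.add(val.split()[0].upper())  # e.g. CONFIG ""
        else:
            settings[key.lower()] = val.strip()
    return settings, renamed

def audit_redis_conf(text):
    """Return the hardening gaps found, as human-readable strings."""
    settings, renamed = parse_redis_conf(text)
    findings = []
    bind = settings.get("bind", "")  # no bind line = every interface
    if not bind or "0.0.0.0" in bind:
        findings.append("bind: not loopback-only, set bind 127.0.0.1")
    if not settings.get("requirepass", "").strip('"'):
        findings.append("requirepass: unset, anyone can run CONFIG SET and SAVE")
    if settings.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode: disabled")
    for cmd in ("CONFIG", "SAVE", "FLUSHALL"):
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} still reachable by name")
    return findings
```

Run it against your own /etc/redis/redis.conf; an empty list means none of the checked gaps are present.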

[4] Privilege Escalation:

I enumerated the box for privilege escalation and found an SSH key.

It was protected by a passphrase, so I used the john tool to crack the passphrase with the rockyou wordlist.

/usr/share/john/ssh2john.py matt.key > matt.hash | "this command converts the key into a hash format that john can crack"
john --format=SSH matt.hash --wordlist=/usr/share/wordlists/rockyou.txt | "john tool used to crack different hashes"

Now we have a user called ‘Matt’ and a password ‘computer2008’. I tried these credentials several times but they didn't work, because I was typing ‘matt’ instead of ‘Matt’! Believe me, I spent an hour enumerating again because I didn't pay attention to case sensitivity!

I tried these credentials on Webmin and finally it let me in.

I searched for exploits for this version and found one in Metasploit.
I used it, provided the necessary options, and it gave me root permissions.

The root and Matt flags were as follows:

Finally, thank you, and I hope you learned something new!

For any questions, you can find me on:
