Hack The Box – Postman Box Writeup By Nikhil Sahoo

Introduction

Back with a new blog. Today we will go through the walkthrough of the Hack The Box machine Postman, which retired very recently. It was actually a fairly easy box and was based on Linux. So without further ado let’s begin…

 

 

Recon

We’ll start with our recon by doing an Nmap scan.

nmap -T4 -A -p- 10.10.10.160

 

As we can see, port 80 is open, so let’s check that first in our browser.

So nothing much interesting here.

 

Exploitation

We do see that port 6379 is open, which is used by the Redis server (a data structure store used as a database). After a little googling, we can find an exploit which takes advantage of a misconfiguration and authentication flaw. All we need is the IP address and a username. So let’s just guess the user to be redis.

python redisexploit.py 10.10.10.160 redis

Here is the link of the exploit.

 

And we are in, but we still won’t be able to access the user flag. So let’s first check all the users on the machine by viewing the /etc/passwd file…

 

So probably Matt is the user that we need to target.

After looking through the files in the directories for a bit, we can find an SSH private key backup inside the /opt directory.

 

Let’s transfer that to our host machine first, and then we can try to crack it using John. But John cannot crack this key directly, so we need to convert it to a format John can work with. This can be done using ssh2john.

ssh2john id_rsa > hash

 

Now let’s start John the Ripper to crack this hash. We will be using the rockyou wordlist to crack it.

So the password is computer2008  !!!

Let’s try to elevate our privileges to Matt by doing su Matt and once we are in we should be getting our user flag.

And we got our user flag !!!

 

Privilege Escalation

Now moving on for our root flag.

If we recall, we had found Webmin running on port 10000. Searching a little bit on Google, you’ll come across an authenticated remote code execution vulnerability in Webmin 1.910 and lower versions, wherein any user authorized to the “Package Updates” module can execute arbitrary commands with root privileges, and we also have a Metasploit module for it.

So let’s start the Metasploit Framework by typing in msfconsole. But make sure your Metasploit is up to date, or you can simply add that particular Ruby file manually.

Once Metasploit is up, type in the command below to use that particular exploit.

use exploit/linux/http/webmin_packageup_rce

Type in show options to list all the fields that are required for this exploit to run, like setting up your remote host, IP, username and password, and do not forget to set SSL to true.

Once everything is set, type in run

 

So we got our reverse shell. Now move onto the /root directory to get the root flag.

 

That explains it all.

So that’s it for now. See you next time. Goodbye!

You can have a look at my previous article on Hack The Box: Wall Box Walkthrough. Here is the link of the article
