HTB Walkthrough: Postman

d3adw0k
5 min read, Nov 30, 2023


Postman is a retired machine running on Linux. The whole deal kicks off with a misconfigured Redis service just waiting to be exploited. Drop your public key in there, and boom, you’re SSH-ing into the box. Then comes this encrypted SSH private key, but don’t sweat it — a little John the Ripper action and you’re in as a user. And for the grand finale, snagging root involves cozying up to an authenticated vulnerability with the help of our good friend Metasploit.

First thing I do is of course nmap:

nmap -sS -sV -p- <IP> 

From the scan, there are 4 ports open. I won’t even bother with port 22 right now because OpenSSH 7.6p1 is still fairly new and there is no exploit suitable for it at the moment. Port 80 is running Apache httpd 2.4.29, and port 10000 is running MiniServ 1.910 (Webmin httpd).

Port 80

The page says it is under construction.

I ran gobuster to see if we can find some interesting directories.

gobuster dir -u http://<IP> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Found a few directories, but there is nothing really interesting here. Let’s move on.

Port 10000

Interesting. I followed the link and it led me to a Webmin login page. I tried to log in using basic credentials like root:password, but it doesn’t work.

Knowing the version, MiniServ 1.910 (Webmin httpd), let’s do a quick search for exploits using searchsploit.

There are a few exploits available for Webmin. The one that fits this version requires a valid login. Let’s keep digging; hopefully we can find some credentials.

Port 6379

Let’s see if we can interact with Redis.

redis-cli -h <IP>

Boom! No authentication needed. Let’s check which directory Redis is currently writing to. Knowing that a .ssh directory exists inside the redis user’s folder, we are going to point Redis’s working directory at it.

config get dir
config set dir /var/lib/redis/.ssh

This article by Victor Zhu goes into detail about how this Redis misconfiguration is attacked. We can generate a private/public key pair for SSHing into the target machine. Using what I learned from the article, I generated an SSH key pair with the ssh-keygen command, leaving the passphrase empty:

ssh-keygen -t rsa -f <name>

Next, copy the public key into d3ad.txt, padded with newlines so it survives being written out by Redis, using the command:

(echo -e "\n\n"; cat d3ad.pub; echo -e "\n\n") > d3ad.txt

I then smuggle the key into the victim’s Redis instance with the redis-cli command:

cat d3ad.txt | redis-cli -h <IP> -x set crackit

I then save what’s in memory to a file called authorized_keys inside that .ssh directory.
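Seen from the defender’s side, this box hinges on three Redis settings: no requirepass, a bind that exposes the service, and the CONFIG command left reachable so dir and dbfilename can be rewritten before SAVE. The following audit script is an added example, not code from the original post or from the Redis project; the two redis.conf snippets are constructed samples, and the placeholder password is obviously not a real secret.

```python
"""Audit a redis.conf for the settings that let an unauthenticated client
rewrite files on disk via CONFIG SET dir / dbfilename followed by SAVE."""

# Constructed sample configs, not taken from the box or the original post.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
# requirepass is commented out, so no AUTH is needed
# requirepass changeme
dir /var/lib/redis
"""

HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
dir /var/lib/redis
"""

def parse_conf(text):
    """Return {directive: value}; rename-command may repeat, so it is a list."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "rename-command":
            conf.setdefault(key, []).append(value.split())
        else:
            conf[key] = value.strip()
    return conf

def audit(conf):
    """Return a list of findings; an empty list means no weak setting found."""
    findings = []
    if not conf.get("requirepass"):
        findings.append("no requirepass: any client may run CONFIG SET and SAVE")
    bind = conf.get("bind", "").split()
    if not bind or "0.0.0.0" in bind or "*" in bind:  # no bind = all interfaces
        findings.append("bind exposes Redis on all interfaces")
    if conf.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode is disabled")
    renamed = {a[0].upper() for a in conf.get("rename-command", []) if a}
    if "CONFIG" not in renamed:
        findings.append("CONFIG command is still reachable; rename or disable it")
    return findings
```

Run audit(parse_conf(open("/etc/redis/redis.conf").read())) on a real host; the weak sample above produces four findings and the hardened one none.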

Now, let’s try to get in over SSH using our new key.

We are in! Time to poke around.

ls -al

.bash_history seems interesting, let’s cat it.

Who is Matt? Is he a user? Let’s cat /etc/passwd to find out.

Let’s see what else he owns.

find / -user Matt 2>/dev/null

A backup of an RSA key? A key normally used for SSH? Interesting. Let’s grab that file.

After saving it as a text file, we need ssh2john to convert it into a format John can read. Seems like I’m running into some issues here.

ssh2john.py matt.txt

Okay, not gonna lie, I am very bad with any type of scripting. But luckily, a quick Google search took me to Aaditya Jain’s post on LinkedIn. It seems that on line 103, I just had to change `data = base64.decodestring(data)` to `data = base64.b64decode(data)` and this will make the script work. Now let’s try it again.

Nice! Now save it as hash.txt using:

python3 rip.py matt.txt > hash.txt

Cracked the hash using John and got the password for the user Matt. The same password works on the Webmin login page from earlier too.

Metasploit

Now that we have a username and password, we can use the exploit we saw earlier.

Aaannndddd we are in!

Now you just have to search for the flags and you’re done.

Happy Hacking :)
