HackTheBox - Postman


01:00 - Start of nmap scan
01:45 - Checking out the website, trying to identify what technology runs the site
03:20 - Nmap scan finished, start more recon (GoBuster and full nmap port scan)
07:00 - Trying to find out when the website was stood up with exiftool
09:00 - Full nmap showed the Redis port, initial poking
10:55 - Searching the internet for things you can do with a Redis server
14:50 - Dropping a webshell didn't work, let's try dropping an SSH key
16:30 - Discovering the location of a .ssh directory by guessing the default (/var/lib/redis/.ssh)
19:30 - Got a shell on the box!
22:00 - Running LinPEAS
29:45 - Running LinEnum twice (once with thorough mode enabled) to make sure we have good recon
33:10 - Discovering Matt logged in at a time we did not previously have
36:07 - Discovering an encrypted SSH key, cracking the SSH key with John
40:00 - SSH failing to work, decide to just use "su" to switch to the Matt user
42:00 - Discovering we can log in to Webmin with Matt
42:48 - Running searchsploit, then using Metasploit to exploit Webmin
45:30 - Root shell returned, set Metasploit to go through Burp and play with it until we get the exploit working

Reviewed by Anonymous on March 14, 2020. Rating: 5