Postman retired the 14th of March 2020, and now we can publish it's write-up freely.
Let's go a head and do a scan using nmap :

nmap's results

We see that we have 4 ports, SSH, HTTP, and 2 others... If we check the web server with the port 10000 we'll have something like the following :


And about the other port (6379), as you can see it is a Redis-cli port...

If you searched for some redis exploit you'll find this one on github :

This will give you shell access on the target system if redis server is not configured properly and faced on the internet without any authentication - Avinash-acid/Redis-Server-Exploit

It simply create a new pair of keys (public and private) and it sends it to "authorized_keys" in the redis home directory which is : /var/lib/redis/.ssh/authorized_keys.

You will have something like this after running the script :

Boom !! We got a shell... Now time to enumerate

First thing I did is I looked for any *.bak files :

We found a private key... Let's copy it and crack it using john.

You should have something like this... Now again JOHN

First of all we get a hash from the private key :

And then we bruteforce it using John with rockyou.txt

Bingo we have the pass "computer2008" you can get the username just by doing "ls /home" in redis ssh session, The user is Matt... Let's get that user flag.

On the redis ssh session let's switch the user to Matt :

and then "cat /home/Matt/user.txt"


For the root, we must not forgot that we have a webmin open port... We're going to use metasploit for this part

Let's put in the informations

There you go :

Now "cat /root/root.txt" and you owned the root flag...

I hope you liked this write-up, we will publish more write-ups in the future. Untill then seeyaa :D