Walkthrough Postman

Hackthebox - Linux Machine

Posted by rmn0x01 on Sunday, June 8, 2025

Exploiting a Linux machine that exposes an unauthenticated Redis server.

Intro

Postman

Recon

Start with an Nmap scan.

Found port 80 (web); saved for later.

Probing the default ports turned up Redis on its default port, 6379.

Redis Exploit

According to this article, we can smuggle our SSH public key into an unprotected Redis server with these steps:

  1. Generate an RSA key pair

  2. Craft a payload

  3. Smuggle it in

  4. On the Redis side, open redis-cli (remember, the Redis server is unprotected)

  5. SSH time!
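The steps above only work because the Redis instance accepts commands from the network without authentication. As an added example (not from the original post), this Python script audits the text of a redis.conf for the settings that leave an instance in that state; the sample configs and finding names are constructed for illustration, and ACL-based authentication is assumed not to be in use.

```python
import ipaddress
import shlex

# Constructed sample configs for illustration (not taken from the Postman host).
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass "replace-with-a-long-random-secret"
rename-command CONFIG ""
"""

def parse_directives(text):
    """Map each redis.conf directive to the list of its argument lists."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)
            directives.setdefault(name.lower(), []).append(args)
    return directives

def is_loopback(addr):
    """True only for loopback IPs; '*' or anything unparsable counts as exposed."""
    try:
        return ipaddress.ip_address(addr.lstrip("-")).is_loopback
    except ValueError:
        return False

def audit_redis_conf(text):
    """Return sorted finding IDs; an empty list means no check fired."""
    d = parse_directives(text)
    findings = set()
    # Assumption: only requirepass is inspected; ACL users/aclfile are ignored.
    password = d.get("requirepass", [[""]])[-1]
    if not password or not password[0]:
        findings.add("no-auth")
    if d.get("protected-mode", [["yes"]])[-1] == ["no"]:
        findings.add("protected-mode-off")
    # With no bind directive Redis listens on every interface.
    binds = d.get("bind", [["*"]])[-1]
    if not binds or not all(is_loopback(a) for a in binds):
        findings.add("non-loopback-bind")
    # CONFIG left callable lets any connected client change runtime settings.
    if not any(a and a[0].upper() == "CONFIG" for a in d.get("rename-command", [])):
        findings.add("config-command-available")
    return sorted(findings)
```

Run `audit_redis_conf` on the contents of the deployed redis.conf; every finding ID it returns is a setting to fix before port 6379 is reachable from other hosts.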

Recon as Redis

Now that we have access to the server as the redis user, we start another recon session and enumerate all files and directories. This turns up /opt/id_rsa.bak.

Escalate to Matt’s User

With Matt’s id_rsa in hand, we can run John the Ripper (via ssh2john) to brute-force the password.

Password: computer2008

Try switching to user Matt with the password above.

Voila! We have access as Matt and our user flag.

FLAG user : 517ad0ec2458ca97af8d93aac08a2f3c

Recon as Matt

Circling back to the ports discovered by nmap above, port 10000 serves a Webmin login page. Logging in with Matt’s credentials (Matt:computer2008) gets us into Webmin.

Knowing the version is 1.910, we’ll use a combination of searchsploit and msfconsole to find an exploit for this exact version of Webmin.

Exploit

Use msf5 to run the exploit.

Root access gained :), read the flag and we’re done!

FLAG ROOT : a257741c5bed8be7778c6ed95686ddce