Things I have learned

  1. How to check Redis for the unauthenticated-access weakness using redis-cli.
  2. Detailed enumeration with nmap; on my first scan I did not discover the Redis port.
  3. How to enumerate with redis-cli.

NMAP enumeration

nmap -sC -sV -p- -oN postman -vvv
-p- is shorthand for -p 1-65535, so this option scans all ports.

From the enumeration results, the ports of interest are tcp/80, tcp/6379 and tcp/10000.

Web page

I am looking at the web page to see what is interesting; however, it is a static page. Whenever there is a web page it is always good to do web fuzzing with dirb, dirbuster or gobuster.
gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster_result

Browsing the Webmin login page

TCP/10000 is the Webmin login page, but the page shows an error because it does not redirect.
post2, at first I added a host entry in my /etc/hosts, but this is not necessary; just change to which presents a login page.
I tried some simple SQL injection tests to see if Webmin would throw any SQL error, using '# and ' or 1=1# in the username field.
But the Webmin login page did not react to the simple SQL injection tests.
Searching the web I noticed Webmin 1.9.1 has a “Package updates” remote code execution exploit. However, to use it I need a username and password that can run package updates, and because I have not obtained any credentials yet I will be coming back to this later.

Exploiting redis 4.0.9 to gain ssh connection

This is a good read on how to exploit redis with redis-cli.

My Kali Linux did not have redis-cli, so I installed it with apt install redis-tools.

The first step is to check whether I can execute commands such as config get dir or config get *. To connect to Postman use redis-cli -h , or run the command in one go like redis-cli -h config get dir; config get dir returns the current working directory of the connected user (which is redis).
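The same check, written as an added audit helper rather than code from the writeup: a minimal RESP client (standard library only) that sends CONFIG GET dir without AUTH and reports whether the instance answers, so a defender can confirm a Redis listener is protected. The verdict strings and the VERDICTS table are my own; the NOAUTH, DENIED and "ERR unknown command" prefixes are what Redis replies when requirepass, protected-mode or a rename-command is in place.

```python
import socket

# Added audit helper, not code from the writeup: a minimal RESP client that
# sends CONFIG GET dir without AUTH and reports whether the instance is exposed.
VERDICTS = (("NOAUTH", "protected: requirepass is set"),
            ("DENIED", "protected: protected-mode refused the client"),
            ("ERR unknown command", "protected: CONFIG is renamed or disabled"))

def resp_encode(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings."""
    out = b"*%d\r\n" % len(args)
    for raw in (a.encode() for a in args):
        out += b"$%d\r\n%s\r\n" % (len(raw), raw)
    return out

def _decode_at(data: bytes, pos: int):
    """Decode one RESP value at pos; return (value, position after it)."""
    end = data.index(b"\r\n", pos)
    kind, line, pos = data[pos:pos + 1], data[pos + 1:end], end + 2
    if kind == b"+":
        return line.decode(), pos
    if kind == b"-":                     # error reply, e.g. NOAUTH / DENIED
        return RuntimeError(line.decode()), pos
    if kind == b"$":                     # bulk string; length -1 means nil
        size = int(line)
        return (None, pos) if size < 0 else (data[pos:pos + size].decode(), pos + size + 2)
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            item, pos = _decode_at(data, pos)
            items.append(item)
        return items, pos
    raise ValueError("unknown RESP type %r" % kind)

def resp_decode(data: bytes):
    return _decode_at(data, 0)[0]

def classify_config_reply(reply) -> str:
    """Turn the CONFIG GET dir reply into an audit verdict."""
    if isinstance(reply, RuntimeError):
        msg = str(reply)
        return next((v for p, v in VERDICTS if msg.startswith(p)), "error: " + msg)
    if isinstance(reply, list) and len(reply) == 2 and reply[0] == "dir":
        return "EXPOSED: unauthenticated CONFIG GET works, dir=" + reply[1]
    return "unexpected reply: %r" % (reply,)

def audit_redis(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    # Connect without AUTH, send CONFIG GET dir and classify the answer.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(resp_encode("CONFIG", "GET", "dir"))
        return classify_config_reply(resp_decode(sock.recv(4096)))
```

An EXPOSED verdict is the condition the rest of this section relies on; the fix is requirepass, bind to localhost or protected-mode, and renaming CONFIG in redis.conf.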


Since I can execute commands without authentication, I can change the current working directory and also set the dbfilename like this:

I can generate my own RSA key pair and submit the public key to Postman through redis-cli without authentication. These are the steps:

ssh-keygen -t rsa -f /root/htb/postman/id_rsa, where /root/htb/postman/id_rsa is the path where I want to save the key pair.


Insert two newlines at both the head and the tail of id_rsa.pub like this: (echo -e "\n\n";cat id_rsa.pub;echo -e "\n\n") | tee payload.txt

This payload.txt will be piped into redis-cli to submit it to Postman.

cat payload.txt | redis-cli -h -x set redis_rsa

Try to establish SSH to Postman as the redis user. Before connecting, chmod 600 the key like this chmod 600 id_rsa.pub, then connect with the private key like this ssh -i id_rsa redis@

After an SSH connection was gained, I changed directory to /home and, listing it, discovered a directory named Matt. The user.txt file was owned by Matt and only users in the Matt group can view the file.

As expected, redis is not in the Matt group.

Escalate to Matt user

Find files related to the Matt user with the find command: find / -type f -user Matt 2>/dev/null
This command finds all files owned by the Matt user and hides all error messages with 2>/dev/null.

There is a key at /opt/id_rsa.bak; checking its permissions reveals that others can also read the file.

So I copied the contents of the RSA key and pasted it on my own Kali Linux machine. In HTB, whenever you find an RSA key, take its contents, use ssh2john to convert it to a hash, then use john to crack the passphrase.


I usually use rockyou.txt as the wordlist to brute-force the RSA key passphrase: john --wordlist=/usr/share/wordlists/rockyou.txt hash.

The discovered passphrase cannot be used to log in directly through SSH as the Matt user.

This is because Matt is denied SSH logon.

But… switching to Matt with su - Matt and the discovered password works.


Privilege escalate to root

With Matt’s credentials I tried to see if I could use them to log on to Webmin.

Well, Matt has rights to update packages, which makes this exploit very usable.

In my exploitdb the exploit for Webmin 1.9.1 Package Update remote code execution is available.

Searching for the exploit in Metasploit I found that it is readily available there.

I modified a few parameters in the exploit as below:

Then I ran the exploit and escalated to root.

