Postman

This is my first machine and I’m stuck getting the initial foothold. I guess I’m on the right path but can’t get through it after a number of attempts. I’m still getting Permission Denied error and hence unable to go further.

May someone, please give me a push? Thanks!

Type your comment> @sh00b0mb said:

This is my first machine and I’m stuck getting the initial foothold. I guess I’m on the right path but can’t get through it after a number of attempts. I’m still getting Permission Denied error and hence unable to go further.

May someone, please give me a push? Thanks!

Got the User as well as the Root.

Special Shoutout to @eviltor13 and @luckyUser for showing the right direction.

PM me if you need a push!

My First machine, definitely feels good :smile: Thanks hack the box and @TheCyberGeek

ROOTED, Thanks for the hints.
PM me if you need nudges.

After a good amount of learning, I managed to root it

small tip for some of the later steps, take notice that the server is running in SSL mode; adjust your tools or techniques accordingly. Lesson learned, overlooking something seemingly small will cost you some time.

Stuck on the M********t wn re using M creds.
I have flipped the flag needed, but am receiving the following message:
“Exploit completed, but no session was created.”

I have a feeling I overlooked something, or did not flip everything I needed to. Any pointers would be much appreciated!

ahh, nvm

Hello guys,
I’ve already rooted postman. However I’ve only exploit W*****n and I got a reverse shell with root priv with that exploit.
I wonder know what are the other methods.
Thank you!

Rooted. Hints:

Initial Foothold: Download the service in question and see where it’s typical home directory is. Then update the exploit script accordingly.
User: Search around for a useful file. What…it’s not working? Check the config to see why. Then remember that users are lazy and can’t be bothered to remember multiple passwords
Root: Take a look at that service that you thought would be useful when you first scanned, but didn’t have the right equipment to exploit it at the time. Maybe you have the right equipment now that you’ve gotten user…

i got user flag friends…but 10.10.10.160:10000 not loading
shows error message “ssl enabled visit https://postman:10000/ instead”
but the page is also not responding
so that I cant login using creds!!!
anyone have any idea…
please help me…thanks

@manasramesh said:

i got user flag friends…but 10.10.10.160:10000 not loading
shows error message “ssl enabled visit https://postman:10000/ instead”
but the page is also not responding
so that I cant login using creds!!!
anyone have any idea…
please help me…thanks

Add the hostname to your hosts file :wink:

Finally I’m done my very first box after learning a lot
Thank you for everyone who gave me a hints

hi everyone,
This is my third box but I try all exploit for the 3 ports ( 22,80,10000) but nothing.
do I have to use brute force ? I don’t think…

Type your comment> @TazWake said:

@Zwm8e said:

could someone pm me a hint for initial access? i’ve found r***s but can’t seem to do anything with it. i just get permission denied changing directory

Postman - #978 by TazWake - Machines - Hack The Box :: Forums

This still doesn’t work. I have the book, tried it step by step, tried the packetstormsecurity method too, and still having the permissions error

Literally no guide on the R***s exploit is working no matter if I try and bypass the permissions error. No idea what’s going on.

Please PM if you can assist me, I can show you what I have done already

@Fratouth, you need to do some more port enumeration.

Ok… took me like ages to figure out that the s** folder in the initial r***s part is just totally not where I would have expected it. :wink:

So I’ve been trying to get an initial foothold and have been trying every script that I have found on github.

I can’t seem to get a connection back to my listener.

Almost certain I am overlooking something, would appreciate a nudge in the right direction.

@Fratouth said:
hi everyone,
This is my third box but I try all exploit for the 3 ports ( 22,80,10000) but nothing.
do I have to use brute force ? I don’t think…

You’re missing something.

Scan EVERYTHING.

Just rooted… Had to follow some steps that i would not think by myself for redis-cli because i couldn’t use the exploit properly (i believe i missed something)… If anyone used the exploit get the first acess can you pm me your walkthrough? Thanks

Type your comment> @Celli said:

Just rooted… Had to follow some steps that i would not think by myself for redis-cli because i couldn’t use the exploit properly (i believe i missed something)… If anyone used the exploit get the first acess can you pm me your walkthrough? Thanks

So I was exactly the same. I was following the Cookbook, the Medium blog post, Packetstorm, etc. Then I gave up, went to eat and try another box and shut everything down. I then followed the path that I was using before, but instead just asked for the directory, set it, saved, quit then used s** to get in.

I honestly believe there was something wrong with the box for the past few hours as I was doing the same technique for hours upon end with no joy

Edit* I was stuck on the automated exploit - just make sure you are paying attention to case…uhhhh