Postman

Rooted my first machine on HTB. Thanks to @Tupi for guiding. It was great learning and understanding of the tools like:

  • J***
  • R****
  • M*********

Feel free to reach out in case you need help.

Lessons learned:

  • Try every option available
  • Try again if not successful at first
  • Reset the parameters
  • Note down the steps

So I’ve logged in as M*** but I don’t understand how it works. The password you discover for M*** by cracking the file is simply a passphrase for a SSH key pair. I basically used the switch user command and used that passphrase and that works but that does not make sense and it assumes the passphrase to generate the SSH key pair is the same as the user login. Okay, fair enough… However…

When I login as M*** through switch user, I look at the ssh keys for M***. I see another private key there which I copy to my kali machine and generate the public key from that public key. Now, surely I can now login to Postman as M*** through SSH using the key pair I have generated? For example ssh -i id_rsa_m*** M***@10.10.10.160.

This does not work. The only way I can login as M*** is by switching user using the passphrase I cracked earlier which does not really make sense anyway because the passphrase on a ssh key pair is not necessarily the same as a linux logon. My main question is: why can I not login as M*** using the SSH keys I have discovered directly?

Finally User and Root. Thanks @TheCyberGeek, I learned a lot because this is my second machine.

Hints for initial shell: Read documentation and understand what command of r***s-cli can say the path you are finding. After that, you can modify the exploit and enter.

Hints for User: remember how you can see what did the owner of this machine. This is a great history.

Hints for Root: You have four open ports… Maybe you can access now.

@hellsheep said:

So I’ve logged in as M*** but I don’t understand how it works. The password you discover for M*** by cracking the file is simply a passphrase for a SSH key pair. I basically used the switch user command and used that passphrase and that works but that does not make sense and it assumes the passphrase to generate the SSH key pair is the same as the user login. Okay, fair enough… However…

When I login as M*** through switch user, I look at the ssh keys for M***. I see another private key there which I copy to my kali machine and generate the public key from that public key. Now, surely I can now login to Postman as M*** through SSH using the key pair I have generated? For example ssh -i id_rsa_m*** M***@10.10.10.160.

This does not work. The only way I can login as M*** is by switching user using the passphrase I cracked earlier which does not really make sense anyway because the passphrase on a ssh key pair is not necessarily the same as a linux logon. My main question is: why can I not login as M*** using the SSH keys I have discovered directly?

As far as I know, user ‘M’ does not have direct SSH access to the server. You don’t need it to get the root flag, anyway. Just enter the first account you get the foothold on and switch to ‘M’ via the ‘su’ command like you’ve been doing.

Rooted. And my first root/user at that!

@luckyUser thanks for the explanation. What I don’t understand is that for ‘M’ there exists an “authorized keys” folder with a key pair. This key pair is different from the one we find as “R”. People keep messing with the “R” service and I was tired of needing to go through that process every time so I decided to exfiltrate these keys, thinking that I could then login directly as “M” using SSH. No dice. Can anyone verify that this is the case or am I making some mistake?

I’ve already rooted, I am just looking to improve my understanding.

Wow, Postman had me stumped! I could not figure out some small details (which have been discussed in this thread enough, I guess), so it took me ages to get the initial foothold. Once I got that, the rest was feeling somewhat…too easy, I guess.

I still have no idea how to get the user flag, as I went straight from initial to root.

If anyone wants to show me how they did it, please tell me in a PM, I’m curious. I’ll send you the point where I got stuck if you want. I think there’s something in there I can learn!

Initial: Learned a lot about a thing that I have used only once before, that was new, thanks!
User: Still no clue!
Root: Quite easy after you figure out that someone was a bit careless about conserving…

Thanks to @TheCyberGeek for making this box. Despite the frustration I felt, I learned something and that’s why I’m here :slight_smile:

Fun little box, thanks @TheCyberGeek! This was only my second (active) box and I was somewhat surprised to see that I could immediately reuse some of the things I learnt on OpenAdmin :slight_smile:
Shoutout to @5H3LLKiller and @mohabaks for helping me get over that john “hurdle” I completely brainfarted on … :sweat_smile:
Does anyone know whether there’s a way to root without m********t?

@hellsheep, take a look at the sshd_conf file and I believe you will know why you can’t SSH in at M***
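What the sshd configuration hint above points at, as an added example that is not part of any post in this thread: sshd applies its own per-user access rules before a key is ever checked, while `su` is a local login that never consults that file. The sample config and the user names `alice` and `deploy` are constructed for illustration, and the checker is a simplification that reads only the global section.

```python
from fnmatch import fnmatchcase

# Constructed sample; not taken from any real host. User names are hypothetical.
SAMPLE_SSHD_CONFIG = """\
# constructed example
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
DenyUsers alice
"""

def parse_global(text):
    """Parse the global section of an sshd_config-style text.

    Returns (single, lists): single-valued options keep their first value,
    AllowUsers/DenyUsers accumulate across repeated lines.
    Simplification: parsing stops at the first Match block, and USER@HOST
    patterns are treated as plain strings.
    """
    single, lists = {}, {"allowusers": [], "denyusers": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]   # keywords are case-insensitive
        if key == "match":
            break
        if key in lists:
            lists[key].extend(args)
        else:
            single.setdefault(key, " ".join(args))
    return single, lists

def ssh_login_verdict(text, user):
    """Explain whether sshd would even consider a key for this user."""
    single, lists = parse_global(text)
    # sshd evaluates DenyUsers before AllowUsers.
    if any(fnmatchcase(user, p) for p in lists["denyusers"]):
        return "refused: matches DenyUsers"
    allow = lists["allowusers"]
    if allow and not any(fnmatchcase(user, p) for p in allow):
        return "refused: not in AllowUsers"
    if single.get("pubkeyauthentication", "yes").lower() != "yes":
        return "key auth disabled: PubkeyAuthentication no"
    return "allowed: key must still match an entry in the user's authorized_keys"

if __name__ == "__main__":
    for name in ("alice", "deploy"):
        print(name, "->", ssh_login_verdict(SAMPLE_SSHD_CONFIG, name))
```

A "refused" verdict here applies to SSH only; a valid local password still works with `su`, and holding a private key helps only when its public half is listed in that user's `authorized_keys`.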

I found the r**** tut on packetstorm, but the article assumes I know the username of the account in which to drop my key. How do I find that out? I already get a permission denied trying to change to the /home directory.

I'm not sure what I did wrong with nmap, but I was not able to find r***s-cli. I'm all good now.

Hello everyone
I am stuck
I put the key from ***.bk to ssh2john and then put jtr to work using rockyou wordlist
no password found
need a hint
tnx

I’m running the scanner to find usernames…it says found after everyone. R**** Login. I can’t get the initial foothold.

Rooted. Time to get foothold was apparently not well spent. PM for a nudge.
Thanks @TheCyberGeek !

I’m new to this. I entered using r****-c** and another usual tool but I’m lost when I try to change users. Can you PM for a hint?

Rooted :slight_smile: An easy machine for the ones that’ve done enough linux machines. Learned new things too !!
PM if anyone needs some help.

Hi!

System owned! Fun box!

Is the r**** service down for anyone else? I’m noticing I’m unable to do a full nmap scan on the box and when I try to use the r****-c** tool to connect to that service, it just hangs. I reset the box, but still seeing the same behavior.

System owned…

Thanks to those who PM'd me with hints

good luck

Hi Forum, I’m facing a very weird issue…I am unable to access the port 10000 via the web browser

When I try to access it via HTTP, I get a redirect URL to the https link. However, on clicking that link, I get an error saying “We can’t connect to the server at postman”. Has anyone else faced this issue too? Any help here would be great!

Cheers!