HackTheBox - Postman

01:00 - Begin of nnmap scan 01:45 - Checking out the website, trying to identify what technology runs the site 03:20 - Nmap scan finished, start more recon (GoBuster and full nmap port scan) 07:00 - Trying to find out when the website was stood up with exiftool 09:00 - Full nmap showed the REDIS port, initial poking 10:55 - Searching the internet for things you can do with a REDIS Server 14:50 - Dropping a webshell didn't work, lets try dropping an SSH Key 16:30 - Discovering the location of a .ssh directory by guessing the default (/var/lib/redis/.ssh) 19:30 - Got a shell on the box! 22:00 - Running LinPEAS 29:45 - Running LinEnum twice (once with throrough mode enabled). To make sure we have good recon. 33:10 - Discovering Matt logged in at a time we did not previously have 36:07 - Discovering an encrypted SSH key, cracking the SSH Key with John 40:00 - SSH failing to work, decide to just use "su" to switch to the Matt User 42:00 - Discovering we can login to WebMin with Matt 42:48 - Running searchsploit, then using Metasploit to exploit Webmin 45:30 - Root shell returned, set Metasploit to go through burp and play with it until we get the exploit working.