Try Hack Me: Source Room

The skills to be tested and needed to solve this room are: ctf and CVE.

Shout-out to @DarkStar7471 for creating this room. Visit https://tryhackme.com and create an account for free to take advantage of this great learning platform.

I also chose to mask part of the answers so you will have to do the steps and see how things work. I don’t want to take away this learning experience from you.

My assigned IP address was 10.10.40.23

Finding the user and root flags are the the requirements to complete this room:

user.txt
- THM{S*********************E}
root.txt
- THM{U*****************L}

Steps:

Deploy the machine:

2. Scan the machine using nmap. nmap -sC -sV 10.10.40.23

-sC – to scan using the default nmap scripts

-sV – to pull version information of open ports found during the scan

We cannot exploit SSH service yet because we don’t have any clue for a username to try and brute-force our way in. The obvious next step is to check the http service in port 10000

Let’s try the provided url if there is anything interesting

How about the page source for the main page?

The message on the webpage mentioned about the webserver is running on SSL mode. Let’s try and revisit the site this time using https

Next is to try some default logins like admin:admin, admin:password, root:root, root:password

Since default credentials didn’t work, we will now look for known vulnerabilities and exploits that we can use against the webserver. First method is to use searchsploit on your Kali terminal. searchsploit webmin

There are many known exploits for Webmin, but we are not sure which one to use. The Unauthenticated RCE through Metasploit is the easiest I can see from the list.

Looking back at the nmap scan result, it says that the webserver in use is Miniserv 1.890. Let’s try if we can find a match in Metasploit. Open Metasploit by typing msfconsole

Let’s search for an exploit for Miniserv 1.890

Sure enough, there is an exploit for the webserver’s specific version. This will make things so much easier for us

To use the exploit, type use exploit/linux/http/webmin_backdoor or to save you some time, instead of typing the entire path, you can reference the number on the first column under “#” and type use 0

Shortcut to use an exploit, auxiliary or payload in Metasploit

Now, type show options to see what settings are required to be setup so we can run the exploit correctly. The highlighted options are the ones we need to set

RHOSTS – This is your victim’s IP address. 10.10.40.23
RPORT – This is your victim’s port number in used. 10000
SRVHOST – This is your attacker’s computer IP address. Mine is 10.2.*.* (Some of you might be thinking “why did he masked his private IP?”, because THM users are in the same subnet when VPNd, and I don’t want other people scanning me, hahaha)
SSL – It is currently on “false” we have to turn it on because our victim is using the HTTPS protocol
LHOST – This is again your own IP address (when using your own IP address, pay attention to your VPN’s network adapter, usually tun0 and not the usual eth0

Now that all is set, we can run the exploit by typing either of the two: run or exploit

Let’s check who we are on the victim’s machine and what are our permissions by typing whoami

That was easy and painless. We are ROOT!

We can start searching for the flags, but we would like to establish a stable shell. We can do this by first checking if python is running on the victim’s machine by typing which python