Try Hack Me: Source Room

The skills to be tested and needed to solve this room are: ctf and CVE.

Shout-out to @DarkStar7471 for creating this room. Visit https://tryhackme.com and create an account for free to take advantage of this great learning platform.

I also chose to mask part of the answers so you will have to do the steps and see how things work. I don’t want to take away this learning experience from you.

My assigned IP address was 10.10.40.23

Finding the user and root flags are the the requirements to complete this room:

  • user.txt
    • THM{S*********************E}
  • root.txt
    • THM{U*****************L}

Steps:

  1. Deploy the machine:

2. Scan the machine using nmap. nmap -sC -sV 10.10.40.23

  • -sC – to scan using the default nmap scripts
  • -sV – to pull version information of open ports found during the scan
Only two ports are open: 22 and 10000
  • We cannot exploit SSH service yet because we don’t have any clue for a username to try and brute-force our way in. The obvious next step is to check the http service in port 10000
  • Let’s try the provided url if there is anything interesting
  • How about the page source for the main page?
Still nothing juicy in here
  • The message on the webpage mentioned about the webserver is running on SSL mode. Let’s try and revisit the site this time using https
Webmin login page
  • Next is to try some default logins like admin:admin, admin:password, root:root, root:password
No luck
  • Since default credentials didn’t work, we will now look for known vulnerabilities and exploits that we can use against the webserver. First method is to use searchsploit on your Kali terminal. searchsploit webmin
There are many known exploits for Webmin, but we are not sure which one to use. The Unauthenticated RCE through Metasploit is the easiest I can see from the list.
  • Looking back at the nmap scan result, it says that the webserver in use is Miniserv 1.890. Let’s try if we can find a match in Metasploit. Open Metasploit by typing msfconsole
We are in Metasploit console
  • Let’s search for an exploit for Miniserv 1.890
Sure enough, there is an exploit for the webserver’s specific version. This will make things so much easier for us
  • To use the exploit, type use exploit/linux/http/webmin_backdoor or to save you some time, instead of typing the entire path, you can reference the number on the first column under “#” and type use 0
Shortcut to use an exploit, auxiliary or payload in Metasploit
  • Now, type show options to see what settings are required to be setup so we can run the exploit correctly. The highlighted options are the ones we need to set
  • RHOSTS – This is your victim’s IP address. 10.10.40.23
  • RPORT – This is your victim’s port number in used. 10000
  • SRVHOST – This is your attacker’s computer IP address. Mine is 10.2.*.* (Some of you might be thinking “why did he masked his private IP?”, because THM users are in the same subnet when VPNd, and I don’t want other people scanning me, hahaha)
  • SSL – It is currently on “false” we have to turn it on because our victim is using the HTTPS protocol
  • LHOST – This is again your own IP address (when using your own IP address, pay attention to your VPN’s network adapter, usually tun0 and not the usual eth0
All required settings are set
  • Now that all is set, we can run the exploit by typing either of the two: run or exploit
We have a connection, we have a shell
  • Let’s check who we are on the victim’s machine and what are our permissions by typing whoami
That was easy and painless. We are ROOT!
  • We can start searching for the flags, but we would like to establish a stable shell. We can do this by first checking if python is running on the victim’s machine by typing which python
Python is on the machine
  • To spawn a stable shell type python -c ‘import pyt;pty.spawn(“/bin/bash”)’
Now, we have a stable shell session
  • user flag
  • root flag

SUCCESS!!!!!!

I hope you learned something and enjoyed following the steps to complete this room.

Let’s hack together!

Published by lightkunyagami

https://tryhackme.com/badge/18276

Join the Conversation

2 Comments

Leave a comment

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: