The skills tested and needed to solve this room are: CTF and CVE.
Shout-out to @DarkStar7471 for creating this room. Visit https://tryhackme.com and create an account for free to take advantage of this great learning platform.
I also chose to mask part of the answers so you will have to do the steps and see how things work. I don’t want to take away this learning experience from you.
My assigned IP address was 10.10.40.23
Finding the user and root flags is the requirement to complete this room:
- Deploy the machine.
- Scan the machine using nmap: nmap -sC -sV 10.10.40.23
- -sC – scan using the default nmap scripts
- -sV – pull version information for the open ports found during the scan
- We cannot attack the SSH service yet because we have no clue about a username to try brute-forcing with. The obvious next step is to check the HTTP service on port 10000.
- Let’s visit the provided URL and see if there is anything interesting.
- How about the page source for the main page?
- The message on the web page says the web server is running in SSL mode. Let’s revisit the site, this time using https.
- Next, try some default logins like admin:admin, admin:password, root:root, root:password.
- Since the default credentials didn’t work, we will now look for known vulnerabilities and exploits that we can use against the web server. The first method is to use searchsploit in your Kali terminal: searchsploit webmin
- Looking back at the nmap scan result, it says that the web server in use is Miniserv 1.890. Let’s see if we can find a match in Metasploit. Open Metasploit by typing msfconsole
- Let’s search for an exploit for Miniserv 1.890
- To use the exploit, type use exploit/linux/http/webmin_backdoor or, to save some time instead of typing the entire path, reference the number in the first column under “#” and type use 0
- Now type show options to see which settings need to be set up so we can run the exploit correctly. The highlighted options are the ones we need to set:
- RHOSTS – This is your victim’s IP address. 10.10.40.23
- RPORT – This is the victim’s port number in use. 10000
- SRVHOST – This is your attacker’s computer IP address. Mine is 10.2.*.* (Some of you might be thinking “why did he mask his private IP?”, because THM users are in the same subnet when VPN’d, and I don’t want other people scanning me, hahaha)
- SSL – It is currently set to “false”; we have to turn it on because our victim is using the HTTPS protocol.
- LHOST – This is again your own IP address (when using your own IP address, pay attention to your VPN’s network adapter, usually tun0 and not the usual eth0).
- Now that all is set, we can run the exploit by typing either of the two: run or exploit
- Let’s check who we are on the victim’s machine and what our permissions are by typing whoami
- We can start searching for the flags, but first we would like to establish a stable shell. Check whether python is present on the victim’s machine by typing which python
- To spawn a stable shell, type python -c 'import pty;pty.spawn("/bin/bash")'
- user flag
- root flag
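The nmap -sV banner is what gives this room away, so here is a small triage helper, added as an example and not part of the original write-up, that parses nmap service lines and flags a MiniServ build inside the version range the webmin_backdoor module targets, so a defender can confirm exposure on their own hosts and schedule the patch. The sample scan text is constructed, and the affected range (1.882 to 1.921) is an assumption taken from Webmin’s advisory for the backdoored builds.

```python
# Added example (not part of the original write-up): parse nmap -sV service lines and
# flag a Webmin/MiniServ build inside the assumed affected range so it can be patched.
import re

# Constructed sample in the layout nmap -sV prints; the MiniServ line mirrors the room's scan.
SAMPLE_SCAN = """\
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
10000/tcp open  http    MiniServ 1.890 (Webmin httpd)
"""

# Assumed affected range: Webmin's advisory for the backdoored builds lists 1.882 to 1.921.
# Adjust these if your vulnerability feed gives a different range.
AFFECTED_MIN = (1, 882)
AFFECTED_MAX = (1, 921)

SERVICE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s+(.*)$")
MINISERV_RE = re.compile(r"MiniServ\s+(\d+)\.(\d+)", re.IGNORECASE)


def parse_services(scan_text):
    """Return (port, proto, service, version_text) for each open-port line in nmap -sV output."""
    services = []
    for line in scan_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            services.append((int(m.group(1)), m.group(2), m.group(3), m.group(4).strip()))
    return services


def miniserv_version(version_text):
    """Extract the MiniServ version as a (major, minor) tuple, or None if the banner is not MiniServ."""
    m = MINISERV_RE.search(version_text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def flag_webmin_exposure(scan_text):
    """List every open port whose MiniServ version falls inside the assumed affected range."""
    findings = []
    for port, proto, service, version_text in parse_services(scan_text):
        ver = miniserv_version(version_text)
        if ver is not None and AFFECTED_MIN <= ver <= AFFECTED_MAX:
            findings.append({
                "port": port,
                "version": f"{ver[0]}.{ver[1]}",
                "fix": f"upgrade Webmin past the affected range and keep port {port} off the internet",
            })
    return findings


if __name__ == "__main__":
    for finding in flag_webmin_exposure(SAMPLE_SCAN):
        print(finding)
```

Feed it the saved output of your own nmap -sV scan instead of SAMPLE_SCAN to inventory every host still running an affected build.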
I hope you learned something and enjoyed following the steps to complete this room.
Let’s hack together!