Source

Source

Room link: https://tryhackme.com/room/source

Initial Access

As always, I ran an aggressive NMAP scan to start.

ajread@aj-ubuntu:~/TryHackMe$ nmap -A [REMOTE IP]
Starting Nmap 7.80 ( https://nmap.org ) at 2022-10-25 21:07 EDT
Nmap scan report for [REMOTE IP]
Host is up (0.084s latency).
Not shown: 998 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b7:4c:d0:bd:e2:7b:1b:15:72:27:64:56:29:15:ea:23 (RSA)
|   256 b7:85:23:11:4f:44:fa:22:00:8e:40:77:5e:cf:28:7c (ECDSA)
|_  256 a9:fe:4b:82:bf:89:34:59:36:5b:ec:da:c2:d3:95:ce (ED25519)
10000/tcp open  http    MiniServ 1.890 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.31 seconds

Alongside the aggressive NMAP scan, I wanted to see if there were any high ports.

I first looked at the webserver on port 10000. It appeared to be vulnerable to an RCE exploit that appears to impact the /password_change.cgi portion of the server. I found a POC on github (https://github.com/foxsin34/WebMin-1.890-Exploit-unauthorized-RCE/blob/master/webmin-1.890_exploit.py) and used it to execute code.

I did some looking around running various commands and found a user named dark with the flag in their home directory.

Privilege Escalation

Since I was already running as root, I could also read the root flag.

PreviousSkynetNextSurfer

Last updated