THM Writeup: Source
I did a nmap scan against the target and uncovered these open ports.
22/tcp open ssh OpenSSH 7.6p1
10000/tcp open http MiniServ 1.890 (Webmin)
Now to the enumeration stage. I decided to go with the port 10000. If you do a search on Metasploit about MiniServ 1.890. There would be an interesting exploit that will show up.
Ok looks nice now we can use this exploit. To get some information about the exploit you can use the info cammand on metasploit.
Looks like there is a backdoor embedded to the Webmin 1.890 and 1.900 by an unknown attacker. But the backdoor which is present on version 1.890 which our target is running is exploitable which is nice.
Here are the options for the exploit
RHOSTS : Target IP RPORT : 10000 (The Default value) LHOST : Attacker IP LHOST : Listner PORT on the attacker machine SRVHOST : Attacker IP SRVPORT : Port value of the LPORT variable SSL : true
Now type exploit, wait a sec for the exploit execution to occur, and boom you now got an active root shell. Now let’s upgrade this shell because all we now have is a blank interface to enter commands.
Since your shell operating as the root user you can view the two flags (user and the root flag):
/home/dark/user.txt (User Flag)
/root/root.txt (Root Flag)
If you like this post please share it with your fellow hackermates and if you have any questions & suggestions please feel free to post them down in the comments. I’d love to hear and learn from you.