TryHackMe: AttackerKB

Al1z4deh:~# echo "Welcome"
4 min read · Apr 14, 2022

Today we will take a look at TryHackMe: AttackerKB. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.

Question: Scan the machine with Nmap. What non-standard service can be found running on the high-port?

Command: sudo nmap -sS -sC -sV -oN nmap/initial 10.10.230.26

Answer: W*****

Question: Further enumerate this service, what version of it is running?

Answer: 1****

Question: Visit the webpage generated by this service. You should encounter an error due to SSL being present. Change the URL to use HTTPS and ignore the exception. After this, view the certificate. What hostname can we find on the cert details? On Firefox, you can view this by clicking on the 'i' in the URL, then the '>' in Connection, 'More Information', and then 'View Certificate' on the Security tab.

Answer: s*****

Question: Take a look through the Assessments for this vulnerability. As an attacker, we can use the information posted here by other members to determine how valuable an exploit might be and any tweaks we might have to make to exploit code. Similarly, as a defender we can leverage these comments to gain additional situational information for vulnerabilities, allowing us to gauge how quickly we need to patch them. Which version of Webmin is immediately vulnerable to this exploit?

Answer: 1****

Question: What type of attack was this? Note, we're looking for how this was added to the code for Webmin, not how this results in remote code execution (RCE).

Answer: S***** C****

Question: Can you find a link to a post on Webmin's website explaining what happened? What day was Webmin informed of an 0day exploit?

Answer: A***** 1*** 2****

Question: Last but certainly not least, let's find the link to our exploit. We can see in the Assessments that a Metasploit module was added for this backdoor. What pull number was this added in?

Answer: 1****

Question: Now that we've selected our exploit, set the options provided appropriately. Beyond RHOSTS and LHOST, what is the third option we must set to 'True'?

Command: use exploit/unix/webapp/webmin_backdoor

Answer: S**

Question: Run the exploit. What is the user flag?

Question: How about the root flag?

And now we are root.

“If you have any questions or comments, please do not hesitate to write. Have a good day.”
