- Name: AttackerKB
- Profile: tryhackme.com
- Difficulty: Easy
- Description: Learn how to leverage AttackerKB and learn about exploits in your workflow!
Install tools used in this WU on BlackArch Linux:
$ sudo pacman -S nmap metasploit
Discovering the Lay of the Land#
Scan the machine with Nmap. What non-standard service can be found running on the high-port?
# Nmap 7.91 scan initiated Sun Dec 13 16:52:48 2020 as: nmap -sSVC -p- -v -oA nmap_scan 10.10.66.46
Further enumerate this service, what version of it is running?
From the previous Nmap scan.
Visit the webpage generated by this service. You should encounter an error due to SSL being present. Change the URL to use HTTPS and ignore the exception. After this, view the certificate. What hostname can we find on the cert details? On Firefox, you can view this by clicking on the 'i' in the URL, then the '>' in Connection, 'More Information', and then 'View Certificate' on the Security tab.
View teh certificate.
Learning to Fly#
Take a look through the Assessments for this vulnerability. As an attacker, we can use the information posted here by other members to determine how value an exploit might be and any tweaks we might have to make to exploit code. Similarly, as a defender we can leverage these comments to gain additional situational information for vulnerabilities, allowing us to gauge how quickly we need to patch them. Which version of Webmin is immediately vulnerable to this exploit?
Using the search form.
What type of attack was this? Note, we're looking for how this was added to the code for Webmin, not how this results in remote code execution (RCE).
Answer: supply chain
Read the page.
Can you find a link to a post on the webmin's website explaining what happened? What day was Webmin informed of an 0day exploit?
Answer: August 17th 2019
Read the page: https://www.webmin.com/exploit.html
Last but certainly not least, let's find the link to our exploit. We can see in the Assessments that a Metasploit module was added for this backdoor. What pull number was this added in?
The PR is linked: https://github.com/rapid7/metasploit-framework/pull/12219
Now that we've selected our exploit, set the options provided appropriately. Beyond RHOSTS and LHOST, what is the third option we must set to 'True'?
The application is using HTTPS.
Run the exploit. What is the user flag?
Exploit & loot:
$ cat /home/dark/user.txt
How about the root flag?
Exploit & loot:
$ cat /root/root.txt