AttackerKB - Write-up - TryHackMe

Sunday 13 December 2020 (2020-12-13)

Thursday 17 December 2020 (2020-12-17)

noraj (Alexandre ZANNI)

thm, web, writeups

🇬🇧

Information

Room#

Name: AttackerKB
Profile: tryhackme.com
Difficulty: Easy
Description: Learn how to leverage AttackerKB and learn about exploits in your workflow!

AttackerKB

Write-up

Overview#

Install tools used in this WU on BlackArch Linux:

1	$ sudo pacman -S nmap metasploit

Discovering the Lay of the Land#

Scan the machine with Nmap. What non-standard service can be found running on the high-port?

Answer: Webmin

Service scan:

# Nmap 7.91 scan initiated Sun Dec 13 16:52:48 2020 as: nmap -sSVC -p- -v -oA nmap_scan 10.10.66.46
Nmap scan report for 10.10.66.46
Host is up (0.084s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b7:4c:d0:bd:e2:7b:1b:15:72:27:64:56:29:15:ea:23 (RSA)
|   256 b7:85:23:11:4f:44:fa:22:00:8e:40:77:5e:cf:28:7c (ECDSA)
|_  256 a9:fe:4b:82:bf:89:34:59:36:5b:ec:da:c2:d3:95:ce (ED25519)
10000/tcp open  http    MiniServ 1.890 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: 8CAD5C8231FA686498FC3B47B6AA7582
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Dec 13 16:55:36 2020 -- 1 IP address (1 host up) scanned in 167.41 seconds

Further enumerate this service, what version of it is running?

Answer: 1.890

From the previous Nmap scan.

Visit the webpage generated by this service. You should encounter an error due to SSL being present. Change the URL to use HTTPS and ignore the exception. After this, view the certificate. What hostname can we find on the cert details? On Firefox, you can view this by clicking on the 'i' in the URL, then the '>' in Connection, 'More Information', and then 'View Certificate' on the Security tab.

Answer: source

View the certificate.

Learning to Fly#

Take a look through the Assessments for this vulnerability. As an attacker, we can use the information posted here by other members to determine how value an exploit might be and any tweaks we might have to make to exploit code. Similarly, as a defender we can leverage these comments to gain additional situational information for vulnerabilities, allowing us to gauge how quickly we need to patch them. Which version of Webmin is immediately vulnerable to this exploit?

Answer: 1.890

https://attackerkb.com/topics/hxx3zmiCkR/webmin-password-change-cgi-command-injection?referrer=search

Using the search form.

What type of attack was this? Note, we're looking for how this was added to the code for Webmin, not how this results in remote code execution (RCE).

Answer: supply chain

Read the page.

Can you find a link to a post on the webmin's website explaining what happened? What day was Webmin informed of an 0day exploit?

Answer: August 17th 2019

Read the page: https://www.webmin.com/exploit.html

Last but certainly not least, let's find the link to our exploit. We can see in the Assessments that a Metasploit module was added for this backdoor. What pull number was this added in?

Answer: 12219

The PR is linked: https://github.com/rapid7/metasploit-framework/pull/12219

Blasting Away#

Now that we've selected our exploit, set the options provided appropriately. Beyond RHOSTS and LHOST, what is the third option we must set to 'True'?

Answer: SSL

The application is using HTTPS.

Run the exploit. What is the user flag?

Answer: THM{SUPPLY_CHAIN_COMPROMISE}

Exploit & loot:

1	$ cat /home/dark/user.txt

How about the root flag?

Answer: THM{UPDATE_YOUR_INSTALL}

Exploit & loot:

1	$ cat /root/root.txt