This is my write-up for TryHackMe’s Source Room. This is rated as Easy. Let’s see why.
Using nmap, I saw that this box is running SSH and Webmin.
Checking port 10000 on the browser, I found the Webmin login page:
I saw that Metasploit already had a number of available exploits for Webmin.
Given that the “Webmin password_change.cgi Backdoor” exploit module was the latest, I then checked if it was a viable candidate to use.
Given that the login credentials were not needed for this exploit to run, I decided to give it a try.
Turns out Webmin was already running as root. So upon exploitation, I already had root privileges!
Given that I already had root privs, I can easily get the keys.