It has been a bit since I’ve work some red team tasks so decided to jump in and knock out this CTF.

Our first goal is to enumerate the box and root it. We are looking for a user.txt and root.txt file.

Enumerating means we are going right to nmap to do some scanning

We have 22 (ssh) and 10000 (http) open.

There is clearly something juicy at 10000 as http typically uses port 80, so lets navigate there

We are then redirected to a webadmin sign in page.

Doing some searching, we come across an RCE exploit on exploit-db relating to that service

We also have a an exploit at AttackerKB (hosted by rapid7) with a bit more information

This was a supply chain attack: The backdoor was introduced in a version that was “exploitable” in the default install. Version 1.890 is the money. Anything after requires a non-default setting.

The attacker KB link has a metasploit module so we are going to launch MSF

Using the module http:/webmin_backdoor, We can see our options

From here we set our Remote host and local host and attempt to exploit

Looks like we need to use an SSL cert for this to run from here

and we have our shell!

Searching the device, we locate the user.txt flag in the /home/dark directory

And our root flag!