# Source

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McRCYhZgCjIA2pTxTGj%2F-McRCiE5JA2L-1r1DrDY%2Fimage.png?alt=media\&token=608fde51-a09e-4bc1-a0bf-3d2314cf511a)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**):

```
nmap -Pn 10.10.184.138
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McRCkTiODAi35Ox2fky%2F-McRDyfpv0s4VOWp64BT%2Fimage.png?alt=media\&token=c0874bcb-b0c3-4506-9f7f-d05d9b33218e)

Detailed Nmap scan:

Command breakdown:

* (**-sV**): Service version
* (**-sC**): Default nmap scripts
* (**-p**): Specifying ports 22,10000
* (**-oN nmap**): Saving it into a file called nmap

```
nmap -sV -sC -p 22,10000 -oN nmap 10.10.184.138
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McRCkTiODAi35Ox2fky%2F-McRE9U3Yy2ctO82z9Ah%2Fimage.png?alt=media\&token=faaaed83-5ed7-495f-a5f9-f1c0ba3c484e)
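For defenders reviewing the same kind of scan output, the following added example (not part of the original write-up) parses a file saved with `-oN` and flags open services whose version banner is on a review list. The sample output is constructed, the single review-list entry 1.890 is taken from the name of the exploit repository linked on this page, and `parse_services`, `flag_services` and `REVIEW_LIST` are names chosen for this illustration.

```python
import re

# Constructed sample of nmap normal (-oN) output; not the scan shown on this page.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.184.138
Host is up (0.045s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  (key fingerprints omitted)
10000/tcp open  http    MiniServ 1.890 (Webmin httpd)
"""

# One port-table row: "<port>/<proto> <state> <service> [<version banner>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")

# Assumed review list: (product label, banner regex, versions to flag).
# Extend it from vendor advisories; only 1.890 is grounded in this page.
REVIEW_LIST = [("Webmin", re.compile(r"MiniServ (\d+(?:\.\d+)*)"), {"1.890"})]


def parse_services(text):
    """Return one dict per port-table row; NSE script lines ('|', '|_') are skipped."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, banner = m.groups()
            services.append({"port": int(port), "proto": proto, "state": state,
                             "service": service, "banner": banner or ""})
    return services


def flag_services(services):
    """Return (port, product, version) for open services on the review list."""
    findings = []
    for svc in services:
        if svc["state"] != "open":
            continue  # closed/filtered ports are not reachable services
        for product, pattern, versions in REVIEW_LIST:
            m = pattern.search(svc["banner"])
            if m and m.group(1) in versions:
                findings.append((svc["port"], product, m.group(1)))
    return findings


if __name__ == "__main__":
    for port, product, version in flag_services(parse_services(SAMPLE_NMAP_OUTPUT)):
        print(f"port {port}: {product} {version} is on the review list")
```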

## Enumeration

Let's visit the site on port 10000.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McRCkTiODAi35Ox2fky%2F-McREZza9Fg88URLlEr-%2Fimage.png?alt=media\&token=151fe4e6-2fd5-4030-8d4d-8009b9cc74fd)

Looks like we should go to `https://<ip>`, so let's do that.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McRCkTiODAi35Ox2fky%2F-McRFC-hsNbo5iulPK6e%2Fimage.png?alt=media\&token=9e468bbe-6ffe-43ba-bf15-905e15680b9e)

Let's go to Advanced and hit Accept Risk and Continue.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McRCkTiODAi35Ox2fky%2F-McRFJCuWAhbqx3fuuw7%2Fimage.png?alt=media\&token=b185329f-c62e-4e70-a78f-1b1b9e6ab15d)

We have a login page. We do not have credentials, so let's go to searchsploit and look for exploits for the application and the specific version we see in the nmap scan. I searched for it on searchsploit and got nothing back.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McRGLYIzkeEc_a9pHTs%2F-McRH6RVT6rZpLIuF8S8%2Fimage.png?alt=media\&token=28a504cb-c856-45d7-bb07-a4278f7a7e11)

So I went to Google and looked for an exploit and found [this](https://github.com/foxsin34/WebMin-1.890-Exploit-unauthorized-RCE/blob/master/webmin-1.890_exploit.py). It's a Python script, so let's copy it to our machine and call it `exploit.py`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McRGLYIzkeEc_a9pHTs%2F-McRIBS-pJiVTdKfU_Hr%2Fimage.png?alt=media\&token=2e0ab2e1-f2ae-4135-a7df-57f23d145fa1)

They show how to use it as well, so let's go ahead and use it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McRGLYIzkeEc_a9pHTs%2F-McRILcUl0xIVJKC3FGH%2Fimage.png?alt=media\&token=14558b54-f282-4e06-be12-6245792082e7)

At the end they give us the option of sending a command. We sent `id` and it worked, so let's read the user flag and the root flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McRGLYIzkeEc_a9pHTs%2F-McRIuMblQc_6vjpF8Kr%2Fimage.png?alt=media\&token=a64ad1e2-21f7-47a8-ac4b-52a635f319b4)

We have both the flags.
