# Source

![](/files/-McRCiE5JA2L-1r1DrDY)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**):

```
nmap -Pn 10.10.184.138
```

![](/files/-McRDyfpv0s4VOWp64BT)

Detailed Nmap scan:

Command breakdown:

* (**-sV**): Service version
* (**-sC**): Default nmap scripts
* (**-p**): Specifying ports 22,10000
* (**-oN nmap**): Saving it into a file called nmap

```
nmap -sV -sC -p 22,10000 -oN nmap 10.10.184.138
```

![](/files/-McRE9U3Yy2ctO82z9Ah)

## Enumeration

Let's visit the site on port 10000.

![](/files/-McREZza9Fg88URLlEr-)

Looks like we should go to `https://<ip>`, so let's do that.

![](/files/-McRFC-hsNbo5iulPK6e)

Let's go to Advanced and hit Accept Risk and Continue.

![](/files/-McRFJCuWAhbqx3fuuw7)

We have a login page. We do not have credentials, so let's go to searchsploit and look for exploits on the application and the specific version we see in the nmap scan. I searched for it on searchsploit and got nothing back.

![](/files/-McRH6RVT6rZpLIuF8S8)

So I went to Google, looked for an exploit, and found [this](https://github.com/foxsin34/WebMin-1.890-Exploit-unauthorized-RCE/blob/master/webmin-1.890_exploit.py). It's a Python script, so let's copy it to our machine and call it `exploit.py`.

![](/files/-McRIBS-pJiVTdKfU_Hr)

They show how to use it as well, so let's go ahead and use it.

![](/files/-McRILcUl0xIVJKC3FGH)

At the end they give us the option of sending a command. We sent `id` and it worked, so let's read the user flag and the root flag.

![](/files/-McRIuMblQc_6vjpF8Kr)

We have both the flags.
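
From the defender's side, the version fingerprint that led to the exploit can also be used to find exposed hosts in your own scan results. The following is an added example, not part of the original writeup: it parses nmap normal output (the kind of file `-oN` saves) and flags open services that match a watchlist. The sample scan text, the second host and the function names are constructed, and the watchlist assumes only the 1.890 build named in the linked exploit.

```python
import re

# Constructed sample in nmap normal (-oN) format; not output captured from this page.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.184.138
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
10000/tcp open  http    MiniServ 1.890 (Webmin httpd)

Nmap scan report for 10.10.184.139
PORT      STATE  SERVICE VERSION
22/tcp    open   ssh     OpenSSH 8.2p1
10000/tcp closed snet-sensor-mgmt
"""

# Assumption: only the build named in the linked exploit is listed here.
# nmap's -sV banner reports Webmin's built-in web server as "MiniServ".
WATCHLIST = {("miniserv", "1.890")}

# port/proto, state, service name, then the optional version banner
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_services(text):
    """Yield (host, port, proto, product, version) for every open port."""
    host = None
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            # Handles both "for 10.0.0.1" and "for name (10.0.0.1)"
            host = line.split()[-1].strip("()")
            continue
        m = PORT_RE.match(line)
        if not m or m.group(3) != "open":
            continue
        # First banner token as product is enough for MiniServ;
        # multi-word product names are better read from XML (-oX) output.
        banner = (m.group(5) or "").split()
        product = banner[0] if banner else ""
        version = banner[1] if len(banner) > 1 else ""
        yield host, int(m.group(1)), m.group(2), product, version

def flag_watchlisted(text, watchlist=WATCHLIST):
    """Return [(host, port, product, version)] for open services on the watchlist."""
    return [(host, port, product, version)
            for host, port, _proto, product, version in parse_services(text)
            if (product.lower(), version) in watchlist]

if __name__ == "__main__":
    for host, port, product, version in flag_watchlisted(SAMPLE_SCAN):
        print(f"{host}:{port} runs {product} {version}: upgrade or restrict access")
```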

