This is May. It’s Medium rated.
The scan shows SSH, HTTP and Webmin on port 10000.
http-title: Did not follow redirect to http://may.hmv
So I add that to /etc/hosts. I visit the homepage and get this:
admin: Web is under construction. Use Intranet.
marie: Where are now the keys?
alice: Yes, where are?
So we have three usernames, plus a suggestion of subdomains. Good enough for me:
At both ssh.may.hmv and portal.may.hmv we get simple login forms, and all the fuzzing in the world doesn’t find anything else. I try bruteforcing with my usernames, and eventually:
prompts this response:
This was using Burp Turbo Intruder and /usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt
Now if we try using our cookie at the other subdomain?
We get this:
Interesting, but not immediately useful. I run linpeas and find this:
Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
Hmmm, I’m pretty sure we shouldn’t have access to that. Documentation is sparse, but in the end I create a file:
This uses the password 123. That’s the kinda thing an idiot would have on his luggage!
We edit /etc/webmin/miniserv.conf as shown above, and use our sudo powers to reboot the server:
sudo -u root /usr/sbin/reboot
Once it reboots, we can log in at https://may.hmv:10000 with root:123 and we have access to a root terminal:
Bit of fun this one.
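For the defensive side of that linpeas finding, here is an added example (mine, not from the box or from Webmin) that audits a Webmin config directory for anything a non-root account could modify. It goes a little further than the single file above by also checking every file that miniserv.conf points to through an absolute path; the function names and the default trusted UID of 0 are assumptions for illustration.

```python
import os
import stat

def risky_mode(st, trusted_uids):
    """Return the reasons a path could be modified by an untrusted account."""
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append("owner uid %d is not trusted" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def referenced_paths(conf_path):
    """Absolute paths that appear as values in a key=value config file."""
    paths = []
    with open(conf_path, errors="replace") as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            if sep and not key.startswith("#") and value.startswith("/"):
                paths.append(value)
    return paths

def audit(conf_dir, conf_name="miniserv.conf", trusted_uids=(0,)):
    """Map each risky path to the list of reasons it was flagged."""
    targets = {conf_dir}
    for root, dirs, files in os.walk(conf_dir):
        targets.update(os.path.join(root, n) for n in dirs + files)
    conf = os.path.join(conf_dir, conf_name)
    if os.path.isfile(conf):
        # Files the server is told to read need the same protection as the config.
        targets.update(p for p in referenced_paths(conf) if os.path.exists(p))
    findings = {}
    for path in sorted(targets):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits say nothing about its target
        reasons = risky_mode(st, trusted_uids)
        if reasons:
            findings[path] = reasons
    return findings

if __name__ == "__main__":
    for path, reasons in audit("/etc/webmin").items():
        print(path, "->", ", ".join(reasons))
```

An empty result means every audited path is owned by a trusted UID and writable only by its owner.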