The nmap scan shows SSH, plus HTTP services on ports 80 and 10000.

This is the web page at port 80.

This is the web page at port 10000, which is running Webmin.

Scanning all ports up to 65535 with nmap, we found a Redis service on port 6379.

There are some hacking tricks for Redis; I tried this one to see if I could create an SSH key pair with Redis to log in.

I successfully logged in as redis, but could not get user.txt under Matt's directory.
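
Added example (not part of the original write-up): a defender-side check for the result of the Redis trick above. Files written by Redis are RDB dumps, which start with the magic `REDIS` plus a four-digit version, so an `authorized_keys` file carrying that header or other binary bytes did not come from a normal key install. The sample inputs are constructed, and the function name `inspect_authorized_keys` is an assumption of this example.

```python
import re

# RDB dump files start with the ASCII magic "REDIS" plus a 4-digit version.
RDB_MAGIC = re.compile(rb"^REDIS\d{4}")
# Public-key entries, which sshd still accepts when they sit on their own line
# between otherwise unparsable lines.
KEY_LINE = re.compile(
    rb"(?:ssh-(?:rsa|ed25519)|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/=]+[^\r\n]*"
)

def inspect_authorized_keys(data: bytes) -> dict:
    """Classify the raw bytes of an authorized_keys file."""
    rdb_header = bool(RDB_MAGIC.match(data))
    # A legitimate file is plain text: count control bytes other than TAB/LF/CR.
    non_text = sum(1 for b in data if b < 0x20 and b not in (0x09, 0x0A, 0x0D))
    keys = [m.group(0).decode("ascii", "replace") for m in KEY_LINE.finditer(data)]
    return {
        "rdb_header": rdb_header,
        "non_text_bytes": non_text,
        "keys": keys,
        "suspicious": rdb_header or non_text > 0,
    }

# Constructed samples (not captured from any host). The first only approximates
# the layout of an RDB dump: header, binary fields, a padded key, trailer.
RDB_LIKE = (
    b"REDIS0009\xfa\tredis-ver\x055.0.0\xfe\x00\xfb\x01\x00\x00\x03key@\x5a"
    b"\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB constructed@example\n\n"
    b"\xff\x10\x22\x33\x44\x55\x66\x77\x88"
)
CLEAN = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA admin@example\n"

if __name__ == "__main__":
    for name, blob in (("rdb-like", RDB_LIKE), ("clean", CLEAN)):
        print(name, inspect_authorized_keys(blob))
```

Run it over the `authorized_keys` file of every account, including service accounts such as `redis` that should normally have no keys at all.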

Luckily, there is an id_rsa.bak in /opt/.

Since there is a passphrase, I used John the Ripper to get the passphrase, computer2008. However, when I tried to log in, the connection quickly ended.

sshd_config shows that Matt is not allowed to log in over SSH. We can just switch user from redis.

For privilege escalation, I first logged in to Webmin as Matt.

There is a Metasploit module for this, exploit/linux/http/webmin_packageup_rce. It sends a malicious payload to update.cgi.

And we get a reverse shell as root.
