Related vulnerability
Title:
Webmin operating system command injection vulnerability (CVE-2019-15107)
Description: Webmin is a web-based system administration tool for Unix-like operating systems. password_change.cgi in Webmin 1.920 and earlier contains an OS command injection vulnerability. The flaw stems from the product failing to properly filter special elements when it builds an executable command from externally supplied input. An attacker can exploit it to execute unauthorized commands.
Description
Built a custom Virtual Machine, running Ubuntu 18.04.1 and Webmin 1.810. Using CVE-2019-15107 to exploit a backdoor in the Linux machine
Introduction
# Make-and-Break
## Create and exploit a vulnerable Virtual Machine
### Description: Built a custom Virtual Machine, running Ubuntu 18.04.1 and Webmin 1.810. Using CVE-2019-15107 to exploit a backdoor in the Linux System Administration Interface
|PROOF of CONCEPT|
|----------------|
|Linux OS (Ubuntu 18.04.1) will be deployed containing security flaws that will allow an attacker to compromise the system to root level.|


### Installing SSH server

### Install Webmin 1.890
- **Create a username (deathstart) and password (readytograduate), served on port 10000 by default**
- **Download webmin-1.890.tar.gz from https://sourceforge.net/projects/webadmin/files/webmin/**
- **Extract the archive and run the following command inside the extracted Webmin folder**
- **`sudo ./setup.sh /usr/local/webmin`**
- **Enter the password for user deathstart when prompted**




### Kali
- **Recon steps: the Kali VM and the Ubuntu VM are on the same subnet**
- **In Kali, run an nmap scan against the Ubuntu machine and check for open ports and services**
- **Notice that port 10000 (a web server) and port 22 are open. We will try to exploit port 10000, an HTTP web server (MiniServ 1.890), using a known flaw that lets us connect to it remotely**
- **We use the CVE-2019-15107 Unauthenticated Remote Code Execution exploit in Metasploit to get root access.**
- **Open msfconsole on Kali, search for webmin, and use exploit unix/webapp/webmin_backdoor**
- **Set options accordingly: RHOST, LHOST**
- **Run the exploit and get a shell**
- **We tried to spawn a full shell but were unsuccessful. In addition, we can't change directories even though we are "root", but fortunately we can cat files and list directories, including the /etc/shadow file that contains the hashed passwords**
- **We copied the contents of the shadow file and the passwd file into shadow.txt and passwd.txt and proceeded to crack the hashes using John the Ripper**
- **Type unshadow passwd.txt shadow.txt > password.txt to combine both files for use with John**
- **We had already created our own password list (fullstack.txt) of common passwords, which we will use with John to obtain the password**
- **Type john --wordlist=fullstack.txt password.txt to crack and reveal the password**
- **Cracking successful: the password for *deathstart* is *readytograduate*. SSH to this user with ssh deathstart@192.168.44.132 and type the password readytograduate when prompted**

## At this point we have fully compromised the machine and gained control of the system.
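The walkthrough above leans on two things a defender can check for: a MiniServ banner older than the fixed release, and requests hitting password_change.cgi, the script named in the CVE-2019-15107 advisory text. The following is an added example written for this page, not code from the original project or from Webmin. It parses a MiniServ version banner of the kind an nmap service scan reports and flags anything below 1.930, and it scans access-log lines for POST requests to password_change.cgi. The assumption that the log is written in Apache common log format, and the sample log lines (TEST-NET address, invented timestamps), are constructed for the example.

```python
"""Added example: version and access-log checks for the Webmin weakness
discussed in this write-up. Not part of the original project; the log
format and the sample lines below are assumptions/constructed data."""
import re
from typing import Dict, List, Optional, Tuple

# Webmin 1.920 and earlier are affected per the advisory text; 1.930 is
# treated here as the first fixed release.
FIXED_VERSION: Tuple[int, int] = (1, 930)

# Matches banners such as "Server: MiniServ/1.890" as reported by nmap -sV.
BANNER_RE = re.compile(r"MiniServ/(\d+)\.(\d+)", re.IGNORECASE)

# Assumed Apache common log format: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_miniserv_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from a MiniServ banner, or None if absent.
    Webmin minors are three digits (1.890, 1.920), so tuple order works."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable_version(banner: str) -> bool:
    """True when the banner names a MiniServ release below the fixed one."""
    version = parse_miniserv_version(banner)
    return version is not None and version < FIXED_VERSION


def find_password_change_posts(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per POST to password_change.cgi seen in the log."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.endswith("/password_change.cgi"):
            hits.append({
                "ip": m["ip"],
                "user": m["user"],
                "ts": m["ts"],
                "status": int(m["status"]),
            })
    return hits


def summarize(banner: str, lines: List[str]) -> Dict[str, object]:
    """Combine both checks into one triage record for a host."""
    hits = find_password_change_posts(lines)
    return {
        "vulnerable_version": is_vulnerable_version(banner),
        "password_change_posts": len(hits),
        "sources": sorted({str(h["ip"]) for h in hits}),
    }


# Constructed sample data: a banner like the one in the nmap step above and
# three log lines, one of which is an unauthenticated POST to the CGI.
SAMPLE_BANNER = "Server: MiniServ/1.890"
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Sep/2019:10:29:05 -0400] "GET / HTTP/1.1" 200 1342',
    '192.0.2.10 - - [17/Sep/2019:10:29:16 -0400] "POST /password_change.cgi HTTP/1.1" 200 512',
    '192.0.2.10 - deathstart [17/Sep/2019:10:33:32 -0400] "GET /index.cgi HTTP/1.1" 200 8801',
    "this line is not in common log format and is ignored",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_BANNER, SAMPLE_LOG))
```

A POST to password_change.cgi with no authenticated user, arriving at a MiniServ older than 1.930, is the pattern this write-up's Metasploit step produces; on a server where nobody is expected to change Webmin passwords through that page, every such hit is worth investigating. Upgrading past 1.920 removes the version condition entirely.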
File snapshot
[4.0K] /data/pocs/17df7618d92a3b0285ced4dafd6c9812857feb45
├── [1.3M] Final Project.pdf
├── [ 151] Fullstack-Demo-Presentation.md
├── [ 181] Googledrive-link-Machine.md
├── [5.2K] README.md
├── [ 14M] Screencast-version.mp4
└── [4.0K] Screenshots
    ├── [143K] screen.png
    ├── [ 71K] Screenshot from 2019-09-17 10-28-25.png
    ├── [100K] Screenshot from 2019-09-17 10-29-05.png
    ├── [ 73K] Screenshot from 2019-09-17 10-29-16.png
    ├── [123K] Screenshot from 2019-09-17 10-29-46.png
    ├── [ 27K] Screenshot from 2019-09-17 10-30-05.png
    ├── [ 44K] Screenshot from 2019-09-17 10-33-32.png
    ├── [469K] Screenshot from 2019-09-17 13-05-14.png
    ├── [457K] Screenshot from 2019-09-17 13-05-29.png
    ├── [379K] Screenshot from 2019-09-17 13-05-43.png
    ├── [336K] Screenshot from 2019-09-17 13-06-04.png
    ├── [ 28K] Screenshot from 2019-09-17 14-10-14.png
    ├── [ 94K] Screenshot from 2019-09-17 16-35-09.png
    ├── [ 61K] Screenshot from 2019-09-17 16-37-50.png
    ├── [ 96K] Screenshot from 2019-09-17 16-38-42.png
    ├── [ 51K] Screenshot from 2019-09-17 16-39-04.png
    ├── [117K] Screenshot from 2019-09-17 16-39-20.png
    ├── [132K] Screenshot from 2019-09-17 16-39-44.png
    ├── [185K] Screenshot from 2019-09-17 16-40-27.png
    ├── [208K] Screenshot from 2019-09-19 15-09-27.png
    ├── [ 64K] Screenshot from 2019-09-19 15-19-07.png
    ├── [ 73K] Screenshot from 2019-09-19 15-19-39.png
    └── [ 92K] wte.png
1 directory, 28 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source has gone offline or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 (Shenlong) has taken a snapshot of the POC code for you; to keep it maintained long term, please consider paying for the local POC. Thank you for your support.