Today we are going to do a walkthrough of Source: 1 from Vulnhub.com. After getting the VM set up in VMWare Player, we start with our standard nmap scans.
Port tcp/10000 is identified as MiniServ 1.890, so even before checking out the website my first thought was to search for vulnerabilities. A Google search of “miniserv 1.890 exploit” reveals a link for a Remote Code Execution Exploit: https://medium.com/@foxsin34/webmin-1-890-exploit-unauthorized-rce-cve-2019-15107-23e4d5a9c3b4
Download the Python script from the Github site and give it a try:
Wow, the RCE exploit has us executing commands as root! At this point, we can grab the root flag and call it a day.
However, let’s go further and try to get a root shell. I tried to execute a number of root shells directly via the RCE, including nc, perl, python, etc. but had no luck. Then I attempted to upload several shells and finally got a hit with the NetCat OpenBSD shell from payloadsallthethings. Keep this one in your toolbelt, as it has worked for me several times lately when the more common netcat, python, etc. shells haven’t.
Don’t forget to first launch your listener with “nc -nvlp 8001”. On my attacking machine, I created a file shell.sh with the NetCat OpenBSD shell code.
Launch SimpleHTTPServer with “sudo python -m SimpleHTTPServer 80” and then upload the shell script to the target with wget.
Make the script executable.
Then run the script.
We get a root shell!
Thanks for reading. Did you get a shell another way? Leave me a comment with how you did it.
