3 February 2020

PriviaHub “Minister” Machine Solution


This article describes the solution steps for the retired machine named “MINISTER” on the PriviaHub platform. First, a scan was run to identify the machine's open ports, the services running on those ports, and the operating system. The scan was performed with the NMAP tool using the command nmap -A <<IP_Address>> -v. The -A parameter performs SYN scanning, service version scanning, operating system scanning and traceroute scanning. The -v parameter enables verbose output.

The scan results revealed that TCP port 8000 is open, and the service running on this port is the MiniServ service used by the Webmin application. The scan results are shown in Figure 1.

Figure 1 – Scan Results

The Webmin application was then accessed on port 8000 with a web browser. Webmin is a web-based system configuration application for Unix-based systems.

Figure 2 – Web Application

According to the scan results, version 1.920 of the Webmin application is running on the system. An exploit search for the Webmin application was performed using a search engine. The search results are shown in Figure 3.

Figure 3 – Webmin Exploit

The search revealed that version 1.920 of Webmin is affected by an RCE vulnerability. This vulnerability, CVE-2019-15107, stems from the “old” parameter, which receives the old password during a password change (when password changes are allowed). By placing a system command after a “|” (pipe) character in the “old” parameter, an attacker can execute commands remotely with root privileges on the target system. What makes this vulnerability particularly critical is that it can be exploited without authentication. The Metasploit module published on Exploit DB for exploiting the vulnerability is shown in Figure 4.
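As an added defender-side example (not part of the original write-up), the following Python check flags HTTP requests to Webmin's password_change.cgi, the script CVE-2019-15107 affects, whose “old” parameter carries shell metacharacters; the request records and the proxy log shape they assume are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Shell metacharacters that have no business in a password field. The
# CVE-2019-15107 injection places a command after "|" in the "old" parameter.
SHELL_META = re.compile(r"[|;&`$\n]")

def webmin_password_change_injection(method, path, body):
    """Return the suspicious 'old' value if the request looks like a
    CVE-2019-15107 attempt against password_change.cgi, else None.
    Every request is inspected, since the flaw is exploitable unauthenticated."""
    if method.upper() != "POST" or not path.endswith("/password_change.cgi"):
        return None
    # parse_qs percent-decodes, so an encoded pipe (%7C) is caught as well.
    params = parse_qs(body, keep_blank_values=True)
    for value in params.get("old", []):
        if SHELL_META.search(value):
            return value
    return None

def find_attempts(records):
    """Reduce (method, path, body) records to (path, old) detections."""
    hits = []
    for method, path, body in records:
        old = webmin_password_change_injection(method, path, body)
        if old is not None:
            hits.append((path, old))
    return hits

# Constructed records (not real traffic), shaped like a reverse proxy that
# logs the form body alongside method and path. Second entry is a hit.
SAMPLE_REQUESTS = [
    ("POST", "/password_change.cgi", "user=root&old=hunter2&new1=x&new2=x&expired=1"),
    ("POST", "/password_change.cgi", "user=root&old=x%7Cid&new1=x&new2=x&expired=1"),
    ("GET", "/", ""),
]

if __name__ == "__main__":
    for path, old in find_attempts(SAMPLE_REQUESTS):
        print(f"possible CVE-2019-15107 attempt on {path}: old={old!r}")
```

Because the parameter travels in the POST body, this check needs a log source that records request bodies (a reverse proxy or WAF), not Webmin's access log alone.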

Figure 4 – Metasploit Module

After downloading the module, it can be placed among the Metasploit-Framework exploit modules on Kali Linux (/usr/share/metasploit-framework/modules/exploits/…) and accessed via the Metasploit console application. The options for the Metasploit module corresponding to the CVE-2019-15107 vulnerability are shown in Figure 5.

Figure 5 – CVE-2019-15107 Metasploit Module

According to the options, the “RHOSTS”, “RPORT” and “TARGETURI” parameters are mandatory. The HOST/IP information of the target system must be assigned to the RHOSTS parameter. Since Webmin runs on port 10000 by default, the RPORT parameter defaults to 10000. However, since Webmin is running on port 8000 on the target system, the value 8000 will be assigned to RPORT. TARGETURI must specify the root directory of the Webmin application. Along with the module’s parameters, the “cmd/unix/reverse_python” payload is included among the module options by default. This payload enables a reverse connection to be obtained from UNIX systems via the Python programming language. The values assigned to the parameters are shown in Figure 6.

Figure 6 – Values Assigned to Parameters

After assigning the appropriate values to the parameters, the exploit process was initiated with the “exploit” command and a reverse shell connection was obtained from the target system. The reverse shell connection obtained is shown in Figure 7.

Figure 7 – Reverse Shell Connection
