InsanityHosting_Webmin

Webmin

---

An internal Webmin instance has been identified on the insanityhosting.vm host.

[elliot@insanityhosting ~]$ systemctl status webmin.service
● webmin.service - LSB: web-based administration interface for Unix systems
   Loaded: loaded (/etc/rc.d/init.d/webmin; bad; vendor preset: disabled)
   Active: active (running) since Fri 2024-08-02 22:14:57 BST; 11 months 0 days ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1011 ExecStart=/etc/rc.d/init.d/webmin start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/webmin.service
           └─1437 /usr/bin/perl /usr/libexec/webmin/miniserv.pl /etc/webmin/miniserv.conf
 
[elliot@insanityhosting ~]$ cat /etc/rc.d/init.d/webmin
#!/bin/sh
# chkconfig: 235 99 10
# description: web-based administration interface for Unix systems
#
### BEGIN INIT INFO
# Provides:          webmin
# Required-Start:    $local_fs $network $syslog
# Required-Stop:     $local_fs $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: web-based administration interface for Unix systems
# Description:       Webmin is a web-based interface for system administration
#                    for Unix. Using Webmin you can configure DNS, Samba, NFS,
#                    local/remote filesystems and more using your web browser.
### END INIT INFO
 
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="web-based administration interface for Unix systems"
NAME=Webmin
PIDFILE=/var/webmin/miniserv.pid
SCRIPTNAME=/etc/init.d/$NAME
START=/etc/webmin/start
STOP=/etc/webmin/stop
RELOAD=/etc/webmin/reload
LOCKFILE=/var/lock/subsys/webmin
CONFFILE=/etc/webmin/miniserv.conf
 
case "$1" in
start)
	$START >/dev/null 2>&1 </dev/null
	RETVAL=$?
	if [ "$RETVAL" = "0" ]; then
		touch $LOCKFILE >/dev/null 2>&1
	fi
	;;
stop)
	$STOP
	RETVAL=$?
	if [ "$RETVAL" = "0" ]; then
		rm -f $LOCKFILE
	fi
	;;
status)
	pidfile=`grep "^pidfile=" $CONFFILE | sed -e 's/pidfile=//g'`
	if [ "$pidfile" = "" ]; then
		pidfile=$PIDFILE
	fi
	if [ -s $pidfile ]; then
		pid=`cat $pidfile`
		kill -0 $pid >/dev/null 2>&1
		if [ "$?" = "0" ]; then
			echo "$NAME (pid $pid) is running"
			RETVAL=0
		else
			echo "$NAME is stopped"
			RETVAL=1
		fi
	else
		echo "$NAME is stopped"
		RETVAL=1
	fi
	;;
restart)
	$STOP ; $START
	RETVAL=$?
	;;
reload|force-reload)
	$RELOAD
	RETVAL=$?
	;;
*)
	echo "Usage: $0 {start|stop|restart|reload|force-reload|status}" >&2
	RETVAL=1
	;;
esac
exit $RETVAL
 
 
[elliot@insanityhosting ~]$ cat /etc/webmin/miniserv.conf
cat: /etc/webmin/miniserv.conf: Permission denied

By default, Webmin runs on the port 10000

Tunneling

---

Given that it’s running internally, tunneling would be required to access it.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/insanityhosting]
└─$ sshpass -p elliot123 ssh elliot@insanityhosting.vm -N -L 10000:127.0.0.1:10000

SSH local tunneling

Authentication

---

A Webmin credential was identified in the Firefox profile of the elliot user; root:S8Y389KJqWpJuSwFqFZHwfZ3GnegUa

Successfully authenticated. N/A