# nmap -sC -sV -v -Pn 10.0.0.25
...............................
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 2f:bf:51:ff:a1:10:9c:36:99:48:74:01:81:e4:43:50 (RSA)
| 256 21:df:59:d5:43:27:90:7e:c8:9e:92:2a:a4:b7:f2:03 (ECDSA)
|_ 256 ff:42:47:41:de:5a:6b:68:cc:9c:9b:80:8e:af:06:61 (ED25519)
80/tcp closed http
443/tcp closed https
10000/tcp open http MiniServ 1.962 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: 592A62B1EC4A86A9141B77AB1BECD580
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: MiniServ/1.962
|_http-title: Site doesn't have a title (text/html; Charset=utf-8).
# nmap --script=http-vuln* 10.0.0.25
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-29 14:12 EDT
Nmap scan report for 10.0.0.25
Host is up (0.024s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
443/tcp closed https
10000/tcp open snet-sensor-mgmt
| http-vuln-cve2006-3392:
| VULNERABLE:
| Webmin File Disclosure
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2006-3392
| Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.
| This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences
| to bypass the removal of "../" directory traversal sequences.
|
| Disclosure date: 2006-06-29
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392
| http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure
|_ http://www.exploit-db.com/exploits/1997/
We have Webmin 1.9 running on port 10000.
There are some interesting exploits for Webmin, but some of them require the expired-password-change feature to be enabled, which it is not in this case!