Walla

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 4000 192.168.197.97
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-04 22:22 +08
Nmap scan report for 192.168.197.97
Host is up (0.17s latency).
Not shown: 65528 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
23/tcp    open  telnet
25/tcp    open  smtp
53/tcp    open  domain
422/tcp   open  ariel3
8091/tcp  open  jamlink
42042/tcp open  unknown

Telnet is enabled, which is always great. Ran a detailed nmap scan too:

$ sudo nmap -p 22,23,25,53,422,8091,42042 -sC -sV -O --min-rate 3000 192.168.197.97
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-04 22:24 +08
Nmap scan report for 192.168.197.97
Host is up (0.17s latency).

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 02715dc8b943ba6ac8ed15c56cb2f5f9 (RSA)
|   256 f3e510d416a99e034738baac18245328 (ECDSA)
|_  256 024f99ec856d794388b2b57cf091fe74 (ED25519)
23/tcp    open  telnet     Linux telnetd
25/tcp    open  smtp       Postfix smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=walla
| Subject Alternative Name: DNS:walla
| Not valid before: 2020-09-17T18:26:36
|_Not valid after:  2030-09-15T18:26:36
|_smtp-commands: walla, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
53/tcp    open  tcpwrapped
422/tcp   open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 02715dc8b943ba6ac8ed15c56cb2f5f9 (RSA)
|   256 f3e510d416a99e034738baac18245328 (ECDSA)
|_  256 024f99ec856d794388b2b57cf091fe74 (ED25519)
8091/tcp  open  http       lighttpd 1.4.53
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: lighttpd/1.4.53
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=RaspAP
42042/tcp open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 02715dc8b943ba6ac8ed15c56cb2f5f9 (RSA)
|   256 f3e510d416a99e034738baac18245328 (ECDSA)
|_  256 024f99ec856d794388b2b57cf091fe74 (ED25519)

Weak Creds -> Web Console

I took a look at port 8081 first, and found that it had a HTTP login:

We can login with admin:secret and view the dashboard:

This is running RaspAP, which is a wireless router software. We can find the version by heading to 'About RaspAP':

There are RCE exploits for this:

However, we don't actually need any exploits because within the 'System' tab, there's a Console present:

A reverse shell is trivial:

Grab the user flag from the home directory of walter.

Privilege Escalation

Sudo Privileges -> Module RCE

I ran a linpeas.sh scan to enumerate for me. Here's the interesting output:

The wifi_reset.py file looks the easiest to exploit:

This is pretty easy to exploit. We can create a script wificontroller.py and place it within the /home/walter directory. Here's the contents of it:

Then, we can attempt to run the wifi_reset.py script and easily get a root shell:

PreviousVoIPNextWheels

Last updated