- Vulnerability: default Raspberry Pi credentials (pi:raspberry) left in place on a Pi-hole host
- Explanation: default installation without changing the password
- Vulnerability: unrestricted sudo
- Explanation: the pi user can escalate to root with sudo
nmap -p- -A -T4 10.10.10.48
- TCP 22: OpenSSH 6.7p1
- TCP 53: dnsmasq 2.76
- TCP 80: lighttpd 1.4.35
- TCP 1834, 32469: Platinum UPnP
- TCP 32400: Plex Media Server httpd
Initial Shell Exploitation
Let's first check out the website on port 80.
Oh! It's a blank page. Let's see if a gobuster directory scan gives us something:
gobuster dir -u http://10.10.10.48/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307,401,403"
There's an admin directory. Let's check it out!
All right! It's the admin page for Pi-hole. Pi-hole is usually installed on a Raspberry Pi, and Raspbian ships with the default account pi:raspberry, which is often left unchanged.
Let's try those credentials over ssh:
Initial shell obtained. That was straightforward.
Note: I did spend some time searching for exploitable vulnerabilities in other services, including Pi-hole, dnsmasq and Plex, before this. A classic example of why we should try default IDs/passwords first.
The user flag is obtained easily:
Getting to root is also simple:
User pi can run any command with sudo (sudo -l confirms it), so sudo su drops us straight into a root shell. Now, on to the root flag:
OK. The root flag is less straightforward than the root shell was. lol
It hints that we may find it on a USB stick, so I ran the df command:
Looks like /media/usbstick is the spot. Let’s check it out.
OK. We get a second hint: the files were deleted by James. Great.
In general, deleting a file does not clear its data from the drive. The filesystem removes the directory entry and marks the inode and data blocks as free, but the bytes stay on disk until something overwrites them. So if we read the raw block device rather than the filesystem, we can still find the contents. Let's make a copy of the USB drive with dd (imaging the whole device, not the mounted directory, and working on the copy so we don't touch the original):
dd if=/dev/sdb of=/tmp/usb.image
Then we can examine the printable text in usb.image (strings, piped through grep for the flag format).
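As an added example (not code from the original write-up), here is the same recovery step done in Python rather than with strings: a chunk-aware carver that walks a raw image, reports every printable run with its byte offset, and filters for a 32-hex-character token. The image it runs on is constructed in memory to stand in for the USB stick, with a "directory entry" naming the file and the file body laid out so it straddles a read boundary; the flag value, the file name and the 32-hex flag format are all assumptions for the demo. Point it at a real dd image (python3 carve.py /tmp/usb.image) to use it on the box.

```python
"""Recover text from a raw disk image after the file that held it was deleted.

Added example; not code from the original write-up.  Everything below
runs offline on a constructed toy image (not the Mirai USB stick): a
"directory entry" naming the file followed by the file's bytes.  Deleting
the file only wipes the entry; the bytes stay until something overwrites
them, which is why strings over a dd image of the stick still works.
"""
import io
import re
import sys
from typing import BinaryIO, Iterator, List, Tuple

MIN_LEN = 8          # like `strings -n 8`: ignore short accidental runs
CHUNK = 4096         # read size; a printable run may straddle two reads
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}   # space..~ plus tab

# Assumed flag format (32 hex characters); change the pattern for other targets.
FLAG_RE = re.compile(r"\b[0-9a-f]{32}\b")


def carve_strings(fh: BinaryIO, min_len: int = MIN_LEN,
                  chunk: int = CHUNK) -> Iterator[Tuple[int, str]]:
    """Yield (byte offset, text) for every run of >= min_len printable bytes.

    Reads the image chunk by chunk so a multi-GB dd image is fine, and keeps
    the partial run alive across the chunk boundary so a string that starts
    at the end of one read and ends in the next is reported whole, once.
    """
    run = bytearray()
    run_start = 0
    pos = 0
    while True:
        block = fh.read(chunk)
        if not block:
            break
        for i, byte in enumerate(block):
            if byte in PRINTABLE:
                if not run:
                    run_start = pos + i
                run.append(byte)
            else:
                if len(run) >= min_len:
                    yield run_start, run.decode("ascii")
                run.clear()
        pos += len(block)
    if len(run) >= min_len:           # run that reaches the end of the image
        yield run_start, run.decode("ascii")


def find_flags(fh: BinaryIO) -> List[Tuple[int, str]]:
    """Offset and value of every flag-shaped token in the carved strings."""
    hits = []
    for off, text in carve_strings(fh):
        for m in FLAG_RE.finditer(text):
            hits.append((off + m.start(), m.group(0)))
    return hits


def strings_in(data: bytes) -> List[Tuple[int, str]]:
    """Convenience wrapper: carve an in-memory image."""
    return list(carve_strings(io.BytesIO(data)))


# ---- constructed toy image (not real filesystem structures) ----
DIR_ENTRY = b"root.txt\x00"                  # "directory entry" for the file
DATA_OFFSET = CHUNK - 10                     # file body straddles the first read
PREFIX = b"note to self: flag is "
FLAG = b"deadbeefcafebabe" * 2               # constructed, not a real flag
IMAGE_SIZE = 2 * CHUNK


def build_image() -> bytes:
    """Entry at offset 0, file body at DATA_OFFSET, zeros everywhere else."""
    img = bytearray(IMAGE_SIZE)
    img[:len(DIR_ENTRY)] = DIR_ENTRY
    body = PREFIX + FLAG + b"\n"
    img[DATA_OFFSET:DATA_OFFSET + len(body)] = body
    return bytes(img)


def unlink(img: bytes) -> bytes:
    """Model rm: clear the directory entry, leave the data blocks untouched."""
    return b"\x00" * len(DIR_ENTRY) + img[len(DIR_ENTRY):]


def demo() -> List[Tuple[int, str]]:
    """Build the toy image, delete the file, carve the flag back out."""
    return find_flags(io.BytesIO(unlink(build_image())))


if __name__ == "__main__":
    # python3 carve.py /tmp/usb.image   -> flags found in a real dd image
    # python3 carve.py                  -> the offline demo on the toy image
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            hits = find_flags(fh)
    else:
        hits = demo()
    for off, flag in hits:
        print(f"0x{off:08x}: {flag}")
```

The offsets matter in practice: once you know where the text sits in the image, dd with skip= pulls the surrounding block for context, and a run that crosses a read boundary is exactly the kind of thing a naive split-and-search loses.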
There we go. We find the root flag! Mission accomplished.
Thank you for the box Mirai, Arrexel!