Pie
https://www.cyberseclabs.co.uk/labs/info/Pie/
Nmap
HTTP
Unless we opted to brute force SSH on port 22 HTTP on port 80 is going to be our best attack vector. The root page on 172.31.1.26 takes us to the following page for Pi-hole.
I decided to use feroboxbuster to enumerate further web directories. Using the -s switch we can select only results for specific return codes. The -q switch further reduces output.
Browsing to http://172.31.1.26/admin/ we find we are already signed into the administrator's dashboard.
Going to help on the left and scrolling down we can see what version of Pi-hole we are running.
Performing a Google search for Pi-hole exploits one of the top results is from exploit-db.com which I have linked below.
This exploit meets our criteria where is affects versions of Pi-hole 4.4 and before. Other exploits also require knowing the password for authentication in which we do not. This exploit above requires a session cookie in which we can provide since are logged in.
In Firefox whilst logged into the dashboard we can open the console window with CTRL + SHIFT + I.
Move into storage and make a note of the value next to the PHPSESSID. This is our session cookie in which we need for the exploit.
Before we run the exploit start netcat with the following command:
When ready run the exploit with the following syntax:
When checking our netcat listener we should have caught a shell as root.
Last updated
