Walla
PG Practice Walla writeup
Nmap
Connecting to port 8091 prompts for credentials for "RaspAP", which is Debian-based software for wireless routers.
Looking up the default credentials, we can log in with admin:secret.
Checking the settings, we are running version 2.5. A PoC exists here: https://raw.githubusercontent.com/lb0x/cve-2020-24572/master/raspap_pwn.py. However, I was unable to get code execution from this.
Looking at the exploit code, we can see it is trying to interact with webconsole.php.
We can manually browse to this at: http://192.168.233.97:8091/includes/webconsole.php.
Using this, along with telnet running on the target machine, we can obtain a proper reverse shell:
Running linpeas.sh on the target reveals the following interesting information:
As www-data, we can delete the file /home/walter/wifi_reset.py and replace it with a Python reverse shell of the same name:
Then execute with sudo
as root:
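The escalation above works because a file that sudo runs can be deleted and replaced by a less-privileged account, which on Unix requires write access to the containing directory. The following audit check for that condition is an added example, not part of the original writeup; the function name `audit_sudo_target` and the trusted-UID policy (root only by default) are assumptions.

```python
import os
import stat

def audit_sudo_target(path, trusted_uids=frozenset({0}), stop="/"):
    """Walk from a sudo-permitted file up to `stop`, returning (path, reason)
    for every component that an account outside `trusted_uids` could use to
    modify or replace the file."""
    findings = []
    current = os.path.realpath(path)   # resolve symlinks before checking
    stop = os.path.realpath(stop)
    child_owner = None                 # owner of the entry below `current`
    while True:
        st = os.stat(current)
        is_dir = stat.S_ISDIR(st.st_mode)
        kind = "directory" if is_dir else "file"
        if st.st_uid not in trusted_uids:
            findings.append((current, f"{kind} owned by untrusted uid {st.st_uid}"))
        loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        # Sticky directories (like /tmp) only let an entry's owner, the
        # directory owner or root remove it, so they pass if those are trusted.
        sticky_ok = is_dir and (st.st_mode & stat.S_ISVTX) and child_owner in trusted_uids
        if loose and not sticky_ok:
            findings.append((current, f"group/world-writable {kind}"))
        parent = os.path.dirname(current)
        if current == stop or parent == current:
            break
        child_owner, current = st.st_uid, parent
    return findings

if __name__ == "__main__":
    # Path taken from the writeup; run this on the host being audited.
    target = "/home/walter/wifi_reset.py"
    if os.path.exists(target):
        for where, why in audit_sudo_target(target):
            print(f"{where}: {why}")
```

Any finding on the script or one of its parent directories means the sudo rule effectively grants root to whoever controls that component. Group-writable entries are flagged regardless of group membership, so review those by hand.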