PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
| 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
| 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http lighttpd 1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: lighttpd/1.4.35
1255/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open http Plex Media Server httpd
|_http-favicon: Plex
|_http-title: Unauthorized
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
32469/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Looks like we have two web servers running, on ports 80 and 32400
DNS is open, maybe a zone transfer
On port 1255 we have UPnP (Universal Plug and Play), version 1.0.5.13: a networking protocol that allows compliant devices to automatically set port forwarding rules for themselves
First let's attempt a DNS zone transfer on port 53
Come back to this
Let's check out the web server on port 80
We are brought to a blank page
We can confirm the lighttpd version, 1.4.35
Let's run feroxbuster and see if we can find anything else
We find `http://10.10.10.48/admin/`
Worth looking into when we finish enumerating
We also find the directory `http://10.10.10.48/versions`; when we navigate to it we get a .txt file with version numbers but nothing specified
Not sure what this is
**HTTP PORT 32400**
When we navigate to http://10.10.10.48:32400 we can see the following
Let's see if we can do some feroxbusting and find anything
Looks like there may be security in place to prevent directory busting, as we are getting 200s for everything
Let's create an account and inspect the request with Burp
Unable to create an account; the application seems to be having password complications
So far our best bet is the Pi-hole interface we found on http://10.10.10.48
What is Pi-hole: a network-wide ad blocker designed to function as a DNS sinkhole; its primary purpose is to block unwanted content
Most of the time these Pi-hole interfaces are associated with a Raspberry Pi, meaning there could be a Raspberry Pi IoT device on the network
After a quick Google search we find that the IoT device (Raspberry Pi) often has an SSH connection to the target server and the default credentials are pi:raspberry
Let's see if we can SSH into the machine
We now have access as pi on the target machine
When we check our sudo privileges we can see the following
We can simply sudo su and we are root
Now trying to find the root flag
When we cat out root.txt we see the following
Looking in /media/usb we can see the following note
Let's see if we can create an image of the USB stick and enumerate it on our local machine
Now we can download it to our local machine
Now we can run strings and see if we can find anything interesting
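The strings pass over the USB image, as an added example that is not part of this write-up: a small Python carver that lists printable ASCII runs with their byte offsets (what `strings -t x image.dd` gives you), so text from a deleted file that still sits in unallocated space can be found. It runs against a constructed 4 KiB image embedded below, not the box's real USB stick; `load_image` is the hook for a real dd image.

```python
#!/usr/bin/env python3
"""Carve printable strings, with byte offsets, out of a raw disk image.
Example code for a forensic strings pass; the image below is constructed."""
import re
from typing import List, Tuple

MIN_LEN = 8  # skip short runs, which on a real image are mostly noise

# Constructed image: one allocated file at 0x200 and the leftover of a deleted
# (unlinked but not overwritten) file at 0x800, zero bytes everywhere else.
LIVE_FILE = b"live file: still allocated on the stick\n"
DELETED_NOTE = b"deleted note: unlinked but never overwritten\n"
SAMPLE_IMAGE = bytearray(4096)
SAMPLE_IMAGE[0x200:0x200 + len(LIVE_FILE)] = LIVE_FILE
SAMPLE_IMAGE[0x800:0x800 + len(DELETED_NOTE)] = DELETED_NOTE


def carve_strings(image: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str]]:
    """Return (offset, text) for every run of >= min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]


def grep_image(image: bytes, needle: str, min_len: int = MIN_LEN) -> List[Tuple[int, str]]:
    """Keep only carved strings containing needle (case-insensitive), like strings | grep -i."""
    needle = needle.lower()
    return [(off, s) for off, s in carve_strings(image, min_len) if needle in s.lower()]


def load_image(path: str) -> bytes:
    """Read a raw image made with dd; a whole-file read is fine for a small USB stick."""
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    # Offsets tell you roughly where on the device the text lives, which helps
    # decide whether it came from a live file or from unallocated space.
    for off, text in carve_strings(bytes(SAMPLE_IMAGE)):
        print(f"{off:08x}  {text}")
```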