Starting the recon process with an nmap scan of all TCP ports shows services listening on ports 22, 53, 80, 1110, 32400 and 32469.
The first one to check is the HTTP server on port 80. The following screenshot of a curl request shows that it's running a really cool service called Pi-hole:
Next, I take a quick look at the HTTP service on port 32400. It's running Plex Media Server, and we are prompted with a login screen:
The first thing I do is fire off a brute-force attack against the target's SSH service with hydra, so it runs in the background while I keep looking around.
After reading the Pi-hole docs, I find out there's an admin UI at http://10.10.10.48/admin.
But the default password generated by Pi-hole is really hard to guess, so this path is a dead end.
While I was reading the docs, the hydra brute-force found a valid SSH credential. It turned out to be the default user and password from the Raspbian install, and we have a foothold on the system!
Let’s see if we have root privileges:
Getting the flag
Nice, we are root! But wait… where's the flag? Buried in a lost file on a USB drive?
We can read the raw data off the USB drive with dd and recover the file from it.
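As an added example (not the author's command), this Python script does the same recovery the dd step above relies on: it reads a raw block device in fixed-size chunks, carves the printable runs out of the bytes, and returns the runs containing a marker, re-scanning each chunk's tail so a deleted file that straddles a chunk boundary is still found whole. The device path and marker on the command line are placeholders, and the embedded image is a constructed sample, not the machine's USB contents.

```python
import io
import re
import sys

# Printable ASCII runs of at least 4 bytes, the same rule `strings -n 4` applies.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e\t\n]{4,}")

# Constructed sample of a raw block image: zeroed sectors, a stale directory-entry
# name, and the body of a deleted text file whose blocks were never overwritten.
SAMPLE_IMAGE = (
    b"\x00" * 90
    + b"deleted-note.txt\x00"
    + b"The flag file was here: FLAG{constructed-sample-only}\n"
    + b"\x00" * 40
)


def carve_strings(data: bytes, base_offset: int = 0):
    """Yield (absolute_offset, text) for every printable run in `data`."""
    for m in PRINTABLE_RUN.finditer(data):
        yield base_offset + m.start(), m.group().decode("ascii")


def search_image(stream, marker: bytes, chunk_size: int = 1 << 20, overlap: int = 4096):
    """Read a raw device/image in chunks (what `dd bs=` does) and return
    [(offset, text)] for printable runs containing `marker`. The tail of each
    chunk is re-scanned with the next one, so a run that crosses a chunk
    boundary is recovered whole; duplicates are merged by offset, keeping the
    longer copy. A run longer than `overlap` is still reported in pieces."""
    hits = {}
    carry, pos = b"", 0
    needle = marker.decode("ascii")
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        data = carry + chunk
        for off, text in carve_strings(data, pos - len(carry)):
            if needle in text and len(text) > len(hits.get(off, "")):
                hits[off] = text
        pos += len(chunk)
        carry = data[-overlap:]
    return sorted(hits.items())


def scan_bytes(data: bytes, marker: bytes, **kw):
    """Convenience wrapper for scanning an in-memory image."""
    return search_image(io.BytesIO(data), marker, **kw)


if __name__ == "__main__":
    # Usage: python carve.py /dev/sdX 'FLAG{'   (device path is a placeholder)
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as dev:
            results = search_image(dev, sys.argv[2].encode())
    else:
        results = scan_bytes(SAMPLE_IMAGE, b"FLAG{")
    for off, text in results:
        print(f"0x{off:08x}: {text.rstrip()}")
```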
And that’s it! Hope you enjoyed this one!