Internet of Insecure Things

A couple of weeks back, I got the opportunity of pentesting an IoT device. To give a brief background, it was a Pi running Apache which served static content. Recently, there has been a lot of focus on IoT security, especially after the havoc created by malware like Mirai, VPNFilter, ForgotDoor. Following post contains details of how a simple configuration flaw led to code execution in one of the IoT devices.

First things first, I wanted to check what ports are exposed and what services are run on the device. The NSE script http-git had found that the .git/ folder is public and the application is written in PHP which nmap guessed from the .gitignore file.

[nishaanthguna:~/pentest]$ nmap -vvv -A -Pn -p- http://website.com
Starting Nmap 7.70 ( https://nmap.org ) at 2018-01-18 12:46 IST
...
PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Apache httpd 2.4.25 ((Raspbian))
| http-git:
|   102.X.X.X:80/.git/
|     Git repository found!
|     .git/config matched patterns 'user'
|     .git/COMMIT_EDITMSG matched patterns 'passw' 'user' 'uid'
|     Repository description: Unnamed repository; edit this file 'description'...
|     Last commit message: <!DOCTYPE html> <html> <head> <meta charset="utf-8"> ...
|     Remotes:
|       https://github.com/someuser/something.git
|_    Project type: PHP application (guessed from .gitignore)

Great! We can recursively download the .git folder from the webpage and try to rebuild the repository.

[nishaanthguna:~/pentest]$ wget --mirror --include-directories=/.git http://website.com/.git/
Connecting to website.com (website.com)|102.x.x.x|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3408 (3.3K)
...

[nishaanthguna:~/pentest]$ git reset --hard
HEAD is now at d2cvae8 Tampered but not notified

On hard resetting, it reverts back to the previous commit throwing away all the uncommitted changes. On grepping for passwords, there was a temporary file with database password in cleartext.

db-config-password

The MySQL port 3306 was open and was accessible from outside the box. After this, I wanted to escalate this to execute commands. While researching, found a blog which explains how to upload shells by exploiting SQL Injection. That would work.

Tried to push a simple PHP shell into the webroot which executes commands passed through URL parameters.

shell-error

Maybe the Apache server and MySQL server are owned by two different users and the MySQL user does not have permission to write to the webroot. After this, I was reading about other techniques to execute commands but most of them pointed towards the same thing except for UDF exploitation. Unfortunately, the plugin folder of MySQL also didn’t have write permissions rendering the above technique unusable.

Just when I was about to give up, Jaggu suggested me to try writing the shell in all the directories and not only webroot. And, it worked! I was able to upload the shell in downloads/ folder because of misconfigured permissions.

shell-success

From here, I was able to get a reverse shell using Python.

python-shell python-shell2

To elevate the permission to root, I tried running dirtycow which had been patched. Tried a few other exploits which didn’t work either.

If you are want to keep yourself updated about IoT malware, I highly recommend following Ankit.

Think I should have approached the target differently? Or used a specific exploit to root the box? Please do let know your feedback and comments below.

comments powered by Disqus