1. Content overview:
Try to enter the file system of the Cisco RV325 and make some modifications.
Full body appearance:
2. Web-side analysis process:
Account: cisco
password:......
First, visit the web page at 192.168.1.1 (no Chinese option ~ hateful)
After entering the user name and password, the interface is as follows:
Look around the interface and add a static routing table
3. Remote connection to the RV325:
The purpose is to connect to the RV325 and restart the web side
But there is no debugging interface.
1. Scan with nmap first
2. Found that port 22, that is, the SSH port, is open; connect with PuTTY
But I tried many commands: ls, ifconfig, insmod, uname, id, pwd, lsmod, sudo
A "Command or filename not found" error appears
I found no information on the Internet explaining the reason, but after asking I learned that this is only a general operation that does not enter the file system, so the corresponding commands are not available
3. It is necessary to obtain root privileges through vulnerabilities (CVE-2019-1652 and CVE-2019-1653, etc.). After searching for information online, the available commands are as follows:
The equipment commands include a collection of commands for installation and login, file processing, system management, network operation, system security, and other functions.
4. Mistakes:
After canceling all services on the Firewall interface on the web side, I found that I could no longer log in from the web side.
Scanning the ports again, I found that ports 443 and 22 had been closed. I don't know how to connect
1. Reset the router and try to remedy it
The remedy failed
2. Call the after-sales service hotline 4006680046
The customer service lady said to register a Cisco account and provide the company address. It was a little troublesome, so I gave up on this route.
3. Access through ports 80 and 8008 is not possible, so try to access port 8000
Via http://192.168.1.1:8000
Successful visit
Reopen the port
5. Use vulnerabilities to enter the file system:
1. Find the PoC for CVE-2019-1653 on the vulnerability website
https://www.exploit-db.com/exploits/46262
That is, request https://192.168.1.1/cgi-bin/config.exp
After execution, you can get the RV325 configuration information (including password hashes and other information) without logging in
2. Use the PoC for CVE-2019-1652
https://www.exploit-db.com/exploits/46655
I am not very familiar with MSF for the time being, so I haven't finished
In the past two days, I completed the process and finished the blog, making some contributions to the eco-environment of the code farmer.
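For the defensive side of step 1 in this section, the following added example (not part of the original post and not Cisco code) scans web access logs for requests to the /cgi-bin/config.exp path, including percent-encoded or padded variants, and separates answered requests from probes. It assumes Combined Log Format lines from a proxy or sensor in front of the router's management interface; the function names and the sample lines are constructed for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

EXPORT_PATH = "/cgi-bin/config.exp"  # path requested in step 1 above

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def canonical_path(target):
    """Reduce a request target to a decoded, normalised, lower-case path."""
    path = re.sub(r"^[a-z][a-z0-9+.-]*://[^/]*", "", target, flags=re.I)
    path = path.split("?", 1)[0].split("#", 1)[0]
    for _ in range(2):  # undo single and double percent-encoding
        path = unquote(path)
    # Collapse "//", "/./" and "/x/../"; lower-casing may over-match, which
    # is acceptable for an alert that a person reviews.
    return normpath("/" + path.lstrip("/")).lower()

def scan(lines):
    """Return one finding per request that targets the export path."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or canonical_path(m["target"]) != EXPORT_PATH:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        # A 200 with a body means the configuration left the device;
        # anything else is recorded as a probe.
        disclosed = m["status"] == "200" and size > 0
        findings.append({"ip": m["ip"], "time": m["ts"], "bytes": size,
                         "verdict": "config-disclosed" if disclosed else "probe"})
    return findings

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2019:10:01:02 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 200 48211 "-" "curl/7.58.0"',
    '198.51.100.7 - - [12/Mar/2019:10:01:05 +0000] "GET /cgi-bin/%2e/CONFIG.exp?a=1 HTTP/1.1" 403 0 "-" "-"',
    '192.168.1.50 - cisco [12/Mar/2019:10:02:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2019:10:03:10 +0000] "GET /cgi-bin/x/..%252fconfig.exp HTTP/1.1" 404 -',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any "config-disclosed" finding means the password hashes in that configuration should be treated as exposed and the credentials rotated after the firmware is updated.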