# IOTGoat OWASP | Walkthrough

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-481392b422b5c37dfc275eefe40ec98f3087c477%2Fimage.png?alt=media)

> Copyright to book.redsquad.xyz

## Prerequisites

```bash
# Get the IoTGoat .img (static analysis) and .vmdk (dynamic analysis, run it locally) from:
#   https://github.com/OWASP/IoTGoat/releases

# packages
apt update
apt install binwalk squashfs-tools

# TOOLS
mkdir tools
cd tools

# firmwalker
git clone https://github.com/scriptingxss/firmwalker.git

# testssl
git clone https://github.com/drwetter/testssl.sh.git

# linpeas (-o saves the script to a file instead of dumping it to the terminal)
curl -L -o linpeas.sh https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
```

## Static Analysis <a href="#static-analysis" id="static-analysis"></a>

**Get the IOTGoat .img file.**

### Binwalk <a href="#binwalk" id="binwalk"></a>

```bash
# Scan the image for signatures (code, file systems, certificates, etc.)
binwalk IOTGoat.img

# Extract (-e) recursively (-M, "matryoshka") and delete the carved
# intermediate files once they have been extracted (-r)
binwalk -reM IOTGoat.img
```

*Squashfs filesystem, little endian, version 4.0, compression:xz*

```bash
# Carve the squashfs out of the .img and save it as a .bin file.
# 29360128 is the byte offset reported by binwalk for the Squashfs signature;
# bs=1 works but is slow, "bs=1M skip=28" reads the same bytes much faster.
dd if=IoTGoat-raspberry-pi2.img bs=1 skip=29360128 of=iotgoat.bin
```

**.bin analysis:**

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-856f950f916e47a4e25f7cbbf3a3cd32a4ae9e01%2Fimage.png?alt=media)

It is a squashfs file system so we can use **unsquashfs**, which will allow us to unpack the squashfs file system:

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-0ac7ac235696301c3a4e5cfed143c01efdb21884%2Fimage.png?alt=media)
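The carving step above relies on binwalk's signature scan. The following added example (not part of the walkthrough or of the IoTGoat project) does the same locating job in a stricter way: it looks for the SquashFS `hsqs` magic, validates the superblock fields (version 4.0, a known compressor, a consistent block size) so that stray occurrences of the magic are not mistaken for a file system, and derives a `dd` command with a block size larger than 1. The superblock layout follows the SquashFS 4 on-disk format; the firmware image used here is constructed inline, and the 29360128 offset is the one from the page.

```python
"""Added example: locate and validate a SquashFS v4 superblock in a raw image and
turn its offset into an efficient dd command. Sample image is constructed."""
import struct

SQUASHFS_MAGIC = b"hsqs"  # 0x73717368 stored little-endian
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
# First 32 bytes of the superblock: magic, inode_count, mod_time, block_size,
# frag_count, compressor, block_log, flags, id_count, version_major, version_minor
SUPERBLOCK_FMT = "<4sIIIIHHHHHH"
SUPERBLOCK_SIZE = 96  # full v4 superblock; the remaining bytes are 64-bit table pointers


def parse_superblock(data: bytes, offset: int) -> dict:
    """Parse the superblock at `offset`; raise ValueError unless it is a sane v4 header."""
    size = struct.calcsize(SUPERBLOCK_FMT)
    chunk = data[offset:offset + size]
    if len(chunk) < size:
        raise ValueError("truncated superblock")
    (magic, inodes, _mtime, block_size, frags, comp, block_log,
     _flags, _ids, major, minor) = struct.unpack(SUPERBLOCK_FMT, chunk)
    if magic != SQUASHFS_MAGIC:
        raise ValueError("bad magic")
    if (major, minor) != (4, 0):
        raise ValueError(f"unsupported version {major}.{minor}")
    # block_size is a power of two between 4 KiB and 1 MiB and must match block_log
    if block_size != 1 << block_log or not 4096 <= block_size <= 1 << 20:
        raise ValueError("inconsistent block size")
    if comp not in COMPRESSORS:
        raise ValueError(f"unknown compressor id {comp}")
    return {"offset": offset, "version": f"{major}.{minor}",
            "compression": COMPRESSORS[comp], "block_size": block_size,
            "inodes": inodes, "fragments": frags}


def find_squashfs(data: bytes) -> list:
    """Return a record for every offset that parses as a valid SquashFS v4 superblock."""
    found, pos = [], data.find(SQUASHFS_MAGIC)
    while pos != -1:
        try:
            found.append(parse_superblock(data, pos))
        except ValueError:
            pass  # a stray 'hsqs' inside other data, not a file system
        pos = data.find(SQUASHFS_MAGIC, pos + 1)
    return found


def dd_params(offset: int, max_bs: int = 1 << 20) -> tuple:
    """Largest block size (<= max_bs) dividing `offset`, plus the matching skip count."""
    bs = max_bs
    while offset % bs:
        bs //= 2
    return bs, offset // bs


def dd_command(image: str, offset: int, out: str = "rootfs.bin") -> str:
    bs, skip = dd_params(offset)
    return f"dd if={image} bs={bs} skip={skip} of={out}"


def build_sample_image(fs_offset: int = 4096) -> bytes:
    """Constructed sample: padding with a decoy magic, then a v4/xz superblock (128 KiB blocks)."""
    sb = struct.pack(SUPERBLOCK_FMT, SQUASHFS_MAGIC, 1234, 1600000000,
                     131072, 10, 4, 17, 0, 2, 4, 0)
    sb += b"\0" * (SUPERBLOCK_SIZE - len(sb))
    padding = bytearray(b"\xff" * fs_offset)
    padding[100:104] = SQUASHFS_MAGIC  # decoy: the validator must reject this one
    return bytes(padding) + sb + b"\0" * 4096


if __name__ == "__main__":
    for fs in find_squashfs(build_sample_image()):
        print(fs, "->", dd_command("sample.img", fs["offset"]))
    # the offset from the walkthrough: bs=1 skip=29360128 is equivalent to bs=1048576 skip=28
    print(dd_command("IoTGoat-raspberry-pi2.img", 29360128, "iotgoat.bin"))
```

Run it against a real image by reading the file into `data` and calling `find_squashfs(data)`; each hit can then be handed to `unsquashfs` after carving with the printed command.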

### 🐞 Vulnerabilities <a href="#lady_beetle-vulnerabilities" id="lady_beetle-vulnerabilities"></a>

#### ⚔️ No 1. Weak, Guessable or Hardcoded Passwords <a href="#crossed_swords-no-1-weak-guessable-or-harcoded-passwords" id="crossed_swords-no-1-weak-guessable-or-harcoded-passwords"></a>

> Use of easily found, publicly available, or unmodifiable credentials, including backdoors in firmware or client software that allow unauthorized access to deployed systems.

**Firmwalker**

{% hint style="info" %}
This tool allows us to search the extracted firmware file system for **juicy elements** (*passwords, keys, info leak, etc*).
{% endhint %}

```bash
./firmwalker.sh ../firmware/_IoTGoat.img.extracted/squashfs-root/ ./IoTGoat.txt
```

Excerpt:

![Info leaks](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-57e925cc11205553ce82ab74ff4cc29d20c59f15%2Fimage.png?alt=media)

```bash
# in the squashfs folder of the unpacked firmware
cat etc/shadow

# output :
root:$1$Jl7H1VOG$Wgw2F/C.nLNTC.4pwDa4H1:18145:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
iotgoatuser:$1$79bz0K8z$Ii6Q/if83F1QodGmkb4Ah.:18145:0:99999:7:::
```

We have two password hashes: one for **root** and one for the user **iotgoatuser**.
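Reading a shadow file by eye does not scale across a firmware corpus. The added example below (mine, not from the walkthrough) audits an `/etc/shadow` taken from an unpacked root file system: it classifies each password field by its crypt(5) prefix, flags accounts with an empty password, a fast hash such as md5crypt (`$1$`) or DES, an invalid `x` field, and duplicated entries. The sample content is the shadow file shown above.

```python
"""Added example: audit a firmware /etc/shadow for weak or odd password fields."""
import re

# crypt(5) prefixes -> (algorithm name, considered weak for offline cracking)
HASH_ALGOS = {
    "$1$": ("md5crypt", True),     # fast, no memory hardness
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),
    "$2a$": ("bcrypt", False), "$2b$": ("bcrypt", False), "$2y$": ("bcrypt", False),
    "$7$": ("scrypt", False), "$y$": ("yescrypt", False),
}


def classify_hash(field: str) -> tuple:
    """Return (status, algorithm, weak) for one shadow password field."""
    if field == "":
        return "EMPTY", None, True            # login without any password
    if field[0] in "*!":
        return "locked", None, False
    if field == "x":
        return "invalid", None, False         # 'x' in shadow never matches crypt(3)
    for prefix, (name, weak) in HASH_ALGOS.items():
        if field.startswith(prefix):
            return "hashed", name, weak
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "hashed", "descrypt", True     # traditional DES crypt, 8-char limit
    return "hashed", "unknown", True


def audit_shadow(text: str) -> list:
    """Parse shadow lines and return one finding per issue, in file order."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            findings.append({"line": lineno, "user": None, "issue": "malformed entry"})
            continue
        user, pw = fields[0], fields[1]
        if user in seen:
            findings.append({"line": lineno, "user": user, "issue": "duplicate account entry"})
        seen.add(user)
        status, algo, weak = classify_hash(pw)
        if status == "EMPTY":
            findings.append({"line": lineno, "user": user, "issue": "empty password"})
        elif status == "hashed" and weak:
            findings.append({"line": lineno, "user": user,
                             "issue": f"weak hash algorithm ({algo})"})
        elif status == "invalid":
            findings.append({"line": lineno, "user": user, "issue": "invalid hash field 'x'"})
    return findings


def weak_hash_accounts(text: str) -> list:
    """User names whose hash should be regenerated with a modern algorithm."""
    return [f["user"] for f in audit_shadow(text) if f["issue"].startswith("weak hash")]


# sample input: the shadow file extracted above (note the duplicated dnsmasq line)
SAMPLE_SHADOW = """\
root:$1$Jl7H1VOG$Wgw2F/C.nLNTC.4pwDa4H1:18145:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
iotgoatuser:$1$79bz0K8z$Ii6Q/if83F1QodGmkb4Ah.:18145:0:99999:7:::
"""

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"line {f['line']:>2}  {str(f['user']):<12} {f['issue']}")
```

Both hashes in the sample use md5crypt, which is why an ordinary wordlist attack against them is cheap; a device shipping today should use sha512crypt or better and, ideally, no password login for root at all.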

#### **Bruteforce SSH**

With the user name found, we try a **brute-force** attack on the SSH service (port 22).\
We use the **mirai-botnet** wordlist from **SecLists**.

```bash
# The list has one "user password" pair per line (whitespace-separated),
# so keep only the second field to get a password-only wordlist
awk '{print $2}' /usr/share/SecLists/Passwords/Malware/mirai-botnet.txt > /usr/share/SecLists/Passwords/Malware/mirai_pass.txt

# Bruteforce with Hydra: -l single user, -P password list, -t 4 parallel tasks,
# -f stop after the first valid pair
hydra -f -t 4 -l iotgoatuser -P /usr/share/SecLists/Passwords/Malware/mirai_pass.txt ssh://137.74.253.251
```

> **Credentials:**\
> iotgoatuser:7ujMko0vizxv
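The attack above is noisy: every guess lands in the device log. The following added example (mine, not from the walkthrough) shows the detection side, a sliding-window counter over Dropbear log lines that alerts on a burst of failed logins from one source and escalates if a successful login from the same source follows. The message wording (`Bad password attempt for ...`, `Password auth succeeded for ...`) is Dropbear's; the timestamps, host name, PIDs and addresses in the sample `logread` output are constructed.

```python
"""Added example: spot SSH password-guessing bursts in Dropbear log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \S+ dropbear\[\d+\]: "
    r"(?:Bad password attempt for '(?P<bad_user>[^']*)' from (?P<bad_src>[\d.]+):\d+"
    r"|Password auth succeeded for '(?P<ok_user>[^']*)' from (?P<ok_src>[\d.]+):\d+)")


def parse_line(line: str):
    """Return (timestamp, source_ip, user, success) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    if m.group("bad_src"):
        return ts, m.group("bad_src"), m.group("bad_user"), False
    return ts, m.group("ok_src"), m.group("ok_user"), True


def detect_bruteforce(lines, threshold: int = 5, window_s: int = 60) -> list:
    """Alert once per source IP when `threshold` failures fall inside `window_s` seconds,
    and raise a high-severity alert if that IP then authenticates successfully."""
    fails = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged, alerts = set(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user, ok = parsed
        if ok:
            if ip in flagged:
                alerts.append({"ip": ip, "severity": "high",
                               "detail": f"successful login as '{user}' after failure burst"})
            continue
        q = fails[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append({"ip": ip, "severity": "medium",
                           "detail": f"{len(q)} failed logins within {window_s}s"})
    return alerts


# constructed logread output: one isolated failure, then a burst that ends in success
SAMPLE_LOG = [
    "Fri Jan 11 09:00:01 2019 authpriv.warn dropbear[901]: Bad password attempt for 'root' from 10.0.0.7:40001",
    "Fri Jan 11 09:00:20 2019 authpriv.info dropbear[901]: Exit before auth from <10.0.0.7:40001>: Exited normally",
] + [
    f"Fri Jan 11 09:01:{s:02d} 2019 authpriv.warn dropbear[9{s:02d}]: "
    f"Bad password attempt for 'iotgoatuser' from 192.168.197.1:5{s:04d}"
    for s in range(0, 12, 2)
] + [
    "Fri Jan 11 09:01:13 2019 authpriv.notice dropbear[913]: Password auth succeeded for 'iotgoatuser' from 192.168.197.1:50013",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On a real device the same logic can be fed from `logread -f`; the thresholds are deliberately low because a router admin rarely mistypes a password five times in a minute.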

#### ⚔️ No 6: Insufficient Privacy Protection <a href="#crossed_swords-no-6-insufficient-privacy-protection" id="crossed_swords-no-6-insufficient-privacy-protection"></a>

> User's personal information stored on the device or in the ecosystem that is used in an insecure, inappropriate or unauthorized manner.

Firmwalker found a database containing personal information, unsecured since it was stored locally:

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-49cfcf14e02cd9c76596a555ffbbb80dc121c19b%2Fimage.png?alt=media)

This allowed us to extract unprotected sensitive information:

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-e0c6e0e4f36a7a271c683be1dd4a5af250c7ef16%2Fimage.png?alt=media)

## ⬛ Dynamic Analysis (1) <a href="#dynamic-analysis-black-box-black_large_square" id="dynamic-analysis-black-box-black_large_square"></a>

### 🐞 Vulnerabilities & Exploits <a href="#lady_beetle-vulnerabilities-exploits" id="lady_beetle-vulnerabilities-exploits"></a>

#### ⚔️ No 2. Insecure Network Services <a href="#crossed_swords-no-2-insecure-network-services" id="crossed_swords-no-2-insecure-network-services"></a>

> Unnecessary or unsecured network services running on the device itself, especially those exposed to the Internet, can compromise the confidentiality, integrity/authenticity, or availability of information or allow an attacker to gain unauthorized remote control.

1. **Exposed services**

```bash
❯ nmap -A -Pn 192.168.197.132

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
110/tcp   open  pop3
119/tcp   open  nntp
143/tcp   open  imap
443/tcp   open  https
465/tcp   open  smtps
563/tcp   open  snews
587/tcp   open  submission
993/tcp   open  imaps
995/tcp   open  pop3s
5000/tcp  open  upnp
5515/tcp  open  unknown
65534/tcp open  unknown
```

Because no network filtering restricts them, some of these services are exposed to the Internet. This lets an attacker fingerprint each service and look for known vulnerabilities in it, and such auxiliary services are often less hardened than the main ones.

**2. MiniUPnP 2.1**\
This MiniUPnP version is affected by the following vulnerabilities:

* **Use after free** vulnerability (*CVE-2019-12106*)
* **Information disclosure** vulnerability (*CVE-2019-12107*)
* Multiple **DoS** vulnerabilities due to NULL pointer dereferences (*CVE-2019-12108, CVE-2019-12109, CVE-2019-12110, CVE-2019-12111*)

**3. dnsmasq 2.73**

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-5a84be7ae58ab2415094f80f4bf9052fdd830d89%2Fimage.png?alt=media)

The version of dnsmasq is outdated and vulnerable to 20 exploits:

![1](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-3c6967579db81d9e6882cffbd9794eee9cfb9ed7%2Fimage%20\(137\)%20\(1\).png?alt=media)

![2](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-3ff8af30622fa2732d426ed2a481fc23d71b8dbc%2Fimage.png?alt=media)

Some **PoCs** are available here:

{% embed url="<https://github.com/google/security-research-pocs/tree/master/vulnerabilities/dnsmasq>" %}

{% hint style="warning" %}
**Unfortunately, we were unable to test these exploits because the virtual network interfaces had problems accessing IoTGoat and running the UPnP and Dnsmasq exploits.**
{% endhint %}

**4. DropBear 2017.75-7.1**

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-a05df9a0b8de4494466acff2d430de6ba9d3096d%2Fimage.png?alt=media)

This version is **vulnerable to 4 exploits**:

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-dbcd5caa0cb8c60d048b434b840c34a1afa9a278%2Fimage.png?alt=media)

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-75f3f84310b07b92a752f736b96bb3ef2b0ab123%2Fimage.png?alt=media)

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-05790e9203a03f25f627eb79f10fa635e07f8d1d%2Fimage.png?alt=media)

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-10970bad6a9d707a8dc91603ae81ade9b19c72b8%2Fimage.png?alt=media)

Moreover, the configuration file contains a weakness: **root login over SSH** is enabled:

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-a40edd5b90b6519c6fc8aa205be794cbd4be199a%2Fimage.png?alt=media)
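That setting lives in the UCI file `/etc/config/dropbear` of the unpacked root file system, so it can be checked without booting the image. The added example below (mine, not from the walkthrough or OpenWrt) contains a minimal UCI parser and an audit that flags root password login, password authentication in general, and a listener that is not pinned to the LAN interface. The option names `PasswordAuth`, `RootPasswordAuth`, `Port` and `Interface` are the ones OpenWrt's dropbear init script reads (assumed here; check the target's `/etc/init.d/dropbear`), and both config fragments are constructed samples.

```python
"""Added example: audit an OpenWrt /etc/config/dropbear for SSH settings that
let anyone log in as root with a password."""
import shlex


def parse_uci(text: str) -> list:
    """Minimal UCI parser: [{'type': ..., 'name': ..., 'options': {...}}].
    Handles `config`, `option`, `list` and '#' comments (quotes respected by shlex)."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue                     # blank or comment-only line
        kw = parts[0]
        if kw == "config" and len(parts) >= 2:
            sections.append({"type": parts[1],
                             "name": parts[2] if len(parts) > 2 else None,
                             "options": {}})
        elif kw == "option" and sections and len(parts) >= 2:
            sections[-1]["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif kw == "list" and sections and len(parts) >= 3:
            sections[-1]["options"].setdefault(parts[1], []).append(parts[2])
    return sections


def uci_bool(value: str) -> bool:
    """UCI accepts several spellings for 'true'."""
    return str(value).lower() in ("1", "on", "true", "yes", "enabled")


def audit_dropbear(text: str) -> list:
    """Return human-readable findings for every dropbear section in the file."""
    findings = []
    for sec in parse_uci(text):
        if sec["type"] != "dropbear":
            continue
        opts = sec["options"]
        # OpenWrt defaults both auth options to 'on' when they are absent
        if uci_bool(opts.get("RootPasswordAuth", "on")):
            findings.append("RootPasswordAuth is on: root can log in with the /etc/shadow "
                            "password, which is exposed to online guessing")
        if uci_bool(opts.get("PasswordAuth", "on")):
            findings.append("PasswordAuth is on: prefer key-only login "
                            "(keys in /etc/dropbear/authorized_keys)")
        if "Interface" not in opts:
            findings.append("no Interface restriction: dropbear listens on every "
                            "interface, WAN included")
    return findings


# constructed sample: the stock OpenWrt file, as found in the firmware
DEFAULT_CONFIG = """\
config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'
#    option BannerFile '/etc/banner'
"""

# constructed sample: the hardened version (deploy an authorized key first!)
HARDENED_CONFIG = """\
config dropbear
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
    option Port '22'
    option Interface 'lan'
"""

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_dropbear(cfg) or ["no findings"])
```

Point it at `squashfs-root/etc/config/dropbear` from the extraction step to get the same verdict the screenshot shows, without any live target.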

#### ⚔️ No 7: Insecure Data Transfer <a href="#crossed_swords-no-7-insecure-data-transfer" id="crossed_swords-no-7-insecure-data-transfer"></a>

> Lack of encryption or access control of sensitive data.

We use the **testssl.sh** tool, which checks a server's service on any port for the TLS/SSL protocols and cipher suites it supports, as well as for recent cryptographic flaws.

The cipher suites offered by the web service (*CBC* mode) are **obsolete**:

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-03b63125f2fc5bb6bfa72d52f4042166093014ce%2Fimage.png?alt=media)

Also:

* The certificate does not match the URI provided
* The certificate is **self-signed** (no trust chain)
* No CRL or OCSP URI is provided

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-bef996f9da91d9fc6cc538c06f69a6aa3c321851%2Fimage.png?alt=media)

Moreover, the web service does not send the **HSTS** header, and no other security header is set either:

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-e33c4a21dcb19e3a46e86ac2d0b590a3a8a1a11f%2Fimage.png?alt=media)

The web service is potentially vulnerable to **Lucky13**:

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-1343f0425a2c2c40a65aed23ac3fa3730a4b784f%2Fimage.png?alt=media)

**2.** Finally, we run an OWASP ZAP scan on the web service:

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-764fd07d575bb15a909bd400c08aef71ee703365%2Fimage.png?alt=media)

* No **X-Frame-Options** header
  * Could lead to a **clickjacking** attack.
* No **anti-CSRF** token
  * Could lead to a **CSRF** attack via one of the forms.

Finally, **port 25 is open** on the machine, allowing the use of **telnet**, a non-secure communication protocol.

**🚪 Root BackDoor - PoC**

After recovering the **iotgoatuser** password, we connect to the machine over SSH.\
Many manual tests were run to try to **escalate privileges** and become root (*cf.* [*https://hackerbible.gitbook.io/en/pentest-linux/privilege-escalation/manual-checks*](https://hackerbible.gitbook.io/en/pentest-linux/privilege-escalation/manual-checks)).\
For example, we ran **Linpeas** on the machine to look for privilege escalation vectors:

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-e90aa6eab14c0af75de5bbd9cd9b341accaf3c48%2Fimage.png?alt=media)

Linpeas listed the listening ports on the machine, which revealed two interesting open ports: **5515** and **65534**.

Port **65534** is open, so we try to connect to it with netcat:

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-0dd3187c8225aee8663c19bdeb1290a8a76dad0d%2Fimage.png?alt=media)

We were not able to crack the root password, so this backdoor is not useful to us, as we can only connect as *iotgoatuser*.

Port **5515** is also open. We try to connect to it with netcat:

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-e86025a515c59fc73067e5bc780257b05b3d7092%2Fimage.png?alt=media)

This shell gives us **root** access, so we can **change the root password** in order to log in to the web interface:

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-a94a33b573a1fb6c5b76819478a9c108b45cfede%2Fimage.png?alt=media)

> Since this is an OpenWRT router, the SSH password and the root web interface password are the same.

## ⬜ Dynamic Analysis (2) <a href="#dynamic-analysis-white-box-white_large_square" id="dynamic-analysis-white-box-white_large_square"></a>

### 🔎 OSINT <a href="#mag_right-osint" id="mag_right-osint"></a>

New root password on the web interface: **password**

**Website Tree** (after authentication):

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-7694b1f4599016228e7cb1446b6a8ad845dfacf9%2Fimage.png?alt=media)

### 🐞 Vulnerabilities & Exploits <a href="#lady_beetle-vulnerabilities-exploits-2" id="lady_beetle-vulnerabilities-exploits-2"></a>

#### ⚔️ No 5. Use of Insecure or Outdated Components <a href="#crossed_swords-no-5-use-of-insecure-or-outdated-components" id="crossed_swords-no-5-use-of-insecure-or-outdated-components"></a>

> Use of outdated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of operating system platforms and the use of third-party software or hardware components from a compromised supply chain.

**1. Busybox 1.28.4**

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-87aa68a69500ca99d3ae5e16cd241270fc857850%2Fimage.png?alt=media)

This version of Busybox is potentially vulnerable to 14 exploits (*cf.* [*https://cyber.vumetric.com/vulns/busybox/busybox/1-28-4/*](https://cyber.vumetric.com/vulns/busybox/busybox/1-28-4/)).

**2. Linux Kernel 4.14.95**

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-ff76229eb3926c7c854ecb1f1518fce1f21e8e78%2Fimage.png?alt=media)

This kernel version dates from **2017**. Thus, it is potentially vulnerable to 25 exploits (*cf.* [*https://www.security-database.com/cpe.php?detail=cpe%3A2.3%3Ao%3Alinux%3Alinux\_kernel%3A4.14.95%3A\*%3A\*%3A\*%3A\*%3A\*%3A\*%3A\**](https://www.security-database.com/cpe.php?detail=cpe%3A2.3%3Ao%3Alinux%3Alinux_kernel%3A4.14.95%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A)).

**3. pppd version 2.4.7**

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-034135cfb57e431feef5d086906109570ad1a30f%2Fimage.png?alt=media)

This version of pppd is vulnerable to a denial of service and arbitrary code execution attack (*cf.* [*https://www.cyberveille-sante.gouv.fr/cyberveille/1646*](https://www.cyberveille-sante.gouv.fr/cyberveille/1646)).

#### ⚔️ No 4. Lack of Secure Update Mechanism <a href="#crossed_swords-no-4-lack-of-secure-update-mecanism" id="crossed_swords-no-4-lack-of-secure-update-mecanism"></a>

> Lack of security updates. This includes lack of firmware validation on the device, lack of secure encryption, lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.

* **OpenWRT version:**

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-d16980f3ce99e896e32c342a89f38c54b83a9104%2Fimage%20\(11\)%20\(2\).png?alt=media)

This version is **vulnerable** to **21 exploits**:

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-d9a9c65772e34eba1709b665b9d80bda48880c85%2Fimage.png?alt=media)

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-24d9738176019c6d82d6f428cf622c5c642368b5%2Fimage.png?alt=media)

**CVE-2020-7982 - PoC**

{% embed url="<https://forallsecure.com/blog/uncovering-openwrt-remote-code-execution-cve-2020-7982>" %}

#### ⚔️ No 3. Insecure Ecosystem Interfaces <a href="#crossed_swords-no-3-insecure-ecosystem-interfaces" id="crossed_swords-no-3-insecure-ecosystem-interfaces"></a>

> Unsecured web interfaces, APIs, mobile devices in the ecosystem, can allow the device or its related components to be compromised. The most common issues are lack of authentication/authorization, lack of or weak encryption, and lack of input and output filtering.

**CVE-2019-18992 - PoC**

> OpenWrt 18.06.2 is vulnerable to a **stored XSS attack** via these fields at the URI */cgi-bin/luci/admin/network/firewall/rules*: "**Open ports on router**", "**New forward rule**" and "**New Source NAT**".

An XSS payload has been inserted in */cgi-bin/luci/admin/network/firewall/rules*, in the **New Forward Rule** field.

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-72a01d562feecad240bf17900cfda670815c156c%2Fimage.png?alt=media)

Then we click on *Edit* to trigger the XSS:

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-8d593ff0aa402303a3fb63ef6456102890095637%2Fimage.png?alt=media)

This XSS is also present in the **New Forward Rule** and **New Source Nat** fields, as well as in **Traffic Rules Name**.

**CVE-2019-18993 - PoC**

> OpenWrt 18.06.4 is vulnerable to a **stored XSS attack** via the "New port forward" field at the URI /cgi-bin/luci/admin/network/firewall/forwards

This XSS payload has been inserted in */cgi-bin/luci/admin/network/firewall/forwards*, in the **New Port Forward** field:

```html
<script>alert("HACKED!");</script>
```

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-8ad79a1279cf9704fe9fb8de6de5abc2217bae90%2Fimage.png?alt=media)

By clicking on *Edit*, we trigger the XSS:

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-4da1c036fb8433134f1bbf042e964f719e94d04a%2Fimage.png?alt=media)

**CVE-2019-25015 - PoC**

> LuCI in OpenWrt versions **18.06.0 to 18.06.4** contains a **stored XSS vulnerability** via a modified SSID.

An XSS payload was inserted in */cgi-bin/luci/admin/network/wireless/wl0.network1* in the **ESSID** field.

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-f0945f2eef82131f76ceb6f1a0e3b18a814e5fd2%2Fimage.png?alt=media)

Then we click on **Save & Apply** to trigger the XSS:

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-151ecd16bc62e059f1a9bde00fd786f2c0865373%2Fimage.png?alt=media)
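All three CVEs above share one root cause: a value saved through a form (a rule name, a port-forward name, an SSID) is later interpolated into an admin page without output encoding. LuCI is written in Lua; the added example below (mine, not LuCI code) reproduces that pattern in Python, with the vulnerable renderer next to the fixed one and an input validator as defence in depth. The payload is the one used on this page; the rule records are constructed. The 32-byte SSID limit is the IEEE 802.11 one.

```python
"""Added example: the stored-XSS rendering bug and its fix, in Python."""
import html
import re

PAYLOAD = '<script>alert("HACKED!");</script>'


def render_rule_row_vulnerable(rule: dict) -> str:
    """The bug: the stored name is pasted into the HTML verbatim."""
    return f'<tr><td>{rule["name"]}</td><td>{rule["src"]}</td></tr>'


def render_rule_row_fixed(rule: dict) -> str:
    """Fix 1: contextual output encoding for every value that reaches HTML, whether it
    arrived with this request or was read back from a config file written earlier."""
    return (f'<tr><td>{html.escape(rule["name"])}</td>'
            f'<td>{html.escape(rule["src"])}</td></tr>')


def validate_rule_name(name: str) -> str:
    """Fix 2 (defence in depth): store only what a rule name legitimately needs."""
    if not re.fullmatch(r"[A-Za-z0-9 _.-]{1,64}", name):
        raise ValueError("rule name contains characters that are not allowed")
    return name


def validate_ssid(ssid: str) -> str:
    """SSIDs are 1..32 bytes; control characters are rejected too. Length limits alone
    do not stop XSS (a short payload fits), so the value must still be escaped on output."""
    raw = ssid.encode("utf-8")
    if not 1 <= len(raw) <= 32 or any(c < 0x20 for c in raw):
        raise ValueError("invalid SSID")
    return ssid


def contains_active_markup(rendered: str) -> bool:
    """Crude detector used to compare the two renderers: an unescaped script-ish tag or
    an inline event handler survived into the page."""
    return re.search(r"<\s*(script|img|svg|iframe)\b|\bon\w+\s*=", rendered, re.I) is not None


def rejects(validator, value: str) -> bool:
    """True when `validator` refuses `value` with ValueError."""
    try:
        validator(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    rule = {"name": PAYLOAD, "src": "wan"}
    print("vulnerable:", render_rule_row_vulnerable(rule))
    print("fixed:     ", render_rule_row_fixed(rule))
    print("validator rejects payload as rule name:", rejects(validate_rule_name, PAYLOAD))
```

The escaping fix is the one that actually closes the hole: the validators only narrow what gets stored, and a field that must accept arbitrary text (an SSID can legally contain `<`) still depends on encoding at render time.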

#### Lack of Anti Bruteforce Mechanism

We tested a brute-force attack on the web application's directories with Burp Suite. The application does not implement any anti-brute-force mechanism.

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-75d84d903867664788bad11042e33c87fb2648e9%2Fimage.png?alt=media)

**Command Execution**

There is a page *cgi-bin/luci/admin/iotgoat* on the web service:

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-ca5541d18284e16252a17c5c3a919fab68c83c38%2Fimage.png?alt=media)

At the root of **/iotgoat**, we find this *hidden* page:

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-5202a7eef4a5678266f5265d34097965218908bd%2Fimage.png?alt=media)

This is a **Command Execution** vulnerability, allowing us to access the ash shell as **root**:

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-3465f75d0fc7a07e8f8fbd601489f986ed67d44a%2Fimage.png?alt=media)

From there, an attacker might be able to **take full control** of the machine.

**DOS - CVE-2019-19945 - PoC**

> uhttpd in OpenWrt versions up to 18.06.5 and 19.x up to 19.07.0-rc2 has an integer signature error. This leads to an out-of-bounds access to a heap buffer and a subsequent crash. It can be triggered by an HTTP POST request to a CGI script, specifying both "Transfer-Encoding: chunked" and a large negative Content-Length value.

{% embed url="<https://github.com/mclab-hbrs/openwrt-dos-poc>" %}
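The advisory quoted above describes a classic request-framing mistake: a signed parse of `Content-Length` accepts a negative number, and a message that carries both `Transfer-Encoding: chunked` and `Content-Length` is not rejected. The added example below (mine, not uhttpd code) puts the unsafe parsing pattern next to a reader that follows RFC 7230 §3.3.3: chunked wins, both headers together are refused, and the length must be an unsigned, bounded digit string. The HTTP requests are constructed.

```python
"""Added example: safe vs unsafe handling of Content-Length / Transfer-Encoding."""


class BadRequest(Exception):
    pass


def parse_headers(raw: bytes) -> dict:
    """Split a request head into {lowercase name: value}; conflicting
    Content-Length values are an error rather than last-one-wins."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:        # [0] is the request line
        name, sep, value = line.partition(b":")
        if not sep:
            raise BadRequest("malformed header line")
        key = name.strip().lower().decode("ascii")
        val = value.strip().decode("ascii")
        if key == "content-length" and key in headers and headers[key] != val:
            raise BadRequest("conflicting Content-Length values")
        headers[key] = val
    return headers


def body_length_naive(headers: dict) -> int:
    """The unsafe pattern: atoi()-style parsing accepts a sign, the result is later used
    as a buffer length, and -1 doubles as the 'no length / chunked' sentinel. A negative
    Content-Length therefore turns into an out-of-range size instead of an error."""
    return int(headers.get("content-length", "-1"))


def body_length_safe(headers: dict, max_body: int = 1 << 20):
    """Returns 'chunked', or a non-negative bounded length, or raises BadRequest."""
    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")
    if te is not None:
        if cl is not None:
            raise BadRequest("both Transfer-Encoding and Content-Length present")
        if te.lower().split(",")[-1].strip() != "chunked":
            raise BadRequest("final transfer coding must be chunked")
        return "chunked"
    if cl is None:
        return 0
    if not cl.isdigit():                          # rejects '-', '+', spaces, hex, empty
        raise BadRequest("invalid Content-Length")
    n = int(cl)
    if n > max_body:
        raise BadRequest("body too large")
    return n


# constructed requests: the shape described in the advisory, a negative length on its
# own, a plain chunked request, and a normal one
MALICIOUS = (b"POST /cgi-bin/luci HTTP/1.1\r\nHost: iotgoat\r\n"
             b"Transfer-Encoding: chunked\r\nContent-Length: -2147483648\r\n\r\n")
NEGATIVE_ONLY = b"POST /cgi-bin/luci HTTP/1.1\r\nHost: iotgoat\r\nContent-Length: -1\r\n\r\n"
CHUNKED = b"POST /cgi-bin/luci HTTP/1.1\r\nHost: iotgoat\r\nTransfer-Encoding: chunked\r\n\r\n"
NORMAL = b"POST /cgi-bin/luci HTTP/1.1\r\nHost: iotgoat\r\nContent-Length: 12\r\n\r\nhello=world!"


def outcome(reader, raw: bytes):
    """Run one reader over one request and report the value or the rejection reason."""
    try:
        return reader(parse_headers(raw))
    except BadRequest as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    for label, req in (("malicious", MALICIOUS), ("negative", NEGATIVE_ONLY),
                       ("chunked", CHUNKED), ("normal", NORMAL)):
        print(f"{label:<10} naive={outcome(body_length_naive, req)!r:<14} "
              f"safe={outcome(body_length_safe, req)!r}")
```

The naive reader returns the raw negative value for the malicious request, which is exactly the number a C implementation would then feed into an index or a memcpy length; the safe reader never lets a length reach the allocator unless it is a bounded unsigned integer.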

#### ⚔️ No 8. Lack of Device Management <a href="#crossed_swords-no-8-lack-of-device-management" id="crossed_swords-no-8-lack-of-device-management"></a>

> Lack of security support on production-deployed devices, including asset management, update management, secure decommissioning, system monitoring and response capabilities.

Logs are not enabled:

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-5e9d61e830a0c9c0e0956f0cf2c80d6979dd36dd%2Fimage.png?alt=media)

In addition, OpenWRT packages are **not updated by default.**

#### ⚔️ No 9: Insecure Default Settings <a href="#crossed_swords-no-9-insecure-default-settings" id="crossed_swords-no-9-insecure-default-settings"></a>

> Devices or systems are shipped with unsecured default settings or lack the ability to make the system more secure by preventing operators from changing configurations.

* The default **root** user is used to log in to the web interface
* UPnP is enabled by default, without *secure mode*

![](https://2862490475-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCKp14jVUu79ovRyJ9YuQ%2Fuploads%2Fgit-blob-ea76954bf049417f609eff2f711308929ad1dcec%2Fimage.png?alt=media)
