> For the complete documentation index, see [llms.txt](https://book.redsquad.xyz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://book.redsquad.xyz/mobile-hacking/iot/iotgoat-owasp-or-walkthrough.md).

# IOTGoat OWASP | Walkthrough

![](/files/gcl4uE90Rcejcc90i8Tx)

> Copyright to book.redsquad.xyz

## Prerequisites

```bash
# Get the IoTGoat release: the .img for static analysis, the .vmdk to run it locally for dynamic analysis
# https://github.com/OWASP/IoTGoat/releases

# packages
apt update
apt install -y binwalk squashfs-tools

# tools
mkdir tools
cd tools

# firmwalker
git clone https://github.com/scriptingxss/firmwalker.git

# testssl
git clone https://github.com/drwetter/testssl.sh.git

# linpeas (-o saves the script to a file instead of dumping it to the terminal)
curl -L -o linpeas.sh https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
```

## Static Analysis <a href="#static-analysis" id="static-analysis"></a>

**Get the IOTGoat .img file.**

### Binwalk <a href="#binwalk" id="binwalk"></a>

```bash
# Signature scan: identify embedded headers, filesystems and other artefacts with their offsets
binwalk IOTGoat.img

# -e extract, -M recurse into whatever was extracted (matryoshka), -r delete the carved files once extracted
binwalk -reM IOTGoat.img
```

*Squashfs filesystem, little endian, version 4.0, compression:xz*

```bash
# Carve the squashfs image out of the .img at the offset binwalk reported.
# 29360128 bytes = 28 * 1 MiB, so bs=1M skip=28 copies the same bytes as bs=1 skip=29360128, only much faster
dd if=IoTGoat-raspberry-pi2.img bs=1M skip=28 of=iotgoat.bin
```

**Analysis of the carved .bin:**

![](/files/pK3Wd9IoSzjXkvM8vxk4)

The carved file is a squashfs filesystem, so **unsquashfs** (from squashfs-tools) unpacks it into a `squashfs-root/` directory:

![](/files/yJAPHECkeObRMhh9IcVS)
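The carve step above copies bytes from the offset binwalk printed to the end of the image. The following added example (not code from the walkthrough or from the IoTGoat project) does the same job in Python, but reads the offset from binwalk's text output and uses the squashfs superblock's own `bytes_used` field to stop exactly where the filesystem ends, after checking the `hsqs` magic. The binwalk excerpt is constructed to match binwalk's text format, with the offset the walkthrough reports; `make_demo_image` builds a small stand-in image (a fake superblock plus filler) so the code runs without the real `.img`.

```python
import re
import struct

SQUASHFS_MAGIC_LE = b"hsqs"   # 0x73717368 stored little-endian
SUPERBLOCK_LEN = 96           # size of the squashfs v4 superblock
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

# Constructed excerpt in binwalk's signature-scan format; the offset is the one reported for IoTGoat.
BINWALK_SCAN = """\
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
29360128      0x1C00000       Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3911612 bytes
"""


def squashfs_offset(scan_text):
    """Return the decimal offset of the first squashfs signature in a binwalk scan."""
    for line in scan_text.splitlines():
        m = re.match(r"^(\d+)\s+0x[0-9A-Fa-f]+\s+Squashfs filesystem", line)
        if m:
            return int(m.group(1))
    raise ValueError("no squashfs signature in scan output")


def parse_superblock(blob):
    """Decode the superblock fields needed for carving (little-endian squashfs v4)."""
    if blob[:4] != SQUASHFS_MAGIC_LE:
        raise ValueError("not a little-endian squashfs superblock")
    # offset 20: compression, block_log, flags, no_ids, s_major, s_minor, root_inode, bytes_used
    fields = struct.unpack_from("<HHHHHHQQ", blob, 20)
    compression, major, minor, bytes_used = fields[0], fields[4], fields[5], fields[7]
    if (major, minor) != (4, 0):
        raise ValueError(f"unsupported squashfs version {major}.{minor}")
    return {"compression": COMPRESSORS.get(compression, "unknown"), "bytes_used": bytes_used}


def carve_squashfs(image, offset):
    """Cut the filesystem out of `image` (bytes), stopping at bytes_used rather than at end-of-file."""
    sb = parse_superblock(image[offset:offset + SUPERBLOCK_LEN])
    end = offset + sb["bytes_used"]
    if end > len(image):
        raise ValueError("superblock claims more data than the image holds")
    return image[offset:end]


def make_demo_image(offset, payload_len):
    """Constructed stand-in for IoTGoat.img: junk, then a v4/xz superblock and filler, then padding."""
    bytes_used = SUPERBLOCK_LEN + payload_len
    sb = SQUASHFS_MAGIC_LE + struct.pack("<IIII", 10, 0, 131072, 0)  # inodes, mkfs_time, block_size, fragments
    sb += struct.pack("<HHHHHH", 4, 17, 0, 1, 4, 0)                  # xz, block_log, flags, no_ids, major 4, minor 0
    sb += struct.pack("<QQ", 0, bytes_used)                          # root_inode, bytes_used
    sb = sb.ljust(SUPERBLOCK_LEN, b"\0")
    return b"\xAA" * offset + sb + b"\x11" * payload_len + b"\xFF" * 4096


if __name__ == "__main__":
    print("IoTGoat squashfs offset from binwalk:", squashfs_offset(BINWALK_SCAN))
    demo = make_demo_image(4096, 500)
    fs = carve_squashfs(demo, 4096)
    print(f"carved {len(fs)} bytes, compression {parse_superblock(fs)['compression']}")
```

On the real image, `open("IoTGoat-raspberry-pi2.img", "rb").read()` in place of the demo buffer and `unsquashfs` on the written output give the same `squashfs-root/` as the `dd` step; the magic check is what catches an off-by-one offset before you spend time wondering why `unsquashfs` refuses the file.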

### 🐞 Vulnerabilities <a href="#lady_beetle-vulnerabilities" id="lady_beetle-vulnerabilities"></a>

#### ⚔️ No 1. Weak, Guessable or Hardcoded Passwords <a href="#crossed_swords-no-1-weak-guessable-or-harcoded-passwords" id="crossed_swords-no-1-weak-guessable-or-harcoded-passwords"></a>

> Use of easily found, publicly available, or unmodifiable credentials, including backdoors in firmware or client software that allow unauthorized access to deployed systems.

**Firmwalker**

{% hint style="info" %}
This tool allows us to search the extracted firmware file system for **juicy elements** (*passwords, keys, info leak, etc*).
{% endhint %}

```bash
./firmwalker.sh ../firmware/_IoTGoat.img.extracted/squashfs-root/ ./IoTGoat.txt
```

Excerpt:

![Info leaks](/files/HuUmIycmAb00xIgocFlE)

```bash
# in the squashfs folder of the unpacked firmware
cat etc/shadow

# output :
root:$1$Jl7H1VOG$Wgw2F/C.nLNTC.4pwDa4H1:18145:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
iotgoatuser:$1$79bz0K8z$Ii6Q/if83F1QodGmkb4Ah.:18145:0:99999:7:::
```

Only two accounts carry a real password hash, **root** and **iotgoatuser**, and both use MD5-crypt (`$1$` prefix), a fast, unsalted-enough scheme that is cheap to brute-force. The remaining accounts are either locked (`*`) or have no hash at all (`x`).
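Before reaching for hydra, it is worth knowing which entries are worth attacking at all and which cracking mode they need. The following added example (not the walkthrough's own code) parses the shadow lines printed above, classifies each password field by its crypt(3) prefix, flags the duplicated `dnsmasq` entry, and emits the `user:hash` lines that hashcat and John the Ripper accept. The `HASH_SCHEMES` table and the hashcat mode numbers are standard; the shadow content is the walkthrough's.

```python
from collections import Counter
from datetime import date, timedelta

# The /etc/shadow from the unpacked IoTGoat squashfs, exactly as printed above.
SHADOW = """\
root:$1$Jl7H1VOG$Wgw2F/C.nLNTC.4pwDa4H1:18145:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
iotgoatuser:$1$79bz0K8z$Ii6Q/if83F1QodGmkb4Ah.:18145:0:99999:7:::
"""

# crypt(3) prefix -> (scheme name, hashcat mode, considered weak for a device password)
HASH_SCHEMES = {
    "$1$": ("md5crypt", 500, True),
    "$2b$": ("bcrypt", 3200, False),
    "$5$": ("sha256crypt", 7400, False),
    "$6$": ("sha512crypt", 1800, False),
}


def classify(pw):
    """Describe one shadow password field."""
    if pw == "":
        return {"state": "empty", "scheme": None, "mode": None, "weak": True}
    if pw.startswith(("!", "*")):
        return {"state": "locked", "scheme": None, "mode": None, "weak": False}
    if pw == "x":
        # 'x' belongs in /etc/passwd, not shadow; no password can ever match it here
        return {"state": "no-hash", "scheme": None, "mode": None, "weak": False}
    for prefix, (name, mode, weak) in HASH_SCHEMES.items():
        if pw.startswith(prefix):
            return {"state": "hashed", "scheme": name, "mode": mode, "weak": weak}
    if len(pw) == 13 and "$" not in pw:
        return {"state": "hashed", "scheme": "descrypt", "mode": 1500, "weak": True}
    return {"state": "hashed", "scheme": "unknown", "mode": None, "weak": False}


def triage(shadow_text):
    """Parse shadow lines into per-account findings, duplicated names and cracking targets."""
    accounts, seen, targets = {}, Counter(), []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        user, pw, lastchg = parts[0], parts[1], parts[2]
        seen[user] += 1
        info = classify(pw)
        # days since the epoch: tells you when the firmware's password was set
        info["last_change"] = date(1970, 1, 1) + timedelta(days=int(lastchg)) if lastchg else None
        accounts[user] = info
        if info["state"] == "hashed":
            targets.append(f"{user}:{pw}")
    return {
        "accounts": accounts,
        "duplicates": sorted(u for u, n in seen.items() if n > 1),
        "targets": targets,
    }


if __name__ == "__main__":
    result = triage(SHADOW)
    for user, info in result["accounts"].items():
        print(f"{user:12} {info['state']:8} {info['scheme'] or '-':12} weak={info['weak']}")
    print("duplicated entries:", result["duplicates"])
    print("hashes to crack (hashcat -m <mode>):")
    for target in result["targets"]:
        print(" ", target, "mode", result["accounts"][target.split(':')[0]]["mode"])
```

Write `result["targets"]` to a file and feed it to `hashcat -m 500 --username hashes.txt wordlist` or `john --format=md5crypt hashes.txt --wordlist=wordlist`; cracking offline is faster than hydra and does not touch the device, which matters once you know the SSH daemon only tolerates a few parallel connections.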

#### **Bruteforce SSH**

With a valid username in hand, we try a **brute-force** attack against the SSH service (port 22),\
using the **mirai-botnet** wordlist from **SecLists** (the default credentials the Mirai botnet tried against IoT devices).

```bash
# mirai-botnet.txt has one "user password" pair per line; keep only the password column
awk '{print $2}' /usr/share/SecLists/Passwords/Malware/mirai-botnet.txt > mirai_pass.txt

# Brute-force with Hydra: -f stops at the first valid pair, -t 4 is the task count hydra itself recommends for SSH
hydra -f -t 4 -l iotgoatuser -P mirai_pass.txt ssh://137.74.253.251
```

> **Credentials :**\
> iotgoatuser:7ujMko0vizxv

#### ⚔️ No 6: Insufficient Privacy Protection <a href="#crossed_swords-no-6-insufficient-privacy-protection" id="crossed_swords-no-6-insufficient-privacy-protection"></a>

> User's personal information stored on the device or in the ecosystem that is used in an insecure, inappropriate or unauthorized manner.

Firmwalker found a database file containing personal information, stored unencrypted on the device's filesystem and therefore readable by anyone who obtains the firmware image:

![](/files/CXkJy9r9CBZxK08J6MgG)

From it we extracted the following sensitive data:

![](/files/DGHhZcBDWmXQeBpe8I8s)

## ⬛ Dynamic Analysis (1): Black Box <a href="#dynamic-analysis-black-box-black_large_square" id="dynamic-analysis-black-box-black_large_square"></a>

### 🐞 Vulnerabilities & Exploits <a href="#lady_beetle-vulnerabilities-exploits" id="lady_beetle-vulnerabilities-exploits"></a>

#### ⚔️ No 2. Insecure Network Services <a href="#crossed_swords-no-2-insecure-network-services" id="crossed_swords-no-2-insecure-network-services"></a>

> Unnecessary or unsecured network services running on the device itself, especially those exposed to the Internet, can compromise the confidentiality, integrity/authenticity, or availability of information or allow an attacker to gain unauthorized remote control.

1. **Exposed services**

```bash
nmap -A -Pn 192.168.197.132

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
110/tcp   open  pop3
119/tcp   open  nntp
143/tcp   open  imap
443/tcp   open  https
465/tcp   open  smtps
563/tcp   open  snews
587/tcp   open  submission
993/tcp   open  imaps
995/tcp   open  pop3s
5000/tcp  open  upnp
5515/tcp  open  unknown
65534/tcp open  unknown
```

No firewall rule restricts these services, so besides SSH and the web interface the device exposes a full mail stack (SMTP, POP3, IMAP, NNTP and their TLS variants), DNS, UPnP and two unidentified ports (5515 and 65534). On an Internet-facing router every one of these is reachable by an attacker; each is additional attack surface, and the two unknown ports in particular deserve manual inspection (see the backdoor section below).

**2. MiniUPnP 2.1**\
The MiniUPnP version is vulnerable to these exploits:

* **Use after free** vulnerability (*CVE-2019-12106*)
* **Information disclosure** vulnerability (*CVE-2019-12107*)
* Multiple **DoS** vulnerabilities due to NULL pointer dereferences (*CVE-2019-12108, CVE-2019-12109, CVE-2019-12110, CVE-2019-12111*)

**3. dnsmasq 2.73**

![](/files/FWMCeDwpuMFPk455Qhyn)

This dnsmasq version is outdated and has 20 published vulnerabilities:

![1](/files/kkeRrdCMNw777c9QmwxW)

![2](/files/ZfTnfZZUc7tgLzlhrDtc)

Some **PoCs** are available here:

{% embed url="https://github.com/google/security-research-pocs/tree/master/vulnerabilities/dnsmasq" %}

{% hint style="warning" %}
**Unfortunately, we were unable to test these exploits because the virtual network interfaces had problems accessing IoTGoat and running the UPnP and Dnsmasq exploits.**
{% endhint %}

**4. Dropbear 2017.75-7.1**

![](/files/WJBNg1sQWqPEMV1kejv5)

This version has **4 published vulnerabilities**:

![](/files/RkW6QngmNY6d7pxGNmjT)

![](/files/tDSyMJGdYIvn1Ux67kid)

![](/files/X49ZCsbWIXo8ckwEe5ea)

![](/files/YtyaFiKxISrqJ3frvQhT)

Moreover, the Dropbear configuration (`/etc/config/dropbear`) permits **root login over SSH with a password** (`RootPasswordAuth` enabled), so whoever guesses or cracks the root password lands directly in a root shell:

![](/files/MVUtNyCWztsY2OXlJgn9)

#### ⚔️ No 7: Insecure Data Transfer <a href="#crossed_swords-no-7-insecure-data-transfer" id="crossed_swords-no-7-insecure-data-transfer"></a>

> Lack of encryption or access control of sensitive data.

We use **testssl.sh**, which probes a TLS service on any port for the protocol versions and cipher suites it accepts and for known cryptographic flaws.

The web service still offers CBC-mode cipher suites, which testssl.sh flags as **obsolete**:

![](/files/9RgwYHCKVa2JeCCXTXxa)

Also:

* The certificate does not match the host name we connected to,
* The certificate is **self-signed** (no trust chain, so clients cannot distinguish the device from a man-in-the-middle),
* No CRL or OCSP URI is provided, so the certificate can never be revoked.

![](/files/x0IH3s20zKRr9Job0Qa5)

Moreover, the web service sends no **HSTS** header, and no other security header either:

![](/files/zX6qZNItABlggy1uLAu5)

Because of the CBC suites, the web service is potentially vulnerable to **Lucky13** (a timing side channel in CBC padding checks):

![](/files/Pdinc4TYfUjxkYt5GvPC)

Finally, an OWASP ZAP scan of the web service reports:

![](/files/1kh3tdPkkjlETotP6xbj)

* The **X-Frame-Options** header is absent
  * The interface can be framed by another site, enabling **clickjacking**.
* Forms carry no **anti-CSRF** token
  * A logged-in administrator who visits an attacker's page can be made to submit any form, i.e. **CSRF**.

Finally, **port 25 (SMTP) is open** on the device. Plain SMTP carries mail, and any authentication, in cleartext unless STARTTLS is negotiated, and a mail service has no business running on a router at all.

**🚪 Root BackDoor - PoC**

With the **iotgoatuser** password brute-forced, we connect to the machine over SSH.\
We then ran the usual manual privilege-escalation checks to try to become root (*cf.* [*https://hackerbible.gitbook.io/en/pentest-linux/privilege-escalation/manual-checks*](https://hackerbible.gitbook.io/en/pentest-linux/privilege-escalation/manual-checks)).\
For example, we ran **LinPEAS** on the machine to enumerate privilege-escalation vectors:

![](/files/0eXeaowgnETgMZLfAi5R)

Among other things, LinPEAS lists the listening ports, which confirms the two unexplained ports from the nmap scan: **5515** and **65534**.

We connect to port **65534** with netcat:

![](/files/tvFriAZPtDiTjK1BkU5m)

Without the root password this backdoor gains us nothing: it only lets us authenticate as *iotgoatuser*, which SSH already gives us.

Port **5515** is the more interesting one. We connect to it with netcat:

![](/files/4LG9ht5P3xnBvS0z3qy4)

This bind shell drops us straight into a **root** shell, with no authentication at all, so we can **change root's password** and use it on the web interface:

![](/files/vC6wyR1dLpTY4H3lWBOU)

> Since this is an OpenWrt router, the root password is shared by SSH and the LuCI web interface.

## ⬜ Dynamic Analysis (2): White Box <a href="#dynamic-analysis-white-box-white_large_square" id="dynamic-analysis-white-box-white_large_square"></a>

### 🔎 OSINT <a href="#mag_right-osint" id="mag_right-osint"></a>

New root password on the web interface: **password**

**Website tree** (after authentication):

![](/files/seMx10pLHsI7LyixGJ4V)

### 🐞 Vulnerabilities & Exploits <a href="#lady_beetle-vulnerabilities-exploits-2" id="lady_beetle-vulnerabilities-exploits-2"></a>

#### ⚔️ No 5. Use of Insecure or Outdated Components <a href="#crossed_swords-no-5-use-of-insecure-or-outdated-components" id="crossed_swords-no-5-use-of-insecure-or-outdated-components"></a>

> Use of outdated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of operating system platforms and the use of third-party software or hardware components from a compromised supply chain.

**1. Busybox 1.28.4**

![](/files/T8lual8kKscsgK0lvmvo)

This BusyBox version has 14 published vulnerabilities (*cf.* [*https://cyber.vumetric.com/vulns/busybox/busybox/1-28-4/*](https://cyber.vumetric.com/vulns/busybox/busybox/1-28-4/)).

**2. Linux Kernel 4.14.95**

![](/files/njSsYW9zsNKOA6X1akNC)

The 4.14 kernel series dates from late **2017**, and 4.14.95 is a stable point release from early 2019, so every fix published after that is missing. The vulnerability database lists 25 known vulnerabilities for it (*cf.* [*https://www.security-database.com/cpe.php?detail=cpe%3A2.3%3Ao%3Alinux%3Alinux\_kernel%3A4.14.95%3A\*%3A\*%3A\*%3A\*%3A\*%3A\*%3A\**](https://www.security-database.com/cpe.php?detail=cpe%3A2.3%3Ao%3Alinux%3Alinux_kernel%3A4.14.95%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A)).

**3. pppd version 2.4.7**

![](/files/vGRSrvCzGOKHDjQUhQex)

This pppd version is vulnerable to denial of service and arbitrary code execution (the EAP packet-parsing stack buffer overflow, CVE-2020-8597, affects pppd 2.4.2 through 2.4.8; *cf.* [*https://www.cyberveille-sante.gouv.fr/cyberveille/1646*](https://www.cyberveille-sante.gouv.fr/cyberveille/1646)).

#### ⚔️ No 4. Lack of Secure Update Mechanism <a href="#crossed_swords-no-4-lack-of-secure-update-mecanism" id="crossed_swords-no-4-lack-of-secure-update-mecanism"></a>

> Lack of security updates. This includes lack of firmware validation on the device, lack of secure encryption, lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.

* **OpenWrt version:**

![](/files/peyEBrec3iCVebFpOXOu)

This version has **21 published vulnerabilities**:

![](/files/mu6H838qwzElAjMY0Uld)

![](/files/OAKUet6sbsV6YbO21a76)

**CVE-2020-7982 - PoC**

This one is the update mechanism itself: opkg fetched package lists and packages over plain HTTP and, because of a parsing bug, did not verify the SHA-256 checksum of the downloaded package. An attacker who can intercept that traffic serves a malicious `.ipk` and gets root code execution the next time the administrator runs `opkg install`.

{% embed url="https://forallsecure.com/blog/uncovering-openwrt-remote-code-execution-cve-2020-7982" %}

#### ⚔️ No 3. Insecure Ecosystem Interfaces <a href="#crossed_swords-no-3-insecure-ecosystem-interfaces" id="crossed_swords-no-3-insecure-ecosystem-interfaces"></a>

> Unsecured web interfaces, APIs, mobile devices in the ecosystem, can allow the device or its related components to be compromised. The most common issues are lack of authentication/authorization, lack of or weak encryption, and lack of input and output filtering.

**CVE-2019-18992 - PoC**

> OpenWrt 18.06.2 is vulnerable to a **stored XSS attack** via these fields at the URI */cgi-bin/luci/admin/network/firewall/rules*: "**Open ports on router**", "**New forward rule**" and "**New Source NAT**".

We inserted an XSS payload at */cgi-bin/luci/admin/network/firewall/rules*, in the **New Forward Rule** field.

![](/files/ylEHvKWNkZwt5nnoPKZz)

Then we click on *Edit* to trigger the XSS:

![](/files/jLrlT9bjZ7Ya8mriydUk)

The same stored XSS is present in the **Open ports on router** and **New Source NAT** fields, as well as in the **Traffic Rules Name** column.

**CVE-2019-18993 - PoC**

> OpenWrt 18.06.4 is vulnerable to a **stored XSS attack** via the "New port forward" field at the URI /cgi-bin/luci/admin/network/firewall/forwards

We inserted this payload at */cgi-bin/luci/admin/network/firewall/forwards*, in the **New Port Forward** field:

```html
<script>alert("HACKED!");</script>
```

![](/files/8vC3nR66bBNVDsXHkhO4)

Clicking *Edit* triggers the XSS:

![](/files/LZoT6WNXZ6LV3VLVptHl)

**CVE-2019-25015 - PoC**

> LuCI in OpenWrt versions **18.06.0 to 18.06.4** contains a **stored XSS vulnerability** via a modified SSID.

We inserted an XSS payload at */cgi-bin/luci/admin/network/wireless/wl0.network1*, in the **ESSID** field.

![](/files/yPfgaQBWrkGjy72rwSLB)

Then we click **Save & Apply** to trigger the XSS:

![](/files/t0aPQZ04yA95brA4F6yn)

#### Lack of Anti-Brute-Force Mechanism

Using Burp Suite we brute-forced the web application's directories; the application applies no rate limiting, lockout or CAPTCHA, so the same approach works against the login form.

![](/files/q0iE2dgzJtwPEFx8xbs1)

**Command Execution**

There is a page *cgi-bin/luci/admin/iotgoat* on the web service:

![](/files/jxbKYuqDWIXC8qyN4rAp)

At the root of **/iotgoat** we find this *hidden* page:

![](/files/oAAt8EKG6hMQczLXMnhG)

The page passes the submitted input to a shell. Since LuCI's CGI runs as **root**, this **command execution** vulnerability gives us a root ash shell:

![](/files/upNfw2a3AYHYCe0uUw3h)

From there, an attacker might be able to **take full control** of the machine.

**DOS - CVE-2019-19945 - PoC**

> uhttpd in OpenWrt versions up to 18.06.5 and 19.x up to 19.07.0-rc2 has an integer signedness error. This leads to an out-of-bounds access to a heap buffer and a subsequent crash. It can be triggered by an HTTP POST request to a CGI script, specifying both "Transfer-Encoding: chunked" and a large negative Content-Length value.

{% embed url="https://github.com/mclab-hbrs/openwrt-dos-poc" %}

#### ⚔️ No 8. Lack of Device Management <a href="#crossed_swords-no-8-lack-of-device-management" id="crossed_swords-no-8-lack-of-device-management"></a>

> Lack of security support on production-deployed devices, including asset management, update management, secure decommissioning, system monitoring and response capabilities.

Logging is not enabled:

![](/files/TREBdo6XMkoxOCNVzHqZ)

In addition, OpenWrt does **not update packages automatically**: opkg upgrades are manual, so an unattended device keeps every vulnerable component listed above.

#### ⚔️ No 9: Insecure Default Settings <a href="#crossed_swords-no-9-insecure-default-settings" id="crossed_swords-no-9-insecure-default-settings"></a>

> Devices or systems are shipped with unsecured default settings or lack the ability to make the system more secure by preventing operators from changing configurations.

* The web interface is administered with the default **root** account
* UPnP is enabled by default, without *secure mode*, so any LAN host can open ports on the router

![](/files/6CkuhQK8RsteXDxOpXrk)
