
DLINK DPH-400SE - Exposure of Sensitive Information to an Unauthorized Actor


Description

During a local CTF, there was a challenge that involved a VoIP device. I interacted with a DLINK DPH-400SE running firmware version FRU 2.2.15.8. It's basically a VoIP phone, and the vendor is DLINK. In this writeup, I explain how I was able to uncover yet another vulnerability, an instance of the weakness with ID 200 (CWE-200). This weakness allowed me to log in to the web portal of the device using default guest credentials and read all the SIP authenticated user passwords as well as the administrator's password.

POC

Log in to the portal using the credentials "guest:guest"


Heading to the maintenance tab, we find the access feature, which has an option to modify the accounts that access the device.


Opening the modify settings, the guest user is able to modify the selected user and also read that user's password, since it is displayed in the input field. Right-clicking the field and clicking "reveal password" displays the password of the user chosen to be modified by the "Guest" user.


Copy the password, log out of the portal, and use the password to log in as the user Admin, and WE ARE IN!
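
A defender-side check for the flaw described above, where the portal writes a stored password into the form's input field: the script flags any password input whose value attribute arrives pre-filled in the served HTML. This is an added example, not code from the original writeup or from the vendor; the form markup and field names are constructed for illustration and are not the device's real pages.

```python
from html.parser import HTMLParser


class PrefilledPasswordFinder(HTMLParser):
    """Collect <input type="password"> elements whose value attribute is non-empty."""

    def __init__(self):
        super().__init__()
        self.findings = []  # names of fields that ship a stored secret to the client

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # A valueless attribute is reported as None; normalise it to "".
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "password" and a.get("value", "").strip():
            self.findings.append(a.get("name") or a.get("id") or "<unnamed>")


def prefilled_password_fields(html):
    """Return the names of password inputs that carry a pre-filled value."""
    finder = PrefilledPasswordFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: the stored password is rendered into the page, so any
# account allowed to open the form can read it from the markup.
VULNERABLE_FORM = """
<form method="post" action="/modify">
  <input type="text" name="username" value="Admin">
  <input type="password" name="password" value="constructed-secret">
  <input type="password" name="confirm" value="constructed-secret">
</form>
"""

# Constructed sample: the server never sends the secret back; an empty field
# means "leave the password unchanged".
HARDENED_FORM = """
<form method="post" action="/modify">
  <input type="text" name="username" value="Admin">
  <input type="password" name="password" value="" autocomplete="new-password">
  <input type="password" name="confirm" autocomplete="new-password">
</form>
"""

if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_FORM), ("hardened", HARDENED_FORM)):
        print(label, prefilled_password_fields(page))
```

The same function can be run over saved copies of a device's account pages during a firmware review; any non-empty result means a stored credential is being disclosed to whoever can load that page.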