The first one is the HTTP server on port 80. We can see in the following screenshot from a curl request that it’s running a really cool service called Pi-hole:

Next, I take a quick look at the HTTP service on port 32400. We can see it has Plex media server running and we are prompted with a login screen:

Exploitation

The first thing I do is quickly fire off a brute-force attack against the target's SSH service using hydra, so it runs in the background.

After reading the docs for Pi-hole, I found out there's an admin UI at http://10.10.10.48/admin.

But the default password generated by Pi-hole is really hard to guess. So this path is a dead end.

While reading the docs, I checked and saw that the hydra brute-force had found a valid credential for SSH. It turned out to be the default user and password from the Raspbian install, and we have a foothold in the system!
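From the defender's side, the pattern described above (a run of failed SSH password attempts from one address followed by a successful login) is visible in the sshd auth log. The following is an added example, not part of the original write-up: the log lines are constructed, and the function name and the threshold of 5 failures are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (documentation IP ranges, not from the write-up).
SAMPLE_LOG = """\
Mar  3 10:15:01 raspberrypi sshd[1201]: Failed password for root from 192.0.2.10 port 40112 ssh2
Mar  3 10:15:02 raspberrypi sshd[1202]: Failed password for invalid user admin from 192.0.2.10 port 40114 ssh2
Mar  3 10:15:03 raspberrypi sshd[1203]: Failed password for invalid user test from 192.0.2.10 port 40116 ssh2
Mar  3 10:15:04 raspberrypi sshd[1204]: Failed password for pi from 192.0.2.10 port 40118 ssh2
Mar  3 10:15:05 raspberrypi sshd[1205]: Failed password for pi from 192.0.2.10 port 40120 ssh2
Mar  3 10:15:06 raspberrypi sshd[1206]: Failed password for root from 192.0.2.10 port 40122 ssh2
Mar  3 10:15:07 raspberrypi sshd[1207]: Accepted password for pi from 192.0.2.10 port 40124 ssh2
Mar  3 11:02:40 raspberrypi sshd[1300]: Failed password for pi from 198.51.100.7 port 51000 ssh2
Mar  3 11:02:55 raspberrypi sshd[1301]: Accepted password for pi from 198.51.100.7 port 51002 ssh2
"""

# Matches OpenSSH password-auth result lines, including the "invalid user" variant.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_bruteforce_success(log_text, threshold=5):
    """Return (ip, user, failures) for each accepted password login that was
    preceded by at least `threshold` failures from the same source IP."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
        else:
            if failures[ip] >= threshold:
                hits.append((ip, m["user"], failures[ip]))
            failures[ip] = 0  # a successful login resets the counter for that IP
    return hits

if __name__ == "__main__":
    for ip, user, count in find_bruteforce_success(SAMPLE_LOG):
        print(f"ALERT: {ip} logged in as {user} after {count} failed attempts")
```

The single mistyped password from 198.51.100.7 stays below the threshold and is not flagged; changing the default account password or disabling SSH password authentication removes the condition this alert detects.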