Cracking pi-hole passwords
During a recent pentest I came across a pi-hole instance which was vulnerable to an authenticated remote code execution exploit.
I didn’t have any credentials at the moment to proceed further and escalate my privileges.
I started digging around the system since I already had local access.
/etc/pihole/setupVars.conf was interesting since it contained the web password hash.
I tried identifying the hash with
Haval-256 are the possible hash types.
I tried cracking the hash using hashcat with different sha256 hash modes as listed on https://hashcat.net/wiki/doku.php?id=hashcat but nothing worked.
After a little bit of googling I came across this issue on github: https://github.com/pi-hole/pi-hole/issues/2521 (Insecure password hashing: salt needed).
After reading the comments, I finally understood that passwords are simply hashed twice.
Let’s say “Salman” is the password string, then
pi-hole password hash =
Hmm, interesting, so that’s the reason hashcat couldn’t crack it earlier: it’s hashed twice.
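To make the scheme concrete, here is an added Python example (mine, not the author's or the pi-hole project's code) that reproduces the double SHA-256 computation as the post and the linked GitHub issue describe it, pulls the WEBPASSWORD value out of a constructed setupVars.conf snippet, and checks a candidate password against it, which is the check a pi-hole owner would run to confirm a weak or default web password has been rotated. It assumes the second round hashes the 64-character hex string produced by the first round, as a sha256sum | sha256sum shell pipeline would; the sample file contents and the password "Salman" are constructed for the demonstration.

```python
import hashlib
import hmac
import re
from typing import Optional


def single_sha256(password: str) -> str:
    """Plain SHA-256 of the password, hex-encoded (what a hashcat sha256 mode would test)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def pihole_hash(password: str) -> str:
    """pi-hole WEBPASSWORD scheme as the post describes it: SHA-256 applied twice, no salt.

    Assumption: the second round hashes the hex string of the first digest (not the raw
    32 bytes), which is what piping sha256sum output into sha256sum again produces.
    """
    return hashlib.sha256(single_sha256(password).encode("ascii")).hexdigest()


def parse_webpassword(setupvars_text: str) -> Optional[str]:
    """Extract the WEBPASSWORD value from setupVars.conf content; None if absent or malformed."""
    m = re.search(r"^WEBPASSWORD=([0-9a-fA-F]{64})\s*$", setupvars_text, re.MULTILINE)
    return m.group(1).lower() if m else None


def matches_stored_hash(password: str, stored_hash: str) -> bool:
    """Constant-time comparison of a candidate password against a stored WEBPASSWORD hash."""
    return hmac.compare_digest(pihole_hash(password), stored_hash.lower())


# Constructed sample setupVars.conf content (not taken from a real install). The hash is
# generated here from a constructed password so the example is self-checking offline.
CONSTRUCTED_PASSWORD = "Salman"
SAMPLE_SETUPVARS = (
    "PIHOLE_INTERFACE=eth0\n"
    "DNSMASQ_LISTENING=local\n"
    f"WEBPASSWORD={pihole_hash(CONSTRUCTED_PASSWORD)}\n"
    "BLOCKING_ENABLED=true\n"
)


def audit_sample() -> dict:
    """Run the checks over the constructed sample and return the findings."""
    stored = parse_webpassword(SAMPLE_SETUPVARS)
    return {
        "stored": stored,
        # False: a plain sha256 hash mode never matches, which is why hashcat failed in the post
        "single_sha256_matches": stored == single_sha256(CONSTRUCTED_PASSWORD),
        # True: the candidate reproduces the stored value once the double hashing is applied
        "double_sha256_matches": matches_stored_hash(CONSTRUCTED_PASSWORD, stored),
        # True: with no salt, the same password yields the same hash on every install
        "same_on_every_install": pihole_hash(CONSTRUCTED_PASSWORD) == stored,
    }


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print(f"{key}: {value}")
```

The last finding is the point of the GitHub issue: because nothing per-install enters the computation, a hash lifted from setupVars.conf can be matched against precomputed or wordlist-derived values, whereas a salted construction would tie the stored value to that one install.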
After a bit more of googling, I stumbled upon a tool called mdxfind.
“MDXfind is a program which allows you to run large numbers of unsolved hashes, using many algorithms, against large numbers of plaintext words, very quickly.” - Waffle
Well, this is what I need. I downloaded the standalone binary (mdxfind.static):
wget https://www.techsolvency.com/pub/bin/mdxfind/mdxfind.static -O mdxfind && chmod +x mdxfind
I found this blog, which explained the usage of MDXfind. We know from the GitHub issue’s comments that the hash is not salted.
This looks like what we need, but we need to make some slight modifications, as below:
- Since we don’t know the password string, we’ll remove the echo -n 'Password' from the command and use a wordlist instead.
- We know the hash type so we’ll replace
- We know that it’s not an md5 hash so we’ll remove
- We know that it’s double hashing, so we’ll change the number of iterations to 2
- Finally, we’ll grep out our password hash
Here’s the final command:
./mdxfind -h 'SHA256' -h '!salt,!user' -z -f /dev/null -i 2 stdin 2>&1 /usr/share/wordlists/rockyou.txt | grep 'bccabd84061a09bccc5d3137f045c082dd4181a838f6b5774d8f5265c16cdd69'
BOOM! We cracked the pi-hole password hash.