Weird cyberwarfare and exploitation of military equipment

Sometimes when night falls and everything feels quiet and liminal, I lie on my bed and ask myself, “What is the weirdest place that I got when pivoting into internal networks?”

There are tons of posts and security research about IoT devices getting actively exploited, such as cameras and routers, but there is much more weird stuff going on. Cyberwarfare is amazing but sometimes very confusing.

The perfect example

Many people who know me understand that I do red teaming (the reason is never clear to them, but that’s the whole point), but they often imagine me as someone who hacks servers and computers. That happens too, of course, but sometimes everything is different. The perfect example to explain what I feel is to talk about how I managed to get into this thing. I don’t know if the link is going to be valid in the future, so I’m going to write the product description here:

Maintain temperature from 13° to 150°C, with Thermo Scientific™ SC150 Immersion Circulators. This basic model in the new generation of superior quality thermostats features an enhanced digital display and easy–to–use touchpad settings. Easily tune the temperature to meet your specific application requirements.

Designed for ease-of-use and energy efficient with powerful pumping and heating capacities for closed loop applications.

- Max. temperature: 150°C
- Low-liquid level alarm for Safety Class III
- Automatic controller shutdown at detection of excessive high temperature, low liquid level or motor overload
- USB communication port and options for RS-232, RS-485, Ethernet/LAN, Analog I/O
- Self-Tuning PID controller for optimized temperature control
- 5 programmable set point temperatures
- RTA (Real Temperature Adjustment) for calibration
- Two levels of pump speed adjustment to increase flow or bath agitation
- Three languages (English, German, French)
- Change digital display resolution between 0.1 and 0.01 and between °C — °F — °K
- Acoustic and optical alarm
- Auto-Restart feature after power failure

Includes: 8mm and 12mm hose barbs with clamp (–0016, –0018, –0011 only), pump plug for external circulation, 6ft. power cord.

Alright, so it’s a temperature control device used in labs to monitor the temperature of liquid material. That can be water or any other liquid chemical. How do I know that I got into that thing? Look at this prompt:

```console
root@SC150-F8572E0809E4:/#
```

When I got access to the device, that was an sh prompt. I copied the hostname and pasted it into Google to see what it was. It turned out to be a scientific device. What did I do there? It’s the perfect place to hide my C2 server.

The first thing that I did there was installing a Sliver C2 server. Then I port forwarded it. It’s great to see how this little device can handle infected machines. I enabled multiplayer mode (for my fellow hackers), added the necessary configuration of “players” (in Sliver C2, a player is a hacker that “plays” with infected zombies/bots) and started controlling devices from there.

Just think about it. In China, some scientists experiment with liquid chemicals and, in parallel, I’m using their device to run a C2 instance and handle infected machines. I might install my socks4 proxy server later. It would be nice to have a proxy in China too.

Below is a list of devices that I discovered in the local network:

root@SC150-F8572E0809E4:/var/log# nmap -sn 192.168.110.0/24
Starting Nmap 7.70 ( https://nmap.org ) at xxxx-xx-xx xx:xx CST
Nmap scan report for 192.168.110.1
Host is up (0.00089s latency).
MAC Address: 4C:49:68:5F:8C:F6 (Unknown)
Nmap scan report for RG-ES118GS-P-E-5167ec.lan (192.168.110.2)
Host is up (0.064s latency).
MAC Address: 70:85:6C:51:67:EC (Unknown)
Nmap scan report for 192.168.110.3
Host is up (0.00055s latency).
MAC Address: 08:3B:C1:C1:F3:F7 (Unknown)
Nmap scan report for 192.168.110.4
Host is up (0.0013s latency).
MAC Address: 4C:49:68:8B:9D:F6 (Unknown)
Nmap scan report for EAP262E-8BB17A.lan (192.168.110.5)
Host is up (0.0013s latency).
MAC Address: 4C:49:68:8B:B1:7A (Unknown)
Nmap scan report for 192.168.110.6
Host is up (0.00068s latency).
MAC Address: 08:3B:C1:C1:F4:49 (Unknown)
Nmap scan report for 192.168.110.7
Host is up (0.0013s latency).
MAC Address: 4C:49:68:8B:AF:D2 (Unknown)
Nmap scan report for EAP262E-8BB316.lan (192.168.110.8)
Host is up (0.0013s latency).
MAC Address: 4C:49:68:8B:B3:16 (Unknown)
Nmap scan report for EAP262E-8B9822.lan (192.168.110.9)
Host is up (0.0014s latency).
MAC Address: 4C:49:68:8B:98:22 (Unknown)
Nmap scan report for EAP262E-8BB11E.lan (192.168.110.10)
Host is up (0.0013s latency).
MAC Address: 4C:49:68:8B:B1:1E (Unknown)
Nmap scan report for 192.168.110.11
Host is up (-0.13s latency).
MAC Address: 4C:49:68:8B:98:B2 (Unknown)
Nmap scan report for EAP262E-8B9DC6.lan (192.168.110.12)
Host is up (0.0013s latency).
MAC Address: 4C:49:68:8B:9D:C6 (Unknown)
Nmap scan report for EAP262E-8B9F66.lan (192.168.110.13)
Host is up (-0.100s latency).
MAC Address: 4C:49:68:8B:9F:66 (Unknown)
Nmap scan report for 192.168.110.14
Host is up (-0.100s latency).
MAC Address: 4C:49:68:8B:95:CA (Unknown)
Nmap scan report for EAP262E-8B95CE.lan (192.168.110.15)
Host is up (-0.100s latency).
MAC Address: 4C:49:68:8B:95:CE (Unknown)
Nmap scan report for 192.168.110.16
Host is up (-0.10s latency).
MAC Address: 08:3B:C1:F1:10:AB (Unknown)
Nmap scan report for 192.168.110.17
Host is up (-0.100s latency).
MAC Address: 4C:49:68:8B:B4:9E (Unknown)
Nmap scan report for EAP662G-59AFB4.lan (192.168.110.18)
Host is up (-0.100s latency).
MAC Address: 70:85:6C:59:AF:B4 (Unknown)
Nmap scan report for EAP262E-8BE34A.lan (192.168.110.19)
Host is up (-0.10s latency).
MAC Address: 4C:49:68:8B:E3:4A (Unknown)
Nmap scan report for 192.168.110.20
Host is up (-0.100s latency).
MAC Address: 70:85:6C:59:B2:3C (Unknown)
Nmap scan report for 192.168.110.21
Host is up (-0.10s latency).
MAC Address: 08:3B:C1:C1:F4:2A (Unknown)
Nmap scan report for 192.168.110.24
Host is up (-0.10s latency).
MAC Address: 08:3B:C1:F1:10:75 (Unknown)
Nmap scan report for 192.168.110.25
Host is up (-0.10s latency).
MAC Address: 00:E0:6C:36:04:38 (Ultra Electronics Command & Control Systems)
Nmap scan report for 192.168.110.26
Host is up (-0.10s latency).
MAC Address: 00:E0:6C:36:03:9C (Ultra Electronics Command & Control Systems)
Nmap scan report for 192.168.110.27
Host is up (-0.10s latency).
MAC Address: 00:E0:6C:36:04:3B (Ultra Electronics Command & Control Systems)
Nmap scan report for 192.168.110.28
Host is up (-0.10s latency).
MAC Address: 00:E0:6C:36:04:39 (Ultra Electronics Command & Control Systems)
Nmap scan report for 192.168.110.29
Host is up (-0.10s latency).
MAC Address: 00:E0:6C:36:03:9D (Ultra Electronics Command & Control Systems)
Nmap scan report for 192.168.110.30
Host is up (-0.10s latency).
MAC Address: 00:E0:6C:36:04:3A (Ultra Electronics Command & Control Systems)
Nmap scan report for 192.168.110.31
Host is up (-0.10s latency).
MAC Address: 00:E0:6C:36:03:9E (Ultra Electronics Command & Control Systems)
Nmap scan report for 192.168.110.32
Host is up (-0.10s latency).
MAC Address: 00:E0:6C:36:03:9F (Ultra Electronics Command & Control Systems)
Nmap scan report for Nice-ITP.lan (192.168.110.33)
Host is up (-0.13s latency).
MAC Address: F8:57:2E:08:6B:BA (Core Brands)
Nmap scan report for RG-ES205GC-P-7186CC.lan (192.168.110.35)
Host is up (-0.10s latency).
MAC Address: 9C:CE:88:71:86:CC (Unknown)
Nmap scan report for EAP262E-8B98B6.lan (192.168.110.36)
Host is up (-0.11s latency).
MAC Address: 4C:49:68:8B:98:B6 (Unknown)
Nmap scan report for RG-ES205GC-P-6B89D8.lan (192.168.110.37)
Host is up (0.0035s latency).
MAC Address: 4C:49:68:6B:89:D8 (Unknown)
Nmap scan report for 192.168.110.40
Host is up (0.0019s latency).
MAC Address: 88:DE:39:C6:0E:F3 (Unknown)
Nmap scan report for Samsung.lan (192.168.110.42)
Host is up (0.0029s latency).
MAC Address: B0:F2:F6:CD:A9:BC (Unknown)
Nmap scan report for PandoraX.lan (192.168.110.43)
Host is up (0.00034s latency).
MAC Address: AC:BB:61:DA:82:99 (YSTen Technology)
Nmap scan report for RG-ES118GS-P-E-516923.lan (192.168.110.49)
Host is up (-0.10s latency).
MAC Address: 70:85:6C:51:69:23 (Unknown)
Nmap scan report for 192.168.110.51
Host is up (-0.11s latency).
MAC Address: 88:DE:39:3D:B4:2F (Unknown)
Nmap scan report for 192.168.110.58
Host is up (-0.100s latency).
MAC Address: 88:DE:39:3D:B4:36 (Unknown)
Nmap scan report for EAP662G-791636.lan (192.168.110.61)
Host is up (-0.15s latency).
MAC Address: 70:85:6C:79:16:36 (Unknown)
Nmap scan report for RG-ES205GC-P-8F0D68.lan (192.168.110.64)
Host is up (0.0047s latency).
MAC Address: 4C:49:68:8F:0D:68 (Unknown)
Nmap scan report for Nice-ITP.lan (192.168.110.65)
Host is up (-0.15s latency).
MAC Address: F8:57:2E:08:5F:FE (Core Brands)
Nmap scan report for EAP262E-8B9DAA.lan (192.168.110.66)
Host is up (-0.15s latency).
MAC Address: 4C:49:68:8B:9D:AA (Unknown)
Nmap scan report for 192.168.110.67
Host is up (0.062s latency).
MAC Address: 2A:B1:85:91:20:B7 (Unknown)
Nmap scan report for EAP262E-8B98F6.lan (192.168.110.69)
Host is up (0.00056s latency).
MAC Address: 4C:49:68:8B:98:F6 (Unknown)
Nmap scan report for Hi3798MV300.lan (192.168.110.75)
Host is up (0.00051s latency).
MAC Address: 54:C5:7A:6F:B6:46 (Sunnovo International Limited)
Nmap scan report for 004301FF0001061005B760D21C09B2CB.lan (192.168.110.76)
Host is up (0.00058s latency).
MAC Address: 60:D2:1C:09:B2:CB (Sunnovo International Limited)
Nmap scan report for iPad.lan (192.168.110.81)
Host is up (0.010s latency).
MAC Address: 02:42:53:3E:CE:FD (Unknown)
Nmap scan report for roborock-vacuum-a225.lan (192.168.110.87)
Host is up (-0.082s latency).
MAC Address: 24:9E:7D:82:D9:8A (Unknown)
Nmap scan report for roborock-vacuum-a225.lan (192.168.110.89)
Host is up (0.0071s latency).
MAC Address: 24:9E:7D:82:E5:32 (Unknown)
Nmap scan report for EAP262E-8BBC6E.lan (192.168.110.90)
Host is up (0.00055s latency).
MAC Address: 4C:49:68:8B:BC:6E (Unknown)
Nmap scan report for MIZ-BD00.lan (192.168.110.93)
Host is up (0.086s latency).
MAC Address: C2:77:2A:AE:04:26 (Unknown)
Nmap scan report for Mac.lan (192.168.110.94)
Host is up (0.0064s latency).
MAC Address: 32:02:8F:94:11:EC (Unknown)
Nmap scan report for roborock-vacuum-a225.lan (192.168.110.97)
Host is up (0.0098s latency).
MAC Address: 24:9E:7D:82:E5:3F (Unknown)
Nmap scan report for 192.168.110.150
Host is up (-0.13s latency).
MAC Address: 4E:22:08:02:52:61 (Unknown)
Nmap scan report for 192.168.110.151
Host is up (-0.13s latency).
MAC Address: 4E:22:08:02:55:49 (Unknown)
Nmap scan report for 192.168.110.152
Host is up (-0.13s latency).
MAC Address: 4E:26:01:07:00:82 (Unknown)
Nmap scan report for 192.168.110.199
Host is up (-0.10s latency).
MAC Address: 4E:25:04:08:37:56 (Unknown)
Nmap scan report for 192.168.110.200
Host is up (-0.100s latency).
MAC Address: 4E:25:10:14:50:75 (Unknown)
Nmap scan report for 192.168.110.201
Host is up (-0.10s latency).
MAC Address: 4E:25:06:13:00:79 (Unknown)
Nmap scan report for 192.168.110.202
Host is up (0.00019s latency).
MAC Address: 4E:26:01:07:00:88 (Unknown)
Nmap scan report for 192.168.110.203
Host is up (-0.13s latency).
MAC Address: 4E:25:06:13:00:35 (Unknown)
Nmap scan report for 192.168.110.204
Host is up (0.00021s latency).
MAC Address: 4E:26:01:07:00:75 (Unknown)
Nmap scan report for 192.168.110.206
Host is up (-0.13s latency).
MAC Address: 4E:25:10:14:50:84 (Unknown)
Nmap scan report for 192.168.110.207
Host is up (-0.13s latency).
MAC Address: 4E:25:10:14:51:01 (Unknown)
Nmap scan report for 192.168.110.208
Host is up (-0.13s latency).
MAC Address: 4E:25:10:14:50:90 (Unknown)
Nmap scan report for 192.168.110.209
Host is up (-0.13s latency).
MAC Address: 4E:25:10:14:50:52 (Unknown)
Nmap scan report for 192.168.110.210
Host is up (-0.13s latency).
MAC Address: 4E:26:01:07:09:05 (Unknown)
Nmap scan report for 192.168.110.211
Host is up (0.00050s latency).
MAC Address: 4E:22:08:02:56:74 (Unknown)
Nmap scan report for 192.168.110.212
Host is up (-0.10s latency).
MAC Address: 4E:25:10:15:52:57 (Unknown)
Nmap scan report for 192.168.110.213
Host is up (-0.13s latency).
MAC Address: 4E:25:04:07:35:37 (Unknown)
Nmap scan report for 192.168.110.229
Host is up (0.010s latency).
MAC Address: 0C:11:05:35:44:00 (Akuvox (xiamen) Networks)
Nmap scan report for 192.168.110.232
Host is up (-0.13s latency).
MAC Address: 4E:25:10:14:51:10 (Unknown)
Nmap scan report for 192.168.110.233
Host is up (-0.13s latency).
MAC Address: 4E:25:10:15:52:56 (Unknown)
Nmap scan report for 192.168.110.250
Host is up (-0.11s latency).
MAC Address: 4E:22:06:29:02:03 (Unknown)
Nmap scan report for 192.168.110.251
Host is up (-0.13s latency).
MAC Address: 1C:00:8A:45:57:63 (Unknown)
Nmap scan report for 192.168.110.252
Host is up (-0.10s latency).
MAC Address: 00:06:78:DC:04:CA (D&M Holdings)
Nmap scan report for 192.168.110.245
Host is up.
Nmap done: 256 IP addresses (79 hosts up) scanned in 7.23 second

The most important thing here is Ultra Electronics Command & Control Systems. Of course, I looked it up to see what it was. I think you should check their website. Well, it turned out to be a military-grade communication system. They offer military-grade drones and even satellites. I had to scan them all. Below is a detailed scan report about those military devices:

Starting Nmap 7.70 ( https://nmap.org ) at xxxx-xx-xx xx:xx CST
Nmap scan report for 192.168.110.26
Host is up (0.0015s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
443/tcp open ssl/http Boa HTTPd 0.94.13
|_http-server-header: Boa/0.94.13
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=www.linkplay.com/organizationName=linkplay/stateOrProvinceName=Shanghai/countryName=CN
| Not valid before: 2018-11-14T12:24:18
|_Not valid after: 2028-11-11T12:24:18
8899/tcp open tcpwrapped
49152/tcp open unknown
| fingerprint-strings:
| FourOhFourRequest, GetRequest:
| HTTP/1.0 404 Not Found
| CONNECTION: keep-alive
| SERVER: Linux/4.9.118
| CONTENT-LENGTH: 48
| CONTENT-TYPE: text/html
| <html><body><h1>404 Not Found</h1></body></html>
| HTTPOptions:
| HTTP/0.0 501 Not Implemented
| CONNECTION: keep-alive
| SERVER: Linux/4.9.118
| CONTENT-LENGTH: 54
| CONTENT-TYPE: text/html
|_ <html><body><h1>501 Not Implemented</h1></body></html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port49152-TCP:V=7.70%I=7%D=2/16%Time=69922B58%P=aarch64-unknown-linux-g
SF:nu%r(FourOhFourRequest,A6,"HTTP/1\.0\x20404\x20Not\x20Found\r\nCONNECTI
SF:ON:\x20keep-alive\r\nSERVER:\x20Linux/4\.9\.118\r\nCONTENT-LENGTH:\x204
SF:8\r\nCONTENT-TYPE:\x20text/html\r\n\r\n<html><body><h1>404\x20Not\x20Fo
SF:und</h1></body></html>")%r(GetRequest,A6,"HTTP/1\.0\x20404\x20Not\x20Fo
SF:und\r\nCONNECTION:\x20keep-alive\r\nSERVER:\x20Linux/4\.9\.118\r\nCONTE
SF:NT-LENGTH:\x2048\r\nCONTENT-TYPE:\x20text/html\r\n\r\n<html><body><h1>4
SF:04\x20Not\x20Found</h1></body></html>")%r(HTTPOptions,B2,"HTTP/0\.0\x20
SF:501\x20Not\x20Implemented\r\nCONNECTION:\x20keep-alive\r\nSERVER:\x20Li
SF:nux/4\.9\.118\r\nCONTENT-LENGTH:\x2054\r\nCONTENT-TYPE:\x20text/html\r\
SF:n\r\n<html><body><h1>501\x20Not\x20Implemented</h1></body></html>");
MAC Address: 00:E0:6C:36:03:9C (Ultra Electronics Command & Control Systems)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 1.52 ms 192.168.110.26

Nmap scan report for 192.168.110.27
Host is up (0.0016s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
443/tcp open ssl/http Boa HTTPd 0.94.13
|_http-server-header: Boa/0.94.13
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=www.linkplay.com/organizationName=linkplay/stateOrProvinceName=Shanghai/countryName=CN
| Not valid before: 2018-11-14T12:24:18
|_Not valid after: 2028-11-11T12:24:18
7000/tcp open rtsp
| fingerprint-strings:
| FourOhFourRequest, GetRequest:
| HTTP/1.1 404 Not Found
| Content-Length: 0
| Server: AirTunes/366.0
| HTTPOptions:
| HTTP/1.1 200 OK
| Public: ANNOUNCE, SETUP, RECORD, PAUSE, FLUSH, FLUSHBUFFERED, TEARDOWN, OPTIONS, POST, GET, PUT
| Server: AirTunes/366.0
| RTSPRequest:
| RTSP/1.0 200 OK
| Public: ANNOUNCE, SETUP, RECORD, PAUSE, FLUSH, FLUSHBUFFERED, TEARDOWN, OPTIONS, POST, GET, PUT
| Server: AirTunes/366.0
| SIPOptions:
| RTSP/1.0 200 OK
| Public: ANNOUNCE, SETUP, RECORD, PAUSE, FLUSH, FLUSHBUFFERED, TEARDOWN, OPTIONS, POST, GET, PUT
| Server: AirTunes/366.0
|_ CSeq: 42 OPTIONS
|_irc-info: Unable to open connection
|_rtsp-methods: ANNOUNCE, SETUP, RECORD, PAUSE, FLUSH, FLUSHBUFFERED, TEARDOWN, OPTIONS, POST, GET, PUT
8899/tcp open tcpwrapped
49152/tcp open unknown
| fingerprint-strings:
| FourOhFourRequest, GetRequest:
| HTTP/1.0 404 Not Found
| CONNECTION: keep-alive
| SERVER: Linux/4.9.118
| CONTENT-LENGTH: 48
| CONTENT-TYPE: text/html
| <html><body><h1>404 Not Found</h1></body></html>
| HTTPOptions:
| HTTP/0.0 501 Not Implemented
| CONNECTION: keep-alive
| SERVER: Linux/4.9.118
| CONTENT-LENGTH: 54
| CONTENT-TYPE: text/html
|_ <html><body><h1>501 Not Implemented</h1></body></html>
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port7000-TCP:V=7.70%I=7%D=2/16%Time=69922B6C%P=aarch64-unknown-linux-gn
SF:u%r(GetRequest,45,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Length:\
SF:x200\r\nServer:\x20AirTunes/366\.0\r\n\r\n")%r(HTTPOptions,8C,"HTTP/1\.
SF:1\x20200\x20OK\r\nPublic:\x20ANNOUNCE,\x20SETUP,\x20RECORD,\x20PAUSE,\x
SF:20FLUSH,\x20FLUSHBUFFERED,\x20TEARDOWN,\x20OPTIONS,\x20POST,\x20GET,\x2
SF:0PUT\r\nServer:\x20AirTunes/366\.0\r\n\r\n")%r(RTSPRequest,8C,"RTSP/1\.
SF:0\x20200\x20OK\r\nPublic:\x20ANNOUNCE,\x20SETUP,\x20RECORD,\x20PAUSE,\x
SF:20FLUSH,\x20FLUSHBUFFERED,\x20TEARDOWN,\x20OPTIONS,\x20POST,\x20GET,\x2
SF:0PUT\r\nServer:\x20AirTunes/366\.0\r\n\r\n")%r(FourOhFourRequest,45,"HT
SF:TP/1\.1\x20404\x20Not\x20Found\r\nContent-Length:\x200\r\nServer:\x20Ai
SF:rTunes/366\.0\r\n\r\n")%r(SIPOptions,9E,"RTSP/1\.0\x20200\x20OK\r\nPubl
SF:ic:\x20ANNOUNCE,\x20SETUP,\x20RECORD,\x20PAUSE,\x20FLUSH,\x20FLUSHBUFFE
SF:RED,\x20TEARDOWN,\x20OPTIONS,\x20POST,\x20GET,\x20PUT\r\nServer:\x20Air
SF:Tunes/366\.0\r\nCSeq:\x2042\x20OPTIONS\r\n\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port49152-TCP:V=7.70%I=7%D=2/16%Time=69922B58%P=aarch64-unknown-linux-g
SF:nu%r(FourOhFourRequest,A6,"HTTP/1\.0\x20404\x20Not\x20Found\r\nCONNECTI
SF:ON:\x20keep-alive\r\nSERVER:\x20Linux/4\.9\.118\r\nCONTENT-LENGTH:\x204
SF:8\r\nCONTENT-TYPE:\x20text/html\r\n\r\n<html><body><h1>404\x20Not\x20Fo
SF:und</h1></body></html>")%r(GetRequest,A6,"HTTP/1\.0\x20404\x20Not\x20Fo
SF:und\r\nCONNECTION:\x20keep-alive\r\nSERVER:\x20Linux/4\.9\.118\r\nCONTE
SF:NT-LENGTH:\x2048\r\nCONTENT-TYPE:\x20text/html\r\n\r\n<html><body><h1>4
SF:04\x20Not\x20Found</h1></body></html>")%r(HTTPOptions,B2,"HTTP/0\.0\x20
SF:501\x20Not\x20Implemented\r\nCONNECTION:\x20keep-alive\r\nSERVER:\x20Li
SF:nux/4\.9\.118\r\nCONTENT-LENGTH:\x2054\r\nCONTENT-TYPE:\x20text/html\r\
SF:n\r\n<html><body><h1>501\x20Not\x20Implemented</h1></body></html>");
MAC Address: 00:E0:6C:36:04:3B (Ultra Electronics Command & Control Systems)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 1.60 ms 192.168.110.27

Nmap scan report for 192.168.110.28
Host is up (0.0016s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
443/tcp open ssl/http Boa HTTPd 0.94.13
|_http-server-header: Boa/0.94.13
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=www.linkplay.com/organizationName=linkplay/stateOrProvinceName=Shanghai/countryName=CN
| Not valid before: 2018-11-14T12:24:18
|_Not valid after: 2028-11-11T12:24:18
7000/tcp open rtsp
| fingerprint-strings:
| FourOhFourRequest, GetRequest:
| HTTP/1.1 404 Not Found
| Content-Length: 0
| Server: AirTunes/366.0
| HTTPOptions:
| HTTP/1.1 200 OK
| Public: ANNOUNCE, SETUP, RECORD, PAUSE, FLUSH, FLUSHBUFFERED, TEARDOWN, OPTIONS, POST, GET, PUT
| Server: AirTunes/366.0
| RTSPRequest:
| RTSP/1.0 200 OK
| Public: ANNOUNCE, SETUP, RECORD, PAUSE, FLUSH, FLUSHBUFFERED, TEARDOWN, OPTIONS, POST, GET, PUT
| Server: AirTunes/366.0
| SIPOptions:
| RTSP/1.0 200 OK
| Public: ANNOUNCE, SETUP, RECORD, PAUSE, FLUSH, FLUSHBUFFERED, TEARDOWN, OPTIONS, POST, GET, PUT
| Server: AirTunes/366.0
|_ CSeq: 42 OPTIONS
|_irc-info: Unable to open connection
|_rtsp-methods: ANNOUNCE, SETUP, RECORD, PAUSE, FLUSH, FLUSHBUFFERED, TEARDOWN, OPTIONS, POST, GET, PUT
8899/tcp open tcpwrapped
49152/tcp open unknown
| fingerprint-strings:
| FourOhFourRequest, GetRequest:
| HTTP/1.0 404 Not Found
| CONNECTION: keep-alive
| SERVER: Linux/4.9.118
| CONTENT-LENGTH: 48
| CONTENT-TYPE: text/html
| <html><body><h1>404 Not Found</h1></body></html>
| HTTPOptions:
| HTTP/0.0 501 Not Implemented
| CONNECTION: keep-alive
| SERVER: Linux/4.9.118
| CONTENT-LENGTH: 54
| CONTENT-TYPE: text/html
|_ <html><body><h1>501 Not Implemented</h1></body></html>
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port7000-TCP:V=7.70%I=7%D=2/16%Time=69922B6C%P=aarch64-unknown-linux-gn
SF:u%r(GetRequest,45,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Length:\
SF:x200\r\nServer:\x20AirTunes/366\.0\r\n\r\n")%r(HTTPOptions,8C,"HTTP/1\.
SF:1\x20200\x20OK\r\nPublic:\x20ANNOUNCE,\x20SETUP,\x20RECORD,\x20PAUSE,\x
SF:20FLUSH,\x20FLUSHBUFFERED,\x20TEARDOWN,\x20OPTIONS,\x20POST,\x20GET,\x2
SF:0PUT\r\nServer:\x20AirTunes/366\.0\r\n\r\n")%r(RTSPRequest,8C,"RTSP/1\.
SF:0\x20200\x20OK\r\nPublic:\x20ANNOUNCE,\x20SETUP,\x20RECORD,\x20PAUSE,\x
SF:20FLUSH,\x20FLUSHBUFFERED,\x20TEARDOWN,\x20OPTIONS,\x20POST,\x20GET,\x2
SF:0PUT\r\nServer:\x20AirTunes/366\.0\r\n\r\n")%r(FourOhFourRequest,45,"HT
SF:TP/1\.1\x20404\x20Not\x20Found\r\nContent-Length:\x200\r\nServer:\x20Ai
SF:rTunes/366\.0\r\n\r\n")%r(SIPOptions,9E,"RTSP/1\.0\x20200\x20OK\r\nPubl
SF:ic:\x20ANNOUNCE,\x20SETUP,\x20RECORD,\x20PAUSE,\x20FLUSH,\x20FLUSHBUFFE
SF:RED,\x20TEARDOWN,\x20OPTIONS,\x20POST,\x20GET,\x20PUT\r\nServer:\x20Air
SF:Tunes/366\.0\r\nCSeq:\x2042\x20OPTIONS\r\n\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port49152-TCP:V=7.70%I=7%D=2/16%Time=69922B58%P=aarch64-unknown-linux-g
SF:nu%r(FourOhFourRequest,A6,"HTTP/1\.0\x20404\x20Not\x20Found\r\nCONNECTI
SF:ON:\x20keep-alive\r\nSERVER:\x20Linux/4\.9\.118\r\nCONTENT-LENGTH:\x204
SF:8\r\nCONTENT-TYPE:\x20text/html\r\n\r\n<html><body><h1>404\x20Not\x20Fo
SF:und</h1></body></html>")%r(GetRequest,A6,"HTTP/1\.0\x20404\x20Not\x20Fo
SF:und\r\nCONNECTION:\x20keep-alive\r\nSERVER:\x20Linux/4\.9\.118\r\nCONTE
SF:NT-LENGTH:\x2048\r\nCONTENT-TYPE:\x20text/html\r\n\r\n<html><body><h1>4
SF:04\x20Not\x20Found</h1></body></html>")%r(HTTPOptions,B2,"HTTP/0\.0\x20
SF:501\x20Not\x20Implemented\r\nCONNECTION:\x20keep-alive\r\nSERVER:\x20Li
SF:nux/4\.9\.118\r\nCONTENT-LENGTH:\x2054\r\nCONTENT-TYPE:\x20text/html\r\
SF:n\r\n<html><body><h1>501\x20Not\x20Implemented</h1></body></html>");
MAC Address: 00:E0:6C:36:04:39 (Ultra Electronics Command & Control Systems)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 1.57 ms 192.168.110.28

Nmap scan report for 192.168.110.29
Host is up (0.0015s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
443/tcp open ssl/http Boa HTTPd 0.94.13
|_http-server-header: Boa/0.94.13
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=www.linkplay.com/organizationName=linkplay/stateOrProvinceName=Shanghai/countryName=CN
| Not valid before: 2018-11-14T12:24:18
|_Not valid after: 2028-11-11T12:24:18
8899/tcp open tcpwrapped
49152/tcp open unknown
| fingerprint-strings:
| FourOhFourRequest, GetRequest:
| HTTP/1.0 404 Not Found
| CONNECTION: keep-alive
| SERVER: Linux/4.9.118
| CONTENT-LENGTH: 48
| CONTENT-TYPE: text/html
| <html><body><h1>404 Not Found</h1></body></html>
| HTTPOptions:
| HTTP/0.0 501 Not Implemented
| CONNECTION: keep-alive
| SERVER: Linux/4.9.118
| CONTENT-LENGTH: 54
| CONTENT-TYPE: text/html
|_ <html><body><h1>501 Not Implemented</h1></body></html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port49152-TCP:V=7.70%I=7%D=2/16%Time=69922B58%P=aarch64-unknown-linux-g
SF:nu%r(FourOhFourRequest,A6,"HTTP/1\.0\x20404\x20Not\x20Found\r\nCONNECTI
SF:ON:\x20keep-alive\r\nSERVER:\x20Linux/4\.9\.118\r\nCONTENT-LENGTH:\x204
SF:8\r\nCONTENT-TYPE:\x20text/html\r\n\r\n<html><body><h1>404\x20Not\x20Fo
SF:und</h1></body></html>")%r(GetRequest,A6,"HTTP/1\.0\x20404\x20Not\x20Fo
SF:und\r\nCONNECTION:\x20keep-alive\r\nSERVER:\x20Linux/4\.9\.118\r\nCONTE
SF:NT-LENGTH:\x2048\r\nCONTENT-TYPE:\x20text/html\r\n\r\n<html><body><h1>4
SF:04\x20Not\x20Found</h1></body></html>")%r(HTTPOptions,B2,"HTTP/0\.0\x20
SF:501\x20Not\x20Implemented\r\nCONNECTION:\x20keep-alive\r\nSERVER:\x20Li
SF:nux/4\.9\.118\r\nCONTENT-LENGTH:\x2054\r\nCONTENT-TYPE:\x20text/html\r\
SF:n\r\n<html><body><h1>501\x20Not\x20Implemented</h1></body></html>");
MAC Address: 00:E0:6C:36:03:9D (Ultra Electronics Command & Control Systems)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 1.50 ms 192.168.110.29

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 4 IP addresses (4 hosts up) scanned in 419.94 seconds

Great things… In the scan report you can see that it shows 403 Forbidden. It’s logical that military devices must be protected from unauthorized personnel. I would love to do a full penetration test here; I would take at least 2M U.S. dollars from them, but unfortunately I am an evil guy. Port 49152 returning a SERVER header is a huge mistake: I can see the exact Linux version.

Those devices have critical vulnerabilities:

  1. Boa has a Basic Authentication bypass via HEAD request.
  2. Linux/4.9.118 has a problem: Bluetooth can be abused via CVE-2023-28464.
  3. There might be an SQL injection vulnerability on the /preauth/logic.cgi?realm=xxx endpoint.

Basic Authentication bypass

The problem is within the Boa source code. The server never checks the authentication for HEAD requests. Let’s analyze the code. In the request.c file, there is a function called process_logline:

```c
int process_logline(request* req);
```

This part of the function:

```c
req->logline = req->client_stream;
if (!memcmp(req->logline, "GET ", 4))
    req->method = M_GET;
else if (!memcmp(req->logline, "HEAD ", 5))
    /* head is just get w/no body */
    req->method = M_HEAD;
else if (!memcmp(req->logline, "POST ", 5))
    req->method = M_POST;
else {
    log_error_time();
    fprintf(stderr, "malformed request: \"%s\"\n", req->logline);
    send_r_not_implemented(req);
    return 0;
}
```

This says that a HEAD request is going to be treated as a GET request. Understandable, but later this assumption causes an error: the developer forgets to check the authentication for HEAD requests. For example, if the /protected endpoint must be requested with an Authorization header, an unauthenticated GET request won’t work. On the other hand, if the attacker sends a HEAD request to the /protected endpoint without Basic Authentication, the server will treat the attacker as an authenticated user.
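The ordering mistake described above, as an added example that is not Boa’s code: a small model of a method dispatcher whose HEAD branch returns before the access check, beside the hardened form that decides authorization from the resource alone. The M_* names follow the Boa snippet; the request struct, the single Basic credential, and the /protected path are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example, not Boa's code: a model of the method-dispatch and
 * access-control logic the passage describes.  The M_* names follow the
 * Boa snippet; the request struct, credential and paths are constructed. */

enum method { M_GET, M_HEAD, M_POST, M_UNKNOWN };

struct request {
    enum method method;
    const char *path;            /* request target, e.g. "/protected" */
    const char *authorization;   /* value of the Authorization header, or NULL */
};

/* Same prefix test as the Boa snippet, with strncmp so short lines stay in bounds. */
static enum method parse_method(const char *line)
{
    if (!strncmp(line, "GET ", 4))  return M_GET;
    if (!strncmp(line, "HEAD ", 5)) return M_HEAD;   /* "head is just get w/no body" */
    if (!strncmp(line, "POST ", 5)) return M_POST;
    return M_UNKNOWN;
}

/* Constructed credential store: one valid Basic credential (user:secret). */
static bool credentials_ok(const char *authorization)
{
    return authorization && !strcmp(authorization, "Basic dXNlcjpzZWNyZXQ=");
}

/* Everything under /protected requires credentials; everything else is public. */
static bool path_is_protected(const char *path)
{
    return !strncmp(path, "/protected", 10);
}

/* Vulnerable ordering: the handler branches on the method first, and the
 * HEAD branch ("a GET without a body") returns before the access check that
 * the GET and POST branches perform.  This is the bug the passage describes. */
int vulnerable_dispatch(const struct request *req)
{
    if (req->method == M_UNKNOWN)
        return 501;
    if (req->method == M_HEAD)
        return 200;                        /* headers only, but no auth check */
    if (path_is_protected(req->path) && !credentials_ok(req->authorization))
        return 401;
    return 200;
}

/* Hardened ordering: authorization is decided from the resource alone, before
 * any method-specific handling, so HEAD inherits exactly GET's protection. */
int hardened_dispatch(const struct request *req)
{
    if (req->method == M_UNKNOWN)
        return 501;
    if (path_is_protected(req->path) && !credentials_ok(req->authorization))
        return 401;
    return 200;   /* GET and HEAD now differ only in whether a body is sent */
}

/* Build a request from a constructed request line and optional header value,
 * then return the status code the chosen dispatcher would send. */
int respond(int (*dispatch)(const struct request *), const char *line,
            const char *authorization)
{
    struct request req;
    const char *sp = strchr(line, ' ');

    req.method = parse_method(line);
    req.path = sp ? sp + 1 : "";   /* path_is_protected only reads the prefix */
    req.authorization = authorization;
    return dispatch(&req);
}

int main(void)
{
    const char *line = "HEAD /protected HTTP/1.0";   /* constructed request line */
    printf("vulnerable: %d\n", respond(vulnerable_dispatch, line, NULL));   /* 200 */
    printf("hardened:   %d\n", respond(hardened_dispatch, line, NULL));     /* 401 */
    return 0;
}
```

The fix is a placement rule rather than a HEAD-specific check: any access decision made inside per-method branches has to be repeated for every branch, so it belongs before the branching.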

To be honest, I thought their network would be more protected. Putting everything in the same subnet prevents every security mechanism from working properly. Even if they need to experiment with different chemicals and store military equipment at the same time, they should at least use different VLANs and subnets. Personally, I would place military devices in an air-gapped network.

CVE-2023-28464

I downloaded the Linux source code to view the problem. Inside the net/bluetooth/hci_conn.c file, there is a function static void hci_conn_cleanup(struct hci_conn *conn):

```c
static void hci_conn_cleanup(struct hci_conn *conn)
{
    struct hci_dev *hdev = conn->hdev;

    if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
        hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);

    hci_chan_list_flush(conn);

    hci_conn_hash_del(hdev, conn);

    if (hdev->notify)
        hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);

    hci_conn_del_sysfs(conn);

    debugfs_remove_recursive(conn->debugfs);

    hci_dev_put(hdev);

    hci_conn_put(conn);
}
```

This vulnerability is a double-free or use-after-free inside the Linux Bluetooth stack. Basically, this function calls hci_dev_put and hci_conn_put after hci_conn_del_sysfs. Note that hci_conn_del_sysfs has already deleted the conn object. In the parameters, conn is a pointer, so it was not passed as just a value: the original object was deallocated. After freeing the object, hci_conn_cleanup still uses the conn object on the last line. This has two possibilities:

  1. The Bluetooth stack will crash. That’s a DoS (denial of service).
  2. Privilege escalation to the root user will happen.

This can happen because of overwriting kernel heap objects and function pointers. To be honest, I don’t know which one will be triggered. Another problem is that the device that I broke into does not have Bluetooth support. That’s not a problem. Exploiting a kernel vulnerability is not a good choice when there is a chance that it’ll crash. There is no recovery from a crash in kernel space. For example, if a user-mode process crashes, the kernel can always handle it, but when the kernel crashes, there is nothing that can handle that. So, the whole device shuts down. To avoid that, I’m not going to take the risk. Instead, I’ll exploit Boa, find a vulnerability that allows me to upload a web shell or reverse shell (even better). After I do that, I’ll just use linpeas.sh to find local privilege escalation vulnerabilities and exploit them. That’s how I’ll get root there.
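The lifetime mistake the section describes, as an added example that is not kernel code: a user-space model of a reference-counted object where the sysfs teardown drops one reference, the cleanup drops another, and the object is then touched. The struct conn type, the conn_get/conn_put/conn_del_sysfs helpers and the instrumentation counters are constructed for this model (the assumption that the sysfs teardown drops the last reference is the passage’s reading, not verified kernel behaviour), and the object is flagged as released instead of really freed so the misuse stays observable.

```c
#include <stdio.h>
#include <stdbool.h>

/* Added example, not kernel code: a user-space model of the reference-count
 * lifetime pattern the passage describes.  struct conn stands in for
 * struct hci_conn; conn_get/conn_put, conn_del_sysfs and the instrumentation
 * fields are constructed for this model, not the kernel's functions. */

struct conn {
    int refcount;
    bool released;   /* set instead of really freeing, so misuse stays observable */
    int bad_uses;    /* accesses (or drops) made after the object was released */
};

static void conn_get(struct conn *c) { c->refcount++; }

/* Drop one reference; the object is released when the count reaches zero.
 * Dropping a reference on an already released object is the double free the
 * passage names; here it is counted rather than corrupting memory. */
static void conn_put(struct conn *c)
{
    if (c->released) { c->bad_uses++; return; }
    if (--c->refcount == 0)
        c->released = true;
}

/* Any field access after release is the use-after-free the passage describes. */
static void conn_touch(struct conn *c)
{
    if (c->released) c->bad_uses++;
}

/* Model of the sysfs teardown: removing the device drops the reference the
 * sysfs device held (an assumption of this model, following the passage). */
static void conn_del_sysfs(struct conn *c) { conn_put(c); }

/* Ordering as the passage reads hci_conn_cleanup: sysfs teardown drops a
 * reference, cleanup drops another, and the object is touched afterwards. */
int vulnerable_cleanup(struct conn *c)
{
    conn_del_sysfs(c);
    conn_put(c);      /* if sysfs held the last reference, this is a double put */
    conn_touch(c);    /* and this is a use-after-free */
    return c->bad_uses;
}

/* One correct ordering for this model: hold our own reference for the whole
 * teardown, do every access while it is held, and make the final put the very
 * last operation so nothing dereferences the object after it may be gone. */
int hardened_cleanup(struct conn *c)
{
    conn_get(c);
    conn_del_sysfs(c);
    conn_touch(c);
    conn_put(c);
    return c->bad_uses;
}

/* Run a cleanup routine against a conn that starts with initial_refs holders
 * and report how many after-release misuses it produced. */
int run_cleanup(int (*cleanup)(struct conn *), int initial_refs)
{
    struct conn c = { initial_refs, false, 0 };
    return cleanup(&c);
}

int main(void)
{
    /* One holder (sysfs): the vulnerable ordering misuses the object twice. */
    printf("vulnerable, 1 ref:  %d misuses\n", run_cleanup(vulnerable_cleanup, 1)); /* 2 */
    /* Extra holders mask the bug, which is why such bugs surface intermittently. */
    printf("vulnerable, 3 refs: %d misuses\n", run_cleanup(vulnerable_cleanup, 3)); /* 0 */
    printf("hardened, 1 ref:    %d misuses\n", run_cleanup(hardened_cleanup, 1));   /* 0 */
    return 0;
}
```

The second vulnerable run is the practitioner’s point: when other holders still keep the count above zero the same code is harmless, so a crash that shows up only under certain connection states is the symptom to look for in a kernel log rather than a sign the bug is absent.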

Summary

The whole point of this post is to demonstrate how weird hacking can become: from doing simple enumeration on HTB boxes to exploiting military devices from a water temperature controller. That transition is very funny to me.