PogoPlug Mobile

From Exploitee.rs
Revision as of 01:22, 7 February 2016 by Resno (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."

Pogoplug-mobile.jpg

This page will be dedicated to a general overview, descriptions, and information related to the PogoPlug Mobile.

Purchase

Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. Purchase the PogoPlug Mobile at Amazon

Disassembly

UART

The pin-out for UART can be found on the image below.

GPL

You can find GPL code for the PogoPlug Mobile Here

Gaining Root

The PogoPlug has an open bootloader and its kernel drops to a root shell making this a very open device. On top of that a user is also able to enable a SSHD server if they visit My.PogoPlug.com and enable it. Enabling SSHD not only sets dropbear to start on boot but also forces the user to change the root password. This however is only offered if a user opts to setup SSHD.

This leaves a lot of users with a default root password, but seemingly without any services running that could use it.

Lucky for us a diagnostic page runs on every pogoplug and can be accessed at:

https://IP-OF-POGOPLUG-MOBILE/sqdiag/

This diagnostic pages uses the root credentials as its login/password.

After accessing this diagnostic page you will need to access the hidden command execution portion. This can be access by visiting the following URL:

https://root:ceadmin@IP-OF-POGOPLUG-MOBILE/sqdiag/HBPlug?action=command

After visiting the above URL you should now have an input field that you can enter in any command which will execute with root privileges.

Accessing from CURL The below command will test a PogoPlug for the default login and command execution script. For a quick test substitute COMMANDHERE with reboot.

POC:
curl -k "https://root:ceadmin@IP-OF-POGOPLUG-MOBILE/sqdiag/HBPlug?action=command&command=COMMANDHERE"

Default Root Credentials

Below are the default root credentials for the PogoPlug, these are only changed if a user enables SSHD through the PogoPlug cloud interface.

Username: root

Password: ceadmin

Demo