RealWorld

Travelling is always good

淮安市晟源酒店

A State Grid electric power guesthouse, next to the Huai'an Electric Power Building

[image: the hotel]

After dinner we go back to the hotel. The TV doesn't work for some reason. I notice that the wifi may be somewhat vulnerable, and I have nothing to do for the next several hours, so I give it a try.

Network scanning

After connecting to the wifi, ifconfig | grep inet gives the IPv4 address:

$ ifconfig | grep inet
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet6 fe80::aede:48ff:fe00:1122%en4 prefixlen 64 scopeid 0x4
inet6 fe80::347d:daff:fe9f:bb1f%ap1 prefixlen 64 scopeid 0x5
inet6 fe80::8a7:53cc:308a:2dfc%en0 prefixlen 64 secured scopeid 0x6
inet 192.168.41.107 netmask 0xffffff00 broadcast 192.168.41.255
inet6 fe80::24dd:f9ff:fef7:612%awdl0 prefixlen 64 scopeid 0x7
inet6 fe80::24dd:f9ff:fef7:612%llw0 prefixlen 64 scopeid 0x8
inet6 fe80::123a:35a1:1607:fc62%utun0 prefixlen 64 scopeid 0xc
inet6 fe80::e752:ae73:20c:35d2%utun1 prefixlen 64 scopeid 0xd
inet6 fe80::ce81:b1c:bd2c:69e%utun2 prefixlen 64 scopeid 0xe

Fire up nmap and do a quick scan of this network:

$ nmap 192.168.41.107/24
Nmap scan report for 192.168.41.1
Host is up (0.0083s latency).
Not shown: 969 closed tcp ports (conn-refused), 29 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http

Nmap scan report for 192.168.41.100
Host is up (0.0081s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
6000/tcp open X11

Nmap scan report for 192.168.41.107
Host is up (0.000078s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
5000/tcp open upnp
7000/tcp open afs3-fileserver

Nmap done: 256 IP addresses (3 hosts up) scanned in 59.80 seconds

We see HTTP on 80 and DNS on 53, so we can guess that 192.168.41.1 is the router.

(We can also see X11 on 6000 on 192.168.41.100. There are lots of X11 tests to play with as well, but I don't have Kali on my computer and I don't want to install those tools on my Mac.)

Login

[image: the router's login page, rendered empty]

The page looks empty, and curl returns 302, which makes me think there is some protection. It turns out that there is some protection, but it is done quite poorly.

[image: the CSS rule that hides the page]

Are you fucking kidding me? Making the page unviewable by using CSS?

Then just remove the CSS.

[image: the login page with the CSS removed]

Then we have a login page, no CAPTCHA, so we can brute force it, but I hate guessing. Thanks to the developer for writing some readable JavaScript code that encourages me to continue.

var loginCount=0;
var xmlhttp;
function check(){
    if(window.XMLHttpRequest){
        xmlhttp= new XMLHttpRequest();
    }else{
        xmlhttp= new ActiveXObject("Microsoft.XMLHTTP");// the router's original reads "AxtiveXObject", a typo in the dead IE branch
    }
    xmlhttp.onreadystatechange=clback;
    user="user="+document.getElementById("user").value;
    pwd="pwd="+document.getElementById("pwd").value;

    xmlhttp.open("post","/boafrm/formAwifilogin?"+user+"&"+pwd);// submit for verification
    xmlhttp.send();
}
function clback(){
    if(xmlhttp.readyState == 4){
        var text=xmlhttp.responseText;
        if("0"==text){
            var countfont = "验证失败,剩余输入次数为:";
            var countnext = 2 - loginCount;
            var all = countfont + countnext;
            document.getElementById("errorcount").innerHTML = all;
            document.getElementById("error").style.display = "block";
            if(loginCount>=2){
                sAlert();
            }
            loginCount=(loginCount+1)%3;// the lockout counter lives only in this page
        }else{
            document.cookie="authflag="+text+"-0";// the server's reply becomes the auth cookie
            window.location.href='/home.htm';// after a successful login, redirect to
        }
    }
}

function sAlert()
{
    var msgw,msgh,bordercolor;
    msgw=400;// width of the alert window
    msgh=100;// height of the alert window
    titleheight=25;// height of the alert window title
    bordercolor="#336699";// border colour of the alert window
    titlecolor="#99CCFF";// title colour of the alert window
    var sWidth,sHeight;
    sWidth=document.body.offsetWidth;// get the window width
    sHeight=screen.height;// get the screen height
    var bgObj=document.createElement("div");// the key part: create a div in the body and size it to cover the whole window, so nothing else can be operated on
    bgObj.setAttribute('id','bgDiv');
    bgObj.style.position="absolute";
    bgObj.style.top="0";
    bgObj.style.background="#777";
    bgObj.style.filter="progid:DXImageTransform.Microsoft.Alpha(style=3,opacity=25,finishOpacity=75";
    bgObj.style.opacity="0.6";
    bgObj.style.left="0";
    bgObj.style.width=sWidth + "px";
    bgObj.style.height=sHeight + "px";
    bgObj.style.zIndex = "10000";
    document.body.appendChild(bgObj);// once configured, show this div
    var msgObj=document.createElement('div');// create a message window
    msgObj.setAttribute("id","msgDiv");
    msgObj.setAttribute("align","center");
    msgObj.style.background="white";
    msgObj.style.border="1px solid " + bordercolor;
    msgObj.style.position = "absolute";
    msgObj.style.left = "50%";
    msgObj.style.top = "50%";
    msgObj.style.font="12px/1.6em Verdana, Geneva, Arial, Helvetica, sans-serif";
    msgObj.style.marginLeft = "-225px" ;
    msgObj.style.marginTop = -75+document.documentElement.scrollTop+"px";
    msgObj.style.width = msgw+"px";
    msgObj.style.height = msgh+"px";
    msgObj.style.textAlign = "center";
    msgObj.style.lineHeight ="25px";
    msgObj.style.zIndex = "10001";
    var title=document.createElement("h4"); // create a title to place in the message layer
    title.setAttribute("id","msgTitle");
    title.setAttribute("align","right");
    title.style.margin="0";
    title.style.padding="3px";
    title.style.background=bordercolor;
    title.style.filter="progid:DXImageTransform.Microsoft.Alpha(startX=20, startY=20, finishX=100, finishY=100,style=1,opacity=75,finishOpacity=100);";
    title.style.opacity="0.75";
    title.style.border="1px solid " + bordercolor;
    title.style.height="18px";
    title.style.font="12px Verdana, Geneva, Arial, Helvetica, sans-serif";
    title.style.color="white";
    title.style.cursor="pointer";
    document.body.appendChild(msgObj);
    document.getElementById("msgDiv").appendChild(title);
    var txt=document.createElement("p");
    txt.style.margin="1em 0";
    txt.setAttribute("id","msgTxt");
    txt.innerHTML="密码输入尝试次数过多,系统锁屏1分钟,请稍后再试!";
    document.getElementById("msgDiv").appendChild(txt);

    setTimeout( function(){
        document.body.removeChild(bgObj);// remove the div layer covering the whole window
        document.getElementById("msgDiv").removeChild(title);// remove the title
        document.body.removeChild(msgObj);// remove the message layer
    }, 60 * 1000 );
}

document.onkeydown=function(event)
{
    var e = event ? event :(window.event ? window.event : null);
    var currKey=0;
    currKey=e.keyCode||e.which||e.charCode;
    if(currKey==13){
        check();
    }
};

They try to do something to prevent brute force, but they do it on the front end via JavaScript? Doomed to failure.

We can modify the code to enable brute force, but that is not quite useful; I hate guessing. And the password is not the default one.

N-day

So let's do some research. I also notice that the login actually depends on the cookie: if we have the text returned by the server (the router), we can set the cookie and log in successfully.

But I cannot figure out what the text is. This is also a brute-force point, but again, I'm not a fan of guessing games.

I only need to know the cookie value, and someone must have done this before.

[image: search results for this router's CVE]

Look at that, there are plenty of them, 100% identical.

We even have an exploit written for us.

Manually modifying the cookie also works.

(The text is just a simple 1, WTF😬)

Try to get a shell

We can see a file upload function in the admin panel. A firmware update is also possible.

[image: the admin panel after logging in]

Then we could try to upload a PHP RCE payload, or modify a valid firmware image to perform a malicious firmware update and get RCE. Since I do not have AntSword with me and I do not want to get into trouble and end up in jail, I just leave it there.

Conclusion

Here is the real value:

  1. In the real world, if you want to hack something or someone, N-day is the most efficient way to get the job done (and also social engineering). 0-day is costly, very time-consuming and may screw up your motivation.

  2. Security in the real world is really an engineering problem. It is not about building something new or bringing innovative ideas; it is about finding the failures of some developers, not quite 'advanced' tech.

  3. So only security research matters: only new ways of attack and new types of failure matter. (So I would like to quit and be a developer😅) Learn more about the theory: how to attack through a new way? How to make tools that make engineering more efficient? (build the fuzzing framework, etc.) How are 0-days found? (Not those 'same knowledge applied to a different scenario' bugs but really a 'new way to attack' / 'new type of bug'.) Know the fundamentals and attack them in a practical, theoretical way. Based on the theory, do your innovation: what if I do something that no one has done? What if I do Z instead of X and Y? Will the theory fail?

  4. We should love new stuff. More opportunity, fewer competitors. And most important, new theory, new system architecture. They are less reviewed and studied. They are more likely to fail.

  5. Don't do labor-intensive jobs, unless it makes a lot of money (or you really need money). You can learn stuff, practice stuff (ensure you understand it, make sure you really have the ability to make your idea come true; this is not labor-intensive!💻), create stuff, never be constrained by your past knowledge, build on it.

  6. RealWorld is good because it is real. You get motivated. You will get rewarded.