{"id":371,"date":"2026-01-20T13:33:10","date_gmt":"2026-01-20T05:33:10","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=371"},"modified":"2026-01-29T16:23:56","modified_gmt":"2026-01-29T08:23:56","slug":"371","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2026\/01\/20\/371\/","title":{"rendered":"HTB\u9776\u673a AirTouch \u6e17\u900f\u6d4b\u8bd5\u8bb0\u5f55"},"content":{"rendered":"
\n

\u76ee\u6807\u4fe1\u606f<\/h1>\n

IP\u5730\u5740\uff1a<\/strong>10.129.7.139<\/strong><\/code>\uff08\u975e\u56fa\u5b9aIP\u5730\u5740\uff09<\/strong><\/p><\/blockquote>\n

\n

\u4fe1\u606f\u6536\u96c6<\/h1>\n

ICMP\u68c0\u6d4b<\/h2>\n
PING 10.129.7.139 (10.129.7.139) 56(84) bytes of data.\n64 bytes from 10.129.7.139: icmp_seq=1 ttl=63 time=239 ms\n64 bytes from 10.129.7.139: icmp_seq=2 ttl=63 time=251 ms\n64 bytes from 10.129.7.139: icmp_seq=3 ttl=63 time=243 ms\n64 bytes from 10.129.7.139: icmp_seq=4 ttl=63 time=351 ms\n\n--- 10.129.7.139 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3003ms\nrtt min\/avg\/max\/mdev = 238.966\/270.672\/350.539\/46.306 ms<\/code><\/pre>\n
\u653b\u51fb\u673a\u548c\u9776\u673a\u95f4\u7684\u7f51\u7edc\u8fde\u63a5\u6b63\u5e38\u3002<\/p>\n
\u9632\u706b\u5899\u68c0\u6d4b<\/h2>\n
# Nmap 7.98 scan initiated Sun Jan 18 07:36:13 2026 as: \/usr\/lib\/nmap\/nmap -sF -p- --min-rate 3000 -oN fin_result.txt 10.129.7.139\nNmap scan report for 10.129.7.139\nHost is up (0.23s latency).\nNot shown: 65534 closed tcp ports (reset)\nPORT   STATE         SERVICE\n22\/tcp open|filtered ssh\n\n# Nmap done at Sun Jan 18 07:36:39 2026 -- 1 IP address (1 host up) scanned in 26.08 seconds<\/code><\/pre>\n
\u9776\u673a\u7591\u4f3c\u5f00\u653e\u4e861<\/code>\u4e2aTCP<\/code>\u7aef\u53e3\u3002<\/p>\n
\u7f51\u7edc\u7aef\u53e3\u626b\u63cf<\/h2>\n
TCP<\/strong><\/code>\u7aef\u53e3\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.98 scan initiated Sun Jan 18 07:38:44 2026 as: \/usr\/lib\/nmap\/nmap -sT -sV -A -p- --min-rate 3000 -oN tcp_result.txt 10.129.7.139\nNmap scan report for 10.129.7.139\nHost is up (0.24s latency).\nNot shown: 65534 closed tcp ports (conn-refused)\nPORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   3072 bd:90:00:15:cf:4b:da:cb:c9:24:05:2b:01:ac:dc:3b (RSA)\n|   256 6e:e2:44:70:3c:6b:00:57:16:66:2f:37:58:be:f5:c0 (ECDSA)\n|_  256 ad:d5:d5:f0:0b:af:b2:11:67:5b:07:5c:8e:85:76:76 (ED25519)\nDevice type: general purpose|router\nRunning: Linux 4.X|5.X, MikroTik RouterOS 7.X\nOS CPE: cpe:\/o:linux:linux_kernel:4 cpe:\/o:linux:linux_kernel:5 cpe:\/o:mikrotik:routeros:7 cpe:\/o:linux:linux_kernel:5.6.3\nOS details: Linux 4.15 - 5.19, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)\nNetwork Distance: 2 hops\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE (using proto 1\/icmp)\nHOP RTT       ADDRESS\n1   307.63 ms 10.10.14.1\n2   307.72 ms 10.129.7.139\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Sun Jan 18 07:39:24 2026 -- 1 IP address (1 host up) scanned in 40.64 seconds<\/code><\/pre>\n
UDP<\/strong><\/code>\u7aef\u53e3\u5f00\u653e\u5217\u8868\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.98 scan initiated Sun Jan 18 07:39:50 2026 as: \/usr\/lib\/nmap\/nmap -sU -p- --min-rate 3000 -oN udp_ports.txt 10.129.7.139\nWarning: 10.129.7.139 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.129.7.139\nHost is up (0.23s latency).\nNot shown: 65289 open|filtered udp ports (no-response), 245 closed udp ports (port-unreach)\nPORT    STATE SERVICE\n161\/udp open  snmp\n\n# Nmap done at Sun Jan 18 07:43:54 2026 -- 1 IP address (1 host up) scanned in 244.38 seconds<\/code><\/pre>\n
UDP<\/strong><\/code>\u7aef\u53e3\u8be6\u7ec6\u4fe1\u606f\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.98 scan initiated Sun Jan 18 07:45:06 2026 as: \/usr\/lib\/nmap\/nmap -sC -sV -A -sU -p 161 --min-rate 3000 -oN udp_result.txt 10.129.7.139\nNmap scan report for 10.129.7.139\nHost is up (0.24s latency).\n\nPORT    STATE SERVICE VERSION\n161\/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)\n| snmp-sysdescr: \"The default consultant password is: RxBlZhLmOkacNWScmZ6D (change it after use it)\"\n|_  System uptime: 2d09h31m23.40s (20708340 timeticks)\n| snmp-info: \n|   enterprise: net-snmp\n|   engineIDFormat: unknown\n|   engineIDData: 8b2467631cf6686900000000\n|   snmpEngineBoots: 1\n|_  snmpEngineTime: 2d09h31m23s\nToo many fingerprints match this host to give specific OS details\nNetwork Distance: 2 hops\nService Info: Host: Consultant\n\nTRACEROUTE (using port 161\/udp)\nHOP RTT       ADDRESS\n1   229.81 ms 10.10.14.1\n2   229.91 ms 10.129.7.139\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Sun Jan 18 07:45:15 2026 -- 1 IP address (1 host up) scanned in 9.32 seconds<\/code><\/pre>\n
\u540c\u65f6\u53d1\u73b0\u9776\u673a\u8fd0\u884cUbuntu Linux<\/code>\u64cd\u4f5c\u7cfb\u7edf\uff0c\u5f00\u653e22\/ssh<\/code>\u548c161\/snmp(udp)<\/code>\u670d\u52a1\uff0c\u6839\u636eHackTheBox<\/code>\u9776\u673a\u89c4\u5219\uff0c\u9776\u673a\u4e3b\u57df\u540d\u5e94\u4e3aairtouch.htb<\/code><\/p>\n
\n
\u670d\u52a1\u63a2\u6d4b<\/h1>\n
SSH\u670d\u52a1\uff0822\u7aef\u53e3\uff09<\/h2>\n
\u5c1d\u8bd5\u4f7f\u7528ssh<\/code>\u5de5\u5177\u8fde\u63a5\u9776\u673a\uff0c\u67e5\u770b\u9776\u673a\u5141\u8bb8\u7684\u767b\u5f55\u65b9\u5f0f\uff1a<\/p>\n
ssh root@airtouch.htb<\/code><\/pre>\n
<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u9776\u673aSSH<\/code>\u670d\u52a1\u5141\u8bb8\u4f7f\u7528\u5bc6\u94a5\u548c\u5bc6\u7801\u767b\u5f55\u3002<\/p>\n
SNMP\u670d\u52a1\uff08UDP-161\u7aef\u53e3\uff09<\/h2>\n
\u5c1d\u8bd5\u4f7f\u7528snmpwalk<\/code>\u5de5\u5177\u8fde\u63a5\u670d\u52a1\u67e5\u770bOID<\/code>\uff1a<\/p>\n
snmpwalk -v2c -c public airtouch.htb .<\/code><\/pre>\n
<\/p>\n
\"\"<\/p>\n
\u6210\u529f\u53d1\u73b0\u7528\u6237\u51ed\u636e\uff1a<\/p>\n