In this post, I would like to share a walkthrough of the Wifinetic machine from Hack the Box.
This room is considered an Easy machine on Hack the Box.
Information Gathering on Wifinetic Machine
Once we have started the VPN connection, which requires a download from Hack the Box, we can start gathering information on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
┌─[darknite@parrot]─[~/Documents/htb/wifinetic]
└──╼ $ nmap -sV -sC 10.10.11.247 -oA initial
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-14 23:23 EDT
Nmap scan report for 10.10.11.247
Host is up (0.20s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.93
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 4434 Jul 31 11:03 MigrateOpenWrt.txt
| -rw-r--r-- 1 ftp ftp 2501210 Jul 31 11:03 ProjectGreatMigration.pdf
| -rw-r--r-- 1 ftp ftp 60857 Jul 31 11:03 ProjectOpenWRT.pdf
| -rw-r--r-- 1 ftp ftp 40960 Sep 11 15:25 backup-OpenWrt-2023-07-26.tar
|_-rw-r--r-- 1 ftp ftp 52946 Jul 31 11:03 employees_wellness.pdf
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_ 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
53/tcp open tcpwrapped
15003/tcp filtered unknown
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.08 seconds
┌─[darknite@parrot]─[~/Documents/htb/wifinetic]
└──╼ $
However, port 80 does not appear in the nmap output.
Let’s access the machine via FTP service.
There are a few files stored in the directory.
Therefore, let’s download all the files to our attacker machine.
We should extract the tar file, which contains a bunch of files that we can analyze further.
It will look something like what is shown above.
While looking into the passwd file, we managed to retrieve a few usernames that we can use for access later.
There are a few files in the config directory.
I will fast-forward this step, as it might take a few minutes just to analyze all the files here. Therefore, I will skip every file except one, which is wireless.
Finally, we have successfully retrieved a password but, sadly, we don’t know which users can use this password.
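The exposure described above (a router backup on anonymous FTP holding a plaintext wireless key next to a list of login accounts) can be caught before a backup is shared. The following is an added example, not part of the original walkthrough: it scans an OpenWrt-style backup archive for secret-bearing UCI options under etc/config/ and lists accounts with a login shell from etc/passwd. The function names, the option-name set and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import tarfile

# Assumed, illustrative set of UCI option names that hold secrets; extend as needed.
SECRET_OPTIONS = {"key", "password", "psk"}
NO_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
UCI_OPTION = re.compile(r"^\s*option\s+(\S+)\s+(['\"]?)(.*)\2\s*$")


def audit_backup(tar_bytes):
    """Return (secrets, login_users) found in an OpenWrt-style backup archive."""
    secrets, users = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = member.name.removeprefix("./")
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            if name.startswith("etc/config/"):
                for lineno, line in enumerate(text.splitlines(), 1):
                    m = UCI_OPTION.match(line)
                    if m and m.group(1) in SECRET_OPTIONS and m.group(3):
                        # Report the location only; never echo the secret value.
                        secrets.append((name, lineno, m.group(1)))
            elif name == "etc/passwd":
                for line in text.splitlines():
                    fields = line.split(":")
                    if len(fields) == 7 and fields[6] not in NO_LOGIN_SHELLS:
                        users.append(fields[0])
    return secrets, users


def build_sample():
    """Build a constructed sample archive (not the files from the machine)."""
    files = {
        "./etc/config/wireless": "config wifi-iface 'wifinet0'\n\toption ssid 'Lab'\n"
                                 "\toption encryption 'psk'\n\toption key 'constructed-psk'\n",
        "./etc/passwd": "root:x:0:0:root:/root:/bin/ash\ndaemon:*:1:1:daemon:/var:/bin/false\n"
                        "alice:x:1000:1000::/home/alice:/bin/bash\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, body in files.items():
            data = body.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Any hit in the first list means the archive should not leave the device unencrypted, and every account in the second list should be checked for a password that matches a key stored in the configuration.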
Let’s paste the password into a new file.
We can use crackmapexec for this activity, but I will use hydra instead. At last, we have found a matching username and password for the SSH service.
Boom! We have successfully accessed the machine via the SSH service.
We can read the user flag by typing the “cat user.txt” command.
Escalate to Root Privileges Access
Firstly, we can upload linpeas to the victim’s machine and look for any vulnerability that we can take advantage of.
We can see that there’s a binary called reaver.
We can analyze the iwconfig settings on the victim’s machine.
At last, we managed to obtain the bssid by running the command iw dev.
We managed to retrieve a potential password for root.
My guess is spot on.
Finally, we managed to access the machine as root via the SSH service.
We can read the root flag by typing the “cat root.txt” command.