In this post, I would like to share a walkthrough of the WifineticTwo machine from Hack The Box.

This machine is rated Medium on Hack The Box.


What will you gain from the WifineticTwo machine?

For the user flag, you need to follow the proxy server's redirect to an OpenPLC login page. Using the default OpenPLC credentials (openplc/openplc), we log in and exploit CVE-2021-31630 to upload a C-based reverse shell payload to the server, which grants us a shell as root. However, the /root directory only contains the user flag.

As for the root flag, you need to enumerate the network interfaces (ifconfig), which reveals a wifi interface (wlan0). Enumerating it shows the wifi network's name (SSID, "plcrouter") and that WPS (Wifi Protected Setup) is enabled. Despite the name "WPS", it is a dangerous setting that makes the wifi network vulnerable to the Pixie Dust attack. This attack allows us to retrieve the PSK (Pre-Shared Key) required to connect to the network. There is an existing Python exploit which does just that. With the PSK in our possession, we can create a configuration file and connect to the network with wpa_supplicant (a daemon process that manages wireless connections on Linux). Once connected to the wifi network, we can SSH into the router, which has the default address 192.168.1.1, and this is where we find the root flag.
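The root-flag path above hinges on one access-point setting: WPS left enabled. From the defender's side, the fix is a configuration check on the access point rather than anything on the client. The following added example (my own, not part of the original walkthrough and not code from OpenPLC or hostapd) audits a hostapd configuration for the settings that expose an AP to WPS PIN attacks and emits a hardened copy. The two configuration texts are constructed for the example; the hostapd keys `wps_state`, `ap_pin` and `ap_setup_locked` are real hostapd options, and the SSID `plcrouter` is taken from the machine described above.

```python
"""Audit a hostapd.conf for WPS exposure and produce a hardened copy.

Keys checked (all real hostapd options):
  wps_state       0 = WPS disabled, 1/2 = WPS enabled
  ap_pin          static 8-digit AP PIN used by the WPS PIN method
  ap_setup_locked 0 = AP configuration may be changed over WPS
"""

# Constructed example: an AP configured the way the machine above appears to be.
WEAK_CONF = """\
interface=wlan0
ssid=plcrouter
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE_WITH_A_LONG_RANDOM_PASSPHRASE
eap_server=1
wps_state=2
ap_pin=12345670
ap_setup_locked=0
"""


def parse_hostapd(text):
    """Parse key=value lines, skipping blanks and '#' comments; first value wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf.setdefault(key.strip(), value.strip())
    return conf


def audit_hostapd(text):
    """Return a list of finding identifiers for WPS-related weaknesses."""
    conf = parse_hostapd(text)
    findings = []
    if conf.get("wps_state", "0") in ("1", "2"):
        findings.append("wps_enabled")
    if "ap_pin" in conf:
        findings.append("static_ap_pin")
    if conf.get("ap_setup_locked") == "0":
        findings.append("ap_setup_unlocked")
    return findings


def harden_hostapd(text):
    """Rewrite the config with WPS disabled, the static PIN removed and setup locked."""
    out = []
    for raw in text.splitlines():
        key = raw.split("=", 1)[0].strip()
        if key == "ap_pin":
            continue                      # drop the static PIN entirely
        if key == "wps_state":
            out.append("wps_state=0")     # disable WPS; PSK must be provisioned manually
        elif key == "ap_setup_locked":
            out.append("ap_setup_locked=1")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("weak config findings:", audit_hostapd(WEAK_CONF))
    hardened = harden_hostapd(WEAK_CONF)
    print("hardened config findings:", audit_hostapd(hardened))
    print(hardened)
```

Run against the constructed config the audit reports `wps_enabled`, `static_ap_pin` and `ap_setup_unlocked`; after `harden_hostapd` it reports nothing. The same parser works on a real `/etc/hostapd/hostapd.conf`, which is the check I would add to any build pipeline for embedded routers.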

Information Gathering on Wifinetictwo Machine

Once we have started the VPN connection, which requires downloading the connection pack from Hack The Box, we can start with an nmap scan.

┌─[darknite@parrot]─[~/Documents/htb/wifinetictwo]
└──╼ $nmap -sC -sV -oA initial 10.10.11.7 -oA initial
# Nmap 7.94SVN scan initiated Sat Jul 27 01:18:24 2024 as: nmap -sC -sV -oA initial 10.10.11.7
Nmap scan report for 10.10.11.7 (10.10.11.7)
Host is up (0.050s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
8080/tcp open  http-proxy Werkzeug/1.0.1 Python/2.7.18
|_http-server-header: Werkzeug/1.0.1 Python/2.7.18
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was http://10.10.11.7:8080/login
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     content-type: text/html; charset=utf-8
|     content-length: 232
|     vary: Cookie
|     set-cookie: session=eyJfcGVybWFuZW50Ijp0cnVlfQ.ZqSBMw.1eDpb8sffZFXl0DF0iPlkuVo5LE; Expires=Sat, 27-Jul-2024 05:15:11 GMT; HttpOnly; Path=/
|     server: Werkzeug/1.0.1 Python/2.7.18
|     date: Sat, 27 Jul 2024 05:10:11 GMT
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 302 FOUND
|     content-type: text/html; charset=utf-8
|     content-length: 219
|     location: http://0.0.0.0:8080/login
|     vary: Cookie
|     set-cookie: session=eyJfZnJlc2giOmZhbHNlLCJfcGVybWFuZW50Ijp0cnVlfQ.ZqSBMw.5Dui3GDuWcHHuRnEreYKfULCyVI; Expires=Sat, 27-Jul-2024 05:15:11 GMT; HttpOnly; Path=/
|     server: Werkzeug/1.0.1 Python/2.7.18
|     date: Sat, 27 Jul 2024 05:10:11 GMT
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>Redirecting...</title>
|     <h1>Redirecting...</h1>
|     <p>You should be redirected automatically to target URL: <a href="/login">/login</a>. If not click the link.
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     content-type: text/html; charset=utf-8
|     allow: HEAD, OPTIONS, GET
|     vary: Cookie
|     set-cookie: session=eyJfcGVybWFuZW50Ijp0cnVlfQ.ZqSBMw.1eDpb8sffZFXl0DF0iPlkuVo5LE; Expires=Sat, 27-Jul-2024 05:15:11 GMT; HttpOnly; Path=/
|     content-length: 0
|     server: Werkzeug/1.0.1 Python/2.7.18
|     date: Sat, 27 Jul 2024 05:10:11 GMT
|   RTSPRequest: 
|     HTTP/1.1 400 Bad request
|     content-length: 90
|     cache-control: no-cache
|     content-type: text/html
|     connection: close
|     <html><body><h1>400 Bad request</h1>
|     Your browser sent an invalid request.
|_    </body></html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.94SVN%I=7%D=7/27%Time=66A48328%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,24C,"HTTP/1\.0\x20302\x20FOUND\r\ncontent-type:\x20text/htm
SF:l;\x20charset=utf-8\r\ncontent-length:\x20219\r\nlocation:\x20http://0\
SF:.0\.0\.0:8080/login\r\nvary:\x20Cookie\r\nset-cookie:\x20session=eyJfZn
SF:Jlc2giOmZhbHNlLCJfcGVybWFuZW50Ijp0cnVlfQ\.ZqSBMw\.5Dui3GDuWcHHuRnEreYKf
SF:ULCyVI;\x20Expires=Sat,\x2027-Jul-2024\x2005:15:11\x20GMT;\x20HttpOnly;
SF:\x20Path=/\r\nserver:\x20Werkzeug/1\.0\.1\x20Python/2\.7\.18\r\ndate:\x
SF:20Sat,\x2027\x20Jul\x202024\x2005:10:11\x20GMT\r\n\r\n<!DOCTYPE\x20HTML
SF:\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x203\.2\x20Final//EN\">\n<title>Red
SF:irecting\.\.\.</title>\n<h1>Redirecting\.\.\.</h1>\n<p>You\x20should\x2
SF:0be\x20redirected\x20automatically\x20to\x20target\x20URL:\x20<a\x20hre
SF:f=\"/login\">/login</a>\.\x20\x20If\x20not\x20click\x20the\x20link\.")%
SF:r(HTTPOptions,14E,"HTTP/1\.0\x20200\x20OK\r\ncontent-type:\x20text/html
SF:;\x20charset=utf-8\r\nallow:\x20HEAD,\x20OPTIONS,\x20GET\r\nvary:\x20Co
SF:okie\r\nset-cookie:\x20session=eyJfcGVybWFuZW50Ijp0cnVlfQ\.ZqSBMw\.1eDp
SF:b8sffZFXl0DF0iPlkuVo5LE;\x20Expires=Sat,\x2027-Jul-2024\x2005:15:11\x20
SF:GMT;\x20HttpOnly;\x20Path=/\r\ncontent-length:\x200\r\nserver:\x20Werkz
SF:eug/1\.0\.1\x20Python/2\.7\.18\r\ndate:\x20Sat,\x2027\x20Jul\x202024\x2
SF:005:10:11\x20GMT\r\n\r\n")%r(RTSPRequest,CF,"HTTP/1\.1\x20400\x20Bad\x2
SF:0request\r\ncontent-length:\x2090\r\ncache-control:\x20no-cache\r\ncont
SF:ent-type:\x20text/html\r\nconnection:\x20close\r\n\r\n<html><body><h1>4
SF:00\x20Bad\x20request</h1>\nYour\x20browser\x20sent\x20an\x20invalid\x20
SF:request\.\n</body></html>\n")%r(FourOhFourRequest,224,"HTTP/1\.0\x20404
SF:\x20NOT\x20FOUND\r\ncontent-type:\x20text/html;\x20charset=utf-8\r\ncon
SF:tent-length:\x20232\r\nvary:\x20Cookie\r\nset-cookie:\x20session=eyJfcG
SF:VybWFuZW50Ijp0cnVlfQ\.ZqSBMw\.1eDpb8sffZFXl0DF0iPlkuVo5LE;\x20Expires=S
SF:at,\x2027-Jul-2024\x2005:15:11\x20GMT;\x20HttpOnly;\x20Path=/\r\nserver
SF::\x20Werkzeug/1\.0\.1\x20Python/2\.7\.18\r\ndate:\x20Sat,\x2027\x20Jul\
SF:x202024\x2005:10:11\x20GMT\r\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W
SF:3C//DTD\x20HTML\x203\.2\x20Final//EN\">\n<title>404\x20Not\x20Found</ti
SF:tle>\n<h1>Not\x20Found</h1>\n<p>The\x20requested\x20URL\x20was\x20not\x
SF:20found\x20on\x20the\x20server\.\x20If\x20you\x20entered\x20the\x20URL\
SF:x20manually\x20please\x20check\x20your\x20spelling\x20and\x20try\x20aga
SF:in\.</p>\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 27 01:18:42 2024 -- 1 IP address (1 host up) scanned in 17.46 seconds
┌─[darknite@parrot]─[~/Documents/htb/wifinetictwo]
└──╼ $
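The scan above already tells a defender most of what matters about port 8080: the service banner is a Werkzeug development server on Python 2.7.18 (end of life since January 2020), and the redirect's `location` header points at `http://0.0.0.0:8080/login`, meaning the dev server is bound to every interface. The following added example (my own, not part of the original post) parses nmap's normal-format output into structured records and flags those three findings. The embedded scan text is an excerpt of the output shown above; the finding names are my own labels.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the nmap output shown above (the port table plus two script lines).
NMAP_OUTPUT = """\
Nmap scan report for 10.10.11.7 (10.10.11.7)
Host is up (0.050s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
8080/tcp open  http-proxy Werkzeug/1.0.1 Python/2.7.18
|_http-server-header: Werkzeug/1.0.1 Python/2.7.18
|     location: http://0.0.0.0:8080/login
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# A port-table line: "<port>/<proto>  <state>  <service>  <version...>"
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)
PYTHON_RE = re.compile(r"Python/(\d+)\.(\d+)")


@dataclass
class PortInfo:
    port: int
    proto: str
    state: str
    service: str
    version: str
    findings: list = field(default_factory=list)


def parse_ports(text):
    """Extract one PortInfo per line of the nmap port table."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append(PortInfo(int(m["port"]), m["proto"], m["state"],
                                  m["service"], m["version"].strip()))
    return ports


def audit_scan(text):
    """Return {port: [findings], "host": [findings]} for the risky signs in a scan."""
    result = {"host": []}
    for p in parse_ports(text):
        m = PYTHON_RE.search(p.version)
        if m and int(m.group(1)) < 3:
            p.findings.append("python2-eol")          # interpreter no longer receives fixes
        if "Werkzeug" in p.version:
            p.findings.append("werkzeug-dev-server")  # Flask/Werkzeug dev server, not a production WSGI server
        result[p.port] = p.findings
    # A redirect to 0.0.0.0 shows the app generated its URL from a wildcard bind address.
    if re.search(r"location:\s*https?://0\.0\.0\.0", text):
        result["host"].append("listens-on-all-interfaces")
    return result


if __name__ == "__main__":
    for port, findings in audit_scan(NMAP_OUTPUT).items():
        print(port, findings)
```

The same parser runs unchanged on any `nmap -oN` file, so it is a cheap way to turn routine scans of an OT network into tickets: an EOL interpreter and a development web server exposed on all interfaces are exactly the conditions under which the default-credential login described next becomes a full compromise.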

Let's access the website.

The dashboard requires credentials to log in, but we don't have any to work with yet.

As a result, let's try the default credentials (openplc/openplc).

The dashboard interface will look something like the above.

There is nothing useful to look into on the process page.

On the Programs page, we can see the programs that are available to us.

Therefore, let's create a .st (Structured Text) file to upload through the interface.

Sadly, we didn't receive a reverse shell connection at all.

We can paste the C code into the /hardware page as shown in the screenshot above.

Sadly, we got an error when trying to save the C code.


Let's execute the Python script as shown in the screenshot above.

Boom! We have successfully received the reverse shell connection.

However, the shell we receive is already running as root, which is unusual at this stage.

We can read the user.txt flag by running "cat user.txt" in the /root directory.

Escalate to Root Privileges


There are two users on the machine, including root.

There is nothing useful to analyze inside the ubuntu user's directory.

I decided to use the compressed file, which can be downloaded from the source here.

Let's compile the C file.


Let's start our Python HTTP server to transfer the file to the victim's machine.

Finally, we have successfully transferred the file to the victim's machine.


At last, the file executes.


We need to run the command above to obtain a few details (the interface and its network) that will be useful to us.


After a while, we managed to find the information required for the next attack.

Sadly, that run did not give us anything useful.


At this point, the file cannot be executed properly at all.


However, we shouldn't give up so easily, and persistence pays off.


Let's use wpa_passphrase for this step, which you can read more about here.
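What wpa_passphrase actually does is worth seeing, because it explains why the WPS weakness matters so much: the 256-bit PSK is PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, and that iteration count is the only thing slowing down offline guessing of a weak passphrase. Pixie Dust hands the attacker the PSK directly, so the derivation is bypassed entirely. The following added example (my own, not the page's code and not wpa_supplicant's source) reproduces the derivation and emits a `network={...}` block in the same layout wpa_passphrase prints. The `IEEE`/`password` pair is the published IEEE 802.11i test vector; `plcrouter` is the SSID from this machine, and the passphrase used with it is a constructed placeholder.

```python
import hashlib

# Published IEEE 802.11i test vector: SSID "IEEE", passphrase "password".
TEST_VECTOR_PSK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def wpa_psk(ssid, passphrase):
    """Derive the WPA/WPA2-Personal PSK exactly as wpa_passphrase does.

    PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, dkLen=32)
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def wpa_supplicant_block(ssid, passphrase):
    """Render the network block in the layout wpa_passphrase prints (tab-indented)."""
    return (
        "network={\n"
        f'\tssid="{ssid}"\n'
        f'\t#psk="{passphrase}"\n'
        f"\tpsk={wpa_psk(ssid, passphrase)}\n"
        "}\n"
    )


def psk_matches(block_text, ssid, passphrase):
    """Check that the psk= line in a wpa_supplicant block matches ssid+passphrase.

    Useful when reviewing a stored wpa_supplicant.conf: a psk that does not
    re-derive from the documented passphrase was provisioned some other way.
    """
    for line in block_text.splitlines():
        line = line.strip()
        if line.startswith("psk=") and not line.startswith("psk=\""):
            return line[len("psk="):] == wpa_psk(ssid, passphrase)
    return False


if __name__ == "__main__":
    # Constructed passphrase for the SSID seen on this machine.
    print(wpa_supplicant_block("plcrouter", "example-passphrase-not-real"))
```

`psk_matches` is the defender-side use: it lets you confirm that a PSK found in a configuration file was derived from the passphrase you think it was, rather than obtained through a side channel such as WPS.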


After a while, we have a working configuration for wlan0.


Let's connect to the router over the local connection as root.


We can read the root flag by running "cat root.txt".
