Hack The Box: Airtouch Machine Walkthrough – Medium Difficulty
Category: Easy Machine. Tags: aircrack-ng, AP, BurpSuite, Challenges, eaphammer, HackTheBox, Linux, Penetration Testing, port forwarding, ssh
Introduction to Airtouch:

In this write-up, we will explore the “Airtouch” machine from Hack The Box, categorised as a Medium difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the “Airtouch” machine from Hack The Box by achieving the following objectives:
User Flag:
The user flag was obtained after the attacker gained initial access to the machine as the low-privileged user consultant via SSH and performed basic enumeration. By connecting to the internal network (192.168.3.0/24) through the compromised system and later accessing the internal access point at 192.168.3.1 via SSH, the attacker explored the /home/user directory and successfully retrieved the user flag.
Root Flag
The attacker achieved the root flag through multiple stages of privilege escalation and lateral movement. They first exploited a misconfigured sudo permission to gain root access on the main machine without a password. After identifying the system as a wireless attack platform, they cracked the WPA2 password (“challenge”) and connected to the internal network. From there, they exploited an unrestricted file upload vulnerability on the access point’s web interface to gain a reverse shell, then performed further enumeration to uncover credentials and access a management server. Using these credentials, they escalated privileges to root and obtained the root flag.
Enumerating the Airtouch Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -T4 -oA initial 10.129.244.98
Nmap Output:
─[dark@parrot]─[~/Documents/htb/airtouch]
└──╼ $cat initial.nmap
# Nmap 7.94SVN scan initiated Sat Apr 18 07:36:33 2026 as: nmap -sC -sV -T4 -oA initial 10.129.244.98
Nmap scan report for 10.129.244.98
Host is up (0.16s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
6/tcp filtered unknown
20/tcp filtered ftp-data
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 bd:90:00:15:cf:4b:da:cb:c9:24:05:2b:01:ac:dc:3b (RSA)
| 256 6e:e2:44:70:3c:6b:00:57:16:66:2f:37:58:be:f5:c0 (ECDSA)
|_ 256 ad:d5:d5:f0:0b:af:b2:11:67:5b:07:5c:8e:85:76:76 (ED25519)
222/tcp filtered rsh-spx
254/tcp filtered unknown
2005/tcp filtered deslogin
3517/tcp filtered 802-11-iapp
5915/tcp filtered unknown
6543/tcp filtered mythtv
8009/tcp filtered ajp13
9595/tcp filtered pds
32785/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 18 07:37:03 2026 -- 1 IP address (1 host up) scanned in 29.76 seconds
Analysis:
- Port 22 (SSH): OpenSSH 8.2p1 on Ubuntu, the only open TCP port and therefore the most likely initial access path.
UDP Scan:
┌─[✗]─[dark@parrot]─[~/Documents/htb/airtouch]
└──╼ $cat udp.nmap
# Nmap 7.94SVN scan initiated Sat Apr 18 07:40:30 2026 as: nmap -sU -sC -sV --top-ports 200 -T4 -oA udp 10.129.244.98
Warning: 10.129.244.98 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.129.244.98
Host is up (0.18s latency).
Not shown: 183 closed udp ports (port-unreach)
PORT STATE SERVICE VERSION
7/udp open|filtered echo
68/udp open|filtered dhcpc
123/udp open|filtered ntp
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 19acbb136d29e36900000000
| snmpEngineBoots: 1
|_ snmpEngineTime: 14m49s
| snmp-sysdescr: "The default consultant password is: RxBlZhLmOkacNWScmZ6D (change it after use it)"
|_ System uptime: 14m49.23s (88923 timeticks)
990/udp open|filtered ftps
1022/udp open|filtered exp2
1036/udp open|filtered nsstp
3659/udp open|filtered apple-sasl
Analysis:
- Port 161 (SNMP): SNMPv1 is enabled with the default "public" community string, and the sysDescr field leaks the default password of the consultant account.
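As an added, defender-side example (not code from the write-up or the machine), the following Python audit runs over the SNMP block of the scan above and reports the three issues a reviewer should raise: a plaintext SNMP version, a default community string, and credential-like text in a world-readable system field. The sample input is the scan text embedded inline; the secret value is masked in the report so the audit output does not leak it again.

```python
import re

# Constructed sample: the SNMP lines from the UDP scan above, embedded so the audit runs offline.
SAMPLE_SCAN = """\
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
| enterprise: net-snmp
| snmp-sysdescr: "The default consultant password is: RxBlZhLmOkacNWScmZ6D (change it after use it)"
|_ System uptime: 14m49.23s (88923 timeticks)
"""

DEFAULT_COMMUNITIES = {"public", "private"}
# Words that must never appear in sysDescr/sysContact/sysLocation: anyone holding the community string can read them.
SECRET_WORDS = re.compile(r"\b(pass(?:word|wd)?|pwd|secret|token|api[_ -]?key)\b", re.I)
# "password is: VALUE", "secret=VALUE", "token: VALUE" -> mask VALUE so the finding itself does not leak it.
SECRET_VALUE = re.compile(r"((?:pass(?:word|wd)?|pwd|secret|token|key)\b\s*(?:is)?\s*[:=]\s*)(\S+)", re.I)


def redact(text):
    """Replace the value that follows a secret keyword with a placeholder."""
    return SECRET_VALUE.sub(r"\1[REDACTED]", text)


def audit_snmp(scan_text):
    """Return (kind, detail) findings for an nmap -sU -sC snmp block; secret values are masked."""
    findings = []
    for line in scan_text.splitlines():
        svc = re.match(r"^161/udp\s+open\s+snmp\s+(.*)$", line)
        if svc:
            version_info = svc.group(1)
            if re.search(r"SNMPv1|SNMPv2c", version_info):
                findings.append(("plaintext-version", "v1/v2c send the community string unencrypted"))
            comm = re.search(r"\((\w+)\)\s*$", version_info)  # nmap prints the working community in parentheses
            if comm and comm.group(1).lower() in DEFAULT_COMMUNITIES:
                findings.append(("default-community", comm.group(1)))
            continue
        field = re.match(r"^\|_?\s*snmp-(sysdescr|syscontact|syslocation):\s*\"?(.*?)\"?\s*$", line)
        if field and SECRET_WORDS.search(field.group(2)):
            findings.append((f"credential-in-{field.group(1)}", redact(field.group(2))))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_snmp(SAMPLE_SCAN):
        print(f"{kind}: {detail}")
```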
Exploitation
Initial Access:

The attacker obtains initial access by SSHing into the target as the low-privileged user consultant, using the default password leaked over SNMP.

Running sudo -l exposes the critical misconfiguration: consultant can use sudo without a password, which allows immediate privilege escalation to root:

This shows basic enumeration after gaining initial access as the consultant user.

The command cat /etc/passwd | grep sh$ reveals that both root and consultant have /bin/bash as their shell. No other service accounts have interactive shells. This is standard Linux reconnaissance to understand which users can log in interactively.

After checking permissions, the user runs sudo su.


Once the attacker gains root access, they find interesting files in /home/consultant, including two PNG images (diagram-net.png and a timestamped photo). The root directory also contains a folder named eaphammer.

The machine is configured as a wireless attack platform: multiple virtual Wi-Fi interfaces are available via the mac80211_hwsim driver.


A wireless scan shows several nearby networks, including the company SSID AirTouch-Internet (BSSID: F0:9F:C2:A3:F1:A7, WPA2-PSK, channel 6).

The attacker attempts to crack a previously captured handshake.

The attacker discovers that the WPA2-PSK password is "challenge".

The attacker then generates a wpa_supplicant configuration and connects to the corporate Wi-Fi network AirTouch-Internet.


The interface receives an IP address in the 192.168.3.0/24 network, and the access point at 192.168.3.1 is reachable from it.

Further attempts to interact with the AP web interface using `curl -u admin:admin http://192.168.3.1/login.cgi` return a 404 Not Found. This suggests that the web management page is disabled or located elsewhere.


The attacker performs lateral movement by SSHing into the access point at 192.168.3.1 as the account named user, then immediately escalates privileges.

Enumeration of /home/user reveals several files and scripts.

The user flag is obtained directly.
Escalating to Root
Privilege Escalation:

The script send_certs.sh is particularly interesting.

After gaining root, the attacker connects to the corporate AirTouch-Internet WPA2-PSK network (password: challenge) on a new virtual interface.

The interface receives IP 192.168.3.23/24 (visible via ip a).

Local port forwarding is set up from the attacker's Parrot OS machine to reach the internal AP's web interface.


The application uses PHP sessions with cookies (UserRole=user or UserRole=admin and PHPSESSID). The interface allows editing network name, password, and security mode, but changes appear client-side only (JavaScript-controlled).

Successful login as admin (or manager) grants access to the Wi-Fi configuration panel at /index.php.

The panel requires login as admin / manager and provides a simple “Upload Configuration File” feature that saves uploaded files to the /uploads/ directory.

A netcat listener is started on the attacker's machine.

The attacker exploits this unrestricted file upload by uploading a file:
- dark.phtml (a basic test webshell)

The file uploads succeed with confirmation messages:
- “The file dark.phtml has been uploaded to folder uploads/”
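As an added, defender-side example (not code from the write-up or the AP's own software), the following Python contrasts the AP's trusting save path with a validation routine that would have rejected dark.phtml: it checks every extension segment against a PHP-executable list, applies an allowlist of config extensions, inspects the content, and stores accepted files under a random server-chosen name. The allowlist, size limit and storage directory are assumptions.

```python
import os
import secrets

# Assumption: the AP's "Upload Configuration File" feature only needs plain-text config files.
ALLOWED_EXTENSIONS = {"conf", "cfg", "txt"}
# Extensions a PHP handler will execute; a blocklist of only ".php" misses the .phtml/.phar used above.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "pht"}
MAX_UPLOAD_BYTES = 64 * 1024  # assumed limit for a config file


def vulnerable_save_path(upload_dir, client_filename):
    """What the AP effectively does: trust the client's name, so dark.phtml lands in a web-served folder."""
    return os.path.join(upload_dir, client_filename)


def validate_upload(client_filename, data):
    """Return (accepted, reason). Every extension segment is checked, not just the last one,
    because handlers such as Apache's AddHandler can treat 'x.phtml.txt' as PHP."""
    name = client_filename.lower()
    if name != os.path.basename(name) or ".." in name or "\x00" in name:
        return False, "path components or null byte in filename"
    segments = name.split(".")
    if len(segments) < 2 or segments[-1] == "":
        return False, "missing extension"
    if any(seg in EXECUTABLE_EXTENSIONS for seg in segments[1:]):
        return False, "executable extension segment"
    if segments[-1] not in ALLOWED_EXTENSIONS:
        return False, "extension not in allowlist"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    if b"<?" in data or b"\x00" in data:
        return False, "content contains PHP open tag or binary data"
    return True, "ok"


def hardened_save_path(storage_dir, client_filename, data):
    """Store accepted files under a random name in storage_dir (assumed to be outside the web root)."""
    accepted, reason = validate_upload(client_filename, data)
    if not accepted:
        raise ValueError(reason)
    ext = client_filename.lower().rsplit(".", 1)[-1]
    return os.path.join(storage_dir, f"{secrets.token_hex(16)}.{ext}")
```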

Triggering the reverse shell (via the uploaded .phar or .phtml file through the forwarded port) grants a shell on the router.

Later, using EAPHammer from the consultant machine, the attacker SSHes to the remote management server.


Enumeration also reveals interesting files, including /etc/hostapd/hostapd_wpe.eap_user, which contains EAP user credentials and MSCHAPv2 hashes (for example, for the user admin with a long password).

On AirTouch-AP-MGT, the user remote can escalate privileges by switching to the admin account:
su admin
This leads to root access.

The root flag is found and read.