In this post, I would like to share a walkthrough of the Wifinetic Machine from Hack the Box.

This room is considered an Easy machine on Hack the Box.

Information Gathering on Wifinetic Machine

Once we have started the VPN connection, which requires a download from Hack the Box, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

┌─[darknite@parrot]─[~/Documents/htb/wifinetic]
└──╼ $ nmap -sV -sC 10.10.11.247  -oA initial 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-14 23:23 EDT
Nmap scan report for 10.10.11.247
Host is up (0.20s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT      STATE    SERVICE    VERSION
21/tcp    open     ftp        vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.14.93
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp          4434 Jul 31 11:03 MigrateOpenWrt.txt
| -rw-r--r--    1 ftp      ftp       2501210 Jul 31 11:03 ProjectGreatMigration.pdf
| -rw-r--r--    1 ftp      ftp         60857 Jul 31 11:03 ProjectOpenWRT.pdf
| -rw-r--r--    1 ftp      ftp         40960 Sep 11 15:25 backup-OpenWrt-2023-07-26.tar
|_-rw-r--r--    1 ftp      ftp         52946 Jul 31 11:03 employees_wellness.pdf
22/tcp    open     ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
|   256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_  256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
53/tcp    open     tcpwrapped
15003/tcp filtered unknown
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.08 seconds
┌─[darknite@parrot]─[~/Documents/htb/wifinetic]
└──╼ $ 

However, port 80 was not found in the nmap output.

Let’s access the machine via the FTP service.

There are a few files stored in the directory.

Therefore, let’s download all the files onto our attacker machine.

We should extract the tar file, which contains a bunch of files that we can analyze further.

It will look something like what is shown above.

While looking into the passwd file, we managed to retrieve a few usernames that we can use for access later.

There are a few files in the config directory.

I will fast-forward this step, as it might take a few minutes just to analyze all the files here. Therefore, I will skip all files except one, which is wireless.

Finally, we have successfully retrieved a password but sadly, we don’t know which user can use this password.
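The exposure described above (a backup archive carrying both the passwd file and a cleartext wireless key) can be checked before a backup is ever placed on a shared location. The following is an added example, not part of the original walkthrough: the function names and the sample archive contents are constructed for illustration, and it assumes the standard OpenWrt layout of etc/passwd and etc/config/wireless inside the tar.

```python
import io, re, tarfile

# UCI options in etc/config/wireless that hold cleartext wireless secrets.
SECRET_OPTS = {"key", "key1", "key2", "key3", "key4", "sae_password"}
OPTION_RE = re.compile(r"""^\s*option\s+(\w+)\s+(['"]?)(.*?)\2\s*$""")
NOLOGIN = ("/bin/false", "/sbin/nologin", "/usr/sbin/nologin")

def audit_backup(fileobj):
    """Return (secret findings, login-capable accounts) for an OpenWrt backup tar."""
    secrets, accounts = [], []
    with tarfile.open(fileobj=fileobj) as tar:
        for member in tar.getmembers():
            name = member.name.lstrip("./")
            if not member.isfile():
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            if name == "etc/config/wireless":
                for lineno, line in enumerate(text.splitlines(), 1):
                    m = OPTION_RE.match(line)
                    if m and m.group(1) in SECRET_OPTS and m.group(3):
                        # Report location and length only, never the secret itself.
                        secrets.append((name, lineno, m.group(1), len(m.group(3))))
            elif name == "etc/passwd":
                for line in text.splitlines():
                    fields = line.split(":")
                    if len(fields) == 7 and fields[6] not in NOLOGIN:
                        accounts.append(fields[0])
    return secrets, accounts

def make_sample_backup():
    """Constructed sample archive; contents are made up for this example."""
    files = {
        "./etc/passwd": "root:x:0:0:root:/root:/bin/ash\n"
                        "daemon:*:1:1:daemon:/var:/bin/false\n"
                        "alice:x:1000:1000::/home/alice:/bin/ash\n",
        "./etc/config/wireless": "config wifi-iface 'wifinet0'\n"
                                 "\toption ssid 'ExampleNet'\n"
                                 "\toption encryption 'psk2'\n"
                                 "\toption key 'constructed-psk'\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, body in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body.encode()))
    buf.seek(0)
    return buf
```

Calling audit_backup(open(path, "rb")) on a real backup returns the same two lists; any archive that yields both a wireless secret and login-capable accounts should not be readable anonymously, and the key should not be reused as an account password.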

Let’s paste the password into a new file.

We can use crackmapexec for this activity, but I will use hydra instead. At last, we have found a matching username and password for the SSH service.

Boom! We have successfully accessed the machine via the SSH service.

We can read the user flag by typing the “cat user.txt” command.

Escalate to Root Privileges Access

Firstly, we can upload linpeas to the victim’s machine and look for any vulnerability that we can take advantage of.

We can see that there’s a binary called reaver.

We can analyze the iwconfig settings on the victim’s machine.

At last, we managed to obtain the bssid by running the command iw dev.

We managed to retrieve a potential password for root.

My guess is spot on.

Finally, we managed to access the machine as root via the SSH service.

We can read the root flag by typing the “cat root.txt” command.
