In this post, I would like to share a walkthrough of the WifineticTwo machine from Hack the Box.
This room is considered a Medium machine on Hack the Box.

What will you gain from the WifineticTwo machine?
For the user flag, you need to play around with a proxy server that redirects to an OpenPLC login page. Using the default OpenPLC credentials (openplc/openplc), we log in and exploit CVE-2021-31630 to upload a C-based reverse shell payload to the server, which grants us root access. However, the /root directory only contains the user flag.
As for the root flag, you need to inspect the network interfaces (ifconfig), which reveals a wifi interface (wlan0). Its enumeration shows the wifi network’s name (SSID, “plcrouter”), and also that WPS (Wifi Protected Setup) is enabled. Despite the name “WPS”, it is a dangerous parameter that makes wifi vulnerable to the Pixie Dust attack. This attack allows us to retrieve the PSK (Pre-Shared Key) required to connect to the network. There is an existing Python exploit which does just that. With the PSK in our possession, we can create a configuration file and connect to the network with wpa_supplicant (a daemon process that manages wireless connections on Linux). Once connected to the wifi network, we can SSH into the router, which has the default address 192.168.1.1, and this is where we find the root flag.
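From the defender's side, the WPS exposure described above can be found before anyone else finds it. This added example (not part of the original walkthrough) parses `iw dev wlan0 scan` output and lists access points that advertise WPS; the sample scan text, the BSSIDs and every SSID except "plcrouter" are constructed.

```python
import re

# Constructed `iw dev wlan0 scan` excerpt; BSSIDs and the last two SSIDs are made up.
SAMPLE_SCAN = """\
BSS 02:00:00:00:01:00(on wlan0)
\tSSID: plcrouter
\tRSN:\t * Version: 1
\t\t * Authentication suites: PSK
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
BSS 02:00:00:00:02:00(on wlan0)
\tSSID: office-ap
\tRSN:\t * Version: 1
\t\t * Authentication suites: PSK
BSS 02:00:00:00:03:00(on wlan0)
\tSSID: lab-ap
\tWPS:\t * Version: 1.0
\t\t * AP setup locked: 0x01
"""

BSS_RE = re.compile(r"^BSS ([0-9a-fA-F:]{17})")


def audit_wps(scan_text):
    """Return one record per BSS with its SSID and WPS advertisement state."""
    records, cur = [], None
    for line in scan_text.splitlines():
        m = BSS_RE.match(line)
        if m:  # a new access point block starts
            cur = {"bssid": m.group(1), "ssid": "", "wps": False, "locked": False}
            records.append(cur)
            continue
        if cur is None:
            continue
        field = line.strip()
        if field.startswith("SSID:"):
            cur["ssid"] = field[len("SSID:"):].strip()
        elif field.startswith("WPS:"):  # WPS information element present
            cur["wps"] = True
        elif field.startswith("* AP setup locked:"):
            cur["locked"] = field.endswith("0x01")
    return records


def needs_attention(scan_text):
    """SSIDs advertising WPS without the setup lock: disable WPS on these first."""
    return [r["ssid"] for r in audit_wps(scan_text) if r["wps"] and not r["locked"]]
```

An access point that reports the setup lock still has WPS switched on, so it belongs on the follow-up list too; turning WPS off on the router removes the exposure.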
Information Gathering on Wifinetictwo Machine
Once we have started the VPN connection which requires a download from Hackthebox, we can start
┌─[darknite@parrot]─[~/Documents/htb/wifinetictwo]
└──╼ $nmap -sC -sV -oA initial 10.10.11.7
# Nmap 7.94SVN scan initiated Sat Jul 27 01:18:24 2024 as: nmap -sC -sV -oA initial 10.10.11.7
Nmap scan report for 10.10.11.7 (10.10.11.7)
Host is up (0.050s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
8080/tcp open http-proxy Werkzeug/1.0.1 Python/2.7.18
|_http-server-header: Werkzeug/1.0.1 Python/2.7.18
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was http://10.10.11.7:8080/login
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| content-type: text/html; charset=utf-8
| content-length: 232
| vary: Cookie
| set-cookie: session=eyJfcGVybWFuZW50Ijp0cnVlfQ.ZqSBMw.1eDpb8sffZFXl0DF0iPlkuVo5LE; Expires=Sat, 27-Jul-2024 05:15:11 GMT; HttpOnly; Path=/
| server: Werkzeug/1.0.1 Python/2.7.18
| date: Sat, 27 Jul 2024 05:10:11 GMT
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.0 302 FOUND
| content-type: text/html; charset=utf-8
| content-length: 219
| location: http://0.0.0.0:8080/login
| vary: Cookie
| set-cookie: session=eyJfZnJlc2giOmZhbHNlLCJfcGVybWFuZW50Ijp0cnVlfQ.ZqSBMw.5Dui3GDuWcHHuRnEreYKfULCyVI; Expires=Sat, 27-Jul-2024 05:15:11 GMT; HttpOnly; Path=/
| server: Werkzeug/1.0.1 Python/2.7.18
| date: Sat, 27 Jul 2024 05:10:11 GMT
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>Redirecting...</title>
| <h1>Redirecting...</h1>
| <p>You should be redirected automatically to target URL: <a href="/login">/login</a>. If not click the link.
| HTTPOptions:
| HTTP/1.0 200 OK
| content-type: text/html; charset=utf-8
| allow: HEAD, OPTIONS, GET
| vary: Cookie
| set-cookie: session=eyJfcGVybWFuZW50Ijp0cnVlfQ.ZqSBMw.1eDpb8sffZFXl0DF0iPlkuVo5LE; Expires=Sat, 27-Jul-2024 05:15:11 GMT; HttpOnly; Path=/
| content-length: 0
| server: Werkzeug/1.0.1 Python/2.7.18
| date: Sat, 27 Jul 2024 05:10:11 GMT
| RTSPRequest:
| HTTP/1.1 400 Bad request
| content-length: 90
| cache-control: no-cache
| content-type: text/html
| connection: close
| <html><body><h1>400 Bad request</h1>
| Your browser sent an invalid request.
|_ </body></html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 27 01:18:42 2024 -- 1 IP address (1 host up) scanned in 17.46 seconds
┌─[darknite@parrot]─[~/Documents/htb/wifinetictwo]
└──╼ $
Let’s access the website

It requires credentials to log in to the dashboard, but sadly we don’t have any creds to play around with

As a result, let’s enter the default creds

The dashboard interface will look something like the above

There is nothing that we can look into in the process

On the program platform, we can see the programs that are available to us

Therefore, let’s create an st file to upload through the system interface


Sadly, we didn’t retrieve any reverse shell connection at all


We can copy-paste the C code into the /hardware interface as shown in the screenshot above

Sadly, we got an error when trying to save the C file

Let’s execute the Python script as shown in the screenshot above

Boom! We have successfully retrieved the reverse shell connection.

However, we retrieved the shell as root, which is weird at the moment

We can read the user.txt flag by typing the “cat user.txt” command in the /root directory
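A change to the code on the /hardware page is the event worth alerting on for the step above. This added example (not from the original walkthrough) scans Werkzeug-style access-log lines for it, assuming the save arrives as a POST to /hardware and that the server logs in the Werkzeug development-server format; the log lines and the allowlist are constructed.

```python
import re

# Werkzeug development-server access-log format (the server nmap identified on 8080).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log; addresses come from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Jul/2024 05:09:02] "POST /login HTTP/1.1" 302 -
192.0.2.10 - - [27/Jul/2024 05:09:40] "POST /hardware HTTP/1.1" 302 -
198.51.100.23 - - [27/Jul/2024 05:10:11] "GET /login HTTP/1.1" 200 -
198.51.100.23 - - [27/Jul/2024 05:10:15] "POST /login HTTP/1.1" 302 -
198.51.100.23 - - [27/Jul/2024 05:11:48] "POST /hardware HTTP/1.1" 302 -
"""

# Hypothetical allowlist: the only host expected to change PLC hardware code.
ENGINEERING_HOSTS = {"192.0.2.10"}


def hardware_changes(log_text, allowed=ENGINEERING_HOSTS):
    """Return an alert for every POST to /hardware, graded by source host."""
    alerts, logged_in = [], set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        ip, path = m["ip"], m["path"].split("?", 1)[0]
        if path == "/login":
            logged_in.add(ip)  # login attempt seen from this host
        elif path == "/hardware":
            alerts.append({
                "ip": ip,
                "time": m["ts"],
                "after_login": ip in logged_in,
                "severity": "review" if ip in allowed else "high",
            })
    return alerts
```

Changing the default openplc/openplc credentials and keeping port 8080 off untrusted networks removes the entry point this alert watches for.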
Escalate to Root Privileges Access

However, there are two users, including root

There is nothing that we can analyze inside the Ubuntu directory

I decided to use the compressed file, which can be downloaded from the source here


Let’s compile the C file

Let’s start our Python server to transfer the file to the victim’s machine


Finally, we have successfully transferred the file to the victim’s machine

At last, the file managed to execute



We need to run the command above to obtain a few details that might be useful to us


After a while, we managed to find the information required for the next attack

Sadly, it didn’t provide anything useful to us.

At this point, the file cannot be executed properly at all

However, we shouldn’t give up that easily, and it pays off

Let’s use wpa_passphrase for this method, which you can read more about here

After a while, we found a configuration in the wlan0 information

Let’s access the local connection as root

We can read the root flag by typing the “cat root.txt” command