Wifinetic | HackTheBox Writeup

Nihir Zala
4 min read, Jun 21, 2024


Enumeration

The IP address of the machine for this walkthrough is 10.10.11.247. We can start our enumeration off with an Nmap scan.

nmap -sV -sC -oN initial 10.10.11.247

Results for Nmap scan

There are three ports open:

  • Port 21: FTP (File Transfer Protocol) is used to host and share files. This server allows anonymous login, which is why Nmap can already list the files on it.
  • Port 22: SSH, which provides remote access to the server. If we can obtain credentials through FTP we may be able to log in.
  • Port 53: This port is commonly associated with DNS. Since Nmap could not identify the service, it may be something else.

Since FTP allows for anonymous login we can start there.

ftp Anonymous@10.10.11.247

Downloading Files

Using the get command we can download all the files from the server. There are several documents and a file called backup-OpenWrt-2023-07-26.tar. Extracting the archive yields several files, including the passwd file.

Extracted Backup Directory

If we had the shadow file we could attempt to crack the password hashes, but it is not included in the backup.

/etc/passwd contents

Looking through the config directory, we can find the wireless config file. It contains a plaintext password.

Wireless Password in Config

Foothold

Since we have a password and a username, we can attempt to log in via SSH in case the password is reused.

Successful SSH Login

Privilege Escalation

With access to the machine, we can read user.txt and enumerate further to attempt to get root. We can use ifconfig to look at the network interfaces.

Results from ifconfig

We can see multiple wireless interfaces and an interface I am assuming is for monitoring (mon0). We can also view the active services using the systemctl command.

systemctl status

Truncated results from systemctl command

I noticed the wpa_supplicant.service. We can get more information using the command below:

systemctl status wpa_supplicant.service

wpa_supplicant.service information

I attempted to view the conf file but we do not have permission to access it. At this point, based on what we have seen and the name of the box, it sounds likely that the privilege escalation will be associated with the wireless functionality. We can use iwconfig to see information on the wireless interfaces.

iwconfig command results

wlan1 is an access point, and iwconfig shows its BSSID. BSSID stands for Basic Service Set Identifier; it is the MAC address of the access point and identifies the wireless network that clients connect to.

There are tools like aircrack-ng that can be used to interact with wireless networks. We can start by seeing what is installed on the local machine.

apt list --installed

Truncated results from apt list --installed

Scrolling through the list I noticed reaver was installed. I was not familiar with this so I ran it to get the help menu.

reaver help menu

Reaver exploits wireless networks that have WPS (Wi-Fi Protected Setup) enabled. We can attempt to use it to recover the wireless password. To do this we need the BSSID that we saw before.

BSSID for the access point

We need the BSSID and the interface to target for the command to work.

reaver -i mon0 -b 02:00:00:00:00:00 -vv

Wireless network password

We were able to get the password using Reaver. As a side note, I had attempted to target the wlan1 interface first but the command failed so I tried the mon0 interface.

With the password, we can attempt to log in as root.
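The two weaknesses this box chains together, a plaintext PSK sitting in a backed-up OpenWrt wireless config and WPS left enabled on the access point, are both visible in /etc/config/wireless. The following audit script is an added example and is not part of the writeup; it parses UCI syntax and flags those settings in a constructed sample config (the wps_pushbutton and wps_pin option names are assumed to match OpenWrt's hostapd options and do not appear on the page).

```python
import shlex

# Constructed sample of an OpenWrt UCI /etc/config/wireless file, modelled on the
# kind of file found in the backup. All values are invented for this example.
SAMPLE_WIRELESS = """
config wifi-device 'radio0'
    option type 'mac80211'
    option channel '6'

config wifi-iface 'wifinet0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'OpenWrt'
    option encryption 'psk2'
    option key 'example-passphrase'
    option wps_pushbutton '1'

config wifi-iface 'wifinet1'
    option device 'radio0'
    option mode 'ap'
    option ssid 'guest'
    option encryption 'none'
"""

def parse_uci(text):
    """Parse UCI syntax into a list of (section_type, name, {option: value})."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # handles quoting and '#' comments
        if not parts:
            continue
        keyword, args = parts[0], parts[1:]
        if keyword == "config":
            name = args[1] if len(args) > 1 else None  # anonymous sections have no name
            sections.append((args[0], name, {}))
        elif keyword in ("option", "list") and sections:
            sections[-1][2][args[0]] = args[1] if len(args) > 1 else ""
    return sections

def audit_wireless(text):
    """Return (section_name, finding) pairs for settings an auditor should flag."""
    findings = []
    for stype, name, opts in parse_uci(text):
        if stype != "wifi-iface":
            continue
        if opts.get("encryption", "none") == "none":
            findings.append((name, "open network: no encryption configured"))
        if "key" in opts:
            findings.append((name, "plaintext PSK in config: exposed by any backup leak"))
        if opts.get("wps_pushbutton") == "1" or "wps_pin" in opts:
            findings.append((name, "WPS enabled: PIN registrar is brute-forceable, disable it"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_wireless(SAMPLE_WIRELESS):
        print(f"{name}: {finding}")
```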

You can follow me on social media:

Twitter, Linkedin, Instagram & Github.



Nihir Zala

Hi there, I'm Nihir Zala, a Laravel developer from Gujrat, India, with over 2.5 years of professional experience. I am also learning pentesting on THM and HTB.