Hack The Box: WifineticTwo
What will you learn? WifineticTwo is a medium difficulty Linux box that features a running instance of OpenPLC that is vulnerable to a Remote Code Execution vulnerability. After obtaining an initial foothold, a Wi-Fi attack on WPS is performed to acquire sensitive information. Doing so presents an opportunity to target a router running OpenWRT and the ability to gain root access on the system via it’s web interface.
Let’s begin enumerating the box:
Scanning the box for open ports with NMAP we’re able to see that SSH and a web server are open on the box. SSH is an unlikely attack vector unless we gather credentials, therefore we will be focusing towards enumerating and finding a vector for initial access on the web application.
What we learn from the NMAP enumeration
The HTTP web server is running Werkzeug 1.0.1 with a Python backend of version 2.7.18 (old).
There is a cookie with a variable of session that may be of importance. Looking for cookies in the storage section of the development tools can provide interesting opportunities for accessing places unintended for users to go, or visitors.
With all of that in mind, let’s visit the webserver on port 8080 and see what we can scrub off the surface.
We have some information. The server is running something called ‘OpenPLC’. Searching for default credentials gives us an easy way in to continue looking inside. We find we can login with openplc:openplc.
There are a lot of potentially good ways of acquiring a potential foothold on this webserver. We are going to focus our attention on the Hardware page that presents an open opportunity to inject C code and save the changes we make in the window. Given some exploit research on google and locally with Searchsploit we are able to start working with this: https://github.com/thewhiteh4t/cve-2021-31630
Attempting to run the exploit
This appears to be “working”, however we are unable to receive the reverse connection back. Investigation reveals compiling issues.
We are going to use a different exploit, one located here on Github: https://github.com/thewhiteh4t/cve-2021-31630
We will also start a netcat listener on port 4444 pre-emptively in order to see if this one responds.
Awesome. We have a foothold on the target. You will notice we only have a user.txt flag in the /root directory. Now we can proceed to enumerate the target for next steps and see what is going on. Starting to examine the networking interfaces running we can see that we have a wireless interface wlan0.
Looking deeper using iw dev wlan0 scan to scan for available wireless networks and display additional information about them that we will not see with iwconfig, ifconfig, or iwlist routinely.
We are able to acquire the SSID and the type of wireless security method is WPS which is incredibly insecure. A lot of tools and methods exist for cracking this type including Reaver and OneShot to name a few. We will be using oneshot: https://github.com/kimocoder/OneShot to proceed with our attack. Serve up a Python HTTP server and use curl on the box to acquire our script to use oneshot.
Once you send over the script to run we can run it specifying the interface of wlan0 which will let us choose target 1 for the BSSID we are targeting. Then it will try the default first PIN it does and succeed. This will also give us the WPA PSK (Pre-Shared Key) which we can use as a password for Wi-Fi networks. The next step is a sensitive part where we are going to attempt to connect to the wireless network.
We will have to create a configuration file in order to join the wireless network in Linux.
We can now use wpa_supplicant to connect the device to the wireless network. Then check to see if we are successfully authenticated to the Wireless Access Point
Connecting to the wireless network.
Now when we run an ip a command we will see in the beginning there is no IPV4 address assigned to WLAN0. When we run dhclient -v we will acquire an IP address using DHCP and it will populate the next time we view the networking information.
We can see what routes to any hosts exist on the box to find out where we can go from here. You will notice that we have a route to 192.168.1.1 and when we ping the IP address listed here we are able to reach it without packet loss.
Connecting to the machine we now have access to via the DHCP renewal we did.
We need to create a full TTY session first with Python3, enter: python3 -c 'import pty; pty.spawn("/bin/bash")' then follow these steps:
1) Copy and paste the following below into the NETCAT session:
script /dev/null -qc /bin/bash #/dev/null is to not store anything
2) Inside of the NETCAT session run the following below (copy and paste as well):
CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
We will now be able to SSH into the box and see what we get in response.
We are able to SSH to the machine without a username or password and automatically login as the root user. Congratulations, we’ve rooted WIFINETICTWO.
