Hello hackers & researchers, here is my writeup about WifineticTwo, a Linux machine from Season 4. This was a nice machine, especially the root section.

Description:

WifineticTwo is an easy-to-medium machine with two open ports. One of them runs an OpenPLC web server with a simple login page that can easily be bypassed using default credentials found on Google. Inside the machine we can abuse WPS by brute-forcing the PIN with OneShot, log in to the router, which has no password, and get the root flag.

scanning

enumeration

enumerating 8080

From nmap I saw that port 8080 was running an HTTP service, so I tried to give it a shot.

|_    bind
8080/tcp open  http-proxy syn-ack Werkzeug/1.0.1 Python/2.7.18
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was http://10.10.11.7:8080/login
|_http-server-header: Werkzeug/1.0.1 Python/2.7.18

url http://10.10.11.7:8080/login

From here I saw a login page, but I didn't know how to log in, so I decided to go with the usual default steps: google-fu what OpenPLC is and what its default creds are.

From here I got an idea of what I was dealing with. I decided to find a way to log in; my first approach was to google the default creds.

username:openplc
password:openplc

exploitation

After googling for exploits against the OpenPLC webserver I found that this OpenPLC was also vulnerable to CVE-2021-31630, in which the OpenPLC v3 firmware is vulnerable to code injection that results in RCE.

Based on the CVE we know that the point of exploitation is the hardware layer end-point, reachable either via automation or manually. What we can do now is grab a C reverse shell, since the hardware layer code allows a user to run C code.

After the compilation was done, and since I knew the OpenPLC runtime was stopped, we needed to start it again.

And I got a callback on my netcat listener.

privilege escalation

For privilege escalation I decided to check a few details about the user before I started exploiting.

After moving around and gathering more info I saw some interesting files inside the /opt directory.

scanning the wifi

The next phase was to scan the target's wireless network, as the name of the box suggests, using the command below.

iw dev wlan0 scan

juicy info from the scan

BSS 02:00:00:00:01:00(on wlan0)
    SSID: plcrouter
    Version: 1.0
    WPS:     * Version: 1.0
             * Wi-Fi Protected Setup State: 2 (Configured)
             * Response Type: 3 (AP)
             * UUID: 572cf82f-c957-5653-9b16-b5cfb298abf1
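As an added defender-side example (not part of the original writeup), here is a small Python parser for `iw dev wlan0 scan` output that flags every BSS advertising WPS in state 2 (Configured), which is the condition the PIN attack in this box relies on and the setting an administrator should turn off. The sample scan text is constructed from the plcrouter entry above plus a made-up second AP without WPS; the parser is general and will walk any number of BSS blocks.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `iw dev wlan0 scan` output (not a real capture).
# The first BSS mirrors the plcrouter entry from the writeup; the second
# is a made-up AP with no WPS IE, for contrast.
SAMPLE_SCAN = """\
BSS 02:00:00:00:01:00(on wlan0)
\tSSID: plcrouter
\tWPS:\t * Version: 1.0
\t * Wi-Fi Protected Setup State: 2 (Configured)
\t * Response Type: 3 (AP)
\t * UUID: 572cf82f-c957-5653-9b16-b5cfb298abf1
BSS 02:00:00:00:02:00(on wlan0)
\tSSID: office-guest
\tRSN:\t * Version: 1
"""

BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})", re.IGNORECASE)
SSID_RE = re.compile(r"^\s*SSID: (.*)$")
WPS_STATE_RE = re.compile(r"Wi-Fi Protected Setup State: (\d+)")


def parse_scan(text: str) -> List[Dict[str, object]]:
    """Split iw scan output into one dict per BSS: bssid, ssid, whether a
    WPS IE was advertised, and the WPS state (2 means Configured)."""
    bsses: List[Dict[str, object]] = []
    cur: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:  # a new BSS block starts; everything until the next BSS belongs to it
            cur = {"bssid": m.group(1).lower(), "ssid": "", "wps": False, "wps_state": None}
            bsses.append(cur)
            continue
        if cur is None:
            continue
        m = SSID_RE.match(line)
        if m:
            cur["ssid"] = m.group(1).strip()
        if line.strip().startswith("WPS:"):
            cur["wps"] = True
        m = WPS_STATE_RE.search(line)
        if m:
            cur["wps_state"] = int(m.group(1))
    return bsses


def wps_exposed(bsses: List[Dict[str, object]]) -> List[str]:
    """BSSIDs advertising WPS in the Configured state: these accept external
    registrar PIN exchanges, so a defender should disable WPS on them."""
    return [str(b["bssid"]) for b in bsses if b["wps"] and b["wps_state"] == 2]
```

Running `wps_exposed(parse_scan(SAMPLE_SCAN))` on the constructed sample returns only the plcrouter BSSID.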

wps exploitation

After some google-fu I got some info about cracking the WPS PIN and PSK with the OneShot tool from GitHub.

It says the possible attack on WPS is PIN brute force, so I decided to google again and see what I could get.

And I got another hint about OneShot; I decided to google it and see what it was, since I wasn't aware of Wi-Fi attacks in such an environment.

After some more googling I found this useful article about OneShot.
OneShot-reference

I decided to compile it with the make command.

Then I ran the command to brute-force the PIN:
./oneshot -i wlan0 -b 02:00:00:00:01:00 -K

And now we have the PIN:

[*] Building Message M6
[*] Received WPS Message M7
[+] WPS PIN: 12345670
[+] WPA PSK: NoWWEDoKnowWhaTisReal123!
[+] AP SSID: plcrouter

The PSK is NoWWEDoKnowWhaTisReal123!. Now let's connect to it.

wpa_passphrase plcrouter 'NoWWEDoKnowWhaTisReal123!' > config

After that I tried to assign an IP address to the interface with the command
ifconfig wlan0 192.168.1.5 netmask 255.255.255.0

Then from here we can try to SSH to the router with no password (the OpenWrt root account has no password).

N/B: It was a nice box. Big-up to the room creator felamos.

reference

  1. https://omergnscr.medium.com/simple-reverse-shell-in-c-be1c2f8a40b8
  2. https://superuser.com/questions/1570969/why-is-reaver-not-guessing-the-correct-pin
  3. https://github.com/izenynn/c-reverse-shell/blob/main/README.md