Hello hackers & researchers, Here is my writeup about wifinetictwo a linux machine from season 4.This was a nice machine especially on root section.

Description:

WifineticTwo is an easy-medium machine that was has 2 open port where one of the port is running a OpenPLC webserver which has a simple login page but can easly be bypassed with the use of default creds from google. Inside the machine we can try to abuse the wps attack with the use of PIN brute force with oneshot, login to the router with no password and we can get a root flag.

scanning

enumeration

enumerating 8080

From nmap I saw that I have a port 8000 which is running a http service, i tried to give it a shot.

|_    bind
  20   │ 8080/tcp open  http-proxy syn-ack Werkzeug/1.0.1 Python/2.7.18
  21   │ | http-title: Site doesn't have a title (text/html; charset=utf-8).
  22   │ |_Requested resource was http://10.10.11.7:8080/login
  23   │ |_http-server-header: Werkzeug/1.0.1 Python/2.7.18

url http://10.10.11.7:8080/login

From here i saw a login page but i dind't know how to login so decided to go with default steps as usually, google-fu what is OpenPLC is and its default creds.

From here i got an idea with what i was dealing with. decided to find a way to login in, my first approach was to google default creds.

username:openplc
password:openplc

exploitation

After some googling some exploit about openplc webserver i found this openplc was also vuln to cve-2021-31630. Which we find an openplc v3 firmware is vulnerable to code injection which results to rce

Based on the CVE we know that the point of exploitation is via a hardware end-point, either via automation or via manual, now we can try to do is that we can glab a C reverse shell since because the hardware layer code allows a user to run the C code.

After compilation is done now since i knew the openplc was stopped we need to start it again.

And i got a call back to my netcat.

privilege escalation

With privilege escalation decided to check some few details about user before i start exploiting.

After moving around finding more info i saw some interesting files inside the /opt directory.

scanning the wifi

The next phase was to scan the network of the target as the name of the box states, used the command below.

iw dev wlan0 scan

juice info from the scan

BSS 02:00:00:00:01:00(on wlan0)
SSID: plcrouter
Version: 1.0
WPS:     * Version: 1.0
                 * Wi-Fi Protected Setup State: 2 (Configured)
                 * Response Type: 3 (AP)
                 * UUID: 572cf82f-c957-5653-9b16-b5cfb298abf1  

wps exploitation

After some google-fu i got some info about cracking the wps PIN and PSK With oneshot tool, from github.

It says possible attack on WPS is PIN bruteforce, And decided to google again and see what i can get.

And i got another hint about OneShot, decided to google it and see what was it since because i wasn't aware of wifi attacks is such environment.

After some google i found this article usufully about OneShot.
OneShot-reference

Decided to compile it with make command.

Then run the command to brute force the PIN
./oneshot -i wlan0 -b 02:00:00:00:01:00 -K

And we now we got the PIN

[*] Building Message M6
[*] Received WPS Message M7
[+] WPS PIN: 12345670
[+] WPA PSK: NoWWEDoKnowWhaTisReal123!
[+] AP SSID: plcrouter

The PSK is NoWWEDoKnowWhaTisReal123!. Now lets connect to it.

wps_passphrase plcrouter 'NoWWEDoKnowWhaTisReal123!' > config

After that Then i tried to assign an ip to an interface with the command
ifconfig wlan0 192.168.1.5 netmask 255.255.255.0

Then from here we can try to ssh to the router with a ssh with no password.(OpenWrt root account has no password).

N/B: Its was a nice box, Big-up to the room creator felamos

reference

1. https://omergnscr.medium.com/simple-reverse-shell-in-c-be1c2f8a40b8
2. https://superuser.com/questions/1570969/why-is-reaver-not-guessing-the-correct-pin
3. https://github.com/izenynn/c-reverse-shell/blob/main/README.md