Hello hackers & researchers, here is my writeup about WifineticTwo, a Linux machine from Season 4. This was a nice machine, especially the root section.
WifineticTwo is an easy-to-medium machine with 2 open ports; one of them is running an OpenPLC webserver with a simple login page that can easily be bypassed using the default creds found on Google. Inside the machine we can abuse WPS with a PIN brute force using OneShot, log in to the router, which has no password, and grab the root flag.
From nmap I saw port 8000 running an HTTP service, so I gave it a shot.
url http://10.10.11.7:8080/login
Here I saw a login page but didn't know how to log in, so I went with the usual default steps: google-fu for what OpenPLC is and its default creds.
This gave me an idea of what I was dealing with. I decided to find a way to log in; my first approach was to google the default creds.
After googling for exploits against the OpenPLC webserver, I found this OpenPLC was also vulnerable to CVE-2021-31630, in which OpenPLC v3 firmware is vulnerable to code injection that results in RCE.
Based on the CVE we know that the point of exploitation is the hardware endpoint, either via automation or manually. What we can do now is grab a C reverse shell, since the hardware layer code allows a user to run C code.
Once compilation is done, since I knew the OpenPLC runtime was stopped, we need to start it again.
And I got a callback on my netcat listener.
For privilege escalation, I decided to check a few details about the user before I started exploiting.
After moving around and gathering more info, I saw some interesting files inside the /opt directory.
The next phase was to scan the target's wireless network, as the name of the box suggests, using the command below.
After some google-fu I got some info about cracking the WPS PIN and PSK with the OneShot tool from GitHub.
It says a possible attack on WPS is PIN brute force, so I decided to google again and see what I could get.
And I got another hint about OneShot. I decided to google it and see what it was, since I wasn't aware of Wi-Fi attacks in such an environment.
After some googling I found this useful article about OneShot:
OneShot-reference
I decided to compile it with the make command.
Then run the command to brute force the PIN:
./oneshot -i wlan0 -b 02:00:00:00:01:00 -K
And now we've got the PIN.
The PSK is NoWWEDoKnowWhaTisReal123!. Now let's connect to it.
After that I assigned an IP to the interface with the command
ifconfig wlan0 192.168.1.5 netmask 255.255.255.0
From here we can SSH to the router with no password (the OpenWrt root account has no password).
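The PIN brute force above only works because the AP advertises WPS and has not locked AP setup, so the check a defender wants is an inventory of which of their own APs still do. The following is an added example, not code from this writeup or from OneShot; the scan text is constructed to follow the layout of `iw dev wlan0 scan` output (an assumption, not captured from the box), reusing the box's BSSID as the first entry.

```python
import re

# Constructed sample in the layout of `iw dev wlan0 scan` (assumption; not captured from the box)
SAMPLE_SCAN = """\
BSS 02:00:00:00:01:00(on wlan0)
	SSID: plcrouter
	WPS:	 * Version: 1.0
		 * Wi-Fi Protected Setup State: 2 (Configured)
	RSN:	 * Version: 1
		 * Authentication suites: PSK
BSS 02:00:00:00:02:00(on wlan0)
	SSID: office-secure
	RSN:	 * Version: 1
		 * Authentication suites: PSK
BSS 02:00:00:00:03:00(on wlan0)
	SSID: guest
	WPS:	 * Version: 1.0
		 * AP setup locked: 0x01
"""

def parse_scan(dump):
    """Split an iw scan dump into one dict per BSS: bssid, ssid, wps, locked."""
    aps, cur = [], None
    for line in dump.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:  # a new BSS block starts; everything until the next one belongs to it
            cur = {"bssid": m.group(1), "ssid": "", "wps": False, "locked": False}
            aps.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            cur["ssid"] = s[5:].strip()
        elif s.startswith("WPS:"):  # the beacon carries a WPS information element at all
            cur["wps"] = True
        elif s.startswith("* AP setup locked:"):  # AP currently refuses external registrars
            cur["locked"] = s.split(":", 1)[1].strip() != "0x00"
    return aps

def wps_exposed(dump):
    """BSSIDs that advertise WPS and have not locked AP setup: review these first."""
    return [ap["bssid"] for ap in parse_scan(dump) if ap["wps"] and not ap["locked"]]

if __name__ == "__main__":
    for bssid in wps_exposed(SAMPLE_SCAN):
        print("WPS enabled and setup unlocked:", bssid)
```

On a real OpenWrt AP the fix is to turn WPS off in the wireless config and set a root password; a rescan with the same script then shows the BSS without a WPS block.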
N/B: It was a nice box. Big-up to the room creator felamos.