Hello hackers & researchers, here is my writeup about WifineticTwo, a Linux machine from Season 4. This was a nice machine, especially the root section.

# Description:
WifineticTwo is an easy-medium machine with two open ports, one of which runs an OpenPLC webserver. The webserver has a simple login page that can easily be bypassed with the default credentials found on Google. Once inside the machine we can abuse WPS with a PIN brute force using OneShot, log in to the router (which has no password) and get the root flag.
# scanning

# enumeration
## enumerating 8080
From nmap I saw that port 8080 was running an HTTP service, so I gave it a shot.
```
8080/tcp open http-proxy syn-ack Werkzeug/1.0.1 Python/2.7.18
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was http://10.10.11.7:8080/login
|_http-server-header: Werkzeug/1.0.1 Python/2.7.18
```
URL: `http://10.10.11.7:8080/login`

From here I saw a login page, but I didn't know how to log in, so I went with the usual default steps: google-fu what OpenPLC is and what its default credentials are.

That gave me an idea of what I was dealing with. My first approach to logging in was to try the default creds from Google.

```
username:openplc
password:openplc
```

# exploitation
After googling for exploits against the OpenPLC webserver I found that this OpenPLC was also vulnerable to `CVE-2021-31630`, a code injection in the OpenPLC v3 runtime that results in `RCE`.
Based on the CVE we know the point of exploitation is the hardware layer endpoint, reachable either via automation or manually. Since the hardware layer lets a user run `C` code, we can drop in a `C` reverse shell.


After compilation is done, and since I knew the OpenPLC runtime was stopped, we need to start it again.

And I got a callback on my netcat listener.

# privilege escalation
For privilege escalation I decided to check a few details about the user before I started exploiting.

After moving around and finding more info I saw some interesting files inside the `/opt` directory.

## scanning the wifi
The next phase was to scan the wireless network of the target, as the name of the box suggests, using the command below.
```
iw dev wlan0 scan
```

## juicy info from the scan
```
BSS 02:00:00:00:01:00(on wlan0)
SSID: plcrouter
Version: 1.0
WPS: * Version: 1.0
* Wi-Fi Protected Setup State: 2 (Configured)
* Response Type: 3 (AP)
* UUID: 572cf82f-c957-5653-9b16-b5cfb298abf1
```
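The scan output above is the same information a defender would use to audit their own wireless estate: an AP that advertises `Wi-Fi Protected Setup State: 2 (Configured)` is exposed to exactly the PIN brute force used later in this writeup, and the fix is to disable WPS on the AP. The following parser is an added example (not part of the original writeup or of `iw`); it reads an `iw dev <iface> scan` dump in the text format shown above and lists the BSSes that advertise configured WPS. The scan dump embedded in it is constructed: the `plcrouter` entry mirrors the one above, the other two BSSIDs and SSIDs are made up.

```python
"""Audit an `iw dev <iface> scan` dump for access points that advertise WPS.

Added example, not part of the original writeup. Parses the text layout that
`iw` prints (a "BSS <mac>(on <iface>)" header followed by indented attribute
lines) and flags every BSS whose WPS state is "Configured", which is the
precondition for a WPS PIN brute force. The sample dump is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the first BSS mirrors the writeup's scan, the other two
# are made-up entries so the parser has a non-WPS and an unconfigured-WPS case.
SAMPLE_SCAN = """\
BSS 02:00:00:00:01:00(on wlan0)
\tSSID: plcrouter
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * Response Type: 3 (AP)
\t\t * UUID: 572cf82f-c957-5653-9b16-b5cfb298abf1
BSS 02:00:00:00:02:00(on wlan0)
\tSSID: corpnet
\tRSN:\t * Version: 1
BSS 02:00:00:00:03:00(on wlan0)
\tSSID: guest
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 1 (Unconfigured)
"""

BSS_RE = re.compile(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)
SSID_RE = re.compile(r"^\s*SSID: (.*)$")
WPS_STATE_RE = re.compile(r"Wi-Fi Protected Setup State: (\d+) \((\w+)\)")


@dataclass
class Bss:
    bssid: str
    ssid: str = ""
    wps: bool = False                 # a "WPS:" attribute block was present
    wps_state: Optional[str] = None   # "Configured" / "Unconfigured" / None


def parse_scan(text: str) -> List[Bss]:
    """Split the dump into one Bss record per 'BSS ...' header."""
    aps: List[Bss] = []
    cur: Optional[Bss] = None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            cur = Bss(bssid=m.group(1).lower())
            aps.append(cur)
            continue
        if cur is None:
            continue  # attribute line before any BSS header: ignore
        m = SSID_RE.match(line)
        if m:
            cur.ssid = m.group(1)
            continue
        if line.strip().startswith("WPS:"):
            cur.wps = True
        m = WPS_STATE_RE.search(line)
        if m:
            cur.wps = True
            cur.wps_state = m.group(2)
    return aps


def wps_exposed(aps: List[Bss]) -> List[Bss]:
    """APs whose WPS registrar is configured, i.e. PIN brute force applies."""
    return [ap for ap in aps if ap.wps and ap.wps_state == "Configured"]


def report(text: str) -> List[str]:
    """Human-readable findings, one line per exposed AP."""
    return [f"{ap.bssid} {ap.ssid!r}: WPS configured, disable WPS on this AP"
            for ap in wps_exposed(parse_scan(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_SCAN):
        print(line)
```

On a real host, feed it `iw dev wlan0 scan` output (`sudo iw dev wlan0 scan > scan.txt`, then `parse_scan(open("scan.txt").read())`); the parser only keys on the `BSS`, `SSID:` and `WPS:` lines, so the other attributes `iw` prints are ignored.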
## wps exploitation
After some google-fu I got some info about cracking the WPS PIN and PSK with the OneShot tool from GitHub.

It said the possible attack on WPS is PIN brute force, so I googled again to see what I could get.

I got another hint about `OneShot` and decided to look it up, since I wasn't aware of Wi-Fi attacks in such an environment.
After some googling I found this useful repository for OneShot:
[OneShot-reference](https://github.com/nikita-yfh/OneShot-C)

I compiled it with the `make` command.

Then I ran the command to brute force the PIN:
`./oneshot -i wlan0 -b 02:00:00:00:01:00 -K`

And now we have the PIN:
```
[*] Building Message M6
[*] Received WPS Message M7
[+] WPS PIN: 12345670
[+] WPA PSK: NoWWEDoKnowWhaTisReal123!
[+] AP SSID: plcrouter
```
The PSK is `NoWWEDoKnowWhaTisReal123!`. Now let's connect to it, first writing a wpa_supplicant config with `wpa_passphrase`:
```
wpa_passphrase plcrouter 'NoWWEDoKnowWhaTisReal123!' > config
```
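What `wpa_passphrase` writes into that config is nothing more than a PBKDF2 derivation: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), emitted as 64 hex characters in a `psk=` line. The function below reproduces that derivation and the network block; it is an added example, not the writeup's or wpa_supplicant's own code. It uses the SSID and passphrase from the writeup plus the `"password"`/`"IEEE"` test vector from IEEE 802.11i Annex H. The point for a defender: WPS handed the passphrase over directly, so the 4096 PBKDF2 iterations and the passphrase's length never entered into it, which is why disabling WPS matters more than passphrase complexity here.

```python
"""Derive a WPA2-PSK the way wpa_passphrase(8) does and emit the network block.

Added example, not part of the original writeup or of wpa_supplicant.
PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, dklen=32), hex-encoded.
"""
import hashlib

# Values from the writeup's OneShot output.
PLC_SSID = "plcrouter"
PLC_PASSPHRASE = "NoWWEDoKnowWhaTisReal123!"


def derive_psk(ssid: str, passphrase: str) -> str:
    """Return the 64-hex-char PSK that wpa_passphrase prints as `psk=`."""
    # WPA passphrases are 8..63 printable ASCII characters; a 64-char input
    # would already be a raw hex PSK and must not be re-derived.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    passphrase.encode("ascii")  # raises UnicodeEncodeError on non-ASCII
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, dklen=32)
    return psk.hex()


def network_block(ssid: str, passphrase: str) -> str:
    """The wpa_supplicant stanza wpa_passphrase writes (without the commented
    plaintext line it also includes)."""
    return "\n".join([
        "network={",
        f'\tssid="{ssid}"',
        f"\tpsk={derive_psk(ssid, passphrase)}",
        "}",
    ])


if __name__ == "__main__":
    print(network_block(PLC_SSID, PLC_PASSPHRASE))
```

The output of `network_block(PLC_SSID, PLC_PASSPHRASE)` matches the `psk=` line in the `config` file produced by the command above; the `"IEEE"`/`"password"` vector in the test is the standard's published check value for this derivation.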

After that I assigned an IP to the interface with the command
`ifconfig wlan0 192.168.1.5 netmask 255.255.255.0`

From here we can SSH to the router with no password (the OpenWrt root account has no password).

N/B: It was a nice box. Big-up to the box creator [felamos](https://app.hackthebox.com/users/27390)