WifineticTwo

Link to machine : https://app.hackthebox.com/machines/593

Scanning :

I will use Rustscan because it is the fastest; nmap is the most basic tool for scanning web and port services, and I used it in the previous machine:

Port 8080 is open; check the web page on this port.

View the web page on port 8080:

Login web page

By searching a little, I found the default credentials for the OpenPLC Webserver; log in with them:

Continuing research on OpenPLC vulnerabilities, the version of this web server is affected by CVE-2021-31630:

About this CVE : Command Injection in Open PLC Webserver v3 allows remote attackers to execute arbitrary code via the "Hardware Layer Code Box" component on the "/hardware" page of the application.

Move to the Hardware tab:

We can add C code for a reverse shell here, then compile and start the program; alongside that, set up a netcat listener on the chosen port. Use an online reverse shell generator for the code, or, for easier understanding, the ExploitDB Python script that automates this:

Link to ExploitDB script : https://www.exploit-db.com/exploits/49803
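From the defender's side, the chain above (log in, then submit code through the Hardware Layer Code Box on /hardware) leaves a recognisable trace in the web server's access log. The following is an added example, not code from the writeup or from OpenPLC: it parses Flask/Werkzeug-style access log lines (constructed sample data; the log format and the engineering-host allowlist are assumptions) and flags POST /hardware submissions from non-allowlisted hosts and fast login-to-submission sequences.

```python
import re
from datetime import datetime

# Constructed Werkzeug/Flask-style access log lines from an OpenPLC webserver
# (sample data for this example, not taken from the machine).
SAMPLE_LOG = """\
192.168.1.7 - - [10/Apr/2024 10:01:02] "GET /login HTTP/1.1" 200 -
192.168.1.7 - - [10/Apr/2024 10:01:05] "POST /login HTTP/1.1" 302 -
192.168.1.7 - - [10/Apr/2024 10:01:09] "GET /hardware HTTP/1.1" 200 -
192.168.1.7 - - [10/Apr/2024 10:01:30] "POST /hardware HTTP/1.1" 302 -
10.0.0.5 - - [10/Apr/2024 10:05:00] "GET /dashboard HTTP/1.1" 200 -
10.0.0.5 - - [10/Apr/2024 10:06:00] "POST /hardware HTTP/1.1" 302 -
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y %H:%M:%S"  # assumed timestamp layout of the log


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?")[0]  # drop any query string before comparing paths
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], path, int(m["status"]))


def detect(log_text, allowed_ips, window_s=60):
    """Flag Hardware Layer Code Box submissions (POST /hardware, the CVE-2021-31630 vector)
    from hosts outside the engineering allowlist, and login->submission chains fast enough
    to look scripted. Returns a list of (rule, ip, iso_timestamp) tuples in log order."""
    findings = []
    last_login = {}  # ip -> time of the most recent POST /login
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "POST" and path == "/login":
            last_login[ip] = ts
        if method == "POST" and path == "/hardware":
            if ip not in allowed_ips:
                findings.append(("hardware_code_submission", ip, ts.isoformat()))
            prev = last_login.get(ip)
            if prev is not None and (ts - prev).total_seconds() <= window_s:
                findings.append(("login_then_hardware", ip, ts.isoformat()))
    return findings
```

Any POST to /hardware is a code submission that the runtime will compile, so on a production PLC even allowlisted hits deserve review; the allowlist only separates routine engineering changes from the unexpected.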

Implementing the C code for the reverse shell:

Add all the library includes at the top of the hardware page's code box, and the code from the main function into the bottom function.

Getting the shell: this is a root shell (but the user flag comes later in this machine):

Upgrade the shell:

The machine's name relates to Wi-Fi, so start scanning for it; the BSSID is found:

The OneShot tool will help get the PSK or PIN of this Wi-Fi:

Link : https://github.com/kimocoder/OneShot

More detail on this attack chain is in the OneShot repo too.

Upload the oneshot.py file from the repo to the target machine and get the PSK and SSID from it.

Add them to a config with wpa_passphrase, then connect to the Wi-Fi with wpa_supplicant:

https://wiki.somlabs.com/index.php/Connecting_to_WiFi_network_using_systemd_and_wpa-supplicant

Once the interface is initialized, add the IP and subnet mask: ifconfig wlan0 192.168.1.7 netmask 255.255.255.0

Keep checking which IP is connected from this, then connect to it (root shell):

SSH to the Wi-Fi router.