WifineticTwo
Link to machine: https://app.hackthebox.com/machines/593
Scanning:
I will use Rustscan for the fastest scan, and also nmap, the most basic tool for scanning web ports and services, which I used on the previous machine:
View the web page on port 8080:
After searching a little bit, I found the default credentials for the OpenPLC Webserver and logged in with them:
Further research on OpenPLC vulnerabilities: the version of this web page is related to CVE-2021-31630:
About this CVE: Command Injection in Open PLC Webserver v3 allows remote attackers to execute arbitrary code via the "Hardware Layer Code Box" component on the "/hardware" page of the application.
Move to the Hardware tab:
Here we can insert the C code for a reverse shell, then compile it and start the program, with a netcat listener set up on the chosen port. The C code can be generated with an online reverse shell generator, or, for easier understanding, ExploitDB has a Python script that does this:
Link to ExploitDB script: https://www.exploit-db.com/exploits/49803
Insert the C code for the reverse shell:
Getting the shell: this is the root shell (but for the user flag, later in this machine):
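From the defender's side, the sequence above (a write to the /hardware page, then compile and start) shows up in the web server's access log. The following detection sketch is an added example, not part of the original writeup or of OpenPLC; the log lines are constructed, and the log format, the /compile-program and /start_plc paths, the allowlist and the time window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a werkzeug-style access-log format (assumption).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024 10:00:01] "POST /login HTTP/1.1" 302 -
198.51.100.7 - - [12/Mar/2024 10:00:09] "POST /hardware HTTP/1.1" 302 -
198.51.100.7 - - [12/Mar/2024 10:00:10] "GET /compile-program?file=demo.st HTTP/1.1" 200 -
198.51.100.7 - - [12/Mar/2024 10:00:31] "GET /start_plc HTTP/1.1" 302 -
192.0.2.20 - - [12/Mar/2024 11:15:00] "GET /hardware HTTP/1.1" 200 -
192.0.2.20 - - [12/Mar/2024 11:15:40] "POST /hardware HTTP/1.1" 302 -
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3}')
ENGINEERING_HOSTS = {"192.0.2.20"}              # hypothetical allowlist
FOLLOW_UP = {"/compile-program", "/start_plc"}  # assumed OpenPLC UI paths
WINDOW = timedelta(minutes=5)                   # hypothetical correlation window

def parse(log_text):
    """Return sorted (time, source, method, path) tuples; skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, target = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y %H:%M:%S")
            events.append((when, ip, method, target.split("?")[0]))
    return sorted(events)

def find_hardware_writes(log_text):
    """Flag every POST to /hardware and whether compile + start followed it."""
    events = parse(log_text)
    findings = []
    for when, ip, method, path in events:
        if (method, path) != ("POST", "/hardware"):
            continue
        # Paths requested by the same source inside the correlation window.
        later = {p for t, i, _, p in events if i == ip and when <= t <= when + WINDOW}
        findings.append({
            "source": ip,
            "time": when.isoformat(),
            "unexpected_source": ip not in ENGINEERING_HOSTS,
            "compiled_and_started": FOLLOW_UP <= later,
        })
    return findings

if __name__ == "__main__":
    for finding in find_hardware_writes(SAMPLE_LOG):
        print(finding)
```

A finding with both `unexpected_source` and `compiled_and_started` set is the one to escalate; a hardware-layer write from an engineering host with no compile or start afterwards is more likely routine maintenance.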
Upgrade shell:
The name of the machine is related to Wi-Fi, so I started scanning for it and found a BSSID:
The OneShot tool will help to get the PSK or PIN of this Wi-Fi:
Link: https://github.com/kimocoder/OneShot
More details of this attack chain are in the OneShot repo too.
Upload the file oneshot.py from the repo to the target machine and get the PSK and SSID from it.
Add them to the config with wpa_passphrase, then connect to the Wi-Fi with wpa_supplicant:
https://wiki.somlabs.com/index.php/Connecting_to_WiFi_network_using_systemd_and_wpa-supplicant
Keep checking which IP is connected from this, then connect to it (root shell):