WifineticTwo WriteUp/Walkthrough: HTB-HackTheBox | Remote Code Execution | Mr Bandwidth

Mr Bandwidth
5 min read · Mar 19, 2024


Hey there, CTF enthusiasts!

Welcome to my first Medium post, where we’ll be diving headfirst into a thrilling CTF walkthrough. This write-up dissects the challenge step by step, guiding you through the thought process and tools used to conquer the flags. Whether you’re a seasoned CTF pro or just starting your hacking journey, this is your chance to learn new techniques and sharpen your skills. So, buckle up and get ready to pwn some machines!

Let’s start.

  1. Reconnaissance
  • To gather information, I ran an nmap scan using this command:
sudo nmap -T5 --open -sS -vvv --min-rate=300 --max-retries=3 -p- -Pn -oN all-ports-nmap-report 10.10.11.7
sudo nmap -sV -sC -Pn -v -f -oN nmap-report -p22,8080 10.10.11.7

Before accessing the service running on port 8080, I first modified my /etc/hosts file to point my desired domain name to the target's IP address.

sudo nano /etc/hosts

Let’s move on to what we have on port 8080:

After carefully analyzing the web application, I found a vulnerability.

However, the exploit required a username and password. To proceed, I searched online for the default credentials for OpenPLC.

I attempted to log in using the default credentials and was successful.

Then I tried to exploit it, but I encountered an error.

After carefully reviewing the exploit and understanding its logic, I delved into how OpenPLC functions. This investigation helped me pinpoint the reason behind the error message. I then modified the exploit to address this issue.

I just modified this line:

compile_program = options.url + '/compile-program?file=681871.st'

to this:

compile_program = options.url + '/compile-program?file=blank_program.st'

and ran the exploit again.

With these steps, we’ve successfully achieved a reverse shell connection via the web server!

Exploitation

We gained root access earlier, which is awesome! But there’s a catch: the user flag is usually found in a user’s home directory, not in root’s. This seemed strange, so I took a closer look at the machine’s file system, exploring its entire structure to find where the user flag might be hidden.

Root Flag

Next, I used a tool called LinPEAS to search for anything interesting on the machine. Remember how I mentioned containers earlier? LinPEAS also helped us find a couple of network services running.

I spent some time looking at the network side of things because the machine’s name suggested there might be Wi-Fi related weaknesses. A resource like HackTricks could be helpful for testing Wi-Fi security, but we won’t cover that in this walkthrough.

Then I used this command:

iw dev wlan0 scan

This performs a wireless network scan on the wireless interface wlan0.

The next step is a WPS brute force, for which I uploaded a script to the remote machine.

I uploaded the script to the remote machine via curl.

And run the script with this command:

python3 one.py -i wlan0 -b 02:00:00:00:01:00 -K

After some searching, we found the WPS PIN and the Wi-Fi password (WPA PSK) for the network. This means we can try connecting to the Wi-Fi!

Then I generated a WPA passphrase configuration block for the Wi-Fi network and saved it to a file named config:

wpa_passphrase plcrouter 'NoWWEDoKnowWhaTisReal123!' > config
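What wpa_passphrase actually writes to config, as an added Python example that is not from the original post: WPA2-Personal derives the 256-bit PSK from the passphrase and SSID with PBKDF2-HMAC-SHA1 (4096 iterations, SSID as salt), and the network block stores that hex PSK rather than the plaintext. The SSID and passphrase are the ones from the post; the passphrase length check mirrors the 8–63 character rule wpa_passphrase enforces.

```python
import hashlib
import re

# WPA2-Personal passphrases are 8..63 printable ASCII characters;
# wpa_passphrase refuses anything outside that range.
PASSPHRASE_RE = re.compile(r"^[\x20-\x7e]{8,63}$")


def is_valid_passphrase(passphrase: str) -> bool:
    """True if the passphrase is acceptable for WPA/WPA2-Personal."""
    return PASSPHRASE_RE.match(passphrase) is not None


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Derive the 256-bit WPA/WPA2 PSK (64 hex chars) from SSID and passphrase.

    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output:
    this is the value wpa_passphrase puts on the psk= line.
    """
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    raw = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)
    return raw.hex()


def wpa_passphrase_block(ssid: str, passphrase: str) -> str:
    """Render a wpa_supplicant network block in the layout wpa_passphrase emits.

    The plaintext passphrase survives only as a comment (#psk=); the
    supplicant authenticates with the derived hex psk.
    """
    return (
        "network={\n"
        f'\tssid="{ssid}"\n'
        f'\t#psk="{passphrase}"\n'
        f"\tpsk={wpa_psk(ssid, passphrase)}\n"
        "}\n"
    )


if __name__ == "__main__":
    # SSID and passphrase as given in the post.
    print(wpa_passphrase_block("plcrouter", "NoWWEDoKnowWhaTisReal123!"))
```

Because the PSK depends on the SSID, the same passphrase yields a different psk= line for every network name, which is why the block must be regenerated rather than copied between SSIDs.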

To start the wpa_supplicant daemon in the background with the configuration file (config) and the wireless interface (wlan0), I used this command:

wpa_supplicant -B -c config -i wlan0

No IP address was assigned to wlan0.

I manually assigned an IP address and netmask to the network interface wlan0:

ifconfig wlan0 192.168.1.7 netmask 255.255.255.0

Then I tried to connect over SSH.

Success! We established a connection and retrieved the root flag.

Thanks for reading! I hope you found these walkthroughs easy to follow and helpful for your own CTF adventures.
