HackTheBox: Wifinetic


This was released straight to "retired" as a VIP-only box. It's user-rated as extremely easy, and the user blood was literally 1 second.


nmap shows three ports open: 21 (FTP), 22 (SSH), and 53 (DNS).

FTP evidently allows anonymous logins, because I was able to sign in as follows:

Connected to
220 (vsFTPd 3.0.3)
Name ( ftp
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

The DNS server is apparently using software called "tcpwrapped".

Back to the FTP server. We have the following files:

-rw-r--r--    1 ftp      ftp          4434 Jul 31 11:03 MigrateOpenWrt.txt
-rw-r--r--    1 ftp      ftp       2501210 Jul 31 11:03 ProjectGreatMigration.pdf
-rw-r--r--    1 ftp      ftp         60857 Jul 31 11:03 ProjectOpenWRT.pdf
-rw-r--r--    1 ftp      ftp         40960 Sep 11 15:25 backup-OpenWrt-2023-07-26.tar
-rw-r--r--    1 ftp      ftp         52946 Jul 31 11:03 employees_wellness.pdf

I download all of them with get.

As I skim through them I'll copy+paste what I deem potentially useful here:

Best regards,
Samantha Wood
HR Manager

+44 7583 433 434
10 Downing St, London
SW1A 2AA, United



If I grep for passwords using grep -Ri passw . we get:


Let's see if any of the users we found used this password for SSH. By checking the passwd file that was archived, we see a user "netadmin". We can successfully SSH in using netadmin:VeRyUniUqWiFIPasswrd1!
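
An added example (not part of the original writeup): the grep and passwd checks above, turned into an audit that can be run on a router backup before it is placed on a file share. The archive layout (etc/passwd, etc/config/*), the option-name pattern, and all sample contents are assumptions constructed for illustration.

```python
import io
import re
import tarfile

# Option names that usually hold secrets in UCI config files (assumed list).
SECRET_OPTION = re.compile(r"^\s*option\s+(\S*(?:key|pass|secret)\S*)\s+\S", re.I)
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def audit_backup(tar_bytes):
    """Return (secrets, login_users); secrets are (file, line, option), no values."""
    secrets, login_users = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in (m for m in tar.getmembers() if m.isfile()):
            name = member.name[2:] if member.name.startswith("./") else member.name
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            if name == "etc/passwd":
                for line in text.splitlines():
                    fields = line.split(":")
                    if len(fields) == 7 and fields[6] not in NOLOGIN_SHELLS:
                        login_users.append(fields[0])
            elif name.startswith("etc/config/"):
                for lineno, line in enumerate(text.splitlines(), 1):
                    match = SECRET_OPTION.match(line)
                    if match:
                        secrets.append((name, lineno, match.group(1)))
    return secrets, login_users


def build_sample():
    """Constructed archive; every name and value in it is made up."""
    files = {
        "./etc/passwd": "root:x:0:0:root:/root:/bin/ash\n"
                        "daemon:*:1:1:daemon:/var:/bin/false\n"
                        "opsuser:x:1000:1000::/home/opsuser:/bin/ash\n",
        "./etc/config/wireless": "config wifi-iface 'default_radio0'\n"
                                 "\toption ssid 'ExampleAP'\n"
                                 "\toption key 'CONSTRUCTED-PSK-VALUE'\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, body in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(body.encode())
            tar.addfile(info, io.BytesIO(body.encode()))
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_backup(build_sample()))
```

A backup that returns both a non-empty secrets list and login-capable accounts is the combination this box relies on: a plaintext Wi-Fi key that may have been reused as an account password.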

Priv esc

Some interesting output from pspy:

/usr/sbin/hostapd_cli -i wlan0 wps_pin any 12345670 0 

/bin/bash /usr/local/bin/wps_check.sh