HackTheBox: Wifinetic
01/13/2024
This was released straight to "retired" as a VIP-only box. It's user-rated as extremely easy, and the user blood was literally 1 second.
Enumeration
nmap shows three ports open: 21 (FTP), 22 (SSH), and 53 (DNS).
FTP evidently allows anonymous logins, because I was able to sign in as follows:
ftp 10.10.11.247
Connected to 10.10.11.247.
220 (vsFTPd 3.0.3)
Name (10.10.11.247:kali): ftp
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
The DNS server is apparently using software called "tcpwrapped".
Back to the FTP server. We have the following files:
-rw-r--r-- 1 ftp ftp 4434 Jul 31 11:03 MigrateOpenWrt.txt
-rw-r--r-- 1 ftp ftp 2501210 Jul 31 11:03 ProjectGreatMigration.pdf
-rw-r--r-- 1 ftp ftp 60857 Jul 31 11:03 ProjectOpenWRT.pdf
-rw-r--r-- 1 ftp ftp 40960 Sep 11 15:25 backup-OpenWrt-2023-07-26.tar
-rw-r--r-- 1 ftp ftp 52946 Jul 31 11:03 employees_wellness.pdf
I download all of them with get.
As I skim through them, I'll copy+paste what I deem potentially useful here:
Best regards,
Samantha Wood
HR Manager
samantha.wood93@wifinetic.htb
info@wifinetic.htb
+44 7583 433 434
wifinetic.htb
10 Downing St, London
SW1A 2AA, United Kingdom
@wifinetic
management@wifinetic.htb
olivia.walker17@wifinetic.htb
If I grep for passwords using
grep -Ri passw .
we get:
VeRyUniUqWiFIPasswrd1!
Let's see if any of the users we found used this password for SSH. By checking the passwd file that was archived, we see a user "netadmin". We can successfully SSH in using netadmin:VeRyUniUqWiFIPasswrd1!
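The two findings above, a plaintext secret in the backup and a passwd file naming real accounts, are what a check on a backup archive should catch before the file is shared. This is an added example, not part of the original writeup: it assumes the standard OpenWrt backup layout (UCI files under etc/config/, accounts in etc/passwd), and the option-name list and every sample value are constructed.

```python
import io
import re
import tarfile

SECRET_OPTIONS = {"key", "password", "sae_password", "auth_secret"}  # assumed list
UCI_OPTION = re.compile(r"""^\s*option\s+(\w+)\s+(['"]?)(.+?)\2\s*$""")
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def audit_backup(fileobj):
    """Return (secrets, login_accounts); secret values are never returned."""
    secrets, accounts = [], []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:  # plain or compressed tar
        for member in tar:
            if not member.isfile():
                continue
            name = member.name.removeprefix("./")
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            if name.startswith("etc/config/"):
                for lineno, line in enumerate(text.splitlines(), 1):
                    m = UCI_OPTION.match(line)
                    if m and m.group(1) in SECRET_OPTIONS:
                        secrets.append((name, lineno, m.group(1)))
            elif name == "etc/passwd":
                for line in text.splitlines():
                    fields = line.split(":")
                    if len(fields) == 7 and fields[6] not in NOLOGIN_SHELLS:
                        accounts.append(fields[0])
    return secrets, accounts

def build_sample():
    """Constructed archive for the demo; none of these values come from the box."""
    files = {
        "./etc/config/wireless": "config wifi-iface 'wifinet0'\n\toption ssid 'ExampleNet'\n"
                                 "\toption encryption 'psk2'\n\toption key 'EXAMPLE-not-a-real-key'\n",
        "./etc/passwd": "root:x:0:0:root:/root:/bin/ash\ndaemon:*:1:1:daemon:/var:/bin/false\n"
                        "svcadmin:x:999:999::/home/svcadmin:/bin/bash\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in files.items():
            data = body.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(audit_backup(build_sample()))
```

Any key it reports that is also used as an account password for one of the listed login accounts should be rotated, and the archive kept off shares that allow anonymous reads.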
Priv esc
Some interesting output from pspy:
/usr/sbin/hostapd_cli -i wlan0 wps_pin any 12345670 0
/bin/bash /usr/local/bin/wps_check.sh