HackTheBox: Wifinetic

01/13/2024

This was released straight to "retired" as a VIP only box. Its user-rated as extremely easy, and the user blood was literally 1 second.

Enumeration

nmap shows three ports open: 21 (FTP), 22 (SSH), and 53 (DNS).

FTP evidently allows anonymous logins, because I was able to sign in as follows:


ftp 10.10.11.247
Connected to 10.10.11.247.
220 (vsFTPd 3.0.3)
Name (10.10.11.247:kali): ftp
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

The DNS server is apparently using software called "tcpwrapped".

Back to the FTP server. We have the following files:


-rw-r--r--    1 ftp      ftp          4434 Jul 31 11:03 MigrateOpenWrt.txt
-rw-r--r--    1 ftp      ftp       2501210 Jul 31 11:03 ProjectGreatMigration.pdf
-rw-r--r--    1 ftp      ftp         60857 Jul 31 11:03 ProjectOpenWRT.pdf
-rw-r--r--    1 ftp      ftp         40960 Sep 11 15:25 backup-OpenWrt-2023-07-26.tar
-rw-r--r--    1 ftp      ftp         52946 Jul 31 11:03 employees_wellness.pdf

I download all of them with get.

As I skim through them Ill copy+paste what I deem potentially useful here:


Best regards,
Samantha Wood
HR Manager
samantha.wood93@wifinetic.htb

info@wifinetic.htb
+44 7583 433 434
wifinetic.htb
10 Downing St, London
SW1A 2AA, United
Kingdom
@wifinetic

management@wifinetic.htb

olivia.walker17@wifinetic.htb

If I grep for passwords using grep -Ri passw . we get:


VeRyUniUqWiFIPasswrd1!

Lets see if any of the users we found used this password for ssh. By checking the passwd file that was archived, we see a user "netadmin". We can successfully SSH in using netadmin:VeRyUniUqWiFIPasswrd1!

Priv esc

Some interesting output from pspy:


/usr/sbin/hostapd_cli -i wlan0 wps_pin any 12345670 0 

/bin/bash /usr/local/bin/wps_check.sh