Wifinetic — HTB Machine
IP copied and the adventure starts!!
First things first, we start with an nmap scan.
Here is the part-by-part explanation of the nmap command I use to document my scan. On the side I run a few quicker nmap scans that give basic information, such as:
nmap <IP>
nmap <IP> -p- --min-rate 1000
As we can see in the full scan, FTP anonymous login is allowed and directory listing is enabled. So the first step is to pull all the files from there onto our system to analyze them.
To download everything (mirror the FTP server) you can use the command:
wget -m ftp://<serverIP>
After looking through them, one tar file seems particularly interesting. Extracting it with the tar command reveals a lot of config files, so let's dig in and check for something useful.
Found a key for OpenWrt
Note that netadmin is a user.
Now we have a user/password pair to try. Let's hope it works.
Voilà, it worked, and there we have the user flag for the machine.
To get root we have to dig into the network setup of the machine.
Okay, so to start with network-related enumeration I run:
ifconfig
iwconfig
netstat
systemctl
Going through all of this, I found a few things:
multiple wireless interfaces, such as
wlan0, wlan1, wlan2, mon0, ...
wpa_supplicant.service
WPA: Wi-Fi Protected Access
wlan0 is being used as an Access Point.
The iw command (short for "wireless") is a command-line tool for displaying and manipulating wireless devices on Linux systems.
So we will make use of this powerful tool to assess the wireless setup on the machine.
To find files with capabilities set, we use this command; it is similar to the find command used to locate SUID files.
HERE is the link I used as a reference on the usage of reaver:
>> https://www.kali.org/tools/reaver/
I tried a few different commands, but they were not working.
In order to find the BSSID I had to find a way around this:
In the previously used command "iw dev" I saw the BSSIDs of the various interfaces, so I used the same command to retrieve the value I needed...
BSSID for wlan0: 02:00:00:00:00:00
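As an added example (not part of the original write-up), here is a small POSIX shell script that does the BSSID lookup above by parsing `iw dev` output instead of reading it by eye, and that also lists every interface with its mode so that AP and monitor-mode interfaces stand out when reviewing a host's wireless configuration. The `iw dev` text is a constructed sample, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `iw dev` output, modelled on the interfaces listed in
# the write-up (wlan0 as AP, wlan1/wlan2 managed, mon0 in monitor mode). The
# addresses other than wlan0's are made up; nothing here was captured from the box.
SAMPLE_IW_DEV='phy#2
    Interface mon0
        addr 02:00:00:00:02:00
        type monitor
    Interface wlan2
        addr 02:00:00:00:02:00
        type managed
phy#1
    Interface wlan1
        addr 02:00:00:00:01:00
        ssid OpenWrt
        type managed
phy#0
    Interface wlan0
        addr 02:00:00:00:00:00
        ssid OpenWrt
        type AP
        channel 1 (2412 MHz), width: 20 MHz, center1: 2412 MHz'

# iw_addr_of NAME: read `iw dev` text on stdin and print the MAC of interface
# NAME (for an interface in AP mode this is the BSSID the write-up needed).
# Returns 1 if the interface does not appear in the input.
iw_addr_of() {
    awk -v want="$1" '
        $1 == "Interface" { cur = $2 }
        $1 == "addr" && cur == want { print $2; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# iw_inventory: one line per interface ("name type addr flag"). AP and monitor
# mode interfaces are flagged REVIEW, since neither is expected on a plain
# server and both deserve a second look during a configuration review.
iw_inventory() {
    awk '
        $1 == "Interface" { iface = $2; addr = "" }
        $1 == "addr"      { addr = $2 }
        $1 == "type"      { flag = ($2 == "AP" || $2 == "monitor") ? "REVIEW" : "ok"
                            print iface, $2, addr, flag }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_IW_DEV" | iw_inventory
printf 'wlan0 BSSID: %s\n' "$(printf '%s\n' "$SAMPLE_IW_DEV" | iw_addr_of wlan0)"
```

On a live host, replace the sample with `iw dev | iw_inventory` and `iw dev | iw_addr_of wlan0`.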
I first tried the reaver command against wlan0, but then realised we have to use the interface in monitor mode, so mon0 had to be used:
And with the WPA PSK we can log in as root.
THANK YOU for reading the article, and follow to stay tuned for more write-ups coming ahead......
A great way to start the year……… Happy New Year 🥳