Wifinetic — HTB Machine

Rishabh Rai
4 min read · Jan 2, 2024


IP copied and adventure starts!!

First things first we will start with nmap scan.

Here is the part-by-part explanation of the nmap command I use to document my scan. On the side I run several smaller nmap scans, which are faster and give basic information, such as:

nmap <IP>

nmap <IP> -p- --min-rate 1000

Smaller and faster scans
Documentation scan: the complete package of information

As we can see in the big scan, FTP anonymous login is allowed and directory listing is also present. So the first step is to pull all the files from there onto our system to analyse them.

To download everything, i.e. mirror the FTP server, you can use the command:

wget -m ftp://<serverIP>

After a look through the files, this tar archive seems particularly interesting, so upon extracting it with the tar command we can see a lot of config files present. Let's dig in and check for something useful.

Found the key to OpenWrt
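To make this kind of finding systematic from the defender's side, here is an added example (my own code, not part of the original write-up) that parses OpenWrt's UCI config syntax and flags every section storing a wireless key or password in plaintext, plus access points configured with no encryption; the config text it reads is constructed to resemble /etc/config/wireless.

```python
"""Audit an OpenWrt (UCI) config dump for plaintext secrets and open APs.
Added example, not from the write-up; the config below is constructed."""
import shlex

# Option names whose values are secrets and must not sit in a readable backup.
SECRET_OPTIONS = {"key", "password", "passwd", "psk", "secret"}

# Constructed sample resembling /etc/config/wireless on an OpenWrt box.
SAMPLE_WIRELESS = """\
config wifi-device 'radio0'
    option type 'mac80211'

config wifi-iface 'default_radio0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'OpenWrt'
    option encryption 'psk2'
    option key 'CONSTRUCTED-SAMPLE-PSK'

config wifi-iface 'guest'
    option device 'radio0'
    option mode 'ap'
    option encryption 'none'
"""

def parse_uci(text):
    """Parse UCI syntax into (section type, section name, {option: value})."""
    sections = []
    current = None
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # handles quotes and '#' comments
        if not parts:
            continue
        if parts[0] == "config" and len(parts) > 1:  # section name is optional
            current = (parts[1], parts[2] if len(parts) > 2 else None, {})
            sections.append(current)
        elif parts[0] in ("option", "list") and current is not None:
            current[2][parts[1]] = parts[2] if len(parts) > 2 else ""
    return sections

def find_secrets(text):
    """Every (section type, name, option) holding a non-empty secret value."""
    return [(stype, name, opt) for stype, name, opts in parse_uci(text)
            for opt, val in opts.items() if opt.lower() in SECRET_OPTIONS and val]

def open_access_points(text):
    """Names of AP interfaces configured with no encryption at all."""
    return [name for stype, name, opts in parse_uci(text)
            if stype == "wifi-iface" and opts.get("mode") == "ap"
            and opts.get("encryption", "none") == "none"]
```

Run it over a backup before it lands anywhere an anonymous FTP user can read it; anything `find_secrets` reports belongs in a rotated credential, not an archive.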

Here is the list of users.

Note that netadmin is a user.
Now we have a user/password pair to try; let's hope it works.

Voila, it opened, and there we have the user flag for the machine.

cat user.txt

To get to root we have to dig into the network setup of the machine.

Okay, so to start with network-related enumeration I run:

ifconfig
iwconfig
netstat
systemctl

Going through all of that, I found a few things:

multiple interfaces, such as

wlan0, wlan1, wlan2, mon0, …

wpa_supplicant.service
WPA: Wi-Fi Protected Access

wlan0 is in master mode, making it the access point

wlan0 is being used as the Access Point.

The iw (short for “wireless”) command is a command-line tool for displaying and manipulating wireless devices on Linux systems.

So we will make use of this powerful tool to assess the wireless configuration on the machine.

We have reaver on the box, which can be used to our advantage.

To find files with capabilities we use this command; it is similar to the find command used to locate SUID files.

HERE is the link I used as a reference for the usage of reaver:
>> https://www.kali.org/tools/reaver/

I tried a few different commands but they were not working.

In order to find the BSSID I had to find a way around this:
in the previously used command “iw dev” I saw the BSSID of the various interfaces. So I used the same command to retrieve that value for my use.
BSSID for wlan0: 02:00:00:00:00:00

I first tried the reaver command on wlan0 but then realised that we have to use the interface in monitor mode, so mon0 had to be used:

And with the WPA PSK we can log in as root.

THANK YOU for reading the article, and follow to stay tuned for more write-ups coming ahead.
A great way to start the year. Happy New Year 🥳

Join me on various platforms to discuss cybersecurity and cloud-related topics. From security best practices to cloud infrastructure, let's exchange ideas and insights and stay ahead of the curve.

CONNECT WITH ME 🔗💻


Rishabh Rai

4th year student exploring the world of cyber security with a knack for writing and always learning.