Official WifineticTwo Discussion

Why can't I get a shell? I think I'm doing everything right.

Good to know that's the way forward. I was kinda squeamish about trying to go through the actual exploit payload because of all the WebKit boundary gibberish that's in there.


Can you tell me where I should put the Wi-Fi password?

Just finished this challenge. This box is VERY unstable and breaks often. I wonder how people are gonna solve this if they don't have a VIP sub.

For this box, I'd suggest reading primers about Wi-Fi and knowing what's actually happening when you're running tools. Don't be a script kiddie.

Here’s some actually useful hints:

User (foothold):

Perform an nmap scan; you'll discover a web service running. This service is a web interface to manage industrial computers called PLCs. You'll need credentials to authenticate. Fortunately, it uses default ones. Google for them.

After authenticating, Google for known vulnerabilities. You'll find one. Use it to get a foothold shell. Don't go for the PoC; it won't work. Just understand what it's trying to do, then do it manually yourself (REMEMBER to skip the injection() part).

Root:

The name of the box should hint at the next step. Wifi.

Find out if you have any wireless network interface attached to the foothold box.

Use this to scan for available Wi-Fi networks. You'll find one with WEP enabled. Perform a very well-known attack to get credentials for it.

Then connect to it.

Once done, you now have a whole new internal network. Do a ping sweep. You'll find another host with SSH running. Try your luck authenticating straight as root.


Google how to use wpa_supplicant to connect to a WPA/WPA2 wireless network.

Is the Wi-Fi password openplc???

wpa_supplicant works correctly, but wpa_cli fails: it can't find the wpa_supplicant instance. Any ideas?

I got the user flag and am trying to run OneShot to perform a Pixie Dust attack, but I am having a problem compiling my oneshot.c on the machine. I use "gcc -o oneshot oneshot.c" to compile it; it returns "collect2: fatal error: cannot find 'ld'; compilation terminated."
The ld binary is in /usr/bin/, which is on my $PATH, so that's not the problem.

Anyone with the same issue, or does anyone know what it could be?
Thanks

Should I guess the router password or try a deauth attack? HELP

You don't need to compile it; get the Python code from GitHub.


Hello, I can't connect to the Wi-Fi; I can't test it on my Kali, which is on VirtualBox.

Anyone got these errors when connecting?

sudo wpa_supplicant -D wext,nl80211 -i wlan0 -c /etc/wpa_supplicant/wpa-supplicant-wlan0.conf

ioctl[SIOCSIWESSID]: Device or resource busy
wlan0: Association request to the driver failed
wlan0: Associated with 00:00:00:00:00:00
wlan0: CTRL-EVENT-DISCONNECTED bssid=02:00:00:00:01:00 reason=0

→ OK, found too many wpa_supplicant processes already launched … just need to kill -9 …

Just rooted; interesting VM, despite the crashes.

How long is the tool that @tizdbl mentioned supposed to take? It seems to go on forever…

yeah!

Why compile it, brother? Use the Python file:
OneShot/oneshot.py at master · kimocoder/OneShot (github.com)


I really enjoyed this one; sadly I needed the hints above about going after Wi-Fi. I got lost in a rabbit hole for a few hours trying to break out of the LXD container.

User: just poke at it a bit. It's a little finicky, but don't overthink it; easier than I expected for a medium. You can trigger it manually after running the exploit; try to run all the things.

Root: did you read the box name? It's a little unintuitive because it does not follow the standard process for HTB VMs.


Root: I was able to crack it but could not get the address automatically. A nudge would be helpful.

Very sad thing when your wlan0 can get the IP address automatically.

When you do this:
dhclient wlan0
your virtual machine freezes completely.

The only way to resolve this issue is to set the IP on wlan0 manually.

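The root-side procedure from the hints post above (find the wireless interface, scan, connect with wpa_supplicant, ping sweep the new network, look for SSH), together with the two workarounds reported in this thread (stale wpa_supplicant processes blocking association, and dhclient freezing the VM so the address has to be set by hand), as one added example script. This is not code from the thread or from any of the tools it mentions. It assumes a hypothetical interface name wlan0, a WPA/WPA2-PSK network whose passphrase you have already recovered, a 192.168.1.0/24 subnet, and that /run/wpa_supplicant is writable; all of those are guesses to be replaced with what you actually see on the box.

```shell
#!/bin/sh
# Added example (not from the thread). Post-foothold Wi-Fi workflow.
# Assumptions (hypothetical): interface wlan0, WPA-PSK network, /24 subnet.

IFACE="${IFACE:-wlan0}"
CONF="${CONF:-/tmp/wpa-$IFACE.conf}"
CTRL="/run/wpa_supplicant"

# Step 1: does the foothold host have a wireless interface at all?
list_wifi_ifaces() {
    # "iw dev" lists only wireless interfaces; "ip link" would show everything.
    iw dev 2>/dev/null | awk '$1 == "Interface" { print $2 }'
}

# Step 2: scan and keep the SSID, security (WPA/RSN/WPS) and capability lines.
scan_networks() {
    iw dev "$IFACE" scan 2>/dev/null | grep -E 'SSID:|WPA:|RSN:|WPS:|capability'
}

# Step 3: emit a wpa_supplicant config. ctrl_interface is what lets wpa_cli
# find the running instance (the "wpa_cli can't find wpa_supplicant" problem).
wpa_conf() {
    ssid="$1"; psk="$2"
    printf 'ctrl_interface=%s\nupdate_config=0\n\nnetwork={\n    ssid="%s"\n    psk="%s"\n}\n' \
        "$CTRL" "$ssid" "$psk"
}

# Step 4: connect. Leftover wpa_supplicant instances on the same interface
# produce "Device or resource busy" and failed associations, so kill them first.
connect_wifi() {
    ssid="$1"; psk="$2"
    pkill -9 -f "wpa_supplicant.*-i *$IFACE" 2>/dev/null || true
    wpa_conf "$ssid" "$psk" > "$CONF"
    chmod 600 "$CONF"
    wpa_supplicant -B -D nl80211,wext -i "$IFACE" -c "$CONF"
    # Poll the control socket instead of sleeping a fixed time.
    for _ in $(seq 1 20); do
        if wpa_cli -p "$CTRL" -i "$IFACE" status 2>/dev/null | grep -q '^wpa_state=COMPLETED'; then
            return 0
        fi
        sleep 1
    done
    echo "association did not complete; run: wpa_cli -p $CTRL -i $IFACE status" >&2
    return 1
}

# Step 5: static address instead of dhclient, which hung the VM for one poster.
assign_static_ip() {
    addr="$1"   # e.g. 192.168.1.50/24 (assumed subnet)
    ip addr flush dev "$IFACE"
    ip addr add "$addr" dev "$IFACE"
    ip link set "$IFACE" up
}

# Helper: expand a /24 prefix into its 254 host addresses (pure, no network).
hosts_in_24() {
    prefix="$1"   # e.g. 192.168.1
    i=1
    while [ "$i" -le 254 ]; do
        echo "$prefix.$i"
        i=$((i + 1))
    done
}

# Step 6: ping sweep, then check 22/tcp on whatever answered.
pingsweep() {
    for h in $(hosts_in_24 "$1"); do
        ping -c 1 -W 1 "$h" >/dev/null 2>&1 && echo "$h"
    done
}

ssh_open() {
    # bash's /dev/tcp works even when nmap/nc are missing on the box.
    timeout 3 bash -c "echo >/dev/tcp/$1/22" 2>/dev/null
}

case "${1:-}" in
    ifaces)  list_wifi_ifaces ;;
    scan)    scan_networks ;;
    connect) connect_wifi "$2" "$3" && assign_static_ip "$4" ;;
    sweep)   for h in $(pingsweep "$2"); do ssh_open "$h" && echo "$h ssh open"; done ;;
esac
```

Usage on the box would be `sh wifi.sh ifaces`, `sh wifi.sh scan`, `sh wifi.sh connect <ssid> <psk> 192.168.1.50/24` and `sh wifi.sh sweep 192.168.1`, adjusting the interface, SSID and subnet to what the scan and your own addressing show. The config is written with mode 600 because the PSK sits in it in clear text.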

Thank you very much, sir. First time dealing with the service running in the root part; your hints really helped me complete the machine.


Hello, I think I'm stuck. I have the user flag, but now I'm trying to poke around wlan0/Wi-Fi etc. The network I found has ESSID "plcrouter"; is it a rabbit hole? Should I get the PSK by brute force? Every time I try to connect to the wireless network (via wpa_supplicant) I get a "wrong pre-shared key" message.