- OS: Linux
- Domain / vhosts: wifinetic.htb
Summary
Wifinetic is an Easy Linux box that chains two classic credential-hygiene failures into root. The first failure is an anonymous FTP server serving a raw system backup that contains the device’s own wireless configuration, including the WPA pre-shared key in plaintext. The second failure is password reuse: the same PSK is also the OS password for the netadmin account. Once on the box, privilege escalation relies on a Linux file capability granted to the reaver binary rather than a traditional sudo rule.
The FTP exposure matters because OpenWrt backup archives are intended for disaster recovery — they capture the complete running configuration of a router or wireless device, including secrets. Making that archive available over anonymous FTP means any network-reachable host can retrieve it without credentials. The wireless configuration file (etc/config/wireless) stores the WPA PSK as a plaintext option key value, so extracting the PSK requires only unpacking the archive.
The privilege escalation is possible because /usr/bin/reaver has the cap_net_raw file capability set. File capabilities allow a binary to retain specific kernel privileges when executed by an unprivileged user, without needing setuid or sudo. cap_net_raw permits the process to send and receive raw network frames, which is exactly what WPS brute-forcing requires. The host exposes a simulated AP (wlan0) with WPS enabled and a monitor-mode interface (mon0) ready for injection. Reaver recovered the WPS PIN and the WPA PSK of that AP — a PSK also configured as root’s login password, completing the chain.
Recon
nmap -p- --min-rate 5000 -Pn -oA scans/alltcp <TARGET>
nmap -sCV -p 21,22,53 -Pn -oA scans/services <TARGET>
21/tcp open vsftpd 3.0.3 (anonymous login allowed)
22/tcp open OpenSSH 8.2p1 Ubuntu
53/tcp open tcpwrapped
The anonymous FTP server is immediately interesting because it exposes files without credentials. Listing the directory revealed both the OpenWrt backup archive (backup-OpenWrt-2023-07-26.tar) and some project PDF files. The backup archive is the critical artifact: OpenWrt backup tarballs preserve the full /etc tree of the device, which includes interface configuration, user accounts, and wireless keys. The presence of a netadmin account was also visible in etc/passwd inside the archive.
Port 53 was TCP-wrapped and produced no useful information. The wlan0 interface operating in AP mode is not visible from a port scan but becomes evident once on the box via iw dev, which also reveals the monitor interface mon0 that reaver needs for frame injection.
Foothold — anon FTP backup → SSH
Anonymous FTP login requires no credentials by definition, but the value of the access depends entirely on what the server exposes. Here it exposes an OpenWrt backup archive — a tar of the device’s /etc directory. OpenWrt stores wireless configuration in /etc/config/wireless, and WPA pre-shared keys are written as plaintext option key values in that file. Extracting the archive and grepping for psk recovers the key immediately. Because that same PSK was configured as the OS password for netadmin, SSH access follows without any further exploitation.
ftp anonymous@<TARGET>
# ls → backup-OpenWrt-2023-07-26.tar
tar xf backup-OpenWrt-2023-07-26.tar
grep -r 'psk\|option key' .
# etc/config/wireless: option key '<PSK>'
ssh netadmin@<TARGET>
# Password: <PSK>
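The secret in this chain was sitting in a UCI file inside the backup. Operators can catch that before an archive is ever published: the following Python script is an added example (not part of the writeup, and not OpenWrt's own tooling) that opens a backup tar, parses every etc/config/* member with a small UCI parser, and reports any interface whose key is stored in plaintext. Because the same parser has the data, it also reports interfaces with WPS switched on, which is the condition the privilege escalation and the counterfactuals section depend on. Assumptions: UCI's config/option/list syntax, OpenWrt's wps_pushbutton and wps_label option names, and a sample archive constructed in memory with a placeholder key.

```python
"""Audit an OpenWrt backup archive for plaintext wireless secrets and WPS.

Added example, not from the writeup. Assumes UCI syntax for
etc/config/* and OpenWrt's wps_pushbutton / wps_label options.
"""
import io
import tarfile

# Options whose value is a credential and must never leave the device in clear.
SECRET_OPTIONS = {"key", "key1", "key2", "key3", "key4", "password", "auth_secret"}
# Options that enable WPS on a wifi-iface (assumption: OpenWrt/hostapd names).
WPS_OPTIONS = {"wps_pushbutton", "wps_label"}


def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'options'}] in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "config" and len(parts) >= 2:
            name = _unquote(parts[2]) if len(parts) == 3 else None
            sections.append({"type": parts[1], "name": name, "options": {}})
        elif parts[0] in ("option", "list") and len(parts) == 3 and sections:
            sections[-1]["options"][parts[1]] = _unquote(parts[2])
    return sections


def audit_config(text):
    """Return (finding, section, detail) tuples for one UCI file."""
    findings = []
    for sec in parse_uci(text):
        label = f"{sec['type']} {sec['name'] or '(anonymous)'}"
        opts = sec["options"]
        for opt in sorted(SECRET_OPTIONS & opts.keys()):
            findings.append(("plaintext-secret", label, opt))
        if any(opts.get(o) == "1" for o in WPS_OPTIONS):
            findings.append(("wps-enabled", label, opts.get("ssid", "?")))
    return findings


def audit_backup(tar_bytes):
    """Scan every regular file under etc/config/ in a backup tar (.tar or .tar.gz)."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = member.name.lstrip("./")
            if not name.startswith("etc/config/"):
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            findings = audit_config(text)
            if findings:
                results[name] = findings
    return results


# Constructed sample contents; the key is a placeholder, not a real PSK.
SAMPLE_WIRELESS = """\
config wifi-device 'radio0'
    option type 'mac80211'
    option channel '1'

config wifi-iface 'default_radio0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'OpenWrt'
    option encryption 'psk2'
    option key 'placeholder-psk-not-the-real-one'
    option wps_pushbutton '1'
"""
SAMPLE_SYSTEM = """\
config system
    option hostname 'OpenWrt'
"""


def build_sample_backup():
    """Build an in-memory tar shaped like an OpenWrt backup (constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in (("etc/config/wireless", SAMPLE_WIRELESS),
                              ("etc/config/system", SAMPLE_SYSTEM)):
            data = content.encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for path, findings in audit_backup(build_sample_backup()).items():
        for kind, section, detail in findings:
            print(f"{path}: {kind} in {section} ({detail})")
```

Run it against a real archive with `audit_backup(open('backup.tar', 'rb').read())`; a non-empty result means the archive must stay off any anonymous share, and any wps-enabled line is a reason to revisit the AP configuration.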
User flag
The SSH session lands as netadmin. The user flag is in the home directory and is readable immediately:
cat /home/netadmin/user.txt
No privilege escalation is required for the user flag.
Privesc — reaver WPS + cap_net_raw
Standard privilege escalation enumeration with getcap -r / 2>/dev/null reveals that /usr/bin/reaver carries the cap_net_raw+ep file capability. This means any user can run reaver and it will have the raw socket access it needs for WPS attacks, with no sudo required. iw dev confirms the host has both an AP-mode interface (wlan0, BSSID 02:00:00:00:00:00) and a monitor-mode interface (mon0). The AP has WPS enabled, making it a target for PIN brute-forcing.
Reaver’s WPS PIN attack works by iterating through possible 8-digit PINs. WPS splits validation into two independent 4-digit halves, which reduces the brute-force space significantly. On this box the direct PIN recovery path completed and yielded the WPA PSK of the simulated AP. That PSK was also configured as root’s Linux password, so su - with that PSK completed the privilege escalation.
getcap -r / 2>/dev/null
# /usr/bin/reaver = cap_net_raw+ep
iw dev
# Interface mon0 (monitor mode)
# Interface wlan0 type AP addr 02:00:00:00:00:00
reaver -i mon0 -b 02:00:00:00:00:00 -c 1 -vv
# [+] WPS PIN: '<PIN>'
# [+] WPA PSK: '<root-psk>'
su -
# Password: <root-psk>
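The getcap check above is cheap to run but noisy on a stock Ubuntu host, where ping and a few helpers legitimately carry cap_net_raw. The following Python script is an added example (not part of the writeup) that parses getcap output in both the older `/path = caps+flags` form shown above and the newer `/path caps=flags` form, then reports only capabilities from a high-risk set on binaries that are not on an explicit allowlist. The sample output and the allowlist are constructed for the example; the reaver line matches what the box printed, the rest are typical Ubuntu entries.

```python
"""Triage `getcap -r / 2>/dev/null` output for capability grants worth reviewing.

Added example, not from the writeup. Assumes the two getcap line formats
"/path = cap_a,cap_b+flags" (older libcap) and "/path cap_a,cap_b=flags".
"""
import re

# Capabilities that give an unprivileged caller kernel-, filesystem- or
# network-level power; on a non-allowlisted binary each one is a finding.
HIGH_RISK = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
    "cap_dac_override", "cap_dac_read_search", "cap_chown", "cap_fowner",
    "cap_net_raw", "cap_net_admin",
}

# Binaries where the grant is the accepted alternative to setuid root.
# Keyed by full path so a copy of the binary elsewhere is still reported.
EXPECTED = {
    "/usr/bin/ping": {"cap_net_raw"},
    "/usr/bin/mtr-packet": {"cap_net_raw"},
    "/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper":
        {"cap_net_bind_service", "cap_net_admin"},
}

_CAPSPEC_RE = re.compile(r"^([a-z_0-9,]*)[+=]([eip]+)$")


def parse_getcap_line(line):
    """Return (path, set_of_cap_names, flags) or None if the line is not a grant."""
    line = line.strip()
    if not line:
        return None
    parts = line.replace(" = ", " ", 1).split(None, 1)
    if len(parts) != 2:
        return None
    path, capspec = parts
    m = _CAPSPEC_RE.match(capspec)
    if not m:
        return None
    names = {c for c in m.group(1).split(",") if c}
    if not names:
        names = {"all"}  # "=ep" with no names grants every capability
    return path, names, m.group(2)


def triage(getcap_output):
    """Return [(path, sorted_unexpected_caps, flags)] for grants needing review."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps, flags = parsed
        risky = {"all"} if "all" in caps else caps & HIGH_RISK
        unexpected = risky - EXPECTED.get(path, set())
        if unexpected:
            findings.append((path, sorted(unexpected), flags))
    return findings


# Constructed sample output; only the reaver line comes from the box.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/reaver = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

if __name__ == "__main__":
    for path, caps, flags in triage(SAMPLE_GETCAP):
        print(f"REVIEW {path}: {','.join(caps)}+{flags}")
```

Feed it the real output with `triage(subprocess.run(['getcap', '-r', '/'], capture_output=True, text=True).stdout)`; every line it prints is a grant that should either be removed with `setcap -r` or added to the allowlist with a written justification.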
Why each step worked
Anonymous FTP servers are often configured for convenience rather than security, with operators assuming the exposed files are “safe” because they are already public. OpenWrt backup archives violate that assumption badly: they are the operational snapshot of a running device, and the device’s own secrets — wireless keys, credentials, interface configuration — are captured verbatim. There is no encryption or access control on the tar contents. The backup format was designed for restoration, not for safe external distribution.
Password reuse between the wireless PSK and a Linux account password is a failure of credential compartmentalization. A WPA PSK and an OS login password serve entirely different purposes and face entirely different threat models, but humans and automated provisioning systems frequently set them to the same value for convenience. Recovering one is sufficient to recover the other.
The cap_net_raw file capability on reaver represents a case where a capability grant designed to avoid running a tool as root creates the same risk. Linux file capabilities allow a binary to retain specific kernel privileges when executed by any user. For a tool like reaver whose entire purpose is to perform a targeted wireless attack, granting cap_net_raw+ep globally is functionally equivalent to giving every user on the system the ability to interact with the wireless stack at the frame level.
WPS was designed to simplify wireless onboarding but introduced a structural authentication weakness: the 8-digit PIN is validated in two independent 4-digit halves, reducing the brute-force space from 10^8 to roughly 11,000 guesses. The simulated AP on Wifinetic has WPS enabled and responds to the full PIN exchange, so reaver can enumerate the space and recover the PIN along with the WPA PSK the AP uses. That PSK, reused as root’s Linux password, completes the escalation.
Counterfactuals
Removing the anonymous FTP exposure is the highest-impact single fix: without unauthenticated access to the backup archive, the PSK is never recovered and the entire chain collapses at step one. If FTP must remain for operational reasons, the backup archive should be served only to authenticated users, or better, stored outside the FTP root entirely.
Eliminating PSK reuse as a Linux password breaks the chain even if the backup is obtained. The WPA PSK and the OS password should be independent credentials: recovering one should provide no information about the other. A password manager or secrets vault used during provisioning enforces this discipline automatically.
Disabling WPS on the simulated AP removes the privilege escalation vector even if an attacker has already reached the netadmin account. If WPS is disabled, reaver has no exchange to participate in and cannot recover any PSK. Separately, removing the cap_net_raw capability from the reaver binary (or removing reaver entirely if it is not operationally needed) prevents unprivileged users from conducting wireless frame-level interactions regardless of the AP’s WPS configuration.
Key Takeaways
- Backup archives containing device configuration are some of the most sensitive files an administrator can accidentally expose — treat them like private keys.
- Password reuse across different authentication domains (wireless PSK and OS login) is common enough to be worth testing every time a PSK is recovered.
- getcap -r / is a fast privilege escalation check that is often overlooked; file capabilities can grant near-root powers to tools run by any user.
- WPS is broken by design and should be disabled on any AP where it is not strictly required.