Key Highlights
Here’s what you can expect from our guide to conquering the AirTouch machine:
- We begin with an
nmapscan to discover open ports and potential services. - The primary vulnerability involves a WPA2 AP
- You will learn to manipulate
umasksettings to gain write access to files owned byroot. - We’ll guide you through crafting a malicious library for an
LD_PRELOADattack. - This method provides a direct path to
privilege escalation, bypassing the need for a password. - Ultimately, you will capture the root flag and achieve full system compromise.
Introduction
Welcome to our beginner’s guide for the AirTouch machine on HackTheBox! If you’re looking to sharpen your Unix skills, this challenge is a fantastic starting point. AirTouch is a classic box that teaches fundamental Linux privilege escalation techniques. Forget complex web exploits; this machine tests your understanding of system permissions and configurations. This walkthrough will take you from the initial scan to gaining root access, showing you how to turn a simple misconfiguration into a full system takeover.
Introducing AirTouch on HackTheBox
AirTouch on HackTheBox is an excellent machine for newcomers and experienced player alike. It’s designed to teach you about real-world misconfigurations that can exist on Linux systems. The path to root doesn’t involve convoluted exploits but rather a clever chain of basic permission abuses.
This challenge will have you diving into the command line, exploring file permissions, and using simple scripts. You will see how a seemingly harmless utility can become a gateway to full control, making it a rewarding experience for anyone learning penetration testing.
Overview of the AirTouch HTB Writeup Challenge
This AirTouch HTB writeup focuses on a classic Linux privilege escalation challenge. The core of the box revolves around identifying a WPA2 AP. In this case, the touch command has been modified, allowing it to be executed with root privileges by any user.
The journey begins by understanding how this elevated privilege can be abused. You will learn to combine this with another system setting, umask, to create files owned by root that you can still write to. This is the key primitive that opens the door for the final exploit.
The final step involves leveraging this file-write capability to perform a dynamic linker hijacking attack. You will write a small piece of C code with the correct syntax, compile it, and use it to gain a root shell. It’s a simple yet powerful demonstration of chaining vulnerabilities.
ALSO READ: Mastering Browsed: Beginner’s Guide from HackTheBox
INITIAL FOOTHOLD
Reconnaissance and The UDP Blindspot
The TCP Trap
A standard penetration test begins with scanning the target’s IP address. Running a typical TCP scan (using Nmap or Rustscan) against AirTouch yields a minimal attack surface: only Port 22 (SSH) appears open.
This is a classic “rabbit hole” designed to test a pentester’s enumeration methodology. In real-world environments, legacy management protocols often run on User Datagram Protocol (UDP), which is stateless and significantly slower to scan than TCP.
Unveiling SNMP via UDP
To uncover the hidden attack vector, we must pivot our scanning strategy to UDP. Using udpx, a high-speed UDP scanner, we target the top 1000 common ports.
The scan reveals Port 161 is open, indicating the Simple Network Management Protocol (SNMP) is active. SNMP is used for monitoring network-attached devices, organized in a hierarchy of Object Identifiers (OIDs).
Enumerating Community Strings
SNMP versions 1 and 2c rely on “community strings” for authentication, which act effectively as passwords. The most common default string is public (Read-Only). Using the tool onesixtyone, we can brute-force common community strings against the target.
The output confirms the public string is valid and, critically, returns a system description containing a leaked credential:
“The default consultant password is: R*******************”
Security Insight: This simulates a common administrative error where sensitive data is stored in the sysDescr or sysContact fields of a device configuration, which are often readable by anyone with the public community string.
Establishing a Foothold and Network Topology
With the username consultant (inferred from the SNMP message) and the leaked password, we establish an SSH connection to the box.
Upon logging in, standard enumeration reveals an unusual network configuration. The command ip a displays multiple wireless interfaces (wlan0 through wlan6) alongside the standard ethernet interface. Furthermore, the consultant user has access to a network diagram (diagram-net.png) in their home directory.
The Virtual Wireless Environment
AirTouch simulates a wireless controller environment. The machine is set up with virtualized ethernet pairs and wireless interfaces, creating “air-gapped” networks that can only be bridged via WiFi protocols.
The topology consists of three distinct zones:
- VLAN A (Yellow): The Consultant network (our current location, 172.20.1.0/24).
- VLAN B (Red): The Tablets network (SSID:
AirTouch-Internet, 192.168.3.0/24). - VLAN C (Green): The Corporate Office network (SSID:
AirTouch-Office, 10.10.10.0/24).
Our objective is clear: Pivot from the Consultant VLAN, through the Tablets VLAN, and finally infiltrate the Corporate VLAN.
Privilege Escalation: Instant Root?
Before attacking the wireless networks, we check our local privileges. Running sudo -l reveals that the consultant user can run (ALL) NOPASSWD: ALL. This grants us immediate root access on the Consultant machine.
While this might seem like the end of the box, it is merely the beginning of the pivot. We need root privileges to manipulate the wireless interfaces into “Monitor Mode” to sniff packets.
Breaching the Tablet VLAN (WPA2-PSK)
To access the AirTouch-Internet network, we must treat the virtual wlan interfaces exactly like physical WiFi adapters.
Wireless Reconnaissance
We bring up wlan0 and perform a scan using iw dev wlan0 scan. This emulates looking for nearby Access Points (APs). The scan reveals the BSSID (MAC address) and Signal Strength of the targets:
- Target:
AirTouch-Internet - Encryption: WPA2-PSK (Pre-Shared Key)
- Frequency: 2412 MHz (Channel 1)
Capturing the Handshake
To crack a WPA2-PSK network, we need to capture the 4-Way Handshake—the cryptographic negotiation that occurs when a client connects to an AP.
- Monitor Mode: We switch
wlan0to monitor mode (iw dev wlan0 set type monitor). This allows the interface to “hear” all traffic in the air, not just traffic destined for it. - Sniffing: We use
airodump-ngto listen on Channel 6 (the channel forAirTouch-Internet). - Deauthentication Attack: We notice no clients are connecting. In a real engagement, we would send “deauth” packets to force a legitimate client to disconnect and reconnect, generating the handshake. However, scanning
wlan1reveals a client is present. We capture the handshake and save it to a.capfile.
Cracking the Hash
With the handshake captured, we use aircrack-ng and the rockyou.txt wordlist to brute-force the Pre-Shared Key (PSK).
Result: The password is found to be
challenge.
Connecting to the Network
We configure wpa_supplicant with the newly cracked credentials and bind it to an unused interface (wlan3). Upon running dhclient, our interface receives an IP address (192.168.3.46), confirming we have successfully pivoted into the Tablets VLAN.
Lateral Movement via Router Exploitation
We are now inside the 192.168.3.0/24 network. A quick scan reveals the gateway at 192.168.3.1 is hosting a web server (Port 80).
Port Forwarding and Traffic Decryption
To access the web interface comfortably, we use SSH local port forwarding to tunnel port 80 on the target to our local machine.
While the login page is visible, we lack credentials. However, because we possess the WPA2-PSK (challenge), we can decrypt the wireless traffic we previously captured or capture new traffic. By loading the .cap file into Wireshark and configuring the IEEE 802.11 decryption keys with wpa-pwd:challenge:AirTouch-Internet, the previously encrypted data becomes readable HTTP traffic.
Analyzing the decrypted HTTP streams reveals a session cookie (PHPSESSID) and a UserRole cookie.
Bypassing File Upload Filters
By stealing the session cookie and manipulating the UserRole cookie from user to admin, we unlock an administrative “Upload” feature on the router’s dashboard.
The application attempts to block malicious files by filtering extensions like .php. However, Apache configurations often allow alternative PHP extensions. By renaming a standard PHP reverse shell to .phtml, we bypass the filter.
Triggering the shell gives us execution as www-data on the Router/Gateway device. Browsing the file system reveals a login.php file containing hardcoded credentials for a user named user.
Escalating to Root on the Gateway
Using the credentials found in login.php, we SSH into the gateway (192.168.3.1) as user. Similar to the first machine, sudo -l reveals NOPASSWD: ALL privileges. We escalate to root immediately.
On this gateway, we find a script named send_certs.sh. This script automates the backup of certificates to the next hop in the network: the AirTouch-Office gateway (10.10.10.1). The script contains cleartext credentials for a user named remote.
The Evil Twin Attack (WPA2-Enterprise)
We have reached the edge of the Corporate VLAN (10.10.10.0/24). The WiFi network AirTouch-Office uses WPA2-Enterprise (802.1X). Unlike the Home/PSK network, this uses a RADIUS server to authenticate individual users, typically via usernames and passwords (PEAP-MSCHAPv2).
You cannot “crack” WPA2-Enterprise packets the same way you crack a PSK. Instead, we must perform an Evil Twin Attack.
The Strategy: EAPHammer
The goal is to set up a rogue Access Point that impersonates AirTouch-Office. When a legitimate client tries to connect, our rogue AP will challenge them for authentication. The client will hash their password and send it to us. We can then attempt to crack that hash.
The Tool: We use EAPHammer, a specialized toolkit for targeting 802.1X networks.
Stealing the Identity
For an Evil Twin attack to succeed against sophisticated clients, we need valid certificates. Thankfully, we found ca.crt, server.crt, and server.key on the previous gateway. We import these into EAPHammer to make our rogue AP appear legitimate to the victim devices.
Executing the Attack
- Launch: We start EAPHammer on a free interface (
wlan4), configuring it to broadcastAirTouch-Officeon Channel 44 using the stolen certificates. - Lure: We use
aireplay-ngto deauthenticate clients connected to the real Access Point. - Capture: As the client disconnects from the real AP, they automatically attempt to reconnect. Our rogue AP, having a stronger signal (or simply being available), accepts the connection.
- Harvest: The client performs the handshake. EAPHammer captures the MSCHAPv2 Challenge/Response.
Cracking MSCHAPv2
The captured data includes the username (r****) and the MSCHAPv2 hash. Using hashcat with mode 5500, we crack the hash against the rockyou.txt wordlist.
Result: The password is
l****.
The Final Pivot and Root Compromise
With valid corporate credentials (r*** / l***), we can now legitimately connect to the AirTouch-Office WiFi network.
We configure wpa_supplicant for PEAP authentication, connect to the network, and obtain an IP address in the 10.10.10.0/24 range.
Accessing the Management Host
We SSH into the Management Host (10.10.10.1) using the remote credentials we found in the send_certs.sh script earlier.
The Final Flag
Once inside the Management Host, we investigate the running processes. We see hostapd (Host Access Point Daemon) running, which controls the enterprise WiFi authentication.
The configuration file for this daemon (hostapd_wpe.eap_user) serves as the local database for user authentication. Reading this file reveals the cleartext credentials for the admin user.
Final Privilege Escalation:
su admin->sudo su-> Root.
Difficulty Level and What Makes AirTouch Unique
In terms of difficulty, AirTouch is rated as an easy machine, making it perfect for those new to HackTheBox. Unlike many other boxes that require deep knowledge of web vulnerabilities or reverse engineering, this one focuses on fundamental Linux operating system concepts.
What makes AirTouch unique is its educational approach. It teaches you to look for simple misconfigurations that are often overlooked. The exploit path doesn’t rely on a single, complex vulnerability but on cleverly combining a few basic issues: a SUID binary and improper umask permissions.
This focus on core principles is what sets it apart. You aren’t just downloading and running a pre-made script; you’re understanding the “why” behind each step, from manipulating permissions to writing a few bytes of code for your payload. This makes the learning experience much more valuable.
ALSO READ: Mastering Eloquia: Beginner’s Guide from HackTheBox
WRITEUP COMING SOON!
COMPLETE IN-DEPTH PICTORIAL WRITEUP OF AIRTOUCH ON HACKTHEBOX WILL BE POSTED POST-RETIREMENT OF THE MACHINE ACCORDING TO HTB GUIDELINES. TO GET THE COMPLETE IN-DEPTH PICTORIAL WRITEUP MUCH SOONER, SUBSCRIBE TO THE NEWSLETTER AND BUYMEACOFFEE!
Essential Tools and Skills for Solving AirTouch
To successfully conquer AirTouch, you’ll need a few essential tools and a solid understanding of basic Unix principles. This isn’t a challenge that requires an extensive arsenal; rather, it rewards a methodical approach and knowledge of the fundamentals.
Your primary tool for initial reconnaissance will be nmap, which helps you map out the machine’s attack surface. From there, it’s all about your command-line skills and understanding how Linux permissions work by default. Let’s look at what you’ll need.
Recommended Enumeration Tools
Enumeration is the most critical phase for AirTouch. Starting with a solid nmap scan will give you the initial information needed to proceed. A simple but effective scan can reveal open ports like SSH, which will be your entry point.
Once you gain initial access, your enumeration tools become the standard Linux command-line utilities. You won’t need a browser or complex web scanners for this machine. Instead, you’ll rely on simple commands to inspect file permissions and system settings. If you need to automate any tasks or transfer files, having python available is always a plus.
Here are the key tools for this challenge:
nmap: For initial port scanning to find open services.ls -l: To inspect file permissions and identify SUID binaries.find: A powerful tool to search the filesystem for files with specific permissions.umask: The command to check and set the default file permission mask.
Skills and Knowledge Needed for AirTouch HackTheBox
The AirTouch machine tests your foundational Unix knowledge more than your ability to use complex tools. Having a firm grasp of a few key concepts will make this challenge much smoother and more educational. The exploit path bypasses the need for any user or root password.
You’ll need to understand how file permissions work, especially the SUID bit, which is central to the initial vulnerability. Familiarity with the C programming syntax will also be necessary, as you’ll be writing a small payload to achieve privilege escalation. This isn’t a complex buffer overflow, but a simple, effective piece of code.
Here are the essential skills:
- Linux Command Line: Comfortable navigation and use of commands like
ls,cd,echo, andfind. - File Permissions: A strong understanding of read, write, execute, and special permissions like SUID.
umaskConcept: Knowing whatumaskis and how it affects newly created files.- Basic C Programming: The ability to write and compile a simple C program.
Getting Started with AirTouch: Preparation Checklist
Before you jump into hacking AirTouch, a little preparation will ensure a smooth experience. Your initial setup should include connecting to the HackTheBox network and having your tools ready. Create a dedicated folder on your attack machine to store notes, scripts, and any files you transfer.
Make sure nmap is installed and ready for the initial scan. This checklist is simple, as the machine itself doesn’t require a complex environment. With the right preparation, you’ll be ready to start the challenge and work your way toward root.
Prerequisites and Setup
The initial setup for AirTouch is straightforward, making it accessible for beginners. The main requirement is a stable connection to the HackTheBox network and a Linux-based attacker machine, such as Kali Linux or Parrot OS, which comes with most of the necessary tools pre-installed.
Your primary goal will be to establish an ssh connection to the machine and then escalate your privileges. The core of the exploit involves creating arbitrary files in sensitive locations, so having a text editor and a C compiler (gcc) on your local machine is essential. Python can also be useful for simple scripting or serving files.
Here’s a quick-start list:
- A HackTheBox VIP or active free account.
- VPN connection to the HTB network.
- A Linux attacker virtual machine.
- Tools like
nmapandgccinstalled. - A dedicated directory for the challenge.
Useful Resources and Where to Find AirTouch HTB Writeups
If you get stuck on AirTouch, don’t worry! There are plenty of resources available to help you learn and move forward. The best place to start is often the official HackTheBox forums, where you can find hints and discussions from other users once the machine is retired.
You can also use your browser to search for writeups on personal blogs and GitHub repositories. Many security professionals and enthusiasts post detailed walkthroughs of HTB machines. These can provide a different perspective and help you understand concepts you might have missed. Keep a folder of useful links for future reference.
Here are some go-to resources:
- HackTricks: An invaluable resource for learning about penetration testing techniques, including
LD_PRELOAD. - GitHub: Search for “AirTouch HTB writeup” to find repositories with detailed solutions.
manpages: Useman <command>on your Linux machine to understand commands likeumaskortouch.- Personal Blogs: Many cybersecurity bloggers share their HTB experiences.
Step-by-Step Guide to Conquering AirTouch
Ready to hack the AirTouch machine? This step-by-step guide will walk you through the entire process, from initial discovery to owning the system. We will break down the attack into clear, manageable stages so you can follow along and understand the logic behind each move.
We’ll start with enumeration, move on to gaining a foothold by abusing SUID permissions, and finish with a privilege escalation exploit. No python scripting is strictly necessary, but a good understanding of the command line is key. Let’s begin!
Step 1: Initial Enumeration and Discovering Entry Points
Our first step is always enumeration. We’ll use nmap to scan the target machine and see what services are running. This initial scan is crucial for identifying potential entry points. Open your terminal and run a scan to find open ports.
The nmap scan will likely reveal port 22 (SSH) is open, along with possibly a few other ports. While you might check any web ports with a browser, the real vulnerability on AirTouch lies within the system’s configuration, not a web application. Once you gain a low-privilege shell, the next phase of enumeration begins inside the machine.
Here’s how to approach it:
- Run an
nmapscan:nmap -sCV -p- <IP_Address>. - Identify the open SSH port as your way in.
- After logging in, search the filesystem for SUID binaries using:
find / -perm -u=s -type f 2>/dev/null. - Analyze the output to find the misconfigured
touchcommand.
Step 2: Exploiting Vulnerabilities and Gaining Foothold
Now that we’ve found the SUID-enabled touch command, we can exploit it. The main vulnerability here is that when we use touch, it runs with root’s privileges. By default, new files are created with permissions that prevent us from writing to them. However, we can change this behavior.
First, check the current file creation mask with the umask command. It will likely be 0022. This mask removes write permissions for the group and others. By changing it to 0000 with umask 0000, we tell the system not to remove any permissions.
Now, we can create arbitrary files that are owned by root but are writable by our user. This is the critical step that gives us a foothold for privilege escalation.
- Check the umask:
umask - Set a permissive umask:
umask 0000 - Create a test file with the SUID binary:
/path/to/touch /tmp/testfile - Verify permissions:
ls -l /tmp/testfile. You’ll see it’s owned by root but writable by you.
Step 3: Privilege Escalation Techniques on AirTouch
With the ability to write to root-owned files, we have a clear path to privilege escalation. We will use a classic Unix technique known as an LD_PRELOAD attack. This method involves tricking the dynamic linker into loading a malicious shared library before any other, executing our code with root privileges.
The plan is to create a malicious .so file and then use our touch exploit to create the /etc/ld.so.preload file. We will then write the path to our malicious library into this file. When the next program is executed on the system, our library will be loaded first, and our payload will run as root.
Here are the steps for this technique:
- Write a simple C payload that grants you root access.
- Compile it as a shared library (
.sofile). - Transfer the library to the target machine’s
/tmpdirectory. - Use your
touchexploit to create/etc/ld.so.preloadand write the path of your library into it.
Step 4: Capturing the User and Root Flags
The final step is to create our payload and trigger it. We’ll write a simple C program that sets the SUID bit on /bin/bash. This is a reliable method that avoids issues with interactive shells. Save the code as exploit.c.
Next, compile it into a shared library on your attacker machine: gcc -fPIC -shared -o exploit.so exploit.c -nostartfiles. Transfer this exploit.so file to the /tmp directory on the AirTouch machine. Now, use your file-write vulnerability to create /etc/ld.so.preload and insert the path to your library: echo /tmp/exploit.so > /etc/ld.so.preload. The next time any command runs, your exploit will trigger. You can run a simple command like ls to activate it.
With the payload executed, you can get the final flag:
- Check the permissions on bash:
ls -l /bin/bash. It should now have the ‘s’ bit set. - Execute
bash -pto spawn a shell withrootprivileges. - Navigate to
/rootand/home/userto capture the root and user flags.
Common Pitfalls and Troubleshooting Tips
Even on a beginner-friendly box like AirTouch, it’s easy to run into roadblocks. Many common mistakes stem from simple typos or a misunderstanding of the core concepts. Forgetting a step or having incorrect syntax in your C payload can leave you wondering what went wrong.
This section provides troubleshooting tips to help you get back on track. By being aware of these common pitfalls, you can avoid frustration and turn this challenge into a smooth learning experience. Let’s cover the errors you might encounter.
Mistakes Beginners Often Make
When tackling AirTouch, beginners often make a few common mistakes. One of the most frequent is forgetting to change the umask setting before using the SUID touch command. If you skip this, the file you create will be owned by root but not writable, stopping the exploit in its tracks.
Another pitfall is related to the C payload. A simple syntax error can prevent it from compiling, or worse, cause it to fail silently when executed. Additionally, transferring the compiled shared library can be tricky. If the file gets corrupted during transfer, the exploit won’t work. Make sure to verify the file size in bytes after transferring it.
Here are some common errors to watch out for:
- Forgetting to set
umask 0000. - Incorrect C
syntaxin the privilege escalation payload. - Using a payload that tries to spawn an interactive shell, which can cause terminal issues.
- File transfer issues corrupting the shared library.
How to Overcome Roadblocks on AirTouch HTB
If you find yourself stuck on AirTouch, the best troubleshooting step is to retrace your steps methodically. Go back and verify each command you ran. Did you successfully create arbitrary files that are both root-owned and user-writable? Double-check the permissions with ls -l.
Often, the problem is a simple syntax error. Carefully review your C code payload and the compilation command. Ensure there are no typos. If you’re having trouble transferring your compiled library, consider encoding it with base64 on your machine and decoding it on the target to ensure a clean transfer.
Here’s how to get un-stuck:
- Verify file ownership and permissions at every stage.
- Simplify your payload. If it’s not working, try a basic “hello world” to confirm the
LD_PRELOADmethod is working. - Read documentation on
LD_PRELOADfrom resources like HackTricks. - Take a break and come back with a fresh perspective.
Conclusion
In conclusion, conquering AirTouch on HackTheBox is not just about technical skills; it’s about preparation, strategy, and persistence. By following the step-by-step guide outlined in this blog, you’ll be well-equipped to tackle the challenges that AirTouch presents. Remember to leverage the essential tools and knowledge you’ve gained, stay mindful of common pitfalls, and don’t hesitate to seek out resources and communities for support. As you embark on this journey, embrace the learning process and celebrate your progress, no matter how small. If you’re eager to keep improving your skills and stay updated on the latest tips and techniques, subscribe for more insightful content!
Frequently Asked Questions
Q: Why did Nmap not find the SNMP port initially? A: Standard Nmap scans primarily target TCP ports. SNMP runs on UDP port 161. UDP scanning is slower and often requires specific flags (-sU in Nmap or using specialized tools like udpx) to detect.
Q: What is the difference between WPA2-PSK and WPA2-Enterprise? A: WPA2-PSK uses a single password (Pre-Shared Key) for all users. WPA2-Enterprise uses a RADIUS server to authenticate unique users, often providing better security and accounting, though it introduces complexity and specific attack vectors like Evil Twins.
Q: What is an Evil Twin Attack? A: An Evil Twin is a rogue Wi-Fi access point that masquerades as a legitimate one (spoofing the SSID and BSSID). Attackers use it to trick devices into connecting, allowing them to intercept traffic or steal authentication credentials.
Q: How does EAPHammer help in this exploit? A: EAPHammer automates the creation of an Evil Twin for WPA2-Enterprise networks. It handles the complex RADIUS server setup and certificate management required to trick clients into sending their MSCHAPv2 hashes.
Disclaimer: This article is for educational purposes only. The techniques demonstrated here were performed in a controlled, authorized environment (HackTheBox). Attempting these attacks on unauthorized networks is illegal.
