Objective: Dosis Network Down
Difficulty Level: 2
Drop by JJ's 24-7 for a network rescue and help restore the holiday cheer. What is the WiFi password found in the router's config?
Location: JJ's 24-7

Solution Overview

Janusz tells us that the neighborhood's WiFi has been sabotaged by the gnomes, who have changed the admin password and probably other settings as well. We have to take back what is ours.
Inspecting the router login page's elements doesn't reveal much; however, a banner at the bottom of the page gives us hardware and firmware information. A quick search reveals an unauthenticated remote code execution (RCE) vulnerability (CVE-2023-1389) in this very platform!
We can leverage this vulnerability to execute commands on the router. The objective states that the password is to be found within the router's config files. We identify a nonstandard /etc/config directory, which contains a text file named wireless that holds the password.

Activity | Primary Tactic | MITRE ATT&CK Technique ID | MITRE ATT&CK Technique Name
Identify Firmware Version | Discovery | T1082 | System Information Discovery
Exploit CVE-2023-1389 | Initial Access | T1190 | Exploit Public-Facing Application
Execute Shell Commands | Execution | T1059.004 | Command and Scripting Interpreter: Unix Shell
Extract Wireless Password | Credential Access | T1552.001 | Unsecured Credentials: Credentials in Files

Detailed Solution

The challenge presents us with a local login page for an AX1800 WiFi 6 Router. It looks much like a simple single-page web app with minimal content. The console gives us some small nudges along the way, but ultimately our breakthrough comes from the text at the bottom of the login page: Firmware Version: 1.1.4 Build 20230219 rel.69802 Hardware Version: Archer AX21 v2.0.
Searching for part or all of this string leads to CVE-2023-1389, an unauthenticated remote code execution (RCE) vulnerability affecting our target platform.
The vulnerability lies in the write callback of the country form, served at the /cgi-bin/luci/;stok=/locale endpoint. The country parameter of this form is passed into a popen() call in the backend, which runs as the root user. POST requests that carry the data in the request body are not vulnerable, while requests that carry the same data as request (query) parameters are.

POST /cgi-bin/luci/;stok=/locale?form=country HTTP/1.1
Host: [target router]
Content-Type: application/x-www-form-urlencoded

operation=write&country=$(id>/tmp/out)

POST /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(ls%20/etc/config) HTTP/1.1
Host: [target router]

When executing commands, we have to send each request twice: the first returns a 200 response with a single line reading OK, while the second returns the command output. With this as our foothold, we keep in mind our objective of identifying login credentials in a configuration file. On most Unix systems, the /etc/ directory holds global, system-level configuration data. We send a series of requests to enumerate /etc/ before identifying the /etc/config directory, which is not part of the standard naming conventions. This directory contains the wireless text file, which holds the password: SprinklesandPackets2025!. The screenshot below displays the contents of the /etc/config/wireless file:
[Screenshot: Caido Replay showing the contents of /etc/config/wireless]
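From the defender's side, the same request pattern is easy to spot in the router's (or a reverse proxy's) access log. The following Python is an added example, not part of the original write-up: it scans constructed Common Log Format lines for a country write on the ;stok=/locale endpoint with the parameters in the query string and shell metacharacters in the country value. The log lines are constructed, and treating an empty stok as the marker of an unauthenticated request is an assumption of mine.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Dec/2025:10:00:01 +0000] "POST /cgi-bin/luci/;stok=/locale?form=country HTTP/1.1" 200 2
10.0.0.9 - - [19/Dec/2025:10:00:02 +0000] "POST /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(ls%20/etc/config) HTTP/1.1" 200 2
10.0.0.9 - - [19/Dec/2025:10:00:03 +0000] "POST /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(ls%20/etc/config) HTTP/1.1" 200 57
10.0.0.7 - - [19/Dec/2025:10:00:04 +0000] "POST /cgi-bin/luci/;stok=abc123/locale?form=country&operation=write&country=US HTTP/1.1" 200 2
10.0.0.7 - - [19/Dec/2025:10:00:05 +0000] "GET /webpages/index.html HTTP/1.1" 200 1234
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')
PREFIX, SUFFIX = '/cgi-bin/luci/;stok=', '/locale'
# Characters that would let a country value break out of a popen() string.
SHELL_META = re.compile(r'[$`;|&\n]')

def classify(target):
    """Return a finding label for one request target, or None if benign."""
    parts = urlsplit(target)           # urlsplit keeps ';stok=' inside the path
    path = parts.path
    if not (path.startswith(PREFIX) and path.endswith(SUFFIX)):
        return None
    stok = path[len(PREFIX):-len(SUFFIX)]
    q = parse_qs(parts.query, keep_blank_values=True)
    # Only query-string parameters reach the vulnerable write callback.
    if q.get('form') != ['country'] or q.get('operation') != ['write']:
        return None
    country = q.get('country', [''])[0]  # parse_qs already percent-decodes
    if SHELL_META.search(country):
        return 'cve-2023-1389 command injection attempt'
    if stok == '':                       # assumption: empty stok = no session
        return 'unauthenticated country write (empty stok)'
    return None

def scan(log_text):
    """Return (source ip, label, target) for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (label := classify(m['target'])):
            findings.append((m['src'], label, m['target']))
    return findings

if __name__ == '__main__':
    for src, label, target in scan(SAMPLE_LOG):
        print(f'{src}: {label}: {target}')
```

The two hits come from the same source a second apart, which matches the send-twice behaviour described above; the differing response sizes (2 bytes of OK, then the command output) are a second signal worth alerting on.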

Tools Reference

Tools Used | Tool Version
Caido | 0.54.1

Hints Reference

Provided By | Hint
Santa | You know ... if my memory serves me correctly .. there was a lot of fuss going on about a UCI (I forgot the exact term ...) for that router.
Santa | I can't believe nobody created a backup account on our main router ... the only thing I can think of is to check the version number of the router to see if there are any ... ways around it ...

Acknowledgements

Provided By | Notes
Mitch Darrow | Mitch helped me to understand the nature of the challenge and he confirmed I was on the right path in solving!