AirTouch
RETIRED MACHINE

OS: Linux
Difficulty: Medium
MACHINE RATING: 4.4
USER OWNS: 1662
SYSTEM OWNS: 1396
RELEASED: 17/01/2026
Created by r4ulcl

Machine Synopsis

`AirTouch` is a medium-difficulty Linux machine built around a wireless attack path initiated from a consultant workstation. Starting with SNMP enumeration, valid credentials for the consultant account can be recovered, granting access to a workstation that contains multiple wireless interfaces. From there, two relevant wireless networks are identified: `AirTouch-Internet` (protected with WPA-PSK) and `AirTouch-Office` (protected with WPA-EAP). The first objective is to compromise the PSK network by capturing and cracking a handshake. After decrypting the captured traffic, the attacker extracts an HTTP session cookie that grants access to an internal router interface. By tampering with the role information in the cookie, the attacker gains administrative access to the web panel and abuses an insecure upload mechanism to achieve remote code execution. This leads to SSH access on the PSK access point and the recovery of certificates needed for the second phase of the attack. With valid certificates, the attacker creates a rogue enterprise access point for `AirTouch-Office` and forces clients to connect to it by repeatedly deauthenticating them from both legitimate APs. Through this process, MSCHAPv2 material is captured and can be cracked. After joining the management network, the attacker accesses the remote host and discovers additional credentials in the `hostapd` configuration. These credentials enable pivoting into a privileged administrative account capable of using `sudo`, leading to full compromise.
