AirTouch is an easy-difficulty HackTheBox machine that simulates a multi-network environment with wireless VLANs. The objective is to pivot from an initial foothold on a consultant's machine through a tablet VLAN, then to a corporate VLAN, ultimately capturing the root flag. This walkthrough emphasizes real-world techniques: SNMP enumeration, WPA2-PSK cracking, router exploitation, certificate theft, and an evil twin attack against WPA2-Enterprise.
Key Learning Outcomes:
airodump-ng, aireplay-ng, and aircrack-ng
A standard TCP scan reveals only port 22 (SSH). To uncover hidden services, we perform a UDP scan:
sudo nmap -sU --top-ports 1000 <target_ip> -oN udp_scan.txt
Result: Port 161/udp (SNMP) is open.
SNMP versions 1 and 2c use community strings as passwords. The default read-only string is public. We use snmpwalk to query the system:
snmpwalk -v 2c -c public <target_ip> 1.3.6.1.2.1.1.5.0
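The same weakness can be caught from the defender's side during configuration review. The script below is an added example, not part of the original walkthrough: it audits a Net-SNMP snmpd.conf for default community strings, unrestricted sources, and write access. The sample configuration is constructed, and the finding labels are names chosen for illustration.

```python
# Added example: audit Net-SNMP snmpd.conf for weak v1/v2c community settings.
DEFAULT_COMMUNITIES = {"public", "private"}      # well-known default strings
OPEN_SOURCES = {"default", "0.0.0.0/0", "::/0"}  # any host may query the agent
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

def parse_community_line(line):
    """Return (community, source, writable) for a v1/v2c directive, else None."""
    tok = line.split("#", 1)[0].split()          # drop trailing comments
    if not tok:
        return None
    directive = tok[0].lower()
    if directive in COMMUNITY_DIRECTIVES and len(tok) >= 2:
        # Syntax: rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]
        source = tok[2] if len(tok) > 2 else "default"
        return tok[1], source, directive.startswith("rw")
    if directive in ("com2sec", "com2sec6"):
        args = tok[1:]
        if args[:1] == ["-Cn"]:                  # optional "-Cn CONTEXT" prefix
            args = args[2:]
        if len(args) >= 3:                       # SECNAME SOURCE COMMUNITY
            # Write access for com2sec is granted elsewhere (access/view lines).
            return args[2], args[1], False
    return None

def audit_snmpd_conf(text):
    """Return a list of (line_number, finding_label) tuples."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_community_line(line)
        if parsed is None:
            continue                             # SNMPv3 users and other directives
        community, source, writable = parsed
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((no, "default-community"))
        if source.lower() in OPEN_SOURCES:
            findings.append((no, "unrestricted-source"))
        if writable:
            findings.append((no, "write-access"))
    return findings

# Constructed sample configuration (not taken from the target machine).
SAMPLE = """\
# constructed sample snmpd.conf
agentAddress udp:161
rocommunity public
rwcommunity S3cr3tStr1ng 10.0.0.0/24
com2sec -Cn ctx readonly default public
rocommunity m0nit0r-9fk2 192.0.2.10
rouser monitor authPriv
"""

if __name__ == "__main__":
    for no, issue in audit_snmpd_conf(SAMPLE):
        print(f"line {no}: {issue}")
```

Lines that define only SNMPv3 users (such as rouser) produce no findings, since they do not rely on community strings.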