HTB AirTouch

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://0xdf.gitlab.io/2026/04/18/htb-airtouch.html
• Blog Title: HTB: AirTouch
• Suggested Section: Network Services Pentesting -> 161/162 UDP - Pentesting SNMP; Pentesting Wifi -> WPA/WPA2 (handshake capture/deauth/crack + wpa_supplicant); Pentesting Web -> Cookies Hacking / Session Hijacking; Pentesting Web -> File Upload (extension blacklist bypass: .phtml)

🎯 Content Summary

Title/Context
HackTheBox “AirTouch” (Linux, Medium; released 2026-01-17, retired 2026-04-18) simulates a wireless enterprise with VLANs/SSIDs. The attack chain begins with UDP/161 SNMP leaking a default SSH password, leading to a “consultant” shell in a container with virtual Wi-Fi radios. The attacker captures/cracks a WPA2-PSK 4-way handshake to join the Tablets VLAN (192.168.3.0/24), decrypts 802.11 traffic in Wireshark to steal router web session cookies, then abuses a client-s...

🔧 Technical Details

SNMP info-leak trick: If SNMP is exposed (UDP/161) and uses a weak/known community (often public), enumerating communities with onesixtyone and dumping with snmpwalk -v 2c -c <community> can reveal sensitive data when admins mistakenly place secrets in informational OIDs (e.g., SNMPv2-MIB::sysDescr.0), enabling credential recovery and lateral movement (SSH, etc.).

Protocol-aware UDP discovery: Because UDP has no handshake, generic scanners can miss services. Use protocol-aware probes (e.g., udpx -t <target>) to quickly elicit responses from common UDP services (SNMP, etc.), then validate with targeted enumeration (nmap scripts, snmpwalk).

WPA2-PSK compromise workflow: With an active client, force reauth via deauthentication (aireplay-ng --deauth) while capturing on the target channel/BSSID (airodump-ng --channel X --bssid <AP> -w capture). Crack th...

🤖 Agent Actions

I’m analyzing the AirTouch writeup against existing HackTricks content, then I’ll map the techniques to the most specific existing pages before making any edits.
I’ve identified likely existing targets in SNMP, Wi‑Fi, cookies, upload, and tunneling sections. Next I’m verifying the original post and reading the relevant HackTricks pages in parallel to avoid duplicating content.
I’ve finished the first pass over the relevant sections. Now I’m checking whether the exact additions are already present, especially .phtml blacklist bypass, WPA2 decryption-to-cookie theft, and SNMP secrets in sysDescr.
The overlap check is clear now: most of the SNMP, cookie, upload, and proxying pieces already exist, but the Wi‑Fi page is missing the operational step after cracking the PSK: joining the SSID with wpa_supplicant and decrypting captured HTTP to recover sessions. I’m going to keep the change to a single file and add only that missing material.
I’m editing src/generic-methodologies-and-resources/pentesting-wifi/README.md now. The change is scoped to one new subsection covering post-crack association and Wi‑Fi traffic decryption, plus the blog reference at the end.
The first patch is in. I’m doing a verification pass now, including the internal ref path and the file-ending structure, because this repo is sensitive to broken links and misplaced ## References sections.
Updated README.md with the only non-duplicative material from the AirTouch post that wasn’t already covered well in HackTricks: the practical post-crack WPA2 workflow.

The new section adds:

• joining a cracked WPA2-PSK network with wpa_passphrase, wpa_supplicant, and dhclient
• decrypting previously captured 802.11 traffic in Wireshark using the recovered PSK
• the follow-on risk of recovering HTTP session cookies from plaintext application traffic
• an internal ref to the cookie abuse page
• the AirTouch blog URL in ## References

I did not add SNMP, cookie-role, .phtml, or SOCKS pivot content because those techniques are already documented in existing HackTricks pages, and the repo instructions required keeping this update in a single file. Verification was done with git diff and a path check on the internal ref.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2026/04/18/htb-airtouch.html

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting -> 161/162 UDP - Pentesting SNMP; Pentesting Wifi -> WPA/WPA2 (handshake capture/deauth/crack + wpa_supplicant); Pentesting Web -> Cookies Hacking / Session Hijacking; Pentesting Web -> File Upload (extension blacklist bypass: .phtml)".

Repository Maintenance:

• MD Files Formatting: 972 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0