Hack The Box - Sense



All of my Hack The Box adventures are happening in a Kali Linux lab in NAT mode on VMWare Workstation Player. Kali Linux is free and robust, filled with many common hacking tools like nmap, Dirbuster, Gobuster, John the Ripper, Hydra, Nikto, Netcat, and so many moreā€¦

Sense

senselogo.png

Sense is classified as easy. Let’s see if that makes any “sense”.

Enumeration

nmap

My nmapLaunch script runs the -T4, -A, and -p- switches…

nmap.png

80 and 443 are the only ports open, and indeed dropping the IP into a browser redirects to port 443 and a login page for PFSense, an open-source firewall/router software solution.

page.png

Well, that makes “sense”.

Dirbuster

dirb1.png

Directory brute-forcing with Dirbuster returned two interesting findings using the medium wordlist.

dirb2.png

changelog.png

systemuser.png

Foothold

Okay, so it’s not fully patched, and now I have a username and a hint for the password. A little Google-fu says that the default PFSense password is pfsense. Logging in, I get a standard dashboard page with no significant interaction, although it does divulge that it’s version 2.1.3.

loggedin.png

Exploit

This calls for a little more Google-Fu. I search for PFSense exploit, and get an Exploit-DB hit for PFSense versions 2.1.4 and older. Reviewing the code, it’s a command injection script that alters the status_rrd_graph_img.php file. There is indeed an RRD Graph page on the status menu for the dashboard. The script is also authenticated, so good thing I have the creds.

script.png

Shell

I set up a netcat listener, and fire off the script…

script2.png

…and got a root shell!

shell.png

Flags

It’s easy to capture both flags without much further ado.

flags.png

This is where I’ll end this walkthrough. Of course, having root I could do so much more.

Review

This box offered practice for the basics.

  • Enumeration
  • Google-Fu
  • Script analysis

Happy hacking!

Sunday, September 26, 2021 by dobrohaxxor
Add a comment (6269 views)