Hack the Box – Sense Walkthrough

ctf
hackthebox
writeups
walkthrough

Today we’re going to solve another CTF machine, “Sense”. It is now a retired box and is only accessible if you’re a VIP member.

Specifications

  • Target OS: FreeBSD
  • IP Address: 10.10.10.60
  • Difficulty: Medium

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step we identify the target to see what is running behind the IP address.

nmap -sS -sU -T4 -A -v 10.10.10.60

80/tcp  open  http     lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
443/tcp open  ssl/http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Login
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after:  2023-04-06T19:21:35
|_ssl-date: TLS randomness does not represent time
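A defender-side reading of this scan output, as an added example that is not part of the original walkthrough: it parses the nmap lines above (embedded as a constructed sample), groups the NSE script output under each port, and flags the server version disclosure, the untouched placeholder certificate subject and, given a reference date, whether the certificate has expired. The placeholder-subject list and the finding labels are my own assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the service lines of the nmap scan shown in the walkthrough.
NMAP_OUTPUT = """\
80/tcp  open  http     lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
443/tcp open  ssl/http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Login
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after:  2023-04-06T19:21:35
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# Subjects typical of an untouched, auto-generated appliance certificate (assumed list).
PLACEHOLDER_CN = ("Common Name (eg, YOUR name)", "localhost")


def parse_ports(text):
    """Group 'port/proto state service version' lines with the NSE script lines below them."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip(), "scripts": []})
        elif line.startswith("|") and ports:
            # "| " and "|_" prefixes mark continuation and last line of a script's output
            ports[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return ports


def review(text, now_iso=None):
    """Turn the parsed scan into (port, finding) pairs a defender would want to act on."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now()
    findings = []
    for p in parse_ports(text):
        for s in p["scripts"]:
            if s.startswith("ssl-cert:") and any(cn in s for cn in PLACEHOLDER_CN):
                findings.append((p["port"], "default self-signed certificate with placeholder subject"))
            elif s.startswith("Not valid after:"):
                expiry = datetime.fromisoformat(s.split(":", 1)[1].strip())
                if expiry < now:
                    findings.append((p["port"], "certificate expired"))
            elif s.startswith("http-server-header:"):
                findings.append((p["port"], "server version disclosed: " + s.split(":", 1)[1].strip()))
    return findings
```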

Nmap reveals lighttpd running on ports 80 and 443, with port 80 redirecting to HTTPS. Let’s enumerate directories.

Enumeration

Browsing the web root reveals a pfSense login page. The pfSense default credentials admin:pfsense didn’t work. pfSense is an open source firewall, so if we try to brute force the login we might get blocked; let’s not consider that an option and move forward. Let’s enumerate and look for hidden directories and files.


Dirbuster

I started DirBuster searching for .php extensions, but everything redirected back to the login page. So I looked for .txt files instead and came across two interesting files:

https://10.10.10.60/changelog.txt
https://10.10.10.60/system-users.txt

And we found credentials inside system-users.txt:

####Support ticket###

Please create the following user

username: Rohit
password: company defaults

So we have a username/password pair for pfSense: rohit:pfsense

Exploitation

There are multiple ways to exploit this machine; let’s go through one of them.

https://www.rapid7.com/db/modules/exploit/unix/http/pfsense_graph_injection_exec

exploit/unix/http/pfsense_clickjacking
exploit/unix/http/pfsense_graph_injection_exec
exploit/unix/http/pfsense_group_member_exec

id
uid=0(root) gid=0(wheel) groups=0(wheel)
wc -c /home/rohit/user.txt
      32 /home/rohit/user.txt
wc -c /root/root.txt
      33 /root/root.txt