Linux Boxes

Sense

  1. nmap
  2. http
    1. gobuster
      1. /themes
      2. /changelog.txt
      3. /system-users.txt
    2. ssl cert
  3. Rohit pfsense login
    1. version
      1. searchsploit
        1. cmd injection exploit
        2. exploit run
  4. user/root
  5. lessons learned

Sense

images/327-1.png
images/327-2.png

nmap

images/328-1.png
Note that http and https are the only services running.

http

The main page brings us straight to a login page. Since pfSense is a known COTS (commercial-off-the-shelf) product, it most likely has fail2ban, which will lock out any online brute-force attempts at authentication, so let's come back here once we have some creds we can pass.

images/1958-1.png
images/1958-2.png

gobuster

Running gobuster with the following command (the wordlist path and the -x txt extension match the run banner below):
gobuster dir -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt

yields two non-redirect (200) files, /changelog.txt and /system-users.txt, that stand out from the 301 directories


===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://10.10.10.60
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2020/02/29 18:25:51 Starting gobuster
===============================================================
https://10.10.10.60/themes (Status: 301)
https://10.10.10.60/css (Status: 301)
https://10.10.10.60/includes (Status: 301)
https://10.10.10.60/javascript (Status: 301)
https://10.10.10.60/changelog.txt (Status: 200)
https://10.10.10.60/classes (Status: 301)
https://10.10.10.60/widgets (Status: 301)
https://10.10.10.60/tree (Status: 301)
https://10.10.10.60/shortcuts (Status: 301)
https://10.10.10.60/installer (Status: 301)
https://10.10.10.60/wizards (Status: 301)
https://10.10.10.60/csrf (Status: 301)
https://10.10.10.60/system-users.txt (Status: 200)
https://10.10.10.60/filebrowser (Status: 301)
https://10.10.10.60/%7Echeckout%7E (Status: 403)
===============================================================
2020/02/29 18:39:20 Finished
===============================================================
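As an added example (not part of the original writeup), a small Python triage of the gobuster output above: 301 directory redirects are noise, while anything served directly with 200 and a file extension (here changelog.txt and system-users.txt) is an information-disclosure finding that a defender should remove from the webroot. The sample lines are copied from the scan above; the parsing is my own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the gobuster lines from the scan above.
GOBUSTER_OUTPUT = """\
https://10.10.10.60/themes (Status: 301)
https://10.10.10.60/css (Status: 301)
https://10.10.10.60/changelog.txt (Status: 200)
https://10.10.10.60/classes (Status: 301)
https://10.10.10.60/system-users.txt (Status: 200)
https://10.10.10.60/filebrowser (Status: 301)
https://10.10.10.60/%7Echeckout%7E (Status: 403)
"""

# gobuster v3 "dir" mode prints: <url> (Status: <code>)
LINE_RE = re.compile(r"^(?P<url>https?://\S+)\s+\(Status:\s*(?P<code>\d{3})\)")


def parse_gobuster(text):
    """Return a list of (url, status_code) tuples, skipping banner lines."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m.group("url"), int(m.group("code"))))
    return hits


def _last_segment(url):
    """Path component after the host, e.g. 'changelog.txt' or 'themes'."""
    parts = url.split("/", 3)
    return parts[3].rsplit("/", 1)[-1] if len(parts) == 4 else ""


def triage(text):
    """Group hits by status and list files served directly with 200.

    A 200 on a name with an extension is a readable file left in the
    webroot (changelog.txt, system-users.txt); 301s are just directories.
    """
    by_status = defaultdict(list)
    for url, code in parse_gobuster(text):
        by_status[code].append(url)
    exposed_files = [u for u in by_status[200] if "." in _last_segment(u)]
    return dict(by_status), exposed_files
```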

/themes

Nothing here.
images/716-1.png

/changelog.txt

Shows us there's a vulnerability in this pfSense version that is potentially exploitable:


images/718-1.png

/system-users.txt


images/719-1.png

Default pfSense password? Let's google it.
images/719-2.png

ssl cert

images/715-1.png

The cert details unfortunately do not disclose any users or emails.
images/715-2.png

Rohit pfsense login

Let's plug in user rohit with the default password of pfsense:

images/720-1.png

And we're in.

images/720-2.png

version

At the bottom of the dashboard is the pfSense version the server is running.

images/721-1.png

searchsploit

Let's run searchsploit on pfSense version 2.1.3.

images/722-1.png

This command injection exploit looks promising; let's take a look at what it does.

cmd injection exploit

Let's look at the code.
images/723-1.png

images/723-2.png

images/723-3.png

The exploit takes the following arguments:
  --rhost: Sense's IP, 10.10.10.60
  --lhost: our attacking box, 10.10.14.62 (change this to your tun0 IP)
  --lport: the port we want to listen on, 1234
  --username: the pfSense user, rohit
  --password: their password, pfsense

exploit run

First, let's copy the file into our working directory and run it.

images/724-1.png

I renamed it to exploit.py.
images/724-2.png

Now let's plug in the variables and run it!

images/724-3.png

And we're root!
images/724-4.png

user/root

images/725-1.png
8721327cc232073b40d27d9c17e7348b#

images/725-2.png
d08c32a5d4f8c8b10e76eb51a69f1a86

lessons learned

Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/

images/1957-1.png