twitter

Hack The Box: Sense

Difficulty: Medium

Machine Creator: lkys37en

Tools Used:

NMAP
Gobuster
Searchsploit
Burp Suite
Python

 

Task: To find User.txt and Root.txt

 

Network Enumeration

Let’s start with an NMAP scan.

nmap -sV -sC 10.10.10.60


From the nmap scan we can see two ports open 80 and 443.

 

HTTP(S)


When we try to access HTTP site, we get redirected to https. This website is the login for the PF Sense firewall.

 

Gobuster


Running a gobuster scan, we can see a file named system-users.txt.

 


When we look at the system-users.txt file we see a username of rohit. The password says company defaults and the default password is pfsense.

 


Using the login that was found, we can log into the web interface.

Searchsploit

https://www.proteansec.com/linux/pfsense-vulnerabilities-part-2-command-injection/


Now that we have access to pfsense we can search for exploits. After some research, I found that 39709 remote code execution to be successful.

Burp


To find out the GET request, we can route our browser through burp and then view the image. Status – RRD Graph – Then right click on the graph image and view image.

 


Now that we have the GET request we can send this over to repeater and clean it up.

 


After editing the GET request we need to open a netcat listener, and then we can click on go we get in return the command that we ran hostname. This verifies that we have remote command execution on the host.

Reverse Shell

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet


For our reverse shell, we need to go to pentestmonkey and get the python reverse shell and write it to a file on our local machine.

 


Wrote the python reverse shell to a file I just called it rshell.

Root Shell


Now that we have the python reverse shell script we can create a new netcat listener on port 1234, then edit our initial netcat listener adding the “< rshell ” and finally modify our GET request so it first executes netcat and then runs python which will run the rshell script. I did have an issue the first netcat on port 1337 something got hung up and didn’t complete until I canceled it (ctrl+z).

User.txt and Root.txt


With our root shell, we can read both the user.txt and root.txt.