CTF Walkthroughs, Hack The Box

Hack The Box – Sense Walkthrough

July 22, 2021 | by Stefano Lanaro | Leave a comment

Introduction

This was an easy BSD box that involved identifying user credentials for a pfSense instance and exploiting a known command injection vulnerability affecting the product to gain root-level access on the machine.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, and using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions

The scan has found two open ports: 80 (HTTP) and 443 (HTTPS)

Enumerating HTTP

When accessing the site on port 443, a pfSense login page is displayed;

The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:

  • dir to specify the scan should be done against directories and files
  • -u to specify the target URL
  • -k to ignore self-signed certificates
  • -w to specify the word list to use
  • -x to specify the extensions to enumerate
  • -t to specify the number of concurrent threads

The Gobuster scan has found a few useful entries, such as changelog.txt and system-users.txt.

When navigating to changelog.txt, it mentions some vulnerabilities being fixed:

When navigating to system-users.txt, it mentions a username, which could be useful later on:

Did a quick Google search to find out the pfSense default credentials:

Authenticating with the username found earlier and with the default pfSense password:

The authentication was successful. The web server seems to be running pfSense version 2.1.3

Using SearchSploit to identify known vulnerabilities in this version of pfSense:

There seems to be a proof of concept that exploits a command injection vulnerability affecting pfSense. Mirroring the exploit:

Executing the exploit to view the required arguments. It requires the remote host and port, the local host and port to be used for the reverse shell and the credentials to be used to authenticate into pfSense:

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Executing the exploit, providing all of the required arguments:

A callback was received on the Netcat listener, providing a root-level shell.

Conclusion

This was probably one of the easiest machines on Hack The Box, mainly because no privilege escalation was required, but still pretty fun and it is always ironic to see how sometimes software that is born as security products turn into an actual vulnerability.