HTB Sense Write-up

Anirban Chakraborty
5 min read · Oct 14, 2020

Hello everyone!

Illusions or firewall, we’ll break ’em all!!

This is a notes-style write-up about the HTB boxes I managed to compromise by myself. While preparing for "a certain" course, these kinds of boxes are really helpful for gaining experience. Let's jump in!

Abstract

This box is all about deep website enumeration and finding the correct CVE. We start off with very little information about the services running on the box; by gradually enumerating almost everything and piecing together vital pieces of information we finally get a foothold. The funny thing is, the foothold itself is root, so there is no need for lateral movement or privilege escalation (yeet!).

Enumeration

As always, we start with an nmap scan:

nmap -sV -sC -T4 10.10.10.60

Which returned the following for the default set of top ports (commonly the 1 to 1000 range).

It showed only two ports open — effectively just one service, since port 80 redirects to the SSL endpoint on 443, so visiting port 80 lands you on port 443. The web server is pfSense on lighttpd version 1.4.35.

Let's run a full scan to see if any other ports respond. I leave out the -sC flag since it would make the scan incredibly slow; I just want nmap to knock on all ports, and I'll enumerate each of them individually.

nmap -vvv -p- 10.10.10.60

Seems like no other ports are open apart from these two (really one).

Visiting the website, we are greeted with a login page:

Pretty basic, nothing fancy. The first thing to try is obviously default credentials, so I googled "pfSense default creds", which returned this:

Which obviously did not work. After that I tried SQLi, but that did not work either. Next I used wfuzz to brute-force directories; normally I'd use gobuster, but for some strange reason it refused to work.

Here is a snapshot from when wfuzz was finding the directories, but every one of them returned 404 Not Found. It was obvious that we need to authenticate before we can visit any of these:

I tried to find some kind of vulnerability in the website itself using nmap's vuln script category (--script vuln), which automates running the available vulnerability scripts against the site, but that didn't find anything.

The next thing to try is to test for a directory-traversal vulnerability. Apparently there is a directory traversal vulnerability in the pfSense web interface, but unfortunately it did not match the version (we didn't know the version yet). I tried almost all the poking I know of, but nothing happened. Next I started looking for any important files the web developer might have left in the web root. The most important thing now is to look for creds.

I ran wfuzz again, this time adding a .txt extension to the wordlist entries.

Finally some direction!

We find two very interesting files, visiting them gives:

changelog.txt

and…

system-users.txt

Firstly, the security changelog points out that one of three vulnerabilities is still not patched. Secondly, we get a user named "Rohit" who has the "company default" password, which is pfsense. I tried Rohit::pfsense but it didn't work; I tried rohit::pfsense and this time it did. I logged in as "Rohit".

Upon logging in, there was a very vital piece of information at the very top!

The system was running pfSense 2.1.3-RELEASE (amd64).

I immediately searched Google and found multiple vulnerabilities for that version. The one that looked most promising was the remote code execution.

I found a Metasploit module which could be used to exploit it, and I tried that first — it's too easy, so I am not writing about it… you basically enter a few commands and boom, it gives you root. You can find that here; no fun at all. Let's try to understand the exploit code and exploit it manually!

Exploitation

Let's try to understand what causes RCE in the application. I found an amazing explanation here; I'll explain it here too.

The vulnerability arises from the lack of blacklisting of improper and dangerous characters in status_rrd_graph_img.php:

/* this is used for temp name */
if ($_GET['graph']) {
    $curgraph = str_replace(array("<", ">", ";", "&", "'", '"'), "", htmlspecialchars_decode($_GET['graph'], ENT_QUOTES | ENT_HTML401));
} else {
    $curgraph = "custom";
}

The str_replace array blacklists certain characters but misses the "|" symbol (the pipe), which is enough to allow command injection and therefore RCE.
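As an added illustration (not pfSense's code and not from the original post), here is that blacklist side by side with an allowlist check for the same graph parameter; the accepted name pattern and the helper names are assumptions:

```php
<?php
// Added example, not pfSense's own code. It puts the page's blacklist next to
// an allowlist check for the same $_GET['graph'] value. The accepted name
// pattern is an assumption about what a legitimate RRD graph name looks like.

// Vulnerable approach from the page: strip a fixed set of characters. Anything
// not listed, such as "|", passes through untouched.
function sanitize_blacklist(string $graph): string {
    return str_replace(array("<", ">", ";", "&", "'", '"'), "",
        htmlspecialchars_decode($graph, ENT_QUOTES | ENT_HTML401));
}

// Hardened approach: accept only values matching a strict pattern and reject
// everything else, so a "forgotten" metacharacter cannot slip through.
function is_valid_graph_name(string $graph): bool {
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,64}$/', $graph);
}

// How the check would sit at the top of the script (assumed placement).
function current_graph(array $get): string {
    if (!isset($get['graph'])) {
        return "custom";
    }
    if (!is_valid_graph_name($get['graph'])) {
        http_response_code(400);
        exit("invalid graph parameter");
    }
    // Even a validated value should never be spliced into a shell command
    // string; if a shell is unavoidable, wrap it with escapeshellarg().
    return $get['graph'];
}

// Constructed sample values; "bad|x" stands in for any input carrying a pipe.
foreach (array("custom", "system-processor", "bad|x") as $g) {
    printf("%-20s blacklist keeps %-20s allowlist: %s\n",
        var_export($g, true), var_export(sanitize_blacklist($g), true),
        is_valid_graph_name($g) ? "accept" : "reject");
}
```

Running it shows the blacklist returning "bad|x" unchanged while the allowlist rejects it, which is the whole difference between the two approaches.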

This Python script sends an encoded reverse shell payload to exploit that vulnerability after authenticating the user. This exploit only works for non-root users.

Let’s examine it:

43560.py

It navigates to the vulnerable PHP script, then sends a *NIX command (in this case a reverse shell) using printf and pipes ("|") the output to sh (the command shell), which then executes it. Careful: this payload is carefully encoded, first in hex and then in octal. Such are the pains of exploiting web vulnerabilities.

I ran the script with netcat listening in another window, waiting for a connection. "STARBURST STREAM!!":

We got a connection back.

Escalation

It is obvious from the ‘#’ symbol that we already have root access:

1337root1337

Conclusion

This box was rather smooth sailing, but the amount of brute-forcing of the website to find files was huge. This teaches that you should leave no stone unturned while enumerating. Overall a very fun box which helped me a lot in building my thought process for tackling a box. It was kinda funny that there was no priv-esc part. That's why this box has more root owns than user owns on HTB, lol!
