HacktheBox - Sense Writeup

09/12/2019

Zero to OSCP Hero Writeup #17 - Sense

Reconnaissance

1. Nmap Scan - Common Ports TCP Scan

Let's start with a TCP scan of the target ip address to determine which common ports are open and which services are running on those ports:

nmap -sC -sV -oA nmap/initial.tcp 10.10.10.60

-sC: Run the default nmap script scan to find potential vulnerabilities
-sV: Detect the service version
-oA: Output the result of the scan in all formats as nmap/initial.tcp

From the scan we can see that there is only ports 80 and 443 open, with all traffic redirected from port 80 HTTP to HTTPS on port 443.

2. Nmap Scan - All TCP Ports Scan

Okay, lets scan the entire TCP port range to confirm that there are no other ports open:

nmap -sC -sV -p- -oA nmap/full.tcp 10.10.10.60

-sC: Run the default nmap script scan to find potential vulnerabilities
-sV: Detect the service version
-p-: Run the nmap scan against all ports
-oA: Output the result of the scan in all formats as nmap/full.tcp

The full TCP scan confirmed that there are no additional ports open.

3. Nmap Scan - All UDP Ports Scan

We can do the same full port scan, but with the UDP ports:

nmap -sU -p- -oA nmap/full.udp 10.10.10.60

-sU: Run the scan against UDP ports
-p-: Run the nmap scan against all ports
-oA: Output the result of the scan in all formats as nmap/full.tcp

The full UDP scan confirmed that there are no additional ports open.

Enumerating Port 80/443

1. Browse to https://10.10.10.60

So when we browse to 10.10.10.60 on port 80, we are redirected to port 443 and as suspected by the name of the box, we are at a pfSense firewall login page

1.1 Trying Default Credentials

After a quick google, i found that the defaulyt pfSense credentials are admin:pfsense, but these didnt work along with other basic combinations.

2. Gobuster

Lets run a gobuster scan on the target to see if there any hidden directories/files

gobuster dir -k -u https://10.10.10.60 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x txt

dir: Search for directories
-k: Dismiss any X509 certificate warnings
-u: URL to scan
-w: Wordlist to use against the target
-x: File Extensions to search for

Okay, so Gobuster has found two interesting files; changelog.txt and system-users.txt:

So it seems then that the pfSense firewall is out of date and is vulnerable to a known exploit of some kind but to exploit the firewall, we need to determine the firewall version.

And we now have a valid logon! As we can see, the username is Rohit and the password is 'Company Defaults' which is pfSense.

3. Login to Firewall

After logging in with the creds rohit:pfsense we find ourselves at the firewall dashboard.

And as you can see, it gives us the key piece of information we require to find the exploit for the firewall:

4. Searchsploit

Lets see what searchsploit can find when we search for pfsense vulnerabilities:

searchsploit pfsense

A couple exploits stick out as possibilities, as they allow us to run commands which may allow us to get a foothold on the machine, lets take a look at the exploit that affects our version first, <2.1.4 Command Injection.