HTB: Sense Writeup w/o Metasploit

cyber shinobii
4 min read · Jan 3, 2022

This was a very easy box to work with. It could have been popped within an hour, but it took me two days because of network connectivity to the box. My scans kept timing out the first night I was working on it. I came back to it the next morning and everything was working fine.

Nonetheless, the first thing I did here was start my nmap jutsu. Ports 80 and 443 came back as open. Before checking out the web page, I tried to start my gobuster jutsu, but for some reason it would not work. I tried running it against both port 80 and port 443. If we come to a dead end, I will run another directory scan with other tools. For now, I will move forward with ports 80 and 443.

Let us see what is on ports 80 and 443. It looks like the web server is a bit buggy. It may be my connection (I doubt it), but it takes forever for the web page to load. I actually got an error message instead of a web page. I tried pinging the box and did not get a response for about a minute. Now I can see the web page.

Looks like we get a login screen for pfSense when accessing 10.10.10.60 over HTTPS. Visiting https://10.10.10.60 gives us the screenshot above. Visiting https://sense.htb gives us the screenshot below. I tried the default creds for pfSense (admin:pfsense), but that failed.

FYI, I checked the certificate for any useful information and found nothing.

Not much info from the web pages here. I went back to my gobuster scans and assumed gobuster was not working because I kept getting connection errors. Gobuster was not working for some reason (I explain later). I just moved along and started enumerating the service running on port 80, but I could not find a working exploit for it.

My connection was just acting up all day with this box. I could not do much without it timing out on me. This made it almost impossible for me to work with it, so I left it for the night and came back to it the next morning. Now my gobuster scans are working perfectly and there are a few hits. One of them was extremely useful because it had credentials in it (system-users.txt); the other talked about unpatched vulnerabilities (changelog.txt).

The system-users.txt file gave the credentials to pfSense.

Using rohit as the username and pfsense as the password allowed us to authenticate successfully.

Exploitation

Once I was logged in, I could see the pfSense version number.

Searchsploit returned one Python script.

This script exploits the way pfSense handles data passed in as a database value. The database value does not appear to be properly sanitized, so the Python script sends a reverse shell payload as the database value.

The script is simple to use; the arguments it needs are documented in the script itself. You will need the rhost, lhost, lport, username, and password for pfSense. Before you execute the script, make sure you have a listener on the lport you select.

In the screenshot above, you can see the script executed in the top pane. The bottom pane is the shell we got back, and fortunately it is running as root. So from here we can go and collect our flags.

AAR

This was one of the easiest boxes I have worked with on HTB. The only real issue I had with it was the connection timeouts, which were pretty annoying. Nonetheless, the first key takeaway for preventing this kind of compromise in the future is securing the login credentials: they should never sit in a plain-text file served from the web root.

The second is upgrading to a patched version of pfSense, which would stop the exploit we used from working. I hope you enjoyed reading this writeup. Here is a video walkthrough for this box.
