Hacking
  • Penetration Testing
  • Methodologies
    • Exfil
    • Manual Enumeration
    • Basic Buffer Overflow
    • Basic Internal Network test
    • Basic Mobile Testing guide
    • Basic Subdomain Enumeration guide
  • Guides
    • Build A Raspberry Pi Dropbox
    • Golang
    • Powershell / PowerView
    • PurpleSharp
  • Hack The Box last updated - 2019
    • Legacy
    • Devel
    • Optimum
    • Popcorn
    • Beep
    • Tenten
    • Arctic
    • Cronos
    • Grandpa
    • Granny
    • October
    • Lazy
    • Sneaky
    • Holiday
    • Blocky
    • Shrek
    • Blue
    • Joker
    • Europa
    • Haircut
    • Bank
    • SolidState
    • Mantis
    • Shocker
    • Tally
    • Sense
    • Jeeves
    • Stratosphere
    • Inception
    • Bashed
    • Fluxcapacitor
    • Canape
    • Rabbit
    • Chatterbox
    • Nibbles
    • Sunday
    • Aragog
    • Valentine
    • Silo
    • Olympus
    • Poison
    • Celestial
    • Waldo
    • Jerry
    • Access
    • Active
    • Netmon
  • scriptz
  • Issues
    • gists
    • Boring Issues
Powered by GitBook
On this page
  • Sense - 10.10.10.60
  • Ports / Services / Software Versions Running
  • Vulnerability Exploited:
  • Exploiting the host:
  1. Hack The Box last updated - 2019

Sense

PreviousTallyNextJeeves

Last updated 6 years ago

Sense - 10.10.10.60

Target Enumeration:

OS: Linux

IP: 10.10.10.60

User: 8721327cc232073b40d27d9c17e7348b

Root: d08c32a5d4f8c8b10e76eb51a69f1a86

Ports / Services / Software Versions Running

80/tcp open http lighttpd 1.4.35

443/tcp open ssl/http lighttpd 1.4.35

Vulnerability Exploited:

pfSense, a free BSD based open source firewall distribution, version <= 2.2.6 contains a remote command execution vulnerability post authentication in the _rrd_graph_img.php page. The vulnerability occurs via the graph GET parameter. A non-administrative authenticated attacker can inject arbitrary operating system commands and execute them as the root user. Verified against 2.2.6, 2.2.5, and 2.1.3.

Exploiting the host:

Nmap

Gobuster:

Website is pfsense

Changelog.txt gives us some information to consider when exploiting

Checking searchsploit gives us the following to consider:

Most do not work authenticated so we need credentials:

Changing our wordlist we discover a new set of credentials:

Default password is pfsense

Load metasploit with and set the following options and execute to get root:

Get root & collect the user flag.