Sense HTB Writeup

Hi everyone, I am back with another ‘very easy’ level of sense HTB machine writeup.

As always, started a machine with scanning tcp open ports and services. The port 80 redirected me to port 443 which is nothing but a login page of pfsense.

After that, decided to enumerate directories but nothing interesting found.

Tried ‘searchsploit’ to view if the software is associated with any vulnerabilities. Nothing really pops out. Most of the exploits require authentication. So decided to switch back to gobuster.

After that changed the ‘gobuster’ command to include extensions. x: file extension(s) to search for txt & conf to look for any configuration files or text files left by system administrators.

Two files that immediately catch my eye are changelog.txt & system-users.txt.

The username is rohit and the password is the default password pfsense combination worked.

Downloaded the exploit which most closely related to 2.1.3 pfsense.

Let’s look at the exploit to see what it’s doing. It seems that the status_rrd_graph_img.php script is vulnerable to a command injection. To exploit that, the script is passing a simple python reverse shell (with the configuration parameters we pass as arguments) as a command. It does octal encode the reverse shell command which leads me to believe that there is either some form of filtering being done at the backend or the application crashes on certain characters. To sum up, it’s a very simple script that sends a reverse shell back to our attack machine. so setup the listener to receive the shell and run the exploit.

Thanks for reading the writeup, till then happy hacking :)