Looks like some old version of pfSense. Default credentials (admin:pfsense) don’t work.

Only http/https ports are opened
Nothing interesting so far
Certificate date
Username is exposed

rohit:pfsense works:

Version: 2.1.3

Now I am authenticated, so I can make use of this CVE
CVE-2016-10709
https://www.exploit-db.com/exploits/39709

exploit-db

https://www.proteansec.com/linux/pfsense-vulnerabilities-part-2-command-injection/

Example of original request

Modifying request to get RCE

I received a netcat connection
It is executed as root
It doesn’t work. I don’t get a netcat connection
Using a dot instead of a slash worked, but that is not my purpose
There is a bad char, so I can’t use slash.

Environment variables may contain a slash, so one of them can be expanded by the shell to inject “/” into the command without the character ever appearing in the request
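The point above is why a character blacklist is the wrong mitigation for command injection: stripping “/” from a parameter does nothing about what the shell rebuilds at execution time. The following Python is an added example written for this post, not code from pfSense or from the writeup; it contrasts the weak filter with an allowlist that never invokes a shell, and adds a small log check a defender can run over web-access lines. The tool name, data directory, parameter name and log lines are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Only plain file-style names are accepted: no slash, no shell syntax.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Shell expansion and metacharacters that a '/'-only blacklist ignores.
SHELL_SYNTAX = re.compile(r"[$`;&|<>(){}\\\n\r]")

# Hypothetical backend invocation; tool name and directory are assumptions.
GRAPH_TOOL = "graphtool"
DATA_DIR = "/var/db/graphs"

# Constructed web-access log lines (not taken from any real system).
SAMPLE_LOG = [
    '10.0.0.5 "GET /graph.php?database=system-cpu.rrd HTTP/1.1" 200',
    '10.0.0.9 "GET /graph.php?database=system-cpu.rrd%3Bid HTTP/1.1" 200',
    '10.0.0.9 "GET /graph.php?database=x%24%7BHOME%7Dtmp HTTP/1.1" 500',
]


def blacklist_filter(value: str) -> str:
    """Weak approach: drop '/' and hand the rest to a shell.

    Anything the shell itself expands (e.g. $HOME, ${PWD}) passes the filter
    untouched and is turned back into a path at execution time.
    """
    return value.replace("/", "")


def is_valid_name(database: str) -> bool:
    """Allowlist check: a short plain name, and not a directory shortcut."""
    return ALLOWED_NAME.fullmatch(database) is not None and database not in (".", "..")


def build_argv(database: str) -> list[str]:
    """Hardened approach: validate against the allowlist, then build an argv
    list so that no shell is involved and no expansion can occur.

    Raises ValueError for anything that is not a plain name, so '$HOME',
    '..' and 'a;id' never reach the process at all.
    """
    if not is_valid_name(database):
        raise ValueError(f"rejected database name: {database!r}")
    return [GRAPH_TOOL, "--source", f"{DATA_DIR}/{database}"]


def suspicious_params(log_line: str) -> list[str]:
    """Return query parameters in one access-log line that carry shell syntax
    or a slash, after percent-decoding. Expected line shape is the one used
    in SAMPLE_LOG: '<ip> "<METHOD> <url> HTTP/1.1" <status>'.
    """
    m = re.search(r'"(?:GET|POST) (\S+) HTTP', log_line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    hits = []
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for v in values:
            if SHELL_SYNTAX.search(v) or "/" in v:
                hits.append(f"{key}={v}")
    return hits


if __name__ == "__main__":
    print("blacklist keeps expansion intact:", blacklist_filter("$HOME"))
    print("allowlist argv:", build_argv("system-cpu.rrd"))
    for line in SAMPLE_LOG:
        print(suspicious_params(line) or "clean", "<-", line)
```

The detection heuristic is deliberately broad (any `$`, backtick, `;`, pipe or brace in a decoded parameter value); on a real log it is a triage filter to feed into review, not a verdict.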

Now I get the output of the find / command

I know the location, so I can use this knowledge to get the content of the flag

I got the root flag

The box is rooted, but I still want to try to get a reverse shell:

I got the reverse shell 🙂

By Marceli
