HTB Sense (Linux) Write-up — Simple python script for brute forcing

I followed a walk-through video by IppSec to crack the Sense box on HTB.

Source: https://www.youtube.com/watch?v=d2nVDoVr0jE

This write-up demonstrates how I got the root flag and how IppSec introduced one way to write a python script that brute forces credentials with the help of Burp Suite.

  1. Using a CVE to root the machine.

Gobuster time!

gobuster dir -u https://10.129.168.90 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -x txt > gobusteroutput.txt

Two txt files were found:

  • changelog.txt
  • system-users.txt

system-users.txt contains some login info.

pfSense < 2.1.4 — ‘status_rrd_graph_img.php’ Command Injection — PHP webapps Exploit (exploit-db.com)

Ran the exploit with the valid options while running an nc listener on our end.

And we are root! This was pretty simple, except that I learned a few gobuster options along the way. Now we will practice writing a brute-force python script.

Brute forcing with a python script

  1. Open Burp and intercept the login traffic.

What fields are needed? The intercepted POST body shows them:

__csrf_magic=sid%3Ae02ae44bc2489bbc39bff40036d2cd98829d6bef%2C1643129962&usernamefld=aaaa&passwordfld=bbbb&login=Login$

  2. Create a python script.

  • Now we modify the script to capture the CSRF token (__csrf_magic) that we need for every request.

A weird warning (InsecureRequestWarning) appears in the output:

How do we get rid of it?

I found this solution (https://stackoverflow.com/questions/27981545/suppress-insecurerequestwarning-unverified-https-request-is-being-made-in-pytho) and added the lines it suggests to our script.

The warning disappeared!

  • Now we can make a POST request and pass the cookies as a dictionary.

We can confirm the request was made properly because the response contains the incorrect-credentials error.

Let's look at this request in Burp:

- Change the request target to 127.0.0.1 (https to http), and remove the insecure-request warning suppression and the SSL verification bypass, since the script now talks plain HTTP to Burp.

In Burp, go to Options > Bind to port 80 > Request handling > Redirect to host 10.129.168.197 (the victim) and tick "Force use of SSL" and "Intercept Server Responses".

What happens if we successfully login?

Try using interactive python (ipython):
- Open ipython (installation guide: https://ipython.org/install.html).
- Paste the code.
- Once you execute it, you can inspect the response object with r.<attribute>, e.g. r.cookies, r.content, etc.

Now, create a password list that contains the actual password to check that the brute force works.
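The brute force above only works because the webConfigurator keeps answering login attempts; on the defending side the same burst stands out in the auth log. The following Python script is an added example, not code from this post or from IppSec's video. It parses constructed syslog-style lines (the message wording, hostname, PID, users, IPs and the assumed year are all made up, loosely modelled on pfSense's webConfigurator messages, and were not captured from the box), flags a source that fails more than a threshold of logins inside a sliding window, and escalates when a successful login follows such a burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from the HTB box). The format is
# an assumption modelled on pfSense webConfigurator syslog messages.
SAMPLE_LOG = """\
Jan 25 17:39:10 pfSense php-fpm[338]: /index.php: webConfigurator authentication error for user 'admin' from: 10.10.14.5
Jan 25 17:39:11 pfSense php-fpm[338]: /index.php: webConfigurator authentication error for user 'admin' from: 10.10.14.5
Jan 25 17:39:11 pfSense php-fpm[338]: /index.php: webConfigurator authentication error for user 'admin' from: 10.10.14.5
Jan 25 17:39:12 pfSense php-fpm[338]: /index.php: webConfigurator authentication error for user 'admin' from: 10.10.14.5
Jan 25 17:39:12 pfSense php-fpm[338]: /index.php: webConfigurator authentication error for user 'admin' from: 10.10.14.5
Jan 25 17:39:13 pfSense php-fpm[338]: /index.php: Successful login for user 'admin' from: 10.10.14.5
Jan 25 17:45:02 pfSense php-fpm[338]: /index.php: webConfigurator authentication error for user 'svc-backup' from: 192.168.1.20
Jan 25 17:58:40 pfSense php-fpm[338]: /index.php: webConfigurator authentication error for user 'svc-backup' from: 192.168.1.20
"""

# Syslog timestamps carry no year; assume one (constructed value).
ASSUMED_YEAR = 2022

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: \S+: "
    r"(?P<event>webConfigurator authentication error|Successful login) "
    r"for user '(?P<user>[^']*)' from: (?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict with ts/failed/user/src for a login event, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "failed": m["event"].startswith("webConfigurator"),
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detector: per source IP, count failed logins within
    `window`. Emit one alert when the count reaches `threshold`, and a
    higher-severity alert if a success follows while the burst is still
    inside the window (a sign the guessing worked)."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []  # (kind, src, user, failure_count, ts)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated log line
        q = failures[ev["src"]]
        # Drop failures that have aged out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["failed"]:
            q.append(ev["ts"])
            if len(q) == threshold:  # fire once per crossing, not per attempt
                alerts.append(("bruteforce", ev["src"], ev["user"], len(q), ev["ts"]))
        elif len(q) >= threshold:
            alerts.append(("success-after-bruteforce", ev["src"], ev["user"], len(q), ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, src, user, count, ts in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ts} {kind}: {src} user={user} failures_in_window={count}")
```

Run against the sample, the script raises one "bruteforce" alert for 10.10.14.5 on its fifth failure and one "success-after-bruteforce" alert on the login that follows; the two failures from 192.168.1.20 are thirteen minutes apart and never reach the threshold. In practice you would feed it the real log lines, adjust the regex to the exact message format of your version, and tune the threshold and window to your own login volume.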


HTTPS://Gorigorisensei.com
