🕵 HTB-Writeup : SENSE

Recon
nmap
Trying the default pfSense credentials on the login page (https://10.10.10.60/index.php):
- Admin:pfsense
- root:pfsense
Neither works.
dirbuster

Result of the dirbuster scan
We find a changelog file at https://10[.]10[.]10[.]60/changelog.txt that leaks information about 3 vulnerabilities on the system. Only two have been patched.
Visiting https://10[.]10[.]10[.]60/system-users.txt, we find a support ticket referencing the creation of a user.
We get a first user, Rohit, whose password is the “company defaults”. Let’s try to log in with the pfSense default password: rohit:pfsense

We are connected to the dashboard!
Vulnerabilities
Once connected to the dashboard, we can see that version 2.1.3 of pfSense is installed. Running searchsploit, we find a Python exploit.
The script exploits a vulnerability in the status_rrd_graph_img.php page (https://10[.]10[.]10[.]60/status_rrd_graph_img.php). A non-privileged authenticated attacker can inject arbitrary operating system commands and execute them as root.
We pass all the necessary arguments to the script and execute it.
We get a root reverse shell! We can get both flags :)
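From the defender's side, requests to the page abused above can be flagged in the web server's access log. The following is an added example, not part of the original write-up or of pfSense: it assumes a combined-format access log, and the sample lines and the parameter names `p` and `style` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Page named in the write-up; log format and parameter names are assumptions.
TARGET_PATH = "/status_rrd_graph_img.php"
# Characters a shell treats as separators, pipes, substitutions or redirects.
SHELL_META = re.compile(r"[;|&`$<>\\\n]")
# Client address and request URI from a combined-format access log line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+" \d{3}')

# Constructed sample lines ("p" and "style" are hypothetical parameter names).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /status_rrd_graph_img.php?p=traffic.rrd&style=inverse HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] '
    '"GET /status_rrd_graph_img.php?p=traffic.rrd%3Bid HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] '
    '"GET /index.php?q=a%7Cb HTTP/1.1" 200 900',
]

def suspicious_requests(lines):
    """Return (ip, parameter, decoded value) for every query value sent to
    TARGET_PATH that contains a shell metacharacter after URL decoding."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        parts = urlsplit(m.group("uri"))
        if parts.path != TARGET_PATH:
            continue
        # Split on '&' before decoding so an encoded '&' or ';' stays
        # inside the value it was sent in.
        for pair in parts.query.split("&"):
            name, _, raw = pair.partition("=")
            value = unquote_plus(raw)
            if SHELL_META.search(value):
                hits.append((m.group("ip"), name, value))
    return hits

if __name__ == "__main__":
    for ip, name, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent shell metacharacters in {name!r}: {value!r}")
```

Because the flaw is reachable by any authenticated user, a hit is worth correlating with the account that owned the session.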
Tags
FreeBSD, Easy, External, LightHTTPD, PHP, Penetration Tester Level 1, Remote Code Execution, A06:2021-Vulnerable And Outdated Components, Public Vulnerabilities, Pfsense