# Nmap 7.80 scan initiated Fri Sep 27 18:41:07 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 80,443 10.10.10.60
Nmap scan report for 10.10.10.60
Host is up (0.24s latency).
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
443/tcp open ssl/https?
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose
Running (JUST GUESSING): Comau embedded (92%), OpenBSD 4.X (85%)
OS CPE: cpe:/o:openbsd:openbsd:4.3
Aggressive OS guesses: Comau C4G robot control unit (92%), OpenBSD 4.3 (85%), OpenBSD 4.0 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 243.80 ms 10.10.14.1
2 243.69 ms 10.10.10.60
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 27 18:42:59 2019 -- 1 IP address (1 host up) scanned in 111.85 seconds
Checking out the page, it turns out it is the login interface of pfSense, and the default credentials of admin:pfsense did not seem to work. So I ran gobuster on the URL and found a txt file called system-users.txt, which contained the username rohit, and the password was supposed to be the company default, so I chose to try pfsense, and this combination got me into the dashboard.
As evident from the version information, this is pfSense 2.1.3, so I ran this service and version info against searchsploit and found one command injection vulnerability.
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection | exploits/php/webapps/43560.py
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
User and Root own
So I ran the exploit script with the parameters it required and was able to get a shell as root on the system.