Vulnerable Exploit: Outdated pfSense version, CVE-2014-4688
System Vulnerable: 10.10.10.60
Vulnerability Explanation: The machine is vulnerable to command injection through the file status_rrd_graph_img.php. Public exploit code exists that allows an attacker to exploit the flaw and gain access to the machine.
Privilege Escalation Vulnerability: N/A
Vulnerability Fix: Update pfSense to 2.1.4 or later.
Severity: Critical
Steps to Compromise the Host:
Reconnaissance
└─$ nmap -sC -sV -p- -T4 10.10.10.60
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-05 08:50 EDT
Nmap scan report for 10.10.10.60
Host is up (0.045s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
443/tcp open ssl/https?
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after: 2023-04-06T19:21:35
|_ssl-date: TLS randomness does not represent time
Enumeration
Port 80 Lighttpd/1.4.35
Browsing to port 80 redirects us to port 443.
Port 443 HTTPS
On port 443, we have the login page of pfSense. A quick Google search tells us that pfSense is a firewall/router software distribution based on FreeBSD. The open-source pfSense Community Edition and pfSense Plus are installed on a physical computer or a virtual machine to make a dedicated firewall/router for a network.
There are a few things we need to check: the application's default credentials, weak credentials, hidden directories or files, SQL injection to bypass authentication, and brute force.
I have noticed some files have the same sizes. Let's check the different one first.
Checking /changelog.txt, that looks interesting to us.
On /system-users.txt, we see information about a user: username Rohib and password "company defaults". I have tried Rohib/pfsense, which does not work, but rohib/pfsense works.
On the System Information page, I have seen that the application version is 2.1.3-Release (amd64).
Let's search for a public exploit for this version; this machine seems old.
One interesting result is a command injection in status_rrd_graph_img.php. Going back to the application and opening Status > RRD Graphs, we see the same file name.
Exploitation
Let's grab the exploit code and review it.
It takes some arguments from the input, opens a Python socket to the remote host, and tries to execute a reverse shell.
Let's start our netcat listener on port 4444 and run the exploit.
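As an added defensive example, not part of the original writeup: a Python script that flags the two indicators this writeup surfaces, a pfSense version older than the fixed 2.1.4 and lighttpd access-log requests to status_rrd_graph_img.php whose query parameters carry shell metacharacters. The log lines, the client address 10.10.14.2 and the parameter names are constructed for the example; the detector does not assume which parameter the real exploit uses.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

VULN_SCRIPT = "status_rrd_graph_img.php"
FIXED_VERSION = (2, 1, 4)  # CVE-2014-4688 is fixed in pfSense 2.1.4

# Shell metacharacters that have no place in RRD graph parameters (database names, time periods).
SHELL_META = re.compile(r"[;|&`$()<>\n\r]")

# lighttpd's default access-log format (Common Log Format plus referer and user-agent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (client 10.10.14.2 and all values are made up for this example):
# a normal RRD graph request, then one carrying shell metacharacters in a parameter.
SAMPLE_LOG = """\
10.10.14.2 10.10.10.60 - [05/Nov/2021:09:02:11 -0400] "GET /status_rrd_graph.php HTTP/1.1" 200 14211 "-" "Mozilla/5.0"
10.10.14.2 10.10.10.60 - [05/Nov/2021:09:02:12 -0400] "GET /status_rrd_graph_img.php?database=system-processor.rrd&graph=8hour HTTP/1.1" 200 9213 "-" "Mozilla/5.0"
10.10.14.2 10.10.10.60 - [05/Nov/2021:09:03:40 -0400] "GET /status_rrd_graph_img.php?database=queues%3Bsleep%2010%3B&graph=8hour HTTP/1.1" 200 0 "-" "python-requests/2.25"
"""

def is_vulnerable_version(version):
    """True when a pfSense version string such as '2.1.3-RELEASE' is older than the fixed 2.1.4."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(x) for x in m.groups(default="0")) < FIXED_VERSION

def suspicious_params(uri):
    """(name, decoded value) pairs of query parameters carrying shell metacharacters,
    checked only for requests to the vulnerable RRD graph image script."""
    parts = urlsplit(uri)
    if not parts.path.endswith("/" + VULN_SCRIPT):
        return []
    # parse_qsl percent-decodes once; unquote again so double-encoded payloads are caught too.
    return [(k, unquote(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if SHELL_META.search(unquote(v))]

def scan_log(text):
    """One alert dict per access-log line that shows command-injection indicators."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        hits = suspicious_params(m.group("uri")) if m else []
        if hits:
            alerts.append({"ip": m.group("ip"), "time": m.group("ts"), "params": hits})
    return alerts
```

Running `scan_log(SAMPLE_LOG)` returns a single alert for the third constructed line, while the first two (the RRD Graphs page itself and a clean graph request) produce nothing; `is_vulnerable_version("2.1.3-RELEASE")` returns True for the build seen on the System Information page.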
Default credentials admin/admin and admin/password don't work. SQL injection does not work either. Let's start gobuster to check whether there are any hidden directories or files.