Sense is an easy box from HackTheBox. Directory fuzzing turns up a text file containing user credentials, which can be used to log in to the pfSense admin panel. From there the outdated version of pfSense leads...
Vulnerability Explanation: Sensitive information was publicly available to anyone who enumerated the web server, and the use of default credentials let the attacker log in to the pfSense admin panel. The outdated version of pfSense in use then leads to OS command execution: pfSense before 2.1.4 allows remote authenticated users to execute arbitrary commands via the hostname value to diag_dns.php in a Create Alias action, the smartmonemail value to diag_smart.php, or the database value to status_rrd_graph_img.php.
Vulnerability Fix: Update and patch the system and install the most recent version of pfSense.
Privilege Escalation Vulnerability: No privilege escalation was needed.
Vulnerability Fix: The developer should have followed the principle of least privilege and the concept of separation of privileges.
Severity: Critical
An initial nmap scan revealed lighttpd 1.4.35 running on ports 80 and 443.
# Nmap 7.92 scan initiated Sun Jan 9 15:03:59 2022 as: nmap -sC -sV -v -oN nmap/initial 10.10.10.60
Nmap scan report for 10.10.10.60
Host is up (0.11s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.35
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://10.10.10.60/
|_http-server-header: lighttpd/1.4.35
443/tcp open ssl/http lighttpd 1.4.35
|_http-favicon: Unknown favicon MD5: 082559A7867CF27ACAB7E9867A8B320F
|_http-title: Login
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Issuer: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2017-10-14T19:21:35
| Not valid after: 2023-04-06T19:21:35
| MD5: 65f8 b00f 57d2 3468 2c52 0f44 8110 c622
|_SHA-1: 4f7c 9a75 cb7f 70d3 8087 08cb 8c27 20dc 05f1 bb02
|_http-server-header: lighttpd/1.4.35
|_ssl-date: TLS randomness does not represent time
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 9 15:04:42 2022 -- 1 IP address (1 host up) scanned in 43.36 seconds
The pfSense website initial page
Fuzzing the website to find any existing directories or files.
To gain an initial foothold on the box, we exploited three vulnerabilities.
Information disclosure. The changelog.txt and system-users.txt files were publicly available to anyone who enumerated the directories on the web server. Those files revealed the vulnerabilities in the web server and credential information for one of the accounts. Administrators should never store sensitive information where it is publicly reachable.
Use of default credentials. The user kept the default password shipped with the application. Since default credentials are publicly documented and easily obtained, the user should instead have set a sufficiently long password that is difficult to crack.
Command injection in the pfSense software allowed us to send a shell back to our attack machine. This could have been avoided had the user patched the system and installed the most recent version of pfSense.
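The command injection above stems from a user-supplied hostname reaching an OS command. As an added example that is not part of this writeup or of pfSense's own code, the following shows the defensive pattern that closes that class of bug: an allow-list check against the hostname grammar, followed by execution as an argument list with no shell. The function names and the use of the BIND `host` utility are assumptions.

```python
import re
import subprocess

# RFC 1123 label: 1-63 letters, digits or hyphens, not starting or ending with '-'
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(value: str) -> bool:
    """Allow-list check applied before a user-supplied hostname reaches any OS command.

    Anything outside the hostname grammar (spaces, ';', '|', '$', quotes, ...) is
    rejected outright rather than escaped, so shell metacharacters never get a
    chance to be interpreted.
    """
    if not value or len(value) > 253:
        return False
    host = value[:-1] if value.endswith(".") else value  # tolerate a trailing dot (FQDN)
    return all(_LABEL.match(label) for label in host.split("."))


def resolve_hostname(value: str, timeout: float = 10.0) -> str:
    """Run a DNS lookup for a validated hostname without ever invoking a shell.

    The unsafe pattern this replaces concatenates the raw form value into a
    command string handed to a shell; here the argument list goes directly to
    the program, so the value is only ever data.
    """
    if not is_valid_hostname(value):
        raise ValueError(f"rejected hostname: {value!r}")
    completed = subprocess.run(
        ["host", value],  # assumption: the 'host' utility is installed
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )
    return completed.stdout


if __name__ == "__main__":
    # Constructed sample inputs: two well-formed names and three that must be rejected
    for candidate in ("example.com", "example.com.", "-bad.example", "a" * 64, "x;y"):
        print(f"{candidate!r:>20} valid={is_valid_hostname(candidate)}")
```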
As mentioned earlier, we did not have to escalate privileges on this box: pfSense runs with root privileges, so the shell we obtained was already root.