Difficulty: Medium
Machine Creator: lkys37en
Tools Used:
NMAP
Gobuster
Searchsploit
Burp Suite
Python
Task: To find User.txt and Root.txt
Network Enumeration
Let’s start with an NMAP scan.
nmap -sV -sC 10.10.10.60
From the nmap scan we can see two open ports: 80 and 443.
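As an added example (not part of the original writeup), the following Python parses nmap's XML output, which you get with `nmap -sV -sC -oX - 10.10.10.60`, and lists only the open ports with their service details. The embedded XML is constructed for the example; the product string is a placeholder, not a claim about what the machine actually runs.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not a real scan result).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -sC -oX - 10.10.10.60">
  <host>
    <address addr="10.10.10.60" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="lighttpd"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="https" product="lighttpd" tunnel="ssl"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return a list of dicts describing every open port in an nmap XML report."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        # Pick the IPv4 address of the host, if one was recorded.
        addr = next(
            (a.get("addr") for a in host.iter("address") if a.get("addrtype") == "ipv4"),
            None,
        )
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # skip closed and filtered ports
            svc = port.find("service")
            results.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                # nmap marks TLS-wrapped services with tunnel="ssl"
                "tls": svc is not None and svc.get("tunnel") == "ssl",
            })
    return results


if __name__ == "__main__":
    for entry in parse_open_ports(SAMPLE_NMAP_XML):
        print(f"{entry['host']}:{entry['port']}/{entry['proto']} "
              f"{entry['service']} tls={entry['tls']}")
```

Run it against a saved scan by reading the `-oX` file into `parse_open_ports`; the filtered port 22 in the sample is dropped, matching what the writeup observes (only 80 and 443 open).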
HTTP(S)
When we try to access the HTTP site, we get redirected to HTTPS. This website is the login page for the pfSense firewall.
Gobuster
Running a gobuster scan, we can see a file named system-users.txt.
When we look at the system-users.txt file, we see a username of rohit. The password entry says "company defaults", and the default pfSense password is pfsense.
Using the login that was found, we can log into the web interface.
Searchsploit
https://www.proteansec.com/linux/pfsense-vulnerabilities-part-2-command-injection/
Now that we have access to pfSense, we can search for exploits. After some research, I found exploit 39709 (remote code execution) to be successful.
Burp
To capture the GET request, we can route our browser through Burp and then view the graph image: Status > RRD Graph, then right-click on the graph image and choose View Image.
Now that we have the GET request, we can send it over to Repeater and clean it up.
After editing the GET request we need to open a netcat listener; when we click Go, the response contains the output of the command we ran (hostname). This verifies that we have remote command execution on the host.
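The flaw being used here is a parameter of the RRD graph page being passed to a shell. As an added example from the defender's side (not code from the original writeup or from pfSense), the Python below shows the two controls that close this class of bug, an allow-list on the RRD name and argv-style command construction with no shell, plus a small detector that scans web access logs for graph-image requests whose query values contain shell metacharacters. The endpoint path `/graph_img.php`, the RRD directory, the allow-list and the log lines are all constructed placeholders, not pfSense's real names.

```python
import os
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed allow-list for the example; a real deployment would enumerate its RRD files.
RRD_DIR = "/var/db/rrd"
KNOWN_RRD_FILES = {"queue-system.rrd", "wan-traffic.rrd", "system-processor.rrd"}

# Syntactic allow-list: plain filename characters only, must end in .rrd.
SAFE_RRD_NAME = re.compile(r"[A-Za-z0-9_.-]+\.rrd")


def validate_rrd_name(value):
    """Accept an RRD name only if it is syntactically safe AND a known file."""
    if not SAFE_RRD_NAME.fullmatch(value):
        raise ValueError("rejected: disallowed characters in RRD name")
    if value not in KNOWN_RRD_FILES:
        raise ValueError("rejected: unknown RRD database")
    return value


def build_rrdtool_argv(value):
    """Build the rrdtool command as an argv list for a validated name.

    Passing a list to subprocess.run (no shell=True) means the value is never
    parsed by a shell, so metacharacters would be inert even if validation
    were bypassed.
    """
    rrd_path = os.path.join(RRD_DIR, validate_rrd_name(value))
    # rrdtool syntax: DEF:<var>=<file>:<datasource>:<consolidation>
    return ["rrdtool", "graph", "-",
            "DEF:inbytes=" + rrd_path + ":inbytes:AVERAGE",
            "LINE1:inbytes#0000FF"]


# Common Log Format: ip ident user [time] "METHOD target proto" status size
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')
SHELL_META = re.compile(r"[;|&`$(){}<>\r\n]")

# Constructed access-log lines (not real pfSense logs).
SAMPLE_LOG = [
    '10.10.14.5 - - [10/Oct/2017:12:00:01 +0000] "GET /graph_img.php?database=queue-system.rrd&graph=8hour HTTP/1.1" 200 5123',
    '10.10.14.5 - - [10/Oct/2017:12:00:07 +0000] "GET /graph_img.php?database=queue-system.rrd%3Bhostname&graph=8hour HTTP/1.1" 200 312',
    '10.10.14.9 - - [10/Oct/2017:12:01:30 +0000] "GET /index.php HTTP/1.1" 200 2048',
]


def suspicious_requests(log_lines):
    """Flag requests whose decoded query values contain shell metacharacters."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than crash
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes, so %3B becomes ';' before the check.
        for key, val in parse_qsl(parts.query, keep_blank_values=True):
            if SHELL_META.search(val):
                hits.append({"ip": m.group("ip"), "path": parts.path,
                             "param": key, "value": val,
                             "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    print(build_rrdtool_argv("queue-system.rrd"))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("ALERT", hit["ip"], hit["path"], hit["param"], repr(hit["value"]))
```

The validator checks both shape and membership: a value with a legal shape but no matching file is still rejected, which also blocks path traversal into other directories. The detector is intentionally broad (any query parameter, any metacharacter) so it also catches variants that use a different parameter than the one in the writeup; tune the path filter to the firewall's real endpoint if alert volume is a problem.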
Reverse Shell
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
For our reverse shell, we need to go to pentestmonkey, get the Python reverse shell, and write it to a file on our local machine.
I wrote the Python reverse shell to a file that I simply called rshell.
Root Shell
Now that we have the Python reverse shell script, we create a new netcat listener on port 1234, edit our initial netcat listener by adding "< rshell", and finally modify our GET request so that it first executes netcat and then runs python, which executes the rshell script. I did have an issue: the first netcat listener on port 1337 got hung up and didn't complete until I cancelled it (ctrl+z).
User.txt and Root.txt
With our root shell, we can read both the user.txt and root.txt.