SENSE

Burak Dirlik

Let's start with nmap, as always.

nmap -sV -sC -O -oA nmap.txt 10.129.247.215

We see that port 443 contains a login panel.

Our options are default credentials and SQL injection, but admin:pfsense did not work.

Let's see if there is a vulnerability related to pfSense. Most of them require authentication, so we keep enumerating.

Fuzzing:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://10.129.247.215 -k -x php,txt,conf -t 30

At the end of the gobuster results we find the /system-users.txt path. Let's open it in the browser.

As we can see, we got login credentials.
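
From the defender's side, the gobuster run above and the hit on /system-users.txt leave a recognizable pattern in the web server's access log. The following is an added example, not part of the original write-up: it flags clients with many distinct 404 responses and lists any .txt/.conf/.bak file they were then served. The log lines, IP addresses, extension list, threshold and function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Combined log format: client, ident, user, [time], "METHOD path proto", status, ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SENSITIVE_EXT = (".txt", ".conf", ".bak")  # assumption: file types that should not be served
MIN_404 = 5                                # assumption: low threshold to suit the small sample

def build_sample():
    """Constructed access-log lines (not captured from the target in this write-up)."""
    lines = []
    for i, word in enumerate(["images", "admin", "backup", "test", "old", "tmp", "dev"]):
        for ext in ("", ".php", ".txt"):
            lines.append(f'10.0.0.9 - - [01/Jan/2024:10:00:{i:02d} +0000] '
                         f'"GET /{word}{ext} HTTP/1.1" 404 345 "-" "gobuster/3.6"')
    lines.append('10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] '
                 '"GET /system-users.txt HTTP/1.1" 200 106 "-" "gobuster/3.6"')
    lines.append('10.0.0.20 - - [01/Jan/2024:10:01:00 +0000] '
                 '"GET /index.php HTTP/1.1" 200 6690 "-" "Mozilla/5.0"')
    lines.append('10.0.0.20 - - [01/Jan/2024:10:01:02 +0000] '
                 '"GET /favicon.ico HTTP/1.1" 404 345 "-" "Mozilla/5.0"')
    return lines

def find_forced_browsing(lines, min_404=MIN_404):
    """Return clients with >= min_404 distinct 404 paths, plus sensitive files they got."""
    misses = defaultdict(set)   # client -> distinct paths answered with 404
    hits = defaultdict(list)    # client -> sensitive paths answered with 200
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # skip lines that are not in the expected format
        client, _method, path, status = m.groups()
        path = path.split("?", 1)[0].lower()
        if status == "404":
            misses[client].add(path)
        elif status == "200" and path.endswith(SENSITIVE_EXT):
            hits[client].append(path)
    return {c: {"distinct_404": len(p), "sensitive_200": hits.get(c, [])}
            for c, p in misses.items() if len(p) >= min_404}

if __name__ == "__main__":
    for client, info in find_forced_browsing(build_sample()).items():
        print(client, info)
```

A non-empty sensitive_200 list for a flagged client is the case to investigate first, since it means a file such as a credentials note was actually returned from the web root.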

The authentication step is done. If we remember the searchsploit results for pfSense, most of the vulnerabilities required authentication, so now we should look again and choose one of them to try.

The command injection looks good; let's examine the content of this code a little.

We need rhost, lhost, username and password. We already got the username and password via the /system-users.txt path. The remote host (rhost) is our target machine, whose IP is 10.129.247.215, and the local host (lhost) is 10.10.14.168. We opened a netcat listener on port 1112; when we execute the backdoor, the shell will be dropped to netcat.

Let’s try these on the command line.

We got the root flag.
