Enumeration
Got the following result from the Nmap scan.
nmap -sV 10.10.10.60 --script http-enum
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-18 22:39 EDT
Nmap scan report for 10.10.10.60
Host is up (0.21s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
80/tcp  open  http     lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
443/tcp open  ssl/http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
| http-enum:
| /javascript/sorttable.js: Secunia NSI
| /changelog.txt: Interesting, a changelog.
|_ /tree/: Potentially interesting folder
I can see that web servers are open, and the nmap script says changelog.txt is interesting.
If we visit the web page, we can see a login page.
I tried logging in with the default pfSense credentials, admin:pfsense, but that failed.
Let’s check the changelog.txt file next.
OK, it says one of three vulnerabilities is not patched. No more information from here, I guess.
Maybe we can discover more text files?
I enumerated directories to find other clues.
changelog [Status: 200, Size: 271, Words: 35, Lines: 10, Duration: 181ms]
system-users [Status: 200, Size: 106, Words: 9, Lines: 7, Duration: 183ms]
I found one more file! By the way, I used /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt for the enumeration.
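As an added example (not from the original write-up), here is the defender's side of the directory enumeration above: a small Python script that reads lighttpd access-log lines, flags a client that produces a burst of 404s typical of a wordlist scan, and lists which paths that client did reach, so an exposed file like system-users stands out. The log lines, client addresses and timestamps are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed lighttpd access.log excerpt in Common Log Format (addresses and times are made up).
SAMPLE_LOG = """\
10.10.14.5 - - [18/Apr/2024:22:41:01 -0400] "GET /index.php HTTP/1.1" 200 5312
10.10.14.5 - - [18/Apr/2024:22:41:02 -0400] "GET /admin/ HTTP/1.1" 404 345
10.10.14.5 - - [18/Apr/2024:22:41:02 -0400] "GET /backup/ HTTP/1.1" 404 345
10.10.14.5 - - [18/Apr/2024:22:41:03 -0400] "GET /changelog.txt HTTP/1.1" 200 271
10.10.14.5 - - [18/Apr/2024:22:41:03 -0400] "GET /test/ HTTP/1.1" 404 345
10.10.14.5 - - [18/Apr/2024:22:41:04 -0400] "GET /old/ HTTP/1.1" 404 345
10.10.14.5 - - [18/Apr/2024:22:41:04 -0400] "GET /system-users.txt HTTP/1.1" 200 106
10.10.14.5 - - [18/Apr/2024:22:41:05 -0400] "GET /tmp/ HTTP/1.1" 404 345
192.168.1.20 - - [18/Apr/2024:22:41:09 -0400] "GET /favicon.ico HTTP/1.1" 404 345
"""

# host ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return (client, timestamp, path, status), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
    return m["host"], ts, m["path"], int(m["status"])

def find_dir_bruteforce(log_text, window=timedelta(seconds=10), threshold=5):
    """Flag clients with `threshold` or more 404s inside one `window`, and list the
    paths the same client did reach (status 200), i.e. what the scan exposed."""
    recent = defaultdict(deque)   # client -> 404 timestamps still inside the window
    peak = defaultdict(int)       # client -> highest 404 count seen in one window
    found = defaultdict(list)     # client -> paths answered with 200
    for client, ts, path, status in filter(None, map(parse_line, log_text.splitlines())):
        if status == 200:
            found[client].append(path)
        elif status == 404:
            q = recent[client]
            q.append(ts)
            while ts - q[0] > window:   # drop 404s that fell out of the window
                q.popleft()
            peak[client] = max(peak[client], len(q))
    return {c: {"peak_404s": n, "reachable_paths": found[c]}
            for c, n in peak.items() if n >= threshold}
```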
Let’s see what’s inside the system-users file.
There’s a username and password!
We already know the default password, so let’s try it.
This time it worked!
Also, we can check the version of the system.
User and root flags
I googled the version to find vulnerabilities and discovered we can exploit it using Metasploit.
After setting up the required parameters, I got a shell.
Moreover, the shell is running as root.
The user flag is in rohit’s home directory and the root flag is in the root directory.