This box was an interesting one that involved the open-source routing OS pfSense and a bit of enumeration. Nothing out of the ordinary, but good practice nonetheless. Without further ado, here it goes:
As always, I began with a staged Nmap scan:
The scan revealed only that this was a web server. Visiting it via HTTPS revealed the login page of a pfSense router:
After trying some basic default credentials, I ran gobuster to see if there were any hidden directories worth looking into:
Some of the directories, such as /%7Echeckout%7E, seemed interesting, but I found nothing directly exploitable. The makers of the box even try to lead you down some rabbit holes that are ultimately unexploitable. With only this information, I was stuck.
I grabbed the SSL cert to see if there was any information there:
Once again, there was no information. Nothing.
Running out of ideas, I ran gobuster again to see if there were any files that I might have missed:
Finally I got something interesting. Two files, in fact.
These files give us a username and a hint that there may be a firewall exploit available. Google-Fu revealed that the default password for a pfSense router is ‘pfsense’, so I logged in to the admin panel using the credentials rohit:pfsense:
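From the defender's side, the noisy parts of this approach (a wordlist scan producing a burst of 403/404 responses, then repeated POSTs to the login form before a default password works) stand out in the web UI's access log. The following is an added example, not part of the original write-up: it scores each source in a combined-format access log; the log lines are constructed, and the login path /index.php is an assumption.

```python
import re
from collections import defaultdict

# Combined-format access log line: source, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
LOGIN_PATH = "/index.php"  # assumed login endpoint of the web UI

# Constructed sample: one source hammering guessed paths and the login form,
# plus one normal admin session that must not be flagged.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 153
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /backup HTTP/1.1" 404 153
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /%7Echeckout%7E HTTP/1.1" 403 153
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi-bin HTTP/1.1" 404 153
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /test HTTP/1.1" 404 153
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 71
10.10.14.5 - - [01/Jan/2024:10:00:05 +0000] "POST /index.php HTTP/1.1" 200 4120
10.10.14.5 - - [01/Jan/2024:10:00:06 +0000] "POST /index.php HTTP/1.1" 200 4120
10.10.14.5 - - [01/Jan/2024:10:00:07 +0000] "POST /index.php HTTP/1.1" 302 0
192.168.1.20 - - [01/Jan/2024:10:01:00 +0000] "GET / HTTP/1.1" 200 4120
192.168.1.20 - - [01/Jan/2024:10:01:03 +0000] "POST /index.php HTTP/1.1" 302 0
192.168.1.20 - - [01/Jan/2024:10:01:04 +0000] "GET /index.php HTTP/1.1" 200 9812
"""

def analyse(log_text, miss_threshold=5, login_threshold=3):
    """Return {source_ip: [tags]} for sources that look like enumeration or login retries."""
    total, misses, logins = defaultdict(int), defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                # skip lines that are not access-log entries
        r = m.groupdict()
        total[r["ip"]] += 1
        if r["status"] in ("403", "404"):           # guessed paths that do not exist
            misses[r["ip"]] += 1
        if r["method"] == "POST" and r["path"].split("?", 1)[0] == LOGIN_PATH:
            logins[r["ip"]] += 1                    # credential attempts
    findings = {}
    for ip, n in total.items():
        tags = []
        # Many misses AND a high miss ratio: a wordlist scan, not a user mistyping one URL.
        if misses[ip] >= miss_threshold and misses[ip] / n >= 0.5:
            tags.append("path-bruteforce")
        if logins[ip] >= login_threshold:
            tags.append("login-retries")
        if tags:
            findings[ip] = tags
    return findings
```

Tune the thresholds to the normal traffic of the box you protect; the miss ratio keeps a single admin who mistypes a URL from being flagged.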
From here, I was able to enumerate the version and find an exploit that would get me a reverse shell:
Knowing the arguments needed, I downloaded and ran the script:
Fortunately, there was no privilege escalation necessary. Running the exploit gave me unadulterated access to the machine.
The lesson of this box is to poke around, and when you think you have nothing to work with, poke around some more. You’ll find something eventually.