Okay, going to be up front with you guys – this box pissed me off. Enumeration of files on directories is key here, and apparently it’s dependent also on which tool you use. This had me running in circles all day today, but I got through it, and I want to share with you my success.
First, let’s get that nmap off.
Only thing here is 80/443, and when we go to anything on port 80, we are redirected to 443, with a lovely pfsense login.
I tried default credentials, which didn’t work, so I looked at gobuster for help.
gobuster found a changelog.txt, but did not find the file in question – probably because of the wordlist used. In this particular VM, you had to use the dirbuster wordlist, directory-list-lowercase-2.3-medium.txt, otherwise you weren’t finding the crucial other file you need.
I eventually found it, but only after I cheated and used dirsearch (which didn’t find it) and dirbuster (which did). This is the part that irritated me the most. After this, the box was trivial.
Once you know the username of ‘rohit’, you can login to the pfsense controller with rohit:pfsense (the default password for pfsense). This gives you the version of 2.1.3.
Searching Exploit DB for pfsense 2.1.3 shows us this link: https://www.exploit-db.com/exploits/43560
Downloading the python file, starting a netcat listener and running the python file works well.
And, as expected, the user.txt is in rohit’s user home folder, and the root.txt is in the root directory.
So, as I said, this box drove me crazy because of directory enumeration. To this day I still don’t know why my dirsearch didn’t work, and I think I need to modify my autorecon to run with the correct directory list so it finds more things. Either that, or this one is just an odd HackTheBox-ism.
Thanks for checking it out!