80/tcp open http lighttpd 1.4.35
443/tcp open ssl/http lighttpd 1.4.35
pfSense, a free BSD-based open source firewall distribution, version <= 2.2.6 contains a post-authentication remote command execution vulnerability in the _rrd_graph_img.php page. The vulnerability occurs via the graph GET parameter. A non-administrative authenticated attacker can inject arbitrary operating system commands and execute them as the root user. Verified against 2.2.6, 2.2.5, and 2.1.3.
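Because the injection arrives in the graph GET parameter, it leaves a trace in the web server's access log. The following is an added example, not part of the original write-up or of pfSense: it scans lighttpd-style access log lines for requests to that page whose graph value is not a plain name. The allow-list pattern and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate graph value is a plain name made of letters,
# digits, dot, underscore and hyphen. Anything else is worth a look.
SAFE_GRAPH = re.compile(r"^[A-Za-z0-9._-]+$")

# Client address, then the quoted request line, then the status code.
REQUEST = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines in lighttpd's default access log layout.
SAMPLE_LOG = [
    '10.0.0.5 fw.example - [12/Mar/2018:10:01:02 +0000] "GET /status_rrd_graph_img.php?database=system-processor.rrd&graph=file HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 fw.example - [12/Mar/2018:10:04:41 +0000] "GET /status_rrd_graph_img.php?database=system-processor.rrd&graph=file%3Bid HTTP/1.1" 200 0 "-" "-"',
    '10.0.0.5 fw.example - [12/Mar/2018:10:05:10 +0000] "GET /index.php?graph=a%3Bb HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def suspicious_graph_requests(lines):
    """Return (client, status, decoded graph value) for every request to the
    RRD graph page whose graph parameter is not a plain name."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parsable access log line
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("_rrd_graph_img.php"):
            continue  # other pages are out of scope for this check
        # parse_qs percent-decodes, so encoded metacharacters are caught too.
        for value in parse_qs(url.query).get("graph", []):
            if not SAFE_GRAPH.match(value):
                hits.append((client, int(status), value))
    return hits


if __name__ == "__main__":
    for client, status, value in suspicious_graph_requests(SAMPLE_LOG):
        print(f"{client} status={status} graph={value!r}")
```

Only the query string is logged, so this covers GET requests; a hit identifies the authenticated session to investigate and the account whose credentials should be rotated.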
The website is pfSense.
Changelog.txt gives us some information to consider when exploiting.
Checking searchsploit gives us the following to consider:
Most require authentication, so we need credentials:
Changing our wordlist, we discover a new set of credentials:
The default password is pfsense.
Load metasploit with and set the following options and execute to get root:
Get root & collect the user flag.