Throwback — Part 1 — pfSense
Throwback is a network lab on TryHackMe. This is the first part of the article series I will be publishing on Throwback. In this article we will look at how the pfSense firewall could be penetrated.
Recon
The engagement started with scanning the subnet 10.200.70.0/24 to identify the hosts of the Throwback lab. With the following Nmap scan it was possible to identify 4 public hosts:
nmap -sV -sC -p- -v --min-rate 5000 -oN nmap/public_network.nmap 10.200.70.0/24
It was possible to identify a pfSense firewall, because it was running DNS and a web server. The web server serves the HTTP login page for pfSense:

There was also a Windows host with the hostname THROWBACK-PROD:

There is also a Linux mail server, identifiable because it serves typical mail server ports, such as IMAP:

Finally, there is another Linux server that serves a Node.js server on port 1337:

Enumerating pfSense Firewall
The host with the IP address 10.200.70.138 is a pfSense firewall. By navigating to https://10.200.70.138, we can see the login page:

It was possible to log in with the default pfSense credentials: admin:pfsense

Shell on pfSense
As pfSense also has a command prompt, it was possible to execute commands and get the root flag:

The /var/log folder also contained a log called login.log that contains a username and hash:


The hash could also be cracked with Crackstation:

The /var/log folder also contained another flag:

Remediation
The credentials of the pfSense firewall should be changed. Also, if not needed, the admin login and SSH login should not be accessible from outside the network.
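The login.log finding above is also worth checking for on the defensive side: a log file should never hold a password hash. The following is an added example, not part of the original write-up, that scans log lines for digest-like values and reports them redacted. It assumes hex-encoded digests of MD5, SHA-1 or SHA-256 length (the write-up does not state the hash type); the function name and the sample log lines are constructed for illustration.

```python
import re

# Hex digest lengths mapped to the unsalted hash types they commonly indicate.
DIGEST_TYPES = {32: "MD5/NTLM-length", 40: "SHA-1-length", 64: "SHA-256-length"}

# A run of hex characters that is not embedded in a longer alphanumeric token.
HEX_RUN = re.compile(r"(?<![0-9A-Za-z])[0-9a-fA-F]{32,64}(?![0-9A-Za-z])")


def find_hash_leaks(lines):
    """Return (line_no, kind, redacted_line) for each digest-like token."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in HEX_RUN.finditer(line):
            token = match.group(0)
            kind = DIGEST_TYPES.get(len(token))
            # Skip lengths that match no digest, and tokens made only of digits
            # or only of letters (numeric IDs, padding), which are unlikely
            # to be hash output.
            if kind is None or token.isdigit() or token.isalpha():
                continue
            # Keep four characters for correlation, mask the rest in the report.
            redacted = line.replace(token, token[:4] + "*" * (len(token) - 4))
            findings.append((line_no, kind, redacted.rstrip()))
    return findings


# Constructed sample log lines (not taken from the lab's login.log).
SAMPLE_LOG = [
    "Aug 01 10:02:11 fw sshd[411]: Accepted password for operator from 192.0.2.10",
    "Aug 01 10:05:42 fw login: user=exampleuser hash=0a1b2c3d4e5f60718293a4b5c6d7e8f9",
    "Aug 01 10:06:00 fw kernel: session id 12345678901234567890123456789012",
    "Aug 01 10:07:13 fw php: token 0123456789abcdef0123456789abcdef01234567 issued",
]

if __name__ == "__main__":
    for line_no, kind, redacted in find_hash_leaks(SAMPLE_LOG):
        print(f"line {line_no}: {kind} value in log -> {redacted}")
```

A hit is a prompt to find the component that writes the value and to rotate the affected credential, since anyone who can read the log can take the hash offline.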