Himanshu Das

Aug 30, 2021

3 min read

SENSE — HackTheBox WriteUp

This box is a part of TJnull’s list of boxes. I am doing these boxes as a part of my preparation for OSCP. I will be sharing the writeups of the same here as well.
SENSE is a FREEBSD machine, and is of EASY difficulty.

Do a rustscan to check for open ports.

Port 80 and 443 are open. I ran ffuf for directory busting:

Go to https://10.10.10.60/index.php. I found this:

I tried some basic SQL Injection attacks, but none worked. Now, in the source code of the page, we can see that it is pfsense (also, pf is written on the two circles, but they are not visible properly). I searched for exploits of pfsense and tried a lot of them, but none seemed to work. Also, the default creds: admin and pfsense didn’t work either. I ran ffuf again but this time with a bigger wordlist and some extensions:

A lot of directories there. (Note: All directories with Words: 907 are a redirect to the login page, so no use checking them out as of now). I started enumerating these. Meanwhile, in the background, I had ffuf running again with an even bigger wordlist:

The contents of /changelog.txt:

Ok, so it seems there can be some issue with the firewall. I checked the ffuf scan:

Visiting the /system-users.txt:

So, the username is rohit, and the password is default (pfsense). Let’s see if we can login as rohit and pfsense in the login page:

And that’s it! We are logged in. Now let’s try another one of the exploits we found earlier. I’m gonna use this one:

Offensive Security's Exploit Database Archive

usr/bin/env python3 # Exploit Title: pfSense <= 2.1.3 status_rrd_graph_img.php Command Injection. # Date: 2018-01-12 #…

www.exploit-db.com

I ran the following command:

while a nc listener was set-up:

And I got the shell! That too as root!
Get user.txt from /home/rohit/user.txt and root.txt from /root/root.txt
(Note: from the file /etc/version, we can see that the pfsense version was 2.1.3)

We have successfully pwned the box!

Hackthebox Writeup
Pfsense
Oscp
Pentesting
Infosec

--

--

More from Himanshu Das

Recommended from Medium

Yingyingxu

CS 373 Spring 2023: Yingying Xu

Jon Crabb

in

Bootcamp

Designing a zero-knowledge airdrop for Element Finance

Federico Carrone

in

This is not a Monad tutorial

Rebuilding the Racket Compiler with Chez Scheme

Mehmet Ozkaya

in

AWS Lambda & Serverless — Developer Guide with Hands-on Labs

AWS Lambda Function URLs: Built-in HTTPS Endpoints

Yash Semlani

Creating A Discord Bot with Python (Part 2)

Jaime

Setting up Git for Unity in OSX

George Giamouridis

Arithmetic Overflows and Underflows in Ethereum Virtual Machine

Chirag Chatterjee 7083

Kodable with CKY

AboutHelpTermsPrivacy

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Himanshu Das

Himanshu Das

47 Followers

Help

Status

Writers

Blog

Careers

Privacy

Terms

About

Text to speech