SENSE — HackTheBox WriteUp

This box is a part of TJnull’s list of boxes. I am doing these boxes as a part of my preparation for OSCP. I will be sharing the writeups of the same here as well.
SENSE is a FreeBSD machine of Easy difficulty.

Do a rustscan to check for open ports.

Port 80 and 443 are open. I ran ffuf for directory busting:

Go to https://10.10.10.60/index.php. I found this:

I tried some basic SQL injection attacks, but none worked. Now, in the source code of the page, we can see that it is pfSense (also, pf is written on the two circles, but they are not properly visible). I searched for pfSense exploits and tried a lot of them, but none seemed to work. Also, the default creds, admin and pfsense, didn't work either. I ran ffuf again, but this time with a bigger wordlist and some extensions:

A lot of directories there. (Note: All directories with Words: 907 are a redirect to the login page, so no use checking them out as of now). I started enumerating these. Meanwhile, in the background, I had ffuf running again with an even bigger wordlist:

The contents of /changelog.txt:

Ok, so it seems there can be some issue with the firewall. I checked the ffuf scan:

Visiting the /system-users.txt:

So, the username is rohit, and the password is default (pfsense). Let's see if we can log in as rohit and pfsense on the login page:

And that’s it! We are logged in. Now let’s try another one of the exploits we found earlier. I’m gonna use this one:

I ran the following command:

while an nc listener was set up:

And I got the shell! That too as root!
Get user.txt from /home/rohit/user.txt and root.txt from /root/root.txt.
(Note: from the file /etc/version, we can see that the pfSense version was 2.1.3.)

We have successfully pwned the box!
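
The path guessing described above leaves a recognisable trail in the web server's access log: one client, many distinct paths, mostly misses, and then a few hits on stray files such as /changelog.txt and /system-users.txt. The following is an added detection example, not part of the original writeup; the log format (common log format), the thresholds, the extension list and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
STATIC_LEAK_EXT = (".txt", ".bak", ".old", ".conf")  # assumed non-application file types
MISS_CODES = {"302", "404"}  # assumption: unknown paths answer 404 or redirect to login

def make_line(ip, path, status):
    """Build one constructed common-log-format line for the sample below."""
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512'

# Constructed sample log: one client guessing paths, one ordinary client.
SAMPLE_LOG = "\n".join(
    [make_line("192.0.2.10", f"/guess{i}.php", "404") for i in range(6)]
    + [make_line("192.0.2.10", p, "302") for p in ("/status.php", "/system.php")]
    + [make_line("192.0.2.10", p, "200") for p in ("/changelog.txt", "/system-users.txt")]
    + [make_line("198.51.100.7", p, "200") for p in ("/index.php", "/index.php", "/favicon.ico")]
)

def find_enumeration(log_text, min_paths=8, min_miss_ratio=0.7):
    """Return {client_ip: report} for clients whose requests look like path guessing."""
    seen = defaultdict(dict)  # ip -> {path: last status seen}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip malformed lines rather than crash
        ip, path, status = m.groups()
        seen[ip][path.split("?", 1)[0]] = status  # ignore query strings
    findings = {}
    for ip, paths in seen.items():
        misses = sum(1 for s in paths.values() if s in MISS_CODES)
        ratio = misses / len(paths)
        if len(paths) >= min_paths and ratio >= min_miss_ratio:
            # Files the client actually retrieved: these are what needs cleaning up.
            exposed = sorted(p for p, s in paths.items()
                             if s == "200" and p.lower().endswith(STATIC_LEAK_EXT))
            findings[ip] = {"distinct_paths": len(paths),
                            "miss_ratio": round(ratio, 2),
                            "exposed_files": exposed}
    return findings

if __name__ == "__main__":
    for ip, report in find_enumeration(SAMPLE_LOG).items():
        print(ip, report)
```

The `exposed_files` list is the actionable part: any notes or changelog file it reports should be removed from the web root, and any account it mentions should have its default password changed.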
