HTB – Sense – without Metasploit

As usual, we start with an nmap scan of the target machine's open ports.

The scan discovered only ports 80 and 443. Visiting the address in the browser gives us the access page of the pfSense firewall.

Let's run a web brute-force discovery with gobuster. In this case we used the php and txt extensions.

gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -x php,txt

The scan reported two interesting pages:
/changelog.txt (Status: 200)
/system-users.txt (Status: 200)

system-users.txt gives us the right credentials to access the firewall admin panel.

user: rohit
pass: pfsense
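
From the defender's side, the gobuster run above leaves a recognizable pattern in the web server's access log: one client, mostly 404 responses, and each word requested bare and again with the .php and .txt extensions. The following Python detector is an added example, not part of the original write-up; it assumes common-log-format access logs, and the function names, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')

def find_enumeration(log_text, min_requests=8, min_404_ratio=0.7, min_fanout=2):
    """Return {client: summary} for clients whose requests look like wordlist enumeration."""
    clients = defaultdict(lambda: {"total": 0, "nf": 0, "bases": defaultdict(set), "hits": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not GET/HEAD requests in common log format
        client, path, status = m.group(1), m.group(2).split("?")[0], int(m.group(3))
        s = clients[client]
        s["total"] += 1
        s["nf"] += status == 404
        # Split "/word.ext" into word and extension; "/word" has an empty extension.
        base, dot, ext = path.rpartition(".")
        if not dot or "/" in ext:
            base, ext = path, ""
        s["bases"][base].add(ext)
        if status == 200:
            s["hits"].add(path)  # files the scan actually found, i.e. what is exposed
    findings = {}
    for client, s in clients.items():
        # Fan-out: words requested under two or more extensions (word, word.php, word.txt).
        fanout = sum(1 for exts in s["bases"].values() if len(exts) >= 2)
        if (s["total"] >= min_requests and s["nf"] / s["total"] >= min_404_ratio
                and fanout >= min_fanout):
            findings[client] = {"requests": s["total"], "fanout_words": fanout,
                                "exposed": sorted(s["hits"])}
    return findings

def _line(ip, path, status):
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512'

# Constructed sample log: one scanning client and one ordinary visitor (documentation IPs).
HITS = {"/changelog.txt", "/system-users.txt"}
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", f"/{w}{e}", 200 if f"/{w}{e}" in HITS else 404)
     for w in ("admin", "backup", "changelog", "system-users") for e in ("", ".php", ".txt")]
    + [_line("203.0.113.20", p, c) for p, c in (("/", 200), ("/index.php", 200), ("/favicon.ico", 404))]
)

if __name__ == "__main__":
    for client, summary in find_enumeration(SAMPLE_LOG).items():
        print(client, summary)
```

The "exposed" list is the part to act on first: any text file in the web root that answers 200 to an unauthenticated scan, such as the two found here, should be removed or moved out of the document root.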

After this, we tried to discover the actual version of the firewall. It is 2.1.3.

on there’s an exploit suitable for our target version:

So we supplied the correct parameters to exploit the vulnerability on the remote machine. Be careful: the Python version to use is python3, or you will get an error launching the command.

It's root!