# Sense

## Sense - 10.10.10.60

Target Enumeration:

OS: Linux

IP: 10.10.10.60

User: 8721327cc232073b40d27d9c17e7348b

Root: d08c32a5d4f8c8b10e76eb51a69f1a86

### Ports / Services / Software Versions Running

80/tcp  open http     lighttpd 1.4.35

443/tcp open  ssl/http lighttpd 1.4.35

### Vulnerability Exploited:

pfSense, a free BSD-based open source firewall distribution, version <= 2.2.6 contains a post-authentication remote command execution vulnerability in the \_rrd\_graph\_img.php page. The vulnerability occurs via the graph GET parameter. A non-administrative authenticated attacker can inject arbitrary operating system commands and execute them as the root user. Verified against 2.2.6, 2.2.5, and 2.1.3.
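A defender-side check for the injection point described above, as an added example that is not part of the original write-up: it scans web server access logs for requests to the graph page whose `graph` parameter is anything other than a plain file-style name. The log lines are constructed, and the allow-list pattern and the full page name used in the samples are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Access-log line: client IP first, then the quoted request line and status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Assumption: a legitimate graph name is a short token of letters, digits, '.', '_' or '-'.
SAFE_GRAPH = re.compile(r"[A-Za-z0-9._-]{1,64}")

# Page name as the write-up gives it; matched as a path suffix.
GRAPH_PAGE_SUFFIX = "_rrd_graph_img.php"

def suspicious_graph_requests(lines):
    """Return (client_ip, status, decoded_graph_value) for each request to the
    graph page whose 'graph' parameter falls outside the allow-list."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith(GRAPH_PAGE_SUFFIX):
            continue
        # parse_qs percent-decodes values, so encoded metacharacters are seen in clear.
        for value in parse_qs(url.query, keep_blank_values=True).get("graph", []):
            if not SAFE_GRAPH.fullmatch(value):
                hits.append((m["ip"], m["status"], value))
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical host name and page path).
SAMPLE_LOG = [
    '192.0.2.10 fw.example - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 fw.example - [01/Jan/2024:10:00:05 +0000] "GET /status_rrd_graph_img.php?database=wan-traffic.rrd&graph=traffic HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '198.51.100.7 fw.example - [01/Jan/2024:10:02:11 +0000] "GET /status_rrd_graph_img.php?database=queues&graph=file%7Cid HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    '198.51.100.7 fw.example - [01/Jan/2024:10:02:15 +0000] "GET /status_rrd_graph_img.php?database=queues&graph=x%60id%60 HTTP/1.1" 200 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for ip, status, value in suspicious_graph_requests(SAMPLE_LOG):
        print(f"{ip} status={status} graph={value!r}")
```

Because the vulnerability is post-authentication, a hit from this check is worth correlating with recent logins to the web interface from the same client address.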

### Exploiting the host:

Nmap

![](https://lh5.googleusercontent.com/ncwZAsCH5J8WTKx9pEHHcxvy-40cP-o8_Ioy_edLd3d7aE0Gj3p23oPCySV3zv2J21UiNw1x_haWakgrMYYC2l5l88FaBTNUI-AKRWfh4v5Mb9QSMDbkMGcGkmOTB9j04MGppIky)

Gobuster:

![](https://lh3.googleusercontent.com/jOlamFHX7xFkx_XK91ZSXSTjT9KJfKLG2F63q-RcC5eM-M09VdBIoFnAHvPgBQgZUxnYPdldvfDhW6ZUfW3tcobmHY3MDK5BHg58Io_1E_y40361neKu2Yoe0lNnbvEJ8ObLmDy_)

The website is pfSense:

![](https://lh6.googleusercontent.com/fC9tyfyP4Vj5XYa3jza7bd0kIaBWDkEb1ppDIRzN1GBwMZvRXZnWEfe2J05moRHAkIGjjwOCjRBREiGZxUEYRmgX1-6SLut5VOL31HlATaRw6GjR6afK0dqof-N08hSUSzdFH2QB)

Changelog.txt gives us some information to consider when exploiting:

![](https://lh5.googleusercontent.com/rYe2MEvVD90Ol4VObMX2NdYp2hSlKOEXTYhnU_sGOhElLfM9EujiMAb_m46U0BqHk96O-aLeomygXCutxDpsPNsnKPH9O-tsmrAfA1EPCDKFuNQri8tcXR6VlyuC43FH8dbb889N)

Checking searchsploit gives us the following to consider:

![](https://lh4.googleusercontent.com/7-1e_scatEKVclOZvBpmOhQwyqL6aFaMvFOChpdpfDB2AXXwcmbCUHPSWvC6DzGSsvcilFDh8f3tasrsyE-MC_5G7DWRcUaZBCgtk-VwJbZBvAA_KMkffTEO-jtXQZsc7EwAiW8a)

Most of these only work authenticated, so we need credentials:

Changing our wordlist, we discover a new set of credentials:

![](https://lh5.googleusercontent.com/TNV1mPOcz5P696D-tEsh90-KYkSqfRUEOSWgksq1r4PriiEsjERLP8TsKsm7oci6W8hSolBOvlspCwzKcV_CDpW5iy5AVaiJx_FNwNirC7QvJnP-XpbplGnXu08hW-dPgEZfcxf-)

The default password is pfsense:

![](https://lh3.googleusercontent.com/JwWJr9IzamXNqnTQvFGFgaeJ_6TPh1J-5C_O4Bhqt7AdylMLqEpMd17XSVhM5vC7qd_GgZG6qCNM8YXU27RDTpyqH4ryzXQlatIRIludqZrS7Vf2YNthSDFd_gm72rz1tUzE8JZj)

Load Metasploit, set the following options, and execute to get root:

![](https://lh4.googleusercontent.com/RF4Qn1t9cBCfEOvgT2sBO2Tg66Na4Twqg61bYIDQyukRvLjYKViBNf90gvVI-weqmsmtwnFL1PwmMyHKAw8need9QyplTATizoNEM3VTNc235AYzvo88zbTSZ1afUk1c9sfSPp23)

Get root & collect the user flag.

![](https://lh3.googleusercontent.com/eECHhyWGaf1F_sixQaAMlUq5IGKGt4QryspIMYgg0AAxplM11yJtbxTtZe3K3aOkXiX2VlWbnvVO7Bb3BLXAWlbyVbJmBxW9mMwfQAuDUEUMVdgkH3R20PIa-gIXiaMZr35gwvfU)


