> For the complete documentation index, see [llms.txt](https://www.jdksec.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.jdksec.com/hack-the-box/sense.md).

# Sense

## Sense - 10.10.10.60

Target Enumeration:

OS: Linux

IP: 10.10.10.60

User: 8721327cc232073b40d27d9c17e7348b

Root: d08c32a5d4f8c8b10e76eb51a69f1a86

### Ports / Services / Software Versions Running

80/tcp  open http     lighttpd 1.4.35

443/tcp open  ssl/http lighttpd 1.4.35

### Vulnerability Exploited:

pfSense, a free BSD based open source firewall distribution, version  <= 2.2.6 contains a remote command execution vulnerability post authentication in the \_rrd\_graph\_img.php page. The vulnerability  occurs via the graph GET parameter. A non-administrative authenticated attacker can inject arbitrary operating system commands and execute them as the root user. Verified against 2.2.6,  2.2.5, and 2.1.3.

### Exploiting the host:

Nmap

![](https://lh5.googleusercontent.com/ncwZAsCH5J8WTKx9pEHHcxvy-40cP-o8_Ioy_edLd3d7aE0Gj3p23oPCySV3zv2J21UiNw1x_haWakgrMYYC2l5l88FaBTNUI-AKRWfh4v5Mb9QSMDbkMGcGkmOTB9j04MGppIky)

Gobuster:

![](https://lh3.googleusercontent.com/jOlamFHX7xFkx_XK91ZSXSTjT9KJfKLG2F63q-RcC5eM-M09VdBIoFnAHvPgBQgZUxnYPdldvfDhW6ZUfW3tcobmHY3MDK5BHg58Io_1E_y40361neKu2Yoe0lNnbvEJ8ObLmDy_)

Website is pfsense

![](https://lh6.googleusercontent.com/fC9tyfyP4Vj5XYa3jza7bd0kIaBWDkEb1ppDIRzN1GBwMZvRXZnWEfe2J05moRHAkIGjjwOCjRBREiGZxUEYRmgX1-6SLut5VOL31HlATaRw6GjR6afK0dqof-N08hSUSzdFH2QB)

Changelog.txt gives us some information to consider when exploiting

![](https://lh5.googleusercontent.com/rYe2MEvVD90Ol4VObMX2NdYp2hSlKOEXTYhnU_sGOhElLfM9EujiMAb_m46U0BqHk96O-aLeomygXCutxDpsPNsnKPH9O-tsmrAfA1EPCDKFuNQri8tcXR6VlyuC43FH8dbb889N)

Checking searchsploit gives us the following to consider:

![](https://lh4.googleusercontent.com/7-1e_scatEKVclOZvBpmOhQwyqL6aFaMvFOChpdpfDB2AXXwcmbCUHPSWvC6DzGSsvcilFDh8f3tasrsyE-MC_5G7DWRcUaZBCgtk-VwJbZBvAA_KMkffTEO-jtXQZsc7EwAiW8a)

Most do not work authenticated so we need credentials:

Changing our wordlist we discover a new set of credentials:

![](https://lh5.googleusercontent.com/TNV1mPOcz5P696D-tEsh90-KYkSqfRUEOSWgksq1r4PriiEsjERLP8TsKsm7oci6W8hSolBOvlspCwzKcV_CDpW5iy5AVaiJx_FNwNirC7QvJnP-XpbplGnXu08hW-dPgEZfcxf-)

Default password is pfsense

![](https://lh3.googleusercontent.com/JwWJr9IzamXNqnTQvFGFgaeJ_6TPh1J-5C_O4Bhqt7AdylMLqEpMd17XSVhM5vC7qd_GgZG6qCNM8YXU27RDTpyqH4ryzXQlatIRIludqZrS7Vf2YNthSDFd_gm72rz1tUzE8JZj)

Load metasploit with and set the following options and execute to get root:

![](https://lh4.googleusercontent.com/RF4Qn1t9cBCfEOvgT2sBO2Tg66Na4Twqg61bYIDQyukRvLjYKViBNf90gvVI-weqmsmtwnFL1PwmMyHKAw8need9QyplTATizoNEM3VTNc235AYzvo88zbTSZ1afUk1c9sfSPp23)

Get root & collect the user flag.

![](https://lh3.googleusercontent.com/eECHhyWGaf1F_sixQaAMlUq5IGKGt4QryspIMYgg0AAxplM11yJtbxTtZe3K3aOkXiX2VlWbnvVO7Bb3BLXAWlbyVbJmBxW9mMwfQAuDUEUMVdgkH3R20PIa-gIXiaMZr35gwvfU)
