Hackthebox - Sense
From nmap, there are HTTP and HTTPS services.
This is the HTTPS web page, which is a pfSense firewall (HTTP redirects to HTTPS automatically).
This is the result from gobuster.
Take a look at changelog.txt: it seems that there is still a vulnerability that hasn't been patched.
From system-users.txt, we got the idea that the credential is Rohit:pfsense.
We successfully log in.
I tried to use the module unix/http/pfsense_graph_injection_exec in msf, and got root permission.
Author L3o
LastMod 2020-05-12