Hack the Box – Sense Walkthrough

Today we’re going to solve another CTF machine, “Sense”. It is now a retired box and is accessible if you’re a VIP member.


  • Target OS: FreeBSD
  • IP Address:
  • Difficulty: Medium


  • Getting user
  • Getting root


As always, the first step is the reconnaissance phase, starting with port scanning.

Port Scanning

During this step we’re gonna identify the target to see what we have behind the IP Address.

nmap -sS -sU -T4 -A -v

80/tcp  open  http     lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to
443/tcp open  ssl/http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Login
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after:  2023-04-06T19:21:35
|_ssl-date: TLS randomness does not represent time

Nmap reveals lighttpd running on ports 80 and 443. Let’s enumerate directories.


Browsing the main root directory reveals a pfSense login page. The pfSense default creds admin:pfsense didn’t work. pfSense is an open source firewall application, so if we try to brute force the login we might get blocked; let’s not consider this an option and move forward. Let’s enumerate and find hidden directories and files.



I started DirBuster searching for php extensions, but everything was redirecting back to the login page. So I looked for txt files instead and came across some interesting files.

And we found the creds inside system-users.txt

####Support ticket###

Please create the following user

username: Rohit
password: company defaults

Here’s a username/password for pfSense: rohit:pfsense
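A defender-side check for the disclosure found above, as an added example that is not part of the original walkthrough: it walks a web root and flags static text files that contain credential-style lines like those in system-users.txt. The extension list, the regex, the function names and the demo directory are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Extensions commonly served as static text by a web server (assumed list).
TEXT_EXTENSIONS = {".txt", ".log", ".bak", ".old", ".csv", ".md"}
# Lines that label a credential, e.g. "username: Rohit" or "password = x".
CRED_LINE = re.compile(
    r"^\s*(user(?:name)?|login|pass(?:word|wd)?)\s*[:=]\s*(\S.*)$",
    re.IGNORECASE,
)


def audit_webroot(webroot):
    """Return sorted (relative_path, line_no, field) for credential-like lines."""
    root = Path(webroot)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_EXTENSIONS:
            continue
        text = path.read_text(errors="replace")
        for line_no, line in enumerate(text.splitlines(), start=1):
            match = CRED_LINE.match(line)
            if match:
                # Record the field name only, never the secret value itself.
                rel = path.relative_to(root).as_posix()
                findings.append((rel, line_no, match.group(1).lower()))
    return sorted(findings)


def demo():
    """Build a constructed web root (temporary directory) and audit it."""
    ticket = (
        "####Support ticket###\n\n"
        "Please create the following user\n\n"
        "username: Rohit\n"
        "password: company defaults\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system-users.txt").write_text(ticket)
        (root / "index.php").write_text("<?php /* password: skipped */ ?>\n")
        (root / "notes.txt").write_text("fixed login page\n")
        return audit_webroot(root)


if __name__ == "__main__":
    for rel_path, line_no, field in demo():
        print(f"{rel_path}:{line_no}: contains a '{field}' line")
```

Files it flags should be moved out of the web root or placed behind authentication, and any credentials they mention rotated.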


There are multiple ways to exploit this machine; let’s go through one of them.


uid=0(root) gid=0(wheel) groups=0(wheel)
wc -c /home/rohit/user.txt
      32 /home/rohit/user.txt
wc -c /root/root.txt
      33 /root/root.txt