Sense

1. nmap scan

the home page is a login page
dirsearch
changelog.txt shows a message that we may be able to use; all PHP pages require login
gobuster

gobuster notes

gobuster dir -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -x txt
  • -k - skip SSL certificate verification
  • -x - list of file extensions to check (if any)

we can find a system-users.txt

the password can be guessed: it is the default one, pfsense
username: Rohit
password: company defaults (pfsense)
and the login succeeds
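
A defender-side check for the finding above, as an added example that is not part of the original writeup: it walks a web document root and reports static files (served without going through the PHP login check) whose lines look like account details. The extension list, keyword pattern, function names and the sample file contents other than the two system-users.txt lines quoted above are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: extensions the web server returns as-is, bypassing the PHP login check.
STATIC_EXTS = {".txt", ".bak", ".old", ".log", ".conf"}
# Assumption: words suggesting account details were written into a file.
CRED_HINT = re.compile(r"\b(user(name)?|pass(word)?|login|credentials?)\b", re.I)


def audit_docroot(docroot):
    """Return sorted (relative_path, line_no, line) for credential-like lines in static files."""
    findings = []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in STATIC_EXTS:
                continue  # .php and similar are handled by the application, not served raw
            path = os.path.join(base, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for no, line in enumerate(fh, 1):
                        if CRED_HINT.search(line):
                            rel = os.path.relpath(path, docroot)
                            findings.append((rel, no, line.strip()))
            except OSError:
                continue  # unreadable file: skip it rather than abort the audit
    return sorted(findings)


def demo():
    """Build a constructed docroot resembling the one in this writeup and audit it."""
    samples = {  # constructed sample content, not copied from the target
        "index.php": "<?php /* login page */ ?>\n",
        "changelog.txt": "maintenance notes\nupdate postponed\n",
        "system-users.txt": "support ticket\nusername: Rohit\npassword: company defaults\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_docroot(root)


if __name__ == "__main__":
    for rel, no, line in demo():
        print(f"{rel}:{no}: {line}")
```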

searchsploit

we can find 43560.py, which matches pfSense 2.1.3
let's give it a try, and we get root access