Throwback — Part 1 — pfSense

Throwback is a network lab on TryHackMe. This is the first part of an article series I will be publishing on Throwback. In this article we will look at how the pfSense firewall could be penetrated.


The engagement started with scanning the subnet to identify the hosts of the Throwback lab. With the following Nmap scan it was possible to identify 4 public hosts:

nmap -sV -sC -p- -v --min-rate 5000 -oN nmap/public_network.nmap

It was possible to identify a pfSense firewall, because it was running DNS and a web server. The web server serves the HTTP login page for pfSense:

There was also a Windows host with the hostname THROWBACK-PROD:

There is also a Linux mail server, identifiable because it serves typical mail server ports, such as IMAP:

Finally, there is another Linux server that serves a Node.js server on port 1337:

Enumerating pfSense Firewall

The host with the IP address, is a pfSense firewall. By navigating to, we can see the login page:

It was possible to log in with the default pfSense credentials: admin:pfsense

Shell on pfSense

As pfSense also has a command prompt, it was possible to execute commands and get the root flag:

The /var/log folder also contained a log called login.log that contains a username and hash:

The hash could also be cracked with CrackStation:

The /var/log folder also contained another flag:


The credentials of the pfSense firewall should be changed. Also, if not needed, the admin login and SSH login should not be accessible from outside the network.
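
One way to check the second recommendation against a configuration backup, as an added example that is not part of the original write-up: the script scans a constructed, simplified fragment modelled on a pfSense config.xml for WAN pass rules that let any source reach the web admin or SSH port. The XML element names and the sample rules are assumptions; compare them with your own backup before relying on the result.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified fragment modelled on a pfSense config.xml backup.
# Element names are assumptions; verify them against a real export.
SAMPLE_CONFIG = """
<pfsense>
  <system>
    <webgui><protocol>http</protocol></webgui>
    <ssh><enable>enabled</enable></ssh>
  </system>
  <filter>
    <rule><type>pass</type><interface>wan</interface><source><any/></source>
      <destination><network>wanip</network><port>80</port></destination><descr>temp admin access</descr></rule>
    <rule><type>pass</type><interface>wan</interface><source><address>203.0.113.10</address></source>
      <destination><network>wanip</network><port>22</port></destination><descr>ssh from jump host</descr></rule>
    <rule><type>pass</type><interface>lan</interface><source><any/></source>
      <destination><any/></destination><descr>default allow LAN</descr></rule>
  </filter>
</pfsense>
"""

def admin_ports(root):
    """Map each management port to its service, using defaults when unset."""
    proto = root.findtext("system/webgui/protocol", "https")
    gui = root.findtext("system/webgui/port") or ("443" if proto == "https" else "80")
    ports = {gui: "webConfigurator"}
    if root.find("system/ssh/enable") is not None:
        ports[root.findtext("system/ssh/port") or "22"] = "SSH"
    return ports

def wan_admin_exposure(xml_text):
    """Return (service, port, description) for WAN pass rules open to any source."""
    root = ET.fromstring(xml_text)
    ports = admin_ports(root)
    findings = []
    for rule in root.findall("filter/rule"):
        if rule.findtext("type") != "pass" or rule.findtext("interface") != "wan":
            continue
        if rule.find("disabled") is not None or rule.find("source/any") is None:
            continue  # disabled rules and source-restricted rules are not flagged
        port = rule.findtext("destination/port")  # None means every port
        for p, service in ports.items():
            if port is None or port == p:
                findings.append((service, p, rule.findtext("descr", "")))
    return findings

if __name__ == "__main__":
    for finding in wan_admin_exposure(SAMPLE_CONFIG):
        print("exposed to WAN:", finding)
```

Port ranges and aliases in the destination are not expanded here, so a rule that uses them needs a manual look.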


