HTB_AD_Return: Pentration Testing Report
| Name | item |
|---|---|
| Platform | OSCP Play Ground |
| Date | 2025-09-14 20:07:34 |
| Auth | Blackwin |
| Tools used | nmap; gobuster; brupsuite; wpscan |
| Key words | id_rsa; polkit; LXD |
| Ip address | 10.10.11.108 |
| Flag | proof.txt: 9e89507dcfd2001796d15b5eae75a18clocal.txt: 53825454332a4b5d2c4b14a7315ec6d4 |
1. Initial Reconasission
Port scanning
- rustscan -a 10.10.11.108 --scripts none --ulimit 5000 | tee scans/rustscan
- sudo nmap -sCV -p53,80,88,139,389,445,464,3268,3269,5985,135,636,593,9389,47001,49664,49665,49666,49668,49671,49674,49675,49682,49679,49697 10.10.11.108 -oN scans/nmap
- sudo nmap -sCV -p- --open 10.10.11.108 -oN scans/nmap-all
2. Enumeration
FTP Enum
ftp,lftp
SMB Enum
enum4linux
Web Enum
directory brute
- ffuf -u http://10.10.11.108/FUZZ -w /usr/share/wordlists/dirb/big.txt
- gobuster dir -u http://10.10.11.108/ -w /usr/share/wordlists/dirb/big.txt
brute force login
- hydra -l loly -P rockyou.txt 10.10.11.108 http-post-form /wordpress/wp-login.php:F=Error -V -t 5 -w 1 -o results.txt
- wpscan --url http://10.10.11.108/wordpress -U loly -P rockyou.txt
3. Initial Shell
4. Post-Enumeration
get flag: find / -name local.txt 2>/dev/null
get basic info:
- OS version:
- sudo version:
- psexec version:
- users: cat /etc/passwd
- flag: find / -name local.txt 2>/dev/null
- SUDI binaries:
- find / -user root -perm -4000 -exec ls -ldb {} ; 2>/dev/null
- find / -uid 0 -perm -6000 -type f 2>/dev/null