ICMP Walkthrough — OffSec Lab (Privilege Escalation via hping3)
2026-5-18 10:23:4 Author: infosecwriteups.com (view original) Reads: 21

Sana Jalil

About this Lab

This lab emphasizes systematic network and web service enumeration to identify attack surfaces and misconfigurations. Identified web application components were analyzed to uncover exploitable conditions leading to initial access. Post‑exploitation activities focused on local enumeration and privilege escalation, where misconfigured sudo permissions were abused to obtain elevated privileges.

The lab reinforces a structured, real‑world penetration testing methodology, aligning with professional offensive security assessments.

Note on IP Address Change
During testing, the target machine was reset, which resulted in a change of IP address. All references below have been normalized to 192.168.145.218 for clarity.

Service Enumeration

A comprehensive service and version enumeration was performed using Nmap to identify open ports and running services on the target system.

The --min-rate option was used to accelerate the scan because the target sits in a controlled OffSec lab environment. In real-world engagements, aggressive rate limits should be avoided to reduce detection risk, prevent service disruption, and comply with operational constraints.

An HTTP service was identified on 192.168.145.218:80, prompting targeted web enumeration to identify accessible resources and potential attack vectors.

Exploit Identification and PoC Analysis

Searchsploit was used to identify any publicly known vulnerabilities and available proof-of-concept exploits relevant to the discovered service.

I confirmed the target runs Monitorr 1.7.6m, which is vulnerable to unauthenticated RCE. After locating a public PoC, I reviewed the code to verify its preconditions and executed it in a disposable lab environment. The PoC successfully allowed arbitrary command execution on the web server as the web user, confirming the RCE.

Running the exploit uploads a PHP file to /assets/php/, which may be accessible and executable by the web server.

Executing the exploit resulted in command execution on the target, allowing me to spawn a shell as the web user. A connection was successfully established back to my listener, confirming the shell.
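The upload-then-execute pattern described above leaves a recognisable trace in the web server's access log. The following Python script is an added example, not code from the original write-up or from Monitorr: it reads combined-format log lines and flags any client that POSTs under /assets/php/ and then successfully requests a .php file under that same directory. The log lines, the client addresses (RFC 5737 documentation ranges) and the upload_handler.php endpoint name are constructed for the example and are not the application's real paths.

```python
import re
from collections import defaultdict

# Combined-log format: client, identity, user, [timestamp], "METHOD PATH PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Directory the write-up says the exploit drops its PHP file into.
WATCHED_PREFIX = "/assets/php/"

# Constructed sample log lines (not from the lab). 203.0.113.5 and 198.51.100.7 are
# documentation addresses; upload_handler.php is a placeholder, not the app's real endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [18/May/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [18/May/2026:10:01:09 +0000] "POST /assets/php/upload_handler.php HTTP/1.1" 200 57 "-" "python-requests/2.31"
203.0.113.5 - - [18/May/2026:10:01:10 +0000] "GET /assets/php/cmd.php?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.7 - - [18/May/2026:10:02:00 +0000] "GET /assets/css/style.css HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
198.51.100.7 - - [18/May/2026:10:02:05 +0000] "GET /assets/php/cmd.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""


def parse_log(lines):
    """Yield parsed records, silently skipping lines that do not match the format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_upload_then_exec(lines, prefix=WATCHED_PREFIX):
    """Return (ip, posted_path, executed_path) for every client that POSTs under
    `prefix` and afterwards successfully (2xx) GETs a .php file under the same prefix.
    A GET without a preceding POST from the same client (last sample line) is ignored."""
    posted = defaultdict(list)  # ip -> paths that client POSTed under the prefix
    hits = []
    for rec in parse_log(lines):
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if not path.startswith(prefix):
            continue
        if rec["method"] == "POST":
            posted[rec["ip"]].append(path)
        elif (rec["method"] == "GET" and path.endswith(".php")
              and rec["status"].startswith("2") and posted[rec["ip"]]):
            hits.append((rec["ip"], posted[rec["ip"]][-1], path))
    return hits


if __name__ == "__main__":
    for ip, post_path, exec_path in find_upload_then_exec(SAMPLE_LOG.splitlines()):
        print(f"ALERT {ip}: POST {post_path} followed by GET {exec_path}")
```

The same rule can be narrowed further by alerting on any 2xx request for a .php file under /assets/php/ that is not in the application's shipped file list; that list is installation specific and so is left out here.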

Initial Foothold

After obtaining a shell, I navigated through the filesystem and enumerated the /home directory, where I discovered a fox folder. Browsing this directory revealed several files containing potentially valuable information.

I attempted to access the devel directory, but access was denied due to insufficient permissions. The directory is owned by the user fox, and www-data does not have the required read permissions, indicating that further escalation or permission changes are needed to access its contents.

Credential Harvesting

Reading the reminder file revealed a clue about password hashing, suggesting that crypt.php could be used to analyze stored credentials. Although direct access to the devel directory was denied, the crypt.php file inside was readable. The script uses PHP’s crypt() function on a hardcoded string, indicating a weak hashing mechanism. The output contained what appeared to be the fox user password hash, so I saved the response and created a local copy of crypt.php for analysis. The next step is to crack the hash, verify the credentials using available login vectors, and continue controlled post-exploitation enumeration.
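To judge what a crypt.php-style output is worth to a defender, the following Python script, added here and not part of the original post, classifies crypt()-style hash strings by their modular-crypt format identifier and reports reused salts, which is the direct consequence of calling crypt() on a hardcoded string. The sample hashes are constructed placeholders (not hashes from the lab and not valid digests), and the strength labels are a coarse ranking: DES-crypt and MD5-crypt weak, SHA-crypt acceptable at the glibc default of 5000 rounds or more, bcrypt, scrypt and yescrypt strong.

```python
import re

# Modular-crypt-format identifiers ("$id$...") accepted by crypt(3) and PHP crypt().
SCHEMES = {
    "1":  ("MD5-crypt",     "weak"),
    "2a": ("bcrypt",        "strong"),
    "2b": ("bcrypt",        "strong"),
    "2y": ("bcrypt",        "strong"),
    "5":  ("SHA-256-crypt", "acceptable"),
    "6":  ("SHA-512-crypt", "acceptable"),
    "7":  ("scrypt",        "strong"),
    "y":  ("yescrypt",      "strong"),
}
# Traditional DES-crypt: 13 characters of the crypt alphabet, the first two being the salt.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
MIN_SHA_ROUNDS = 5000  # glibc default; a lower value was chosen deliberately and is suspect

# Constructed placeholder hashes (not real digests, not from the lab).
SAMPLE_HASHES = [
    "abJnggxhB/yWI",                                    # DES-crypt, salt "ab"
    "$1$saltsalt$qjXMvbEw8oaLCoi1v8hJ11",               # MD5-crypt
    "$1$saltsalt$8l2MhtPrXaibm0B6f5Y0b1",               # MD5-crypt, same salt reused
    "$6$rounds=1000$shortsalt$CONSTRUCTEDPLACEHOLDER",  # SHA-512-crypt with too few rounds
    "$2y$10$abcdefghijklmnopqrstuu" + "A" * 31,         # bcrypt cost 10
]


def classify_crypt_hash(h):
    """Return (scheme, strength, salt) for one crypt()-style hash string."""
    h = h.strip()
    if DES_RE.match(h):
        return ("DES-crypt", "weak", h[:2])
    if not h.startswith("$"):
        return ("unknown", "unknown", "")
    parts = h.split("$")  # ["", id, ...]
    scheme_id = parts[1] if len(parts) > 2 else ""
    if scheme_id not in SCHEMES:
        return ("unknown", "unknown", "")
    name, strength = SCHEMES[scheme_id]
    if scheme_id in ("5", "6"):
        # $5$rounds=N$salt$hash  or  $5$salt$hash
        if parts[2].startswith("rounds="):
            rounds = int(parts[2][len("rounds="):])
            salt = parts[3] if len(parts) > 3 else ""
            if rounds < MIN_SHA_ROUNDS:
                strength = "weak"
        else:
            salt = parts[2]
    elif scheme_id.startswith("2"):
        # $2y$cost$<22-char salt><31-char hash>
        salt = parts[3][:22] if len(parts) > 3 else ""
    else:
        salt = parts[2]
    return (name, strength, salt)


def find_reused_salts(hashes):
    """Map each salt seen more than once to the indices of the hashes using it.
    A fixed salt makes equal passwords produce equal hashes and lets one
    precomputed table cover every account hashed with it."""
    by_salt = {}
    for i, h in enumerate(hashes):
        _, _, salt = classify_crypt_hash(h)
        if salt:
            by_salt.setdefault(salt, []).append(i)
    return {s: idx for s, idx in by_salt.items() if len(idx) > 1}


if __name__ == "__main__":
    for h in SAMPLE_HASHES:
        print(classify_crypt_hash(h), h[:24])
    print("reused salts:", find_reused_salts(SAMPLE_HASHES))
```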

Privilege Escalation Preparation

The extracted credentials were verified by logging in via SSH as the fox user. Once on the system, I checked sudo privileges using sudo -l to identify any commands that could be executed with elevated rights. The output was saved for analysis and will inform the next controlled privilege escalation.

Privilege escalation reconnaissance using sudo -l revealed that the fox user is permitted to execute hping3 with elevated privileges, representing a potential sudo misconfiguration. I then consulted GTFOBins to assess whether hping3, when allowed via sudo, could be abused for local privilege escalation. GTFOBins documents potential abuse paths for hping3, confirming it as a valid escalation vector to investigate further in a controlled environment.
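sudo -l output can be checked mechanically for entries like the hping3 rule before they become an escalation path. The script below is an added example (not from the original write-up and not GTFOBins' own tooling): it parses sudo -l text and flags rules whose command is ALL or whose binary is on an illustrative subset of binaries GTFOBins lists under sudo, noting whether NOPASSWD applies. The sample output and the hostname "target" are constructed; the lab's real sudo -l output is not reproduced here.

```python
import os
import re

# Illustrative subset of binaries GTFOBins documents as able to spawn a shell, run
# arbitrary commands or write files when allowed through sudo (hping3 is the one this
# lab's sudo -l exposed). For a real audit, extend this from the GTFOBins sudo category.
SHELL_CAPABLE = {
    "hping3", "vim", "vi", "nano", "less", "more", "find", "awk", "python", "python3",
    "perl", "env", "bash", "sh", "tar", "nmap", "tcpdump",
}

# One sudo -l rule line: "(runas) TAG: TAG: command[, command...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*?)\s*$")

# Constructed sudo -l output (not the lab's actual output); "target" is a placeholder hostname.
SAMPLE_SUDO_L = """\
Matching Defaults entries for fox on target:
    env_reset, mail_badpass

User fox may run the following commands on target:
    (ALL : ALL) NOPASSWD: /usr/sbin/hping3
    (root) /usr/bin/id, /usr/bin/uptime
"""


def audit_sudo_l(text):
    """Return one finding per risky command entry found after the 'may run' header."""
    findings = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            binary = "ALL" if cmd == "ALL" else os.path.basename(cmd.split()[0])
            if cmd != "ALL" and binary not in SHELL_CAPABLE:
                continue  # /usr/bin/id and /usr/bin/uptime fall through here
            reasons = ["unrestricted command list"] if cmd == "ALL" else [
                f"{binary} can escape to a shell or run arbitrary commands"]
            if "NOPASSWD" in tags:
                reasons.append("no password required")
            findings.append({
                "runas": m.group("runas").strip(),
                "command": cmd,
                "binary": binary,
                "nopasswd": "NOPASSWD" in tags,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"RISK ({f['runas']}) {f['command']}: {'; '.join(f['reasons'])}")
```

The remediation the finding points at is the usual one: drop the rule, or restrict the command to a wrapper with fixed arguments and no shell escape, rather than exposing the full binary.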

Final Compromise

At this stage, SSH access was validated by logging in as the fox user, allowing further local enumeration.

Open a second terminal and establish an SSH session as the fox user. At this point, both sessions are running on 127.0.0.1.

One SSH session was maintained for stability, while a second session was used for controlled privilege escalation testing.

During local enumeration, a private SSH key (id_rsa) was discovered, which could potentially be leveraged for further privilege escalation.

The extracted id_rsa key was copied to the attacker machine and saved locally under an appropriate filename with restrictive file permissions.

The recovered private key was used to authenticate as the root user via SSH, resulting in full system compromise.
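The final step succeeded because a readable private key and root SSH login were both available. The following Python script, an added example rather than anything from the original post, checks the two controls that would have contained it: it walks a directory for private-key files whose mode grants group or other access, and it reports the PermitRootLogin value sshd will actually use from an sshd_config text (the first uncommented occurrence wins, and prohibit-password is assumed as the built-in default, as in OpenSSH 7.0 and later). The directory layout and key file contents it builds are constructed placeholders, not real key material.

```python
import os
import re
import stat
import tempfile

KEY_HEADER_RE = re.compile(r"^-----BEGIN .*PRIVATE KEY-----")


def find_exposed_private_keys(root):
    """Walk `root` and return (relative_path, octal_mode) for every private-key
    file whose mode grants any permission to group or others."""
    exposed = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    first = fh.readline()
            except OSError:
                continue
            if not KEY_HEADER_RE.match(first):
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & 0o077:
                exposed.append((os.path.relpath(path, root), f"{mode:04o}"))
    return sorted(exposed)


def effective_permit_root_login(sshd_config):
    """Return the PermitRootLogin value sshd will use: first uncommented occurrence
    wins; when absent, the built-in default (assumed prohibit-password) applies."""
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].strip().lower()
    return "prohibit-password"


def build_sample_tree():
    """Create a constructed directory layout under a temp dir (placeholder key
    material, not real keys) with one badly and one correctly permissioned key."""
    root = tempfile.mkdtemp(prefix="keyaudit_")
    ssh_dir = os.path.join(root, "home", "fox", ".ssh")
    os.makedirs(ssh_dir)
    placeholder = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                   "CONSTRUCTED-PLACEHOLDER-NOT-A-KEY\n"
                   "-----END OPENSSH PRIVATE KEY-----\n")
    for name, mode in (("id_rsa", 0o644), ("id_ed25519", 0o600)):
        path = os.path.join(ssh_dir, name)
        with open(path, "w") as fh:
            fh.write(placeholder)
        os.chmod(path, mode)
    with open(os.path.join(ssh_dir, "known_hosts"), "w") as fh:
        fh.write("# not a key\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print("exposed keys:", find_exposed_private_keys(sample_root))
    print("PermitRootLogin:", effective_permit_root_login("PermitRootLogin yes\n"))
```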

Article source: https://infosecwriteups.com/icmp-walkthrough-offsec-lab-privilege-escalation-via-hping3-50ebb4589cae?source=rss----7b722bfd1b8d---4