# Recon

- ping test ![[images/Pasted image 20251023152058.png]]
- light nmap scan ![[images/Pasted image 20251023152104.png]]
- detailed nmap scan ![[images/Pasted image 20251023152202.png]]
- OS nmap scan ![[images/Pasted image 20251023152222.png]]
- visit webpage in browser ![[images/Pasted image 20251023152330.png]]
- live webshell?
- add hostname to `/etc/hosts` ![[images/Pasted image 20251023152655.png]]

# Enum

## www-data

- light enum on the live webshell ![[images/Pasted image 20251023152501.png]] ![[images/Pasted image 20251023152620.png]]
- we have access to the 172.16.5.0/16 subnet
- we have wget and curl ![[images/Pasted image 20251023152628.png]]
- poke around `/home`
- `/home/webadmin` has some goodies ![[images/Pasted image 20251023153748.png]]
- creds for server01 and other servers on the internal subnet
- id_rsa for a more stable SSH connection to the pivot

## webadmin

- SSH into the pivot host as webadmin ![[images/Pasted image 20251023154004.png]]
- light enum as webadmin ![[images/Pasted image 20251024100046.png]]
- sudo requires a password for webadmin, but I only have the privkey