46894-RAFFEY/Pentest-Writeups-Final
# Penetration Testing Writeups
All machines were compromised in a controlled, offline VirtualBox lab. No real systems were targeted.
## Skills Demonstrated
- Network scanning and host discovery (Nmap, Netdiscover)
- Web application enumeration (Gobuster, Nikto, Dirb)
- Exploitation — SQLi, RCE, file upload bypass, default credentials
- Post-exploitation and lateral movement
- Privilege escalation — SUID abuse, writable cron scripts, sudo misconfigs, kernel exploits
- Password cracking and credential extraction (Hydra, SQLMap, John)
- Reverse shell techniques (Netcat, Metasploit, PHP shells)
## Machine Index
| Machine | Key Vulnerability | Privilege Escalation | Difficulty |
|---|---|---|---|
| [BoredHackerBlog](BoredHackerBlog/README.md) | Web exploitation | Misconfiguration | Easy |
| [CengBox](cengbox/README.md) | SQL injection + file upload | Writable Python cron script | Medium |
| [DC 1](dc1/README.md) | Drupal CVE | SUID binary | Easy |
| [DC 3](DC%203/README.md) | Joomla SQLi | Kernel exploit | Medium |
| [DeathNote](deathnote/README.md) | Web + steganography | Sudo misconfiguration | Easy |
| [EvilBox](evilbox/README.md) | PHP file inclusion | Writable passwd | Medium |
| [Glasgow Smile 2](glasgow-smile-2/README.md) | Web enumeration | SUID binary | Easy |
| [Hack Sudo Thor](hack%20sudo%20thor/README.md) | Default credentials | Sudo misconfiguration | Easy |
| [Hackable II](hackable%20ll/README.md) | FTP + web shell | Sudo misconfiguration | Easy |
| [HotelWWW](hotellww/README.md) | Web exploitation | Privilege escalation | Medium |
| [ICA](ica/README.md) | qdPM credential exposure + SQLi | SUID binary | Medium |
| [Kioptrix](kioptrix/README.md) | SMB exploit (Samba) | Kernel exploit | Easy |
| [Kioptrix Level 1](kioptrix%20level%201/README.md) | Apache mod_ssl | Local exploit | Easy |
| [Kioptrix Level 4](kioptrix%20level%204/README.md) | SQLi auth bypass | MySQL UDF | Medium |
| [Library 1](library%201/README.md) | Web + Python library hijack | Library hijacking | Medium |
| [Lupin](lupin/README.md) | Fuzzing hidden endpoint | Sudo + pip exploit | Medium |
| [Noob](noob/README.md) | FTP anonymous + SSH key | Direct root | Easy |
| [PWNED 1](PWNED%201/README.md) | FTP + web credentials | Docker/Sudo escape | Medium |
| [SickOS 1.1](sick0s1.1/README.md) | WolfCMS default creds + file upload | Sudo su | Easy |
| [SickOS 1.2](sickOs%201.2/README.md) | HTTP PUT method + Nikto | Cron script | Medium |
| [Stalper 1](stalper%201/README.md) | Web enumeration | Misconfiguration | Easy |
| [Thales](thales/README.md) | Tomcat manager exploit | Sudo misconfiguration | Medium |
| [Tommy](tommy/README.md) | Web + directory traversal | SUID | Easy |
| [Tornado](tornado/README.md) | SSTI + web exploitation | Sudo | Medium |
| [Vengeance](vengeance/README.md) | Web + credential reuse | Sudo escape | Medium |
## Tools Used Across These Labs
| Category | Tools |
|---|---|
| Scanning | Nmap, Netdiscover, Masscan |
| Web Enumeration | Gobuster, Dirb, Nikto, Wfuzz |
| Exploitation | Metasploit, SQLMap, Hydra |
| Shells | Netcat, Socat, PHP reverse shells |
| Privilege Escalation | LinPEAS, pspy, GTFOBins techniques |
| Password Cracking | John the Ripper, Hydra, base64 |
## Writeup Format
Each machine folder contains:
- `README.md` — full walkthrough with phases: Recon → Enumeration → Exploitation → Privilege Escalation → Proof
- `screenshots/` — terminal and browser evidence at each key step
- Vulnerability table with severity and remediation notes
## Environment
All machines were sourced from [VulnHub](https://www.vulnhub.com). Testing was performed in an isolated VirtualBox environment with Host-Only networking. No internet-connected systems were involved.
*Part of my cybersecurity degree portfolio — Riphah International University, 2026*