Showing posts from March, 2021

VULNHUB PHOTOGRAPHER - 1 WALK-THROUGH

Welcome to the walkthrough of Photographer 1 presented by VulnHub, a boot-to-root machine which focuses on a Koken CMS unrestricted file upload vulnerability leading to RCE. The vulnerable machine can be downloaded from here.

Hints for machine: Netdiscover, Nmap Port 8000 Koken CMS Smbclient Php file upload Shell Finding SUID - php7.2 Privilege Escalation

Walkthrough:

# Finding IP address

Once the machine is deployed, the first task is to obtain its IP address. We will use a tool named netdiscover to discover all the IPs in our internal network.

Command is sudo netdiscover -i eth0

Since no other virtual machine is up, this seems like the IP address of the victim.

# Nmap scan

As usual, we start with a basic nmap scan.

Command is sudo nmap -sC -sV -T4 <IP>

Command details
sudo – to run with root privileges
-sC – running default scripts
-sV – Version/Services info
-T4 – faster execution

Looking at the results we have a higher port 8000 open that is running Koken,

HTB BASHED WALK-THROUGH

HackTheBox is an excellent platform for various pen-testers to increase their testing skills and knowledge.

Machine Level - Easy
Machine Name - Bashed
Machine OS - Linux
Machine IP - 10.10.10.68

Tools: Nmap - Nmap is a fantastic tool for scanning the open ports, services and OS detection. You can use tools other than nmap (whichever you are more comfortable with), like masscan, SPARTA etc., to scan for open ports.

Method: The first step is always to scan the machine, so start an nmap scan with the command sudo nmap -sSVC 10.10.10.68, which will scan for open ports and services on the host.

We see that only one port is open (i.e. port 80) and it is running an Apache server. Let's visit the site 10.10.10.68

We see that there is a lot of content about "phpbash". That's some useful information. Click around to see if you find something useful. There's nothing much to see here. So let's use 'DirBuster' for directory busting and see if we find some