Welcome to the walkthrough of Photographer 1 presented by VulnHub, a boot-to-root machine which focuses on a Koken CMS unrestricted file upload vulnerability leading to RCE. The vulnerable machine can be downloaded from here.
Hints for the machine:
- Netdiscover, Nmap
- Port 8000 Koken CMS
- Smbclient
- PHP file upload
- Shell
- Finding SUID - php7.2
- Privilege Escalation
Walkthrough:
# Finding IP address
Once the machine is deployed, the first task is to obtain its IP address. We will use a tool named netdiscover to discover all the IPs in our internal network.
Command is
sudo netdiscover -i eth0
# Nmap scan
As usual, we start with a basic nmap scan.
Command is
sudo nmap -sC -sV -T4 <IP>
Command details
- sudo – to run with root privileges
- -sC – running default scripts
- -sV – Version/Services info
- -T4 – faster execution
Looking at the results, we have a higher port, 8000, open and running Koken, ports 139 and 445 running Samba, and port 80 serving the default Apache web page.
# Port 8000 enumeration
We know it's running Koken CMS version 0.22.24, so let's quickly search for an exploit for this version using searchsploit.
Command
searchsploit Koken 0.22.24
We have one exploit. To copy it, either download it from the browser or mirror it to your current directory using the command
searchsploit -m php/webapps/48706.txt
Before moving forward and using any exploit, I like to do basic enumeration of the exploit itself. Since this exploit requires authentication, we need credentials to log in, and we also don't yet know how to reach the login page. Understanding the exploit code comes in handy: it points us to a directory named /admin, which is a login form.
I tried some default creds but they did not work.
# Port 139 and 445 – Smbclient
Smbclient is an FTP-like client used to access SMB shares on a server.
To list the shares, we use the command
smbclient -L //<IP>
To access a share, we use the command (-N connects to the share without a password).
smbclient -N //<IP>/sambashare
There are two files. Let's download them to our machine using the get command.
I tried to analyze the backup zip, but it was a rabbit hole.
Read the content of mailsent.txt using the cat command.
This file gives us lots of information, such as email addresses and a possible username. The last line gives us a secret, "babygirl"; maybe it's a password.
I tried logging in with [email protected]:babygirl and got logged in successfully.
Now we follow the exploit process.
Fire up Burp Suite so we can intercept the request. First, we click on the "Import content" button in the bottom right corner.
I used a PHP reverse shell from PayloadsAllTheThings, changed its extension to jpg for the upload, and turned on Burp to intercept this request.
After intercepting the request in Burp, change the extension back to php and forward the request.
The shell has been uploaded. To access it, hover over the "Download File" button in the top right corner and open it in a new tab.
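The upload succeeded because the extension was only checked on the client side, so renaming the file in Burp was enough. As an added example that is not part of the original walkthrough or of Koken's code, here is the server-side check that closes that gap: it validates the upload's content against its declared extension and stores it under a server-chosen name (function names and sample blobs are constructed for the demonstration):

```python
# Added example (not Koken's code): server-side upload validation that
# defeats the client-side rename trick. An upload is accepted only if the
# declared extension is on an image allowlist AND the bytes really carry
# that image type's magic header. The stored name is chosen by the server,
# so the client-supplied extension never reaches the web root.
import os
import secrets

# Allowlisted image types, keyed by the magic bytes that open the file.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}


def sniff_image_type(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def validate_upload(filename: str, data: bytes):
    """Return (ok, reason_or_type). The declared extension must be on the
    allowlist and must agree with the content's magic bytes: a PHP script
    named shell.jpg fails the content check, and shell.php fails the
    extension check, whichever name arrives after the request is edited."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_EXT:
        return False, f"extension not allowed: {ext or '(none)'}"
    kind = sniff_image_type(data)
    if kind is None:
        return False, "content is not a recognised image"
    if ext == "jpeg":
        ext = "jpg"
    if kind != ext:
        return False, f"extension {ext} does not match content type {kind}"
    return True, kind


def safe_storage_name(kind: str) -> str:
    """Server-chosen name: random stem plus the sniffed type, never the
    client's filename, so no .php (or .phtml etc.) can land on disk."""
    return f"{secrets.token_hex(16)}.{kind}"


if __name__ == "__main__":
    # Constructed samples, not files from the machine.
    real_jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    php_stub = b"<?php echo 'constructed sample'; ?>"
    for name, blob in [("photo.jpg", real_jpg), ("shell.jpg", php_stub), ("shell.php", php_stub)]:
        print(name, validate_upload(name, blob))
```

Magic-byte sniffing alone does not stop a polyglot (a valid image header with script appended), which is why the server-chosen filename and a non-executable upload directory are the layers that actually prevent RCE.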
But before that we need a listener to catch our reverse shell. You can use tools like pwncat, the Metasploit handler or netcat to catch it.
Use the command
nc -nvlp 1234
to start a netcat listener.
Opening the PHP reverse shell file, we get a connection back. We are a low-privileged user as of now.
Before any further enumeration, let's stabilize our shell.
Command is
python3 -c "import pty;pty.spawn('/bin/bash')"