VulnHub: Photographer: 1

Initial foothold

1. Network discovery

My target is 10.0.2.47.

2. Port scan

3. OS and service scan

Here are the discovered services:

  • 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
  • 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
  • 445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
  • 8000/tcp open http Apache httpd 2.4.18 ((Ubuntu))

Service Enumeration


1. HTTP on port 80

nikto scan

Directory scan

Access the site

View page source. Possible username revealed.

2. SMB on port 139 and 445

Scan the service

I got an accessible directory.

Access “sambashare” and download files

Read the file

I got usernames and emails.

Create user.txt

Create mail.txt

Read wordpress.bkp.zip

There’s a credential, but I doubt that I can use it. It’s Portuguese.

3. HTTP on port 8000

Scan directories using gobuster, but I couldn't scan it.

Use dirbuster instead

There’s /admin directory.

Access the site. This site is built w/ Koken.

View page source, not much revealed.

Search for Koken CMS exploit, I came across this. However, I need credential to exploit it.

Access /admin. It’s a login page. It also needs an email, which I already saved as mail.txt.

Test input

I got error message. I will use this to crack password w/ hydra.

Intercept the request w/ Burp Suite.

Crack the password w/ hydra

I got the credential.

Access the site.
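The password attack above leaves a distinctive trace on the server: a burst of POST requests to the login page from one address, followed by a success. As an added example (not part of the original writeup), the Python below parses Apache combined-format access log lines, counts failed login POSTs per source address within a sliding window, and flags any address that exceeds a threshold, noting whether a successful login followed the burst. The log lines are constructed; the assumption that a failed Koken login is a POST to /admin returning a non-2xx/3xx status is mine, since the page does not show the real status code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache combined-log lines, not from the original writeup.
# Assumption: a failed login to the Koken /admin page is logged as a POST
# with a non-2xx/3xx status; a redirect or 200 after it is a success.
SAMPLE_LOG = """\
10.0.2.15 - - [20/Aug/2020:10:00:00 +0000] "GET /admin/ HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
10.0.2.15 - - [20/Aug/2020:10:00:01 +0000] "POST /admin/ HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.0.2.15 - - [20/Aug/2020:10:00:01 +0000] "POST /admin/ HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.0.2.15 - - [20/Aug/2020:10:00:02 +0000] "POST /admin/ HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.0.2.15 - - [20/Aug/2020:10:00:02 +0000] "POST /admin/ HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.0.2.15 - - [20/Aug/2020:10:00:03 +0000] "POST /admin/ HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.0.2.15 - - [20/Aug/2020:10:00:03 +0000] "POST /admin/ HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.0.2.15 - - [20/Aug/2020:10:00:04 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.2.20 - - [20/Aug/2020:10:05:00 +0000] "POST /admin/ HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.0.2.20 - - [20/Aug/2020:10:07:30 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "method path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_login_bruteforce(log_text, login_prefix="/admin", threshold=5,
                            window=timedelta(seconds=60)):
    """Return {ip: {"failures": n, "succeeded_after": bool}} for every source
    address that made at least `threshold` failed login POSTs inside any
    `window`; `failures` is the largest burst seen for that address."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not rec["path"].startswith(login_prefix):
            continue
        ip, ts = rec["ip"], rec["ts"]
        if 200 <= rec["status"] < 400:
            # A success right after a burst of failures is the event worth paging on.
            if ip in flagged:
                flagged[ip]["succeeded_after"] = True
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            entry = flagged.setdefault(ip, {"failures": 0, "succeeded_after": False})
            entry["failures"] = max(entry["failures"], len(q))
    return flagged


if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed logins in window, "
              f"success afterwards: {info['succeeded_after']}")
```

On the constructed sample, only 10.0.2.15 is reported (six failures in three seconds, then a success); the second address makes one failure minutes before its success and stays under the threshold. Pair a detector like this with rate limiting or lockout on the login route, since the log only tells you after the fact.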

Exploitation

1. Follow the exploit guide. Create shell file and save as “image.php.jpg”

2. Import the file

3. Intercept w/ Burp and edit the request

Intercept w/ Burp

Edit the request and forward

Verify upload process

Copy the link

Paste it into the browser and test the shell by supplying the “id” command.
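The upload step works because the application trusts the client-supplied filename: a name like “image.php.jpg” passes an extension check, and the name can then be edited in the request so the stored file ends in .php. As an added example (not code from the writeup or from Koken), the Python below shows the weak check next to a server-side validator that accepts only a single safe stem plus one allow-listed extension, refuses path components, verifies the file's magic bytes against the declared type, and generates its own storage name instead of reusing the client's. The sample file contents are constructed.

```python
import os
import re
import secrets

# Allowed image types and the leading bytes each must start with.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
# One stem of safe characters, one dot, one allowed extension: "image.php.jpg" cannot match.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpg|png|gif)$", re.IGNORECASE)

# Constructed sample contents (not real uploads from the writeup).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 28
NOT_IMAGE_SAMPLE = b"<?php /* placeholder, not an image */ ?>"


def weak_is_allowed(filename):
    """The kind of check the double-extension trick defeats: it only asks
    whether an image extension appears somewhere in the name."""
    lowered = filename.lower()
    return ".jpg" in lowered or ".png" in lowered or ".gif" in lowered


def check_upload(filename, data):
    """Server-side validation. Returns (True, storage_name) or (False, reason)."""
    # Refuse anything that is not a bare filename (no slashes, no traversal).
    if os.path.basename(filename.replace("\\", "/")) != filename:
        return False, "rejected: path components are not allowed"
    m = SAFE_NAME.fullmatch(filename)
    if not m:
        return False, "rejected: name must be one safe stem plus one allowed extension"
    ext = m.group(1).lower()
    # Declared type must match the bytes actually sent.
    if not data.startswith(MAGIC[ext]):
        return False, f"rejected: content does not look like a {ext} file"
    # Never store under the client's name; pick a random one with the verified extension.
    return True, f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    for name, body in [("image.php.jpg", JPEG_SAMPLE), ("image.php", JPEG_SAMPLE),
                       ("../image.jpg", JPEG_SAMPLE), ("image.jpg", NOT_IMAGE_SAMPLE),
                       ("image.jpg", JPEG_SAMPLE)]:
        print(f"{name:15} weak={weak_is_allowed(name)!s:5} strict={check_upload(name, body)}")
```

The magic-byte check is a sanity check on type, not a guarantee that the file is harmless, so the upload directory should also be served with script execution disabled (for Apache with mod_php, `php_admin_flag engine off` in that directory's configuration) so that a stored file is never interpreted even if validation is bypassed.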

4. Reverse shell

Prepare listener on port 443

Intercept the shell request and send to the repeater.

I will use command from this cheat sheet.

Encode the command to URL w/ Burp Suite’s decoder.

Paste it to cmd parameter and send the request.

Back to listener, now I got the shell.

Privilege Escalation

1. Get a TTY shell

2. Explore the directory. I came across interesting files as listed:

3. Verify SUID

I noticed php7.2

Search in GTFOBins

Follow the guide

Now I’m root.
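The root step hinges on one misconfiguration: a setuid bit on an interpreter (php7.2) that has no business carrying one. As an added example (not from the writeup), the Python below is the audit a defender would run instead: walk a filesystem tree, collect every regular file with the setuid bit set, and report the ones that are not in an expected baseline. The baseline list of stock setuid binaries is an assumption of mine, and `build_demo_tree` constructs a small directory that mirrors the finding so the audit can be exercised without root.

```python
import os
import stat
import tempfile
from pathlib import Path

# Setuid binaries one expects on a stock Ubuntu-like host (assumed baseline,
# not taken from the writeup); anything outside it is reported for review.
EXPECTED_SUID = {
    "sudo", "su", "passwd", "chsh", "chfn", "gpasswd", "newgrp",
    "mount", "umount", "ping", "fusermount", "pkexec",
}


def find_suid(root):
    """Yield Path objects for regular files under `root` whose setuid bit is set."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            try:
                st = p.lstat()          # lstat: do not follow symlinks
            except OSError:
                continue                # unreadable entry; skip rather than abort
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield p


def audit_suid(root, expected=EXPECTED_SUID):
    """Return the sorted basenames of setuid files that are not in the baseline."""
    return sorted(p.name for p in find_suid(root) if p.name not in expected)


def build_demo_tree():
    """Constructed filesystem slice: a setuid php7.2 next to a normal setuid
    passwd and a plain ls. Returns the temporary root directory."""
    root = Path(tempfile.mkdtemp(prefix="suid-demo-"))
    bindir = root / "usr" / "bin"
    bindir.mkdir(parents=True)
    for name, mode in [("passwd", 0o4755), ("php7.2", 0o4755), ("ls", 0o755)]:
        f = bindir / name
        f.write_bytes(b"#!/bin/sh\n")   # placeholder content, not a real binary
        f.chmod(mode)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for p in find_suid(demo_root):
        print(f"setuid: {p.relative_to(demo_root)}")
    print("unexpected:", audit_suid(demo_root))   # ["php7.2"] on the demo tree
```

On a real host you would call `audit_suid("/")` from a scheduled job and compare against a baseline captured when the box was built; on this machine the finding would be exactly the php7.2 entry, and the fix is `chmod u-s` on it, since an interpreter never needs to run setuid.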