PG — Photographer — Walkthrough (Offensive Security Proving Grounds Play Boxes)
Introduction
This article aims to walk you through Photographer box, produced by v1n1v131r4 and hosted on Offensive Security’s Proving Grounds Labs. Anyone who has access to Vulnhub and Offensive Security’s Proving Grounds Play or Practice can try to pwn this Linux box, this is an easy and fun box. Hope you enjoy reading the walkthrough!
Reconnaissance
As we are already provided with IP address of the box, we will scan it via Nmap.
Scanning
We are going to scan the IP for all open ports by typing the following command on our terminal. -p- indicates that we want to check all open ports.
nmap -p- 192.168.x.x
After waiting for a while, we have got our results as shown below:
To gather further information on ports found by nmap, we will add some more arguments specifying open ports. -sV will scan to show service versions of applications on open ports, and -sC will run default scripts on services in order to check whether there is a vulnerability.
nmap -p 22,80,139,445,8000 192.168.x.x -sV -sC
In a short while, we have got our results and more details regarding open ports. And we decide to start enumeration on ports 139 and 445 since port 22 is not a logical starting point because it does not provide us with a broad attack surface as an http server does. Then, we will go on enumeration on ports 80 and 8000 as http services provide a large attack surface.
Enumeration
SMB Enumeration
As SMB ports may host valuable files and information, we firstly start to enumerate them. They are open to be connected if set up default and specifically not protected with a password. So, we will use smbclient in order to list and connect to SMB.
smbclient -L \\\\192.168.x.x
And we see some open shares.
Now, in order to check sambashare file, we will try to log in to SMB server with the following command, when it asks for password, we will hit enter to leave password blank.
smbclient \\\\192.168.x.x\\sambashare
We succesfully connect to the server and list the content with ls command. And we see there are two files which look important, we download files with get command. Althrough we are able to get mailsent.txt, the connection fails while downloading wordpress.bkp.zip.
After downloading .txt file, we concatenate the file.
We have two e-mail addresses and a probable mail, which includes names Daisa and Agi that can be useful for later enumeration phases, so we will note down these mail adresses and the secret text message.
HTTP Enumeration
We check port 80 browsing the web page, but we find nothing useful.
Now, we will enumerate port 8000 as it is an http server as well.
On port 8000, we encounter a familiar name Daisa that we discovered during SMB enumeration. And we see that web server is built with Koken CMS that is also familiar from nmap -sV scan.
In such a case, we google or searchsploit CMS names and their versions to see if there is an exploit publicly published.
After searchsploiting Koken CMS, we find that there is a public exploit listed on exploit-db 48706.txt, and it is the exact version that we see on port 8000. So, we locate the exploit and read the content to see how to exploit Koken CMS.
Exploitation
We read the exploit we found, and we see that there are four simple steps to get a low reverse shell.
After reading the exploit througly, we see that there is an admin directory to log in on the web page. Since we have some credentials while enumerating SMB share, we will attempt to log in using those credentials. Trying e-mails of Agi and Daisa, we find that daisa@photographer.com and a word located in the end of mailsent.txt are proper login credentials.
And we log in on the page.
As exploit proceed, we will create a php file to have Remote Code Execution (RCE) on the website, but instead of having Remote Code Execution (RCE), we will try to upload a reverse php shell. So, we locate php-reverse-shell already included in our attacking box and copy it to current working directory in order to modify needed lines.
Now, we should change default IP address and Port in php-reverse-shell.
We should change default IP to IP of our attacking box, and we will use port 443 since it is a trusted port number.
Now, we will change our php shell to a .jpg file as the exploit suggests.
Later on, we should click on import content button located on te dashboard in order to upload our shell.
After clicking on Import content button, we are prompted with a new window to upload our shell.
Now, we will click on up-arrow sign and choose our reverse shell file.
So, our shell seems to be uploaded on the web server, but we should catch our import request with BurpSuite to be able to change file extension. We open BurpSuite and turn proxy on and click on Import, and get the request.
Everything seems okay until now, so we will proceed following the exploit. Now, we send the request to Repeater and change the file extension to .php again.
Now we send the request to the web server and see that our reverse shell is uploaded.
To find the location of the file uploaded, we check the right side of the web page that shows where the shell file is and provides a link to it.
Before visiting the provided link, we should set up a netcat listener to catch our shell on port we specified while editing reverse php file.
Now, we are ready to visit the link that hosts our php shell.
And we check our, netcat listener to see if we have a shell on the targte machine.
We have got a shell on the box. To spawn a TTY shell, we will type the following command after checking which version of python is installed on the system:
python -c ‘import pty;pty.spawn(“/bin/bash”)’
Now it is time to get our low shell hash.
Since we are not in the directory where hash is included, we search for local.txt through the following command and concatenate it.
find / -name local.txt 2>/dev/null
Privilege Escalation
After checking common vulnerabilities or misconfigurations, we find that there is a php installed on the system and has SUID binaries.
find / -perm -u=s -type f 2>/dev/null
For SUID binaries, we generally check GTFOBins since it provides a plethora of privilege escalation commands for SUID binaries found on the target systems.
And we see that we can escalate our privilege on the machine.
We type the following command on the terminal.
/usr/bin/php7.2 -r “pcntl_exec(‘/bin/bash’, [‘-p’]);”
And our Effective User Id is now root, which means that we can get our root hash.
Now we have full authority on the box. Enjoy!