PG — Photographer — Walkthrough (Offensive Security Proving Grounds Play Boxes)

Introduction

This article aims to walk you through Photographer box, produced by v1n1v131r4 and hosted on Offensive Security’s Proving Grounds Labs. Anyone who has access to Vulnhub and Offensive Security’s Proving Grounds Play or Practice can try to pwn this Linux box, this is an easy and fun box. Hope you enjoy reading the walkthrough!

Reconnaissance

As we are already provided with IP address of the box, we will scan it via Nmap.

Scanning

We are going to scan the IP for all open ports by typing the following command on our terminal. -p- indicates that we want to check all open ports.

nmap -p- 192.168.x.x

After waiting for a while, we have got our results as shown below:

Nmap Port Scanning

To gather further information on ports found by nmap, we will add some more arguments specifying open ports. -sV will scan to show service versions of applications on open ports, and -sC will run default scripts on services in order to check whether there is a vulnerability.

nmap -p 22,80,139,445,8000 192.168.x.x -sV -sC

In a short while, we have got our results and more details regarding open ports. And we decide to start enumeration on ports 139 and 445 since port 22 is not a logical starting point because it does not provide us with a broad attack surface as an http server does. Then, we will go on enumeration on ports 80 and 8000 as http services provide a large attack surface.

Nmap Specified Port Scanning

Enumeration

SMB Enumeration

As SMB ports may host valuable files and information, we firstly start to enumerate them. They are open to be connected if set up default and specifically not protected with a password. So, we will use smbclient in order to list and connect to SMB.

smbclient -L \\\\192.168.x.x

And we see some open shares.

SMB Listing with Smbclient

Now, in order to check sambashare file, we will try to log in to SMB server with the following command, when it asks for password, we will hit enter to leave password blank.

smbclient \\\\192.168.x.x\\sambashare

We succesfully connect to the server and list the content with ls command. And we see there are two files which look important, we download files with get command. Althrough we are able to get mailsent.txt, the connection fails while downloading wordpress.bkp.zip.

SMB Server Enumeration

After downloading .txt file, we concatenate the file.

Reading Mailsent.txt File

We have two e-mail addresses and a probable mail, which includes names Daisa and Agi that can be useful for later enumeration phases, so we will note down these mail adresses and the secret text message.

HTTP Enumeration

We check port 80 browsing the web page, but we find nothing useful.

Port 80 Enumeration

Now, we will enumerate port 8000 as it is an http server as well.

Port 8000 Enumeration

On port 8000, we encounter a familiar name Daisa that we discovered during SMB enumeration. And we see that web server is built with Koken CMS that is also familiar from nmap -sV scan.

In such a case, we google or searchsploit CMS names and their versions to see if there is an exploit publicly published.

Searchsploiting Koken

After searchsploiting Koken CMS, we find that there is a public exploit listed on exploit-db 48706.txt, and it is the exact version that we see on port 8000. So, we locate the exploit and read the content to see how to exploit Koken CMS.

Exploitation

We read the exploit we found, and we see that there are four simple steps to get a low reverse shell.

Reading Koken CMS File

After reading the exploit througly, we see that there is an admin directory to log in on the web page. Since we have some credentials while enumerating SMB share, we will attempt to log in using those credentials. Trying e-mails of Agi and Daisa, we find that daisa@photographer.com and a word located in the end of mailsent.txt are proper login credentials.

Port 8000 Login

And we log in on the page.

Port 8000 Dashboard

As exploit proceed, we will create a php file to have Remote Code Execution (RCE) on the website, but instead of having Remote Code Execution (RCE), we will try to upload a reverse php shell. So, we locate php-reverse-shell already included in our attacking box and copy it to current working directory in order to modify needed lines.

Locating Php-reverse-shell

Now, we should change default IP address and Port in php-reverse-shell.

Default IP and Port

We should change default IP to IP of our attacking box, and we will use port 443 since it is a trusted port number.

Changing IP and Port

Now, we will change our php shell to a .jpg file as the exploit suggests.

Changing Php-reverse-shell to Jpeg File

Later on, we should click on import content button located on te dashboard in order to upload our shell.

Importing Content

After clicking on Import content button, we are prompted with a new window to upload our shell.

Uploading Shell

Now, we will click on up-arrow sign and choose our reverse shell file.

Uploading Reverse Shell

So, our shell seems to be uploaded on the web server, but we should catch our import request with BurpSuite to be able to change file extension. We open BurpSuite and turn proxy on and click on Import, and get the request.

Catching the Request

Everything seems okay until now, so we will proceed following the exploit. Now, we send the request to Repeater and change the file extension to .php again.

Changing File Extension

Now we send the request to the web server and see that our reverse shell is uploaded.

File Upload

To find the location of the file uploaded, we check the right side of the web page that shows where the shell file is and provides a link to it.

Shell Directory

Before visiting the provided link, we should set up a netcat listener to catch our shell on port we specified while editing reverse php file.

Setting up Netcat Listener

Now, we are ready to visit the link that hosts our php shell.

Visiting Uploaded Php Shell Link

And we check our, netcat listener to see if we have a shell on the targte machine.

Reverse Shell on Our Terminal

We have got a shell on the box. To spawn a TTY shell, we will type the following command after checking which version of python is installed on the system:

python -c ‘import pty;pty.spawn(“/bin/bash”)’

Spawning a TTY Shell

Now it is time to get our low shell hash.

Getting Low Shell Hash

Since we are not in the directory where hash is included, we search for local.txt through the following command and concatenate it.

find / -name local.txt 2>/dev/null

Privilege Escalation

After checking common vulnerabilities or misconfigurations, we find that there is a php installed on the system and has SUID binaries.

find / -perm -u=s -type f 2>/dev/null

SUID Binaries Enumeration

For SUID binaries, we generally check GTFOBins since it provides a plethora of privilege escalation commands for SUID binaries found on the target systems.

And we see that we can escalate our privilege on the machine.

PHP Privilege Escalation

We type the following command on the terminal.

/usr/bin/php7.2 -r “pcntl_exec(‘/bin/bash’, [‘-p’]);”

PHP Privilege Escalation Command

And our Effective User Id is now root, which means that we can get our root hash.

Getting Root Hash

Now we have full authority on the box. Enjoy!

References

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store