Today, in this article we are going to gain the root
access of an easy level machine called “Photographer
1” which is available at Vulnhub for penetration testing and you can
download it from here.
The credit for making this lab goes to v1n1v131r4. So, let’s
get started and learn how to successfully root this machine.
Table of Content
Reconnaissance
·
Netdiscover to find the machines on our Network
·
Nmap to detect open ports
Enumeration
·
Enumerating sambashare
·
Discovering Koken CMS
Exploitation
·
Authenticating and exploiting Koken CMS using a
public exploit
Privilege Escalation
·
SUID binary set for php7.2
Reconnaissance
Let’s set up our lab using NAT network. We will first
detect the IP address of the vulnerable machine using Netdiscover. The
command to be used is:
netdiscover -r 10.0.2.0/24
So, the IP
address found is 10.0.2.20.
Now, that we
have our target machine’s IP let’s go ahead and scan it using nmap.
We’ll do this
by using the command: sudo nmap –sV 10.0.2.20
From the below screenshot, we can see that there are 4
ports open on our target machine which can be further used for the enumeration
process.
The discovered ports are: 80,139,445 and 8000.
Enumeration
With ports 139
and 445 open, which are the SMB ports let’s try for the low hanging
fruit that is samba share. Usually, in a boot2root, we could attempt a null
session and see if we get any information. We’ll use smbclient to find
the shares which we can access without creds. The below commands are to be used
to find the shares:
smbclient \\\\10.0.2.20\\sambashare
get
mailsent.txt
get
wordpress.bkp.zip
Ok!!! So, it seems
that we can access sambashare. Let’s go ahead and access that.
We find two
files in sambashare by the names mailsent.txt and wordpress.bkp.zip
which we’ll download into our machine for further inspection using the get
command.
The mailsent.txt file seems to be
interesting. Let’s read that and see if there’s anything useful in it for us.
Well, we do
have some important information with us. We get two usernames Daisa and Agi.
We can see that Agi is talking about some
secret. At this stage, we felt it might be some sort of credentials related clue so, let’s save this
information for future use.
Now, that we
have the usernames with us let’s go ahead and enumerate port 80. Unfortunately,
we couldn’t find anything resourceful there so, we decided to enumerate port
8000 and we were greeted with this:
The server
seems to be running Koken CMS. Let’s Google it to search for a public
exploit. It seems that we have found one.
Exploit link: https://www.exploit-db.com/exploits/48706
Exploitation
Reading through the exploit, it seems to be an
authenticated file upload exploit, which means we need some credentials.
Browsing to the admin page of the CMS, we see we need to enter some credentials
After some
trial and error, we were still unable to sign-in. Seems to be a road block. But
wait, we have yet not tried the credentials we got earlier.
If you
remember, we had got two usernames earlier Daisa and Agi from the
mailsent.txt file. Let’s go ahead and try those usernames.
Great!!! We
have successfully logged in using the below credentials:
daisa@photographer.com
: babygirl.
Now, we are
logged in the CMS.
We will now
upload our php shell which is already available in Kali. To upload our
shell, we’ll follow the steps mentioned in the exploitdb link. We click on “import
content” first
Now, we get a
prompt to upload our shell as we can see below.
Before
uploading our php reverse shell, we need to add a .jpg extension to it
in order to bypass extension filtering according to the exploit. Once, we
rename it accordingly, we will use burp suite to intercept the imported data
and remove the jpg extension and forward the request.
We need to press
the forward tab two-three times after making the changes. We immediately get a
reverse shell on our netcat listener.
Now, that we
have gained the reverse shell we shall first spawn the shell by using the
command:
python -c
“import pty;pty.spawn(‘/bin/bash’)”
After spawning
our shell we’ll change our directory from home to daisa.
Once, we are
in dais’s directory we’ll go ahead and open the user.txt file.
On opening the
file, we found our user flag which is shown in the image below.
Privilege Escalation
Now, it’s time
for that part of the CTF where everyone waits to gain the root access.
But, hold on. Let’s
go slow and steady.
We will first check
for any suid binaries using the command:
find /
-perm –u=s –type f 2>/dev/null
It seems that php7.2
was set to suid and we can easily escalate our privileges by using php7.2 like
this:
/usr/bin/php7.2 -r "pcntl_exec('/bin/bash',
['-p']);"
Great!!! Now,
that we have root access, are we all ready to get the root flag?
I’m sure everybody
is, so let’s go and capture that final flag.
Once you are
in the root shell simply change your directory to root by using the command:
cd root
Now, that we
are in the root directory we’ll read the proof.txt file by using the
command cat proof.txt
Alright, there
you go. We now have access to our final flag as shown in the image below.
0 comments:
Post a Comment