ZenPhoto
Pg Practice ZenPhoto writeup
Nmap
HTTP
Given the open ports that we have and the versions running on them I am going to jump straight into port 80.
The root page for the target machine takes us to a blank page headed 'UNDER CONSTRUCTION'. Ideally we should break out some directory enumeration and nikto
.
feroxbuster
and nikto
both pick up the directory /test/ and subsequent directories.
The /test/ directory takes us to the following page which as per the bottom right is running on ZenPhoto.
Viewing the page source and scrolling to the bottom reveals the exact version of ZenPhoto that we are running.
Exploitation
A quick Google search for a exploit on this version of ZenPhoto reveals a result for a RCE exploit.
I downloaded the exploit and run it with the following syntax:
Stable Shell
We now have a shell on the target machine and we are running as the user www-data. I found with this shell that when you try changing directories or running scripts it would have unexpected behaviour.
I performed a quick check to see if python was installed using which python
. After confirming Python is installed I tried a quick one liner reverse shell to see if we can get a more stable one.
First I started a netcat
listener on my attacking machine:
The run the following command on the target machine:
We now have a more stable shell.
Privilege Escalation
I then started a Python SimpleHTTPServer
on my attacking machine and downloaded some scripts for privilege escalation.
I executed suggester.sh
which picked up the follow exploit as being 'highly probable'.
I downloaded the file onto the attacking machine using wget
then compiled using gcc
.
After compiling was finished I used chmod
to make the exploit executable.
I then executed the exploit and was able to gain a root shell.
Last updated