Photographer: 1 Vulnhub walkthrough

This machine was developed to prepare for OSCP. It is boot2root, tested on VirtualBox (but works on VMware), and has two flags: user.txt and proof.txt.

Today I am going to walk through the Photographer vulnerable machine developed by @v1n1v131r4. To download it, visit: https://www.vulnhub.com/entry/photographer-1,519/

For solving any walkthrough I have my own way of doing it. You can always redo the challenge and explore other ways of gaining root and obtaining the flags.

DISCOVERY PHASE

This phase is pretty much self-explanatory: without knowing the host you can’t start the process. Let’s find our target in my NatNetwork by using the netdiscover command.

It seems that I discovered my target: 10.0.2.38

SCANNING PHASE

After discovering our target we have to find out how we can penetrate it. For this, we have to look for the open ports and the services running on them, since those give us a way in, and for this I use the most trusted tool, Nmap.

Looks like we got plenty of good stuff, as numerous ports are open. We will visit each port, but for the time being let’s visit ports 80 and 8000 as they are hosting web pages. If you want to learn more about Nmap switches, I recommend visiting https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/

RECONNAISSANCE PHASE

This phase attempts to gain information about the targeted computer or network that can be used as an initial step towards further attacks seeking to exploit the target system. Here we will carry out reconnaissance on the different ports. Let’s start.

WEB RECONNAISSANCE:- This phase of exploring the target generally involves visiting the page hosted by the target.

I must say the page hosted on port 80 was awesome, but sadly nothing valuable was present there. I immediately ran a dirb scan against it, but this time again got nothing. 😔

Now it’s time to visit http://[IP_address]:8000, and we get a simple site hosted on it.

Exploring the page, I encountered a file shell.php in the Timeline section which keeps on loading. This gives me a hint: it is trying to make a reverse connection on some port 🤪 wait, but to where? Let’s figure it out.

SMB RECONNAISSANCE:- As we can see, ports 139 and 445 are open for NetBIOS/SMB, so we can definitely explore them.

But first, let’s use the tool called enum4linux, which is used for enumerating information from Windows and Samba systems. Simply use the command enum4linux [target_IP_address], and here we go…

As we can see, sambashare is the share that is being offered. Let’s connect to this share on the target on port 139 (the default).

Here we go 🧐. Download the files into our current directory using a simple get [file_name] command.

Opening the file mailsent.txt reveals that there are two users, Agi Clarence and Daisa Ahomi, and Agi is telling Daisa that the site is ready.

Let’s again visit the site on port 8000, and we can clearly see that the site is built with Koken CMS. A Google search for it together with its version number shows me that there is an exploit for an arbitrary file upload. Visit the exploit here!

Reading the exploit PoC, it says we first have to log in as admin. Let’s try the URL http://[target_ip_address]:8000/admin and yes, we get the admin login page.

Now, for the login credentials, use Daisa’s email, as this site is owned by her, and for the password babygirl, as indicated by Agi in the mailsent.txt file.

Returning to the exploit details, we first have to create a .php file and save it as a .jpg file for the upload via the “Import content” button (Library panel), then send the request to Burp. Let’s do it as stated.

First, create a file named shell.php and copy the reverse shell content from http://pentestmonkey.net/tools/web-shells/php-reverse-shell. We only need to change the attacker_ip address and the listening port.

As I have already uploaded it, I don’t need to do anything further. The only thing that requires attention is that in the Burp proxy request you need to change the shell.php.jpg filename to shell.php in two places. Something like this…

…and at the same time fire up the Netcat listener on the specified port to listen for the reverse connection. Copy the uploaded file’s link and open it in a new tab, and yes, we got the reverse connection.
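The reason the rename in Burp works is that the application stores the file under whatever name the client supplied in the request, so the extension (and with it the handler the web server picks) ends up under the attacker’s control. The following is an added example written for this walkthrough, not Koken’s code: a weak store-name function beside a hardened one that takes the extension from an allowlist, checks the bytes actually look like that image type, refuses double extensions, and generates the stored name on the server. The image magic bytes are real; the sample contents are constructed.

```python
"""Upload-name handling: the weak pattern beside a hardened one.

Added example for the Photographer walkthrough; this is not the CMS's own
code. The sample inputs below are constructed.
"""
import os
import secrets

# Leading bytes of the image formats we are willing to store (real values).
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample contents: a minimal JPEG header and a harmless PHP stub.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_PHP = b"<?php /* constructed placeholder, not a real web shell */ ?>"


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def vulnerable_store_name(client_filename: str) -> str:
    """Weak pattern: keep the name the client sent (minus any directory part).

    Editing the multipart filename from shell.php.jpg to shell.php in a proxy
    is enough to make the server store, and later execute, a .php file.
    """
    return os.path.basename(client_filename)


def hardened_store_name(client_filename: str, content: bytes) -> str:
    """Hardened pattern: allowlisted extension, magic-byte check, server-chosen name."""
    base = os.path.basename(client_filename)
    parts = base.lower().split(".")
    # Exactly one dot: rejects bare names and double extensions like x.php.jpg.
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected(f"unexpected filename shape: {base!r}")
    ext = parts[1]
    magics = IMAGE_MAGIC.get(ext)
    if magics is None:
        raise UploadRejected(f"extension not allowed: .{ext}")
    # The claimed type must match the bytes, so PHP text saved as .jpg is refused.
    if not any(content.startswith(m) for m in magics):
        raise UploadRejected(f"content does not look like a .{ext} file")
    # The client never picks the stored name; only the validated type survives.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(client_filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if the hardened handler would store the file."""
    try:
        hardened_store_name(client_filename, content)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    for name, data in [("photo.jpg", SAMPLE_JPEG), ("shell.php", SAMPLE_PHP),
                       ("shell.php.jpg", SAMPLE_JPEG), ("shell.jpg", SAMPLE_PHP)]:
        print(f"{name:15} weak -> {vulnerable_store_name(name):15} "
              f"hardened -> {'accepted' if is_accepted(name, data) else 'rejected'}")
```

The name check is only half of the fix: the upload directory should also be served with script execution disabled, so that even a file that slips through is returned as static content rather than run by the PHP handler.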

Use the Python one-liner python -c 'import pty; pty.spawn("/bin/bash")' to spawn an interactive shell. Visiting the path /home/daisa gives me the first flag, user.txt.
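From the defender’s side, the foothold above leaves a clear trace in the web server’s access log: a request for a script-extension file under the directory where the CMS writes uploaded media. The following is an added example written for this walkthrough, not Koken’s or the author’s code; it parses common-log-format lines and flags any request whose path sits under an upload prefix and carries a PHP-style extension anywhere in the name (so x.php.jpg is caught too). The upload prefix /storage/ is assumed, and the log lines are constructed.

```python
"""Flag script requests in the upload area of a web access log.

Added example for the Photographer walkthrough (not the CMS's own tooling).
The upload prefix and the log lines are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Common Log Format: ip ident user [ts] "METHOD path proto" status size
CLF_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Hypothetical: where the CMS writes uploaded media. Adjust for your install.
UPLOAD_PREFIXES = ("/storage/",)

# A PHP-style extension anywhere in the name, followed by end or another dot.
EXEC_EXT_RE = re.compile(r"\.(?:php\d*|phtml|phar)(?:\.|$)")

# Constructed sample log, modelled on the steps in the walkthrough.
SAMPLE_LOG = [
    '10.0.2.15 - - [20/Aug/2020:10:12:01 +0000] "GET /admin HTTP/1.1" 200 5120',
    '10.0.2.15 - - [20/Aug/2020:10:12:20 +0000] "POST /api/content HTTP/1.1" 200 311',
    '10.0.2.15 - - [20/Aug/2020:10:12:38 +0000] "GET /storage/originals/ab/cd/shell.php.jpg HTTP/1.1" 404 196',
    '10.0.2.15 - - [20/Aug/2020:10:12:44 +0000] "GET /storage/originals/ab/cd/shell.php HTTP/1.1" 200 -',
    '10.0.2.20 - - [20/Aug/2020:10:13:02 +0000] "GET /storage/originals/ab/cd/photo.jpg HTTP/1.1" 200 81233',
]


@dataclass
class Finding:
    ip: str
    method: str
    path: str
    status: int
    reason: str


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per request for a script file under an upload prefix."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        path = m["path"].split("?", 1)[0].lower()
        if path.startswith(UPLOAD_PREFIXES) and EXEC_EXT_RE.search(path):
            findings.append(Finding(m["ip"], m["method"], m["path"],
                                    int(m["status"]), "script requested from upload area"))
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.ip} {f.method} {f.path} -> {f.status}: {f.reason}")
```

A 200 for such a path is the high-priority case (the script ran); a 404 for a .php name in the same area is still worth an alert, since it usually means someone is probing for a file that was just uploaded.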

PRIVILEGE ESCALATION

Now comes the time when we have to perform the real hack: escalate our privileges to get root access. For this I generally first like to see whether there is any file with the SUID bit set.

…and there we go: we find a file at the path /usr/bin/php7.2 which has the SUID bit set and is owned by root, so it runs with root’s privileges.

Now go to https://gtfobins.github.io/gtfobins/php/ and copy the SUID command for PHP to escalate privileges.
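The root cause here is a configuration defect: an interpreter with the SUID bit set and owned by root. An administrator can catch that class of mistake with a periodic audit that lists SUID files and compares them against a known baseline. The following is an added example written for this walkthrough, not part of the machine or the author’s tooling; it ranks anything outside the baseline, treating root-owned interpreters and editors as high severity. The baseline list and the sample entries are constructed assumptions, so trim the baseline to what your build actually ships.

```python
"""SUID audit: list SUID files and rank the ones outside a baseline.

Added example for the Photographer walkthrough (not the box's own tooling).
BASELINE and SAMPLE_SUID_ENTRIES are constructed assumptions.
"""
import os
import stat
from typing import Iterable, List, NamedTuple, Tuple

# Programs that should essentially never carry the SUID bit: each one can run
# arbitrary code or spawn a shell, so SUID-root on them hands out root.
RISKY_SUID_NAMES = {"php", "python", "perl", "ruby", "bash", "sh", "dash",
                    "find", "vim", "vi", "nano", "env", "awk", "less", "more"}

# Constructed baseline of SUID binaries you'd expect on a stock Linux host.
BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount",
            "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
            "/usr/bin/newgrp"}

# (path, st_mode, st_uid) triples as os.lstat would report them; constructed.
SAMPLE_SUID_ENTRIES = [
    ("/usr/bin/passwd", 0o104755, 0),   # expected, in baseline
    ("/usr/bin/php7.2", 0o104755, 0),   # the finding from this box
    ("/opt/backup/snap", 0o104755, 1000),  # SUID but not root-owned
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


class SuidFinding(NamedTuple):
    path: str
    severity: str
    perms: str


def scan_filesystem(root: str = "/") -> Iterable[Tuple[str, int, int]]:
    """Yield (path, mode, uid) for every regular file under root with SUID set."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield p, st.st_mode, st.st_uid


def audit_suid(entries: Iterable[Tuple[str, int, int]],
               baseline=frozenset(BASELINE)) -> List[SuidFinding]:
    """Rank SUID entries outside the baseline: root-owned interpreters first."""
    findings = []
    for path, mode, uid in entries:
        if path in baseline:
            continue
        # Strip a version suffix so php7.2 and python3.8 match their base names.
        stem = os.path.basename(path).rstrip("0123456789.")
        if uid == 0 and stem in RISKY_SUID_NAMES:
            severity = "high"
        elif uid == 0:
            severity = "medium"
        else:
            severity = "low"
        findings.append(SuidFinding(path, severity, oct(stat.S_IMODE(mode))))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    # Run against the sample data; swap in scan_filesystem("/usr") on a real host.
    for f in audit_suid(SAMPLE_SUID_ENTRIES):
        print(f"{f.severity:7} {f.perms:7} {f.path}")
```

Remediation for a high finding is simply clearing the bit (chmod u-s on the file) and then working out how it got set in the first place, since an interpreter does not ship that way.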

Hooray! We got root. Now proceed to the root directory to access the final flag.

For more walkthroughs stay tuned…

Before you go

Visit my other walkthroughs:-

…and thank you for taking the time to read my walkthrough. If you found it helpful, please hit the 👏 button (up to 20x) and share it to help others with similar interests! Feedback is always welcome! 🙏
