
Photographer 1

☕ 3 min read · ✍️ m0nk

This is a fun box where we have to exploit an authenticated file upload vulnerability to get a shell on the machine. The credentials for authenticating to the Koken CMS are revealed in an open file share. The escalation is also a simple SUID binary which can easily be found on GTFOBins.

Initially we are dropped into the network 192.168.43.0/24, so we start off with host discovery using arp-scan.

arp-scan

We verify the results using nmap.

nmap-host-discovery

So, we have identified our target as 192.168.43.184.

Initial Foothold

At first, let's enumerate the machine for all the running services and then enumerate each of them accordingly.

Nmap

Our nmap scan shows that we have four open ports: 80, 139, 445 and 8000. So, there are two websites and a Samba file share running.

nmap-allPorts

```text
80/tcp   open  http        syn-ack Apache httpd 2.4.18 ((Ubuntu))
139/tcp  open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8000/tcp open  http        syn-ack Apache httpd 2.4.18 ((Ubuntu))
```

SMB

Let's start by enumerating the SMB service first to see if null authentication is enabled. It is, and as a result we get access to an internal file share because of a misconfiguration. So, trying null authentication:

SMB enumeration

We downloaded two files here: mailsent.txt and wordpress.bkp.zip. This clearly hints that the sambashare should have been internal, but it is open due to a misconfiguration.

```text
smbclient -N -L \\\\10.0.2.20
smbclient  \\\\10.0.2.20\\sambashare
get mailsent.txt
get wordpress.bkp.zip
```

Nothing much useful, but we may have some useful information inside this message.

Mail Secret

Web Enumeration - Port 80,8000

On navigating to port 80 we see a normal webpage with no critical info.

Web

Running gobuster on the target, we get nothing useful except for the following images and assets directories.

Gobuster

images

assets

On navigating to port 8000 we immediately see that this website is built using Koken CMS. So, exploits for this CMS might be available on Exploit-DB.

Web Port 8000

Koken CMS Exploit

Exploit-DB has an Arbitrary File Upload (Authenticated) exploit by the box author, which we came across while using searchsploit. But for this we need to log in to the admin panel of Koken CMS.

Searchsploit

Koken CMS admin panel at the URL: http://192.168.43.184:8000/admin/
adminPanel

Now, let's use the credentials discovered in mailsent.txt. These credentials allow us to authenticate as the web admin.

```text
daisa@photographer.com : babygirl
```

admin Dashboard

After authenticating, we follow the exploit instructions as given on the Exploit-DB page.

Koken CMS 1

We use the default PHP reverse shell by pentestmonkey, changing the hostname and the port and adding a .jpg extension to bypass the upload filter.

Koken CMS 2

Finally, we rename the file to shell.php inside Burp Suite while the upload request is intercepted.

Koken CMS 3

On our host machine we start a netcat listener on port 4444 to catch the connect-back, and then we open our uploaded shell.php on the website. This gives us a shell as www-data.

shell-as-www-data
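The upload bypass above works because the filter only looks at the client-supplied file name, which the attacker controls in the intercepted request. As an added illustration (not Koken's code; the function names and the magic-byte table are constructed for this example), here is what a server-side check that would reject both the .jpg-named PHP payload and the renamed shell.php looks like:

```python
"""Server-side upload validation that does not trust the client-supplied name.

Constructed example: the validator checks an extension allow-list AND the
file content, and the stored name is generated by the server.
"""
import os
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

# Leading bytes of the allowed image formats (constructed lookup table).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(client_name: str, data: bytes):
    """Return (ok, reason). Rejects on name OR content, never on name alone."""
    base = os.path.basename(client_name)  # strip any path components
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} not allowed"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match declared image type"
    # Defence in depth against PHP appended to or embedded in a real image.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag"
    return True, "ok"


def safe_storage_name(ext: str) -> str:
    """Server-generated name: the client's filename never reaches the disk."""
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed inputs mirroring the writeup: a PHP file uploaded as .jpg,
# the same file renamed to .php, and a genuine JPEG header.
PHP_PAYLOAD = b"<?php echo 'reverse shell goes here'; ?>"
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
```

Storing uploads under a server-generated name in a directory where the web server does not execute scripts closes the second half of the chain as well, since even a misjudged file is then never run.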

We are also able to read the user flag.

userflag

Escalation

Searching for setuid binaries on the system, we get the following results.

```text
find / -perm -u=s -type f 2> /dev/null
```

setuid-binary

We find that /usr/bin/php7.2 has the SUID bit set, which can be of some help to us, and looking at GTFOBins we immediately get a one-liner to get a shell as root.

```text
/usr/bin/php7.2 -r "pcntl_exec('/bin/bash', ['-p']);"
```

escalated

PWNED!

pwned


Written by m0nk (gr33nm0nk2802)
An Infosec Researcher. Certifications - Certified Red Team Professional | HTB Prolabs - Dante, Rastalabs | Certified Appsec Practitioner | CEH (Practical)