Photographer 1: VulnHub CTF walkthrough, part 2
In the first part of this article, we identified the admin page of the application. In this article, we will continue from this step and complete further till we get to the root of the target machine.
Please note: For all these machines, I have used Oracle Virtual Box to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.
As we know from the Part 1 of this article, there is a login page to log into the admin section of the application. We finally got a login page where we can try to enter email ID and password. We have already identified two email IDs and a secret hint in the previous steps. So, let us utilize this information to log in here. We attempted the email IDs one by one with the secret hint message. The results can be seen in the following screenshot.
After a few trials, we were able to log into the admin section of the target application using the above credentials. Let’s explore the admin account and find what we can do further to get the target machine access.
In the admin section, while exploring various functionalities, we found the version information about the installed CMS on the target machine. In the next step, we will be identifying the CMS vulnerabilities and their exploit to complete the CTF.
We know the CMS version from the previous step, so a quick research on Google took us to an available exploit for this CMS. The Google search results can be seen in the following screenshot.
As we can see, the very first result shows an Exploit Database URL. Let’s open it find out more about the workability of this exploit. The details on the website can be seen in the screenshot given below.
As per the website, the current version of the CMS is vulnerable to arbitrary file upload vulnerability. The exploit is in the form of a process that needs to be followed to be able to successfully exploit the target machine. The steps, as given on Exploit Database, are:
- Create a malicious PHP file with this content: <?php system($_GET[‘cmd’]);?>
- Save as “image.php.jpg”
- Authenticated, go to Koken CMS Dashboard, upload your file on “Import Content” button (Library panel) and send the HTTP request to Burp
- On Burp, rename your file to “image.php”
- On Koken CMS Library, select your file and put the mouse on “Download File” to see where your file is hosted on server
So, let’s start uploading a shell through the admin account using the above approach. To start with, we save dour payload as “shell.php.jpg” on the attacker machine. After that, we set up our Burp proxy and uploaded the file in the “import content” section. It can be seen in the following screenshot:
As we can see in the above screenshot, our file is in queue to be uploaded. Now we need to change the file name to “.php” extension. This step is done through Burp interception, which can be seen in the following screenshot:
We can see our payload in the above screenshot, as well as the changed file name to “shell.php”. After that, we send the request and our payload “shell.php” should be stored on the target machine, which can be seen in the following screenshot.
We can see that our uploaded shell can be seen on the target website, but when we tried to execute the commands using the shell, it did not work. This means that we can’t open the shell file on the browser to execute direct commands on the target machine, but we can run the file.
Let’s try to upload a PHP reverse shell, which is available in Kali Linux. But before uploading it, we changed the IP address to our attacker machine in the file so that we can get the reverse shell, which can be seen in the following screenshot:
In the above screenshot, we can see that we have renamed the file to “php-reverse-shell.php” and changed the IP address and port to our attacker machine configuration. After this, we clicked on “forward” and the file got successfully uploaded on the target machine. Now, let’s access the file in the target machine application and at the same time wait for the reverse connection on our attacker machine. This can be seen below.
Command used: nc -lvp 1234
In the above screenshot, we can see that when we opened the shell in the browser, it automatically got executed on the target machine and we got the reverse shell access on our attacker machine. With this, we have completed half of the job. In the next step, we will enumerate and exploit it further in order to take the root access.
We start enumerating the target machine with the limited access. We know that there are lots of local kernel exploits available, so we ran a few commands to check the kernel and operating system version, which can be seen in the below screenshot.
- uname -a
- cat /etc/issue
The output of the above command shows that our target machine is running the on Ubuntu 16.04.6 and the kernel version is 220.127.116.11. We searched local exploits for these operating systems and kernels but did not get any working exploit. So, we spent some more time for enumerating and got php7.2, which can be seen in the below screenshot.
Command used: find / -perm -4000 -type f 2>/dev/null
As can be seen in the above screenshot, we used the find command with options which will find a binary with the SUID bit set. We can execute that in the context of the file owners’ privilege.
The output of the above command in the green highlighted area shows that among other utilities, we can use PHP to get the root access. Let’s search online PHP privilege escalation commands to utilize this weakness to our advantage.
As we can see in the above screenshot, we found exactly what we were looking for. There was an exploit on GitHub which provided us the payload that was needed here. The above command will make use of the SUID bit set to escalate user privileges. In the following screenshot, we can see the result after executing the above payload on the target machine.
Finally, we have been granted shell access. Now let’s read the flag file and complete this challenge.
Command used: cat proof.txt
The flag file was easily located in the root folder, which can be seen in the above screenshot. This marks the completion of this CTF.
Hope you enjoyed working on this CTF!
Koken CMS 0.22.24 – Arbitrary File Upload (Authenticated), Exploit Database
Photographer: 1, VulnHub
Download Photographer: 1, VulnHub