Photographer Box of Offsec Proving Grounds.

Cyb0rgBytes
3 min read · Jan 9, 2024


Every penetration testing engagement starts with the same first step: Recon, short for Reconnaissance, in which the attacker prepares for the attack by scanning the target for flaws and misconfigurations.

Our handy tool to start with is nmap, which scans for entry points and checks for open ports!

First Step: Reconnaissance

In this step we gather as much information as we can about the target, so we can plan our attacks around it and gain initial access.


We use the command as follows:

nmap -sC -sV 192.168.230.76 -oA IntitialScan.txt --min-rtt-timeout 5 -v

-sC Run the default NSE scripts
-sV Enumerate service versions
-oA Output in all formats (normal, XML and grepable)
--min-rtt-timeout 5 Minimum per-probe round-trip timeout (seconds)
-v Verbose

Through our scans we find these ports open:

22 for SSH
80 for HTTP
139 for SAMBA (netbios-ssn)
445 for SAMBA
8000 for an Apache HTTP server running Koken CMS, which we noticed is version 0.22.24

After enumerating further, specifically on port 8000, we find the following:

Found admin Directory through Enumeration

This image shows that we found an admin panel for Koken. Running searchsploit, we find that there is an exploit for this CMS:

Found the exploit for the CMS (Arbitrary File Upload While Authenticated)
Found SAMBA Share.
Found two valuable credentials

As the image above shows, I found two emails, agi@photographer.com and daisa@photographer.com, with babygirl as the password.

Let's try it below to see if we get authenticated!

Bingo! Authenticated Successfully.
Shell upload

As the PoC states, it's as simple as follows:

“After you are logged in to Koken CMS Admin Panel, select the “Import Content” option

As a proof of concept, I created a PHP file with the function phpinfo() and saved it with a double extension (image.php.jpg)

I selected the image.php.jpg file and forwarded the request to Burp”

While we do that, we have our netcat listener running:

And there we go, we got a shell:
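To see why the double extension in the PoC gets past the upload step, and what a server-side check should do instead, here is an added example in Python (not Koken's code and not from the original post): a naive name check that image.php.jpg defeats, beside a validator that looks only at the final suffix, checks the file's magic bytes, and discards the client-supplied name. The extension allowlist and magic-byte table are constructed for this example.

```python
import os
import secrets

# Constructed allowlist for this example: accepted extension -> leading magic bytes.
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def naive_is_image(filename: str) -> bool:
    """Weak check: accepts any name that merely *contains* an image extension.

    'image.php.jpg' passes, and so does 'image.jpg.php'. A check like this,
    combined with storing the file under the client's chosen name, is what a
    double-extension upload relies on.
    """
    lower = filename.lower()
    return any(ext in lower for ext in IMAGE_MAGIC)


def hardened_store_name(filename: str, content: bytes) -> str:
    """Server-side validation that does not trust the client-supplied name.

    Returns the name the file should be stored under, or raises ValueError.
    """
    # Strip any directory part so '../x/y.jpg' cannot escape the upload dir.
    base = os.path.basename(filename.replace("\\", "/"))
    # Only the final suffix counts: 'image.php.jpg' -> '.jpg', 'image.php' -> '.php'.
    ext = os.path.splitext(base)[1].lower()
    if ext not in IMAGE_MAGIC:
        raise ValueError(f"extension {ext!r} not allowed")
    # The bytes must match the declared type; a PHP file renamed to .jpg fails here.
    if not content.startswith(IMAGE_MAGIC[ext]):
        raise ValueError("content does not match declared image type")
    # Discard the client's name entirely. The stored extension comes from our
    # allowlist, so editing the filename in transit cannot produce a .php on disk.
    return secrets.token_hex(16) + ext
```

The upload directory should additionally be served with script execution disabled, so that even a validation bug does not turn a stored file into executable code.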

Next: Privilege Escalation

We can use linPEAS to look for privilege escalation paths.

Looking through the results, I found a vulnerability called PwnKit; by exploiting it I successfully gained root on the machine!

Gained Root on the Machine.

And with that, I conclude this amazing discovery with a win condition.

Cheers! and wait for the next!

Written by Cyb0rgBytes

A passionate and defensive type of ethical hacker, booted and ready to secure the world
