Hi all, after a long break I'm back again! Ready for new CTF adventures, let's begin!
You can find the machine here: Photographer
As always, let's start with nmap.
Port 80 doesn't give much, so let's enumerate SMB. Let's list the shares first.
Let's dig into sambashare since we have
mailsent.txt provides us with 2 mails & a message:
wordpress.bkp.zip seems useless.
Now let's enumerate port 8000. At the end we can see this: "Built with Koken". Let's search for possible exploits for Koken.
This one seems like a good exploit
Koken exploitation - shell as www-data
I searched for the admin panel location; it's under /admin and we can log in as
Now we can simply follow the PoC; I used a PHP reverse shell instead of this
I renamed it:
Now let's upload it, capture the request with Burp, and change shell.php.jpg to shell.php:
We have shell!
www-data -> root
Privesc to root is simple: let's search for SUID files.
We can run php as root, perfect.
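From the defender's side, the same SUID search can be run as an audit that flags setuid script interpreters such as the php binary found here. The script below is an added example, not part of the original write-up; the interpreter name list is an assumption for illustration and is not exhaustive.

```shell
#!/bin/sh
# Added example: audit setuid files and flag script interpreters.
# The name patterns below are an illustrative assumption, not a complete list.

# Read one path per line on stdin and print those whose basename looks like
# an interpreter (php, php7.2, python3, perl, ...). A setuid interpreter runs
# caller-supplied code with the file owner's privileges.
flag_interpreters() {
    while IFS= read -r path; do
        name=${path##*/}
        case "$name" in
            php|php[0-9]*|python|python[0-9]*|perl|perl[0-9]*|ruby|ruby[0-9]*|node|lua|lua[0-9]*|sh|bash|dash|zsh)
                printf '%s\n' "$path" ;;
        esac
    done
}

# List regular files with the setuid bit under ROOT (default /), staying on
# one filesystem, and keep only the interpreters.
audit_suid() {
    root=${1:-/}
    find "$root" -xdev -type f -perm -4000 2>/dev/null | flag_interpreters
}

# Print each finding with the remediation: clear the setuid bit (as root).
report() {
    audit_suid "${1:-/}" | while IFS= read -r f; do
        printf 'setuid interpreter: %s (fix: chmod u-s %s)\n' "$f" "$f"
    done
}

# Scan only when asked to, e.g.: sh audit.sh --scan /usr
if [ "${1:-}" = "--scan" ]; then
    report "${2:-/}"
fi
```

Any path it reports should have the setuid bit removed unless there is a documented reason for it; legitimate setuid programs such as passwd or mount are not interpreters and are not flagged.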
Cool box! :D