Photographer
I started with a TCP scan using Nmap
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 41:4d:aa:18:86:94:8e:88:a7:4c:6b:42:60:76:f1:4f (RSA)
| 256 4d:a3:d0:7a:8f:64:ef:82:45:2d:01:13:18:b7:e0:13 (ECDSA)
|_ 256 1a:01:7a:4f:cf:95:85:bf:31:a1:4f:15:87:ab:94:e2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Photographer by v1n1v131r4
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8000/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: daisa ahomi
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-generator: Koken 0.22.24
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-open-proxy: Proxy might be redirecting requests
Service Info: Host: PHOTOGRAPHER; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: 0s
| smb2-time:
| date: 2025-10-29T14:06:00
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: photographer
| NetBIOS computer name: PHOTOGRAPHER\x00
| Domain name: \x00
| FQDN: photographer
|_ System time: 2025-10-29T10:06:00-04:00
|_nbstat: NetBIOS name: PHOTOGRAPHER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.35 seconds
SMB was running on the server, so I used smbclient to enumerate the network shares present.

Enumerated the sambashare network share and found the following files

Read the contents of mailsent.txt and found the following

Here I could find two email addresses and what seemed like a secret key at the end of the file.
Next, I enumerated the ports and as revealed in the TCP scan, Koken CMS was running on port 80.
I looked online for Koken exploits and found a file-upload vulnerability affecting the same version that was running on the target.
https://www.exploit-db.com/exploits/48706
As it was an authenticated vulnerability, I had to find the admin panel and the login credentials first, so I ran a directory scan using gobuster.
I found an /admin subdirectory and the following login page

I used the daisy@photographer.com email address from the mailsent.txt file and babygirl as the password, as revealed in the same text file. Then I was redirected to the following page.
After that I took the pentestmonkey PHP reverse shell, saved it in a file named monkey.php.jpg, and turned on Burp Suite.
I used the Import Content option on the Koken dashboard and uploaded the file. While uploading, I captured the request in Burp Suite and modified it by renaming the reverse shell file from monkey.php.jpg to monkey.php. I resent the request and the reverse shell was uploaded.
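The upload step above works because the server trusts the client-supplied filename, which can be changed in the intercepted request. As an added example (not code from the writeup or from Koken), here is a server-side validator that decides on the received bytes rather than the name: single whitelisted extension, magic bytes matching that extension, no PHP markers anywhere in the body, and a random name on disk. The signature table, marker list and sample uploads are constructed for this example.

```python
import os
import secrets

# Constructed table: allowed image extensions -> expected leading magic bytes
ALLOWED_TYPES = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Byte sequences that have no business inside an image upload
PHP_MARKERS = (b"<?php", b"<?=", b'<script language="php"')


def validate_upload(client_filename: str, content: bytes):
    """Return (ok, reason). The client name is used only to read the
    declared extension; acceptance rests on the bytes actually received."""
    base = os.path.basename(client_filename)  # drop any path components
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    if len(parts) > 2:  # reject double extensions such as shell.php.jpg
        return False, "multiple extensions"
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    if not any(content.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, "content does not match declared image type"
    if any(marker in content for marker in PHP_MARKERS):
        return False, "embedded PHP code"
    return True, "ok"


def stored_name(client_filename: str) -> str:
    """Never reuse the client name on disk: random name plus validated extension."""
    ext = client_filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed samples: a minimal JPEG header and a harmless PHP body
GOOD_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PHP_BODY = b"<?php echo 'hello'; ?>"

if __name__ == "__main__":
    for name, data in [("photo.jpg", GOOD_JPEG), ("monkey.php.jpg", PHP_BODY),
                       ("monkey.php", PHP_BODY), ("monkey.jpg", GOOD_JPEG + PHP_BODY)]:
        print(name, validate_upload(name, data))
```

Renaming the file in the request no longer helps: a .php name fails the whitelist, and a .jpg name fails on content unless the body really is an image with no PHP inside.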

I clicked on the file and visited the link given in the Inspector tab

Upon opening the link I was redirected to the following page

I started a reverse shell listener on the attacker device.
I visited the Download File link given on the webpage to find where the file was being stored and to trigger the reverse shell.

I found the first flag in the /home/daisa directory

Next, I enumerated the target for privilege escalation and found a php7.2 binary with the sticky bit set.

I went to the good old GTFOBins, looked up exploits for the php binary and found the following:
CMD="/bin/sh"
./php -r "pcntl_exec('/bin/sh', ['-p']);"
I used the above commands and got a root shell.

I found the final root flag inside the /root directory
