Photographer: 1 Walkthrough

(Updated: )
reference Photographer: 1
target ip 192.168.1.7

Scan with nmap:

smb-enum-shares:

There’re two files in sambashare:

mailsent.txt:

There’s a Koken hosted on http://192.168.1.7:8000, with an existed exploit (The author of the exploit and the box is the same one).

After a little bit guess work, I can login with username daisa@photographer.com and password babygirl to Koken.

Replace the original shell.php to a new one:

reverse shell:

/home/daisa/user.txt:

Privilege escalation is straightforward.

/usr/bin/php7.2 has setuid.

/root/root.txt:

  • original shell1.php, 192.168.1.7 -> 192.168.56.106:443
  • database.php