PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 41:4d:aa:18:86:94:8e:88:a7:4c:6b:42:60:76:f1:4f (RSA)
| 256 4d:a3:d0:7a:8f:64:ef:82:45:2d:01:13:18:b7:e0:13 (ECDSA)
|_ 256 1a:01:7a:4f:cf:95:85:bf:31:a1:4f:15:87:ab:94:e2 (ED25519)
80/tcp open http Apache/2.4.18 (Ubuntu)
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Photographer by v1n1v131r4
139/tcp open netbios-ssn?
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8000/tcp open http-alt Apache/2.4.18 (Ubuntu)
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-generator: Koken 0.22.24
|_http-title: daisa ahomi
Service Info: Host: PHOTOGRAPHER; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h20m01s, deviation: 2h18m34s, median: 0s
|_nbstat: NetBIOS name: PHOTOGRAPHER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-07-03T09:19:39
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: photographer
| NetBIOS computer name: PHOTOGRAPHER\x00
| Domain name: \x00
| FQDN: photographer
|_ System time: 2022-07-03T05:19:37-04:00
Samba on Ubuntu? Let's list the shares.
┌──(kali㉿VirtualBox)-[~]
└─$ smbclient -L \\\\192.168.125.76\\
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
sambashare Disk Samba on Ubuntu
IPC$ IPC IPC Service (photographer server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP PHOTOGRAPHER
Let's aim for sambashare.
┌──(kali㉿VirtualBox)-[~]
└─$ smbclient \\\\192.168.125.76\\sambashare
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Aug 20 11:51:08 2020
.. D 0 Thu Aug 20 12:08:59 2020
mailsent.txt N 503 Mon Jul 20 21:29:40 2020
wordpress.bkp.zip N 13930308 Mon Jul 20 21:22:23 2020
3300080 blocks of size 1024. 2958792 blocks available
smb: \> get mailsent.txt
getting file \mailsent.txt of size 503 as mailsent.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> get wordpress.bkp.zip
getting file \wordpress.bkp.zip of size 13930308 as wordpress.bkp.zip (801.3 KiloBytes/sec) (average 745.1 KiloBytes/sec)
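The scan above reports SMB1 message signing disabled, SMB2 signing "enabled but not required" and a guest account in use, and the share listing and both downloads succeeded with an empty password. As an added example (not the box's own smb.conf), this is how the Samba side would be tightened; the share path and the sambashare group are assumptions, and the weak values the scan implies are shown in the comments next to each fix.

```ini
[global]
   workgroup = WORKGROUP
   server string = Samba on Ubuntu

   ; The listing fell back to SMB1 ("Reconnecting with SMB1 for workgroup listing"),
   ; so SMB1 is still served. Refuse anything older than SMB2.
   server min protocol = SMB2_02

   ; Scan showed "message_signing: disabled" (SMB1) and "enabled but not required" (SMB2).
   ; Weak value: server signing = auto   (Samba default for a standalone server)
   server signing = mandatory

   ; Scan showed "account_used: guest": unknown users were being mapped to the guest account.
   ; Weak value: map to guest = bad user (Ubuntu's shipped smb.conf)
   map to guest = never
   security = user

   ; Deny anonymous (null-session) share and user enumeration.
   restrict anonymous = 2

[sambashare]
   comment = Samba on Ubuntu
   path = /srv/samba/sambashare      ; assumed path, not from the page
   browseable = yes
   ; Weak value: guest ok = yes (what let smbclient in with an empty password)
   guest ok = no
   ; assumed group name; only its members may open the share
   valid users = @sambashare
   read only = yes
```

After editing, `testparm -s` validates the file and `smbclient -L //HOST -N` (no password) should now be refused instead of listing sambashare.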
Checking mailsent.txt:
┌──(kali㉿VirtualBox)-[~]
└─$ cat mailsent.txt
Message-ID: <[email protected]>
Date: Mon, 20 Jul 2020 11:40:36 -0400
From: Agi Clarence <[email protected]>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Daisa Ahomi <[email protected]>
Subject: To Do - Daisa Website's
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Hi Daisa!
Your site is ready now.
Don't forget your secret, my babygirl ;)
No password is needed to unzip wordpress.bkp.zip:
┌──(kali㉿VirtualBox)-[~]
└─$ unzip wordpress.bkp.zip
After looking through the WordPress backup there is nothing interesting, so let's move on.
There is something interesting on port 8000.
As we can see, the site is built with Koken.
Searching for a Koken exploit turns up only one result:
Offensive Security's Exploit Database Archive
According to the CVE, the file upload lives under the /admin path, but it requires authentication.
We already have credentials from mailsent.txt: two email addresses and one secret.
[email protected]
[email protected]
secret : babygirl
Here we will use daisa's account, because the secret is hers.
All we need to do is follow the step-by-step from the CVE above; the tedious part is that we need to fire up Burp Suite to rename our payload file back to hehe.php
on Burp