ZenPhoto Proving Grounds Write-Up
SUMMARY
This write-up covers the ZenPhoto machine from Offsec’s Proving Grounds, a Linux machine combining a CMS exploit with a classic kernel privilege escalation.
Port 80 hosted a ZenPhoto installation. A known RCE exploit from searchsploit was used to achieve remote code execution and obtain a shell as a low-privileged user.
Privilege escalation was performed using the Dirty Cow kernel exploit, which overwrites /etc/passwd to create a new root-level user (firefart). Switching to that user granted a root shell.
PATH TO FOLLOW
- Reconnaissance & ZenPhoto Discovery
- Searchsploit RCE Exploit → Initial Shell
- Dirty Cow Kernel Exploit Compilation & Execution
- /etc/passwd Overwrite → Shell as Root (firefart)
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.
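On the defensive side, the /etc/passwd overwrite described in the summary leaves a trace that is easy to audit for: an account with UID 0 that is not named root. The following is an added example, not part of the original write-up; the function name, finding labels and sample lines are constructed for illustration, and the check for a hash stored directly in the password field assumes the rogue entry carries its own hash rather than the usual `x` placeholder.

```python
"""Audit passwd-format text for signs of a tampered account database."""

# Values that mean "no hash stored here" (hash is in /etc/shadow, or login is disabled).
PLACEHOLDERS = {"x", "*", "!", "!!"}

# Constructed sample, not taken from the target machine. The hash is a placeholder.
SAMPLE_PASSWD = """\
firefart:fiXXXXXXXXXXX:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
broken line without enough fields
"""


def audit_passwd(text):
    """Return a list of (line_number, finding, detail) tuples."""
    findings = []
    seen_root = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed", line))
            continue
        name, password, uid_text = fields[0], fields[1], fields[2]
        try:
            uid = int(uid_text)
        except ValueError:
            findings.append((lineno, "malformed", line))
            continue
        if name == "root":
            seen_root = True
        if uid == 0 and name != "root":
            # Any second superuser, or a renamed first entry, is suspicious.
            findings.append((lineno, "uid0-non-root", name))
        if password == "":
            findings.append((lineno, "empty-password", name))
        elif password not in PLACEHOLDERS:
            # A hash in this world-readable file bypasses /etc/shadow.
            findings.append((lineno, "inline-hash", name))
    if not seen_root:
        findings.append((0, "root-missing", "root"))
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

Run against a copy of the real file by passing its contents to `audit_passwd`; pairing this with file-integrity monitoring on /etc/passwd catches the change at write time rather than at the next audit.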