Vulnhub virtual machine; one of the last of my Vulnhub boxes from the OSCP prep list. Zico2: used enumeration to find an admin login, which used basic credentials to enter. Used the backend to use PHP to download a reverse shell, which led to privesc with dirtycow and zip.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have expressed written permission. Use information at your own risk.
By continued reading, you acknowledge the aforementioned user risk/responsibilities.
Search for VM on network
Interesting Ports:
80 - webserver
111 - unknown at this point
22 - ssh (front door)
Investigate port 80
checking out source:
nothing of immediate interest.
navigating around the site, the page is based on a php backend, which could be of use in the future for a reverse php shell.
Test for directory traversal with an escape
now we have an idea of users. Saved the passwd locally to a folder and parsed for just the users that have the ability to use sh.
at the end just appended the users to sh.userlist
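Seen from the defender's side, the traversal test above leaves a recognisable trace in the web server access log. The following is an added example, not part of the original writeup: it scans Apache-style log lines for `../` sequences in the request target, including percent-encoded and double-encoded forms. The log lines, the `/page.php?file=` endpoint and the function names are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (hypothetical endpoint, not from the writeup).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /page.php?file=tools.html HTTP/1.1" 200 8355
192.0.2.10 - - [01/Jan/2024:10:00:07 +0000] "GET /page.php?file=../../etc/passwd HTTP/1.1" 200 1024
192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /page.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1024
192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /page.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 312
192.0.2.11 - - [01/Jan/2024:10:01:00 +0000] "GET /img/logo..v2.png HTTP/1.1" 200 5120
"""

# Client address, request target and status code from a common-log-format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# ".." as a whole path segment: after "/", "\" or "=" and before a separator or the end.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=])\.\.(?:[/\\]|$)')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal(log_text):
    """Return (client, decoded_target, status) for requests containing a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        decoded = fully_decode(target)
        if TRAVERSAL_RE.search(decoded):
            hits.append((client, decoded, int(status)))
    return hits

if __name__ == "__main__":
    for client, target, status in find_traversal(SAMPLE_LOG):
        # A 200 on a traversal request means the file was served: triage it first.
        flag = "SERVED" if status == 200 else "rejected"
        print(f"{client} {status} {flag:8} {target}")
```

Matching on the decoded target is what catches the encoded variants; the `logo..v2.png` request is left alone because `..` there is not a path segment.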
we found a web application name and version number along with a password field. testing generic passwords
Password: Admin # Let's take a second and talk about how this is a terrible password.
/usr/databases/test_users click the info button
looks like MD5 hashes - decrypted with https://www.md5online.org/md5-decrypt.html
quick attempt to SSH using credentials — No-Go
Looks like we can create a new database and move to upload a reverse shell.
created a database name
create table named gimmeshell with Number of Fields:
test for the name, selected TEXT and inserted the default value
<?php phpinfo(); ?>
navigated to location of execwashere.php
Let's go input a reverse php shell since we know we can access /usr/databases by creating a new database named
launch our reverse shell via
This version is dirtycow susceptible.
download the dirty.c exploit from https://www.exploit-db.com/exploits/40839, set up a webserver and wget from the box
we now found credentials for zico
attempt SSH with credentials:
Taking advantage of zip to elevate to root
connect to dirtycow’d SSH
“Bring me the root” -exec