Vulnhub virtual machine; one of the last of my Vulnhub boxes from the OSCP prep list. Zico2: used enumeration to find an admin login, which accepted basic credentials. Used the backend to write a PHP reverse shell to disk, which led to privesc with dirtycow and zip.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use information at your own risk.
By continued reading, you acknowledge the aforementioned user risk/responsibilities.
Search for VM on network
Target: 192.168.56.122
Enumeration
Nmap Scan:
Interesting ports:
80 - webserver
111 - unknown at this point
22 - ssh (front door)
Investigate port 80
Checking out the source: nothing of immediate interest.
Navigating around the site, the pages are based on a PHP backend, which could be of use later for a reverse PHP shell.
Test for directory traversal with an escape
Now we have an idea of the users. Saved the passwd file locally and parsed it for just the users that have the ability to use sh.
At the end, just appended the users to sh.userlist.
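The filtering described above, as an added example that is not the write-up's own command: it reads a passwd-format file and prints only the accounts whose login shell is an interactive shell. The input is constructed sample data, not the Zico2 box's passwd file; on a system you administer, the same list doubles as a quick audit of which accounts can log in interactively and which should be set to nologin.

```shell
#!/bin/sh
# Added example (not from the original write-up): list the accounts in a
# passwd-format file whose 7th field is a real login shell, i.e. the same
# filtering the write-up did before appending names to sh.userlist.
# SAMPLE_PASSWD is constructed sample data, not the target box's passwd.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
zico:x:1000:1000:zico,,,:/home/zico:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/false
tester:x:1001:1001::/home/tester:/bin/sh'

# shell_users FILE -> one username per line for accounts whose shell path
# ends in /sh, /bash, /zsh, /dash or /ksh; nologin, false and sync are skipped.
shell_users() {
    awk -F: '$7 ~ "/(sh|bash|zsh|dash|ksh)$" { print $1 }' "$1"
}

# shell_user_count FILE -> number of such accounts (a one-number audit figure)
shell_user_count() {
    shell_users "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample: prints root, zico, tester.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
shell_users "$tmp"
rm -f "$tmp"
```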
Gobuster
/dbadmin/ is accessible.
We found a web application name and version number along with a password field. Testing generic passwords:
Password: Admin # Let's take a second and talk about how this is a terrible password.
“We're in!”
Investigate /usr/databases/test_users
Click the info button.
Looks like MD5 hashes; looked them up with https://www.md5online.org/md5-decrypt.html
Quick attempt to SSH using the credentials: no go.
searchsploit
Mirror 24044.txt locally:
Looks like we can create a new database and use it to upload a reverse shell.
Created a database named execwashere.php.
Created a table named gimmeshell with Number of Fields: 1.
Used test for the field name, selected TEXT as the type, and inserted the default value <?php phpinfo(); ?>.
Navigated to the location of execwashere.php:
Let's go input a reverse PHP shell the same way, since we know we can access /usr/databases, by creating a new database named test.php:
Launch our reverse shell via phpshell.php.
Set up the listener:
dirtycow
Inspect uname output.
This kernel version is susceptible to dirtycow.
Download the dirty.c exploit from https://www.exploit-db.com/exploits/40839, set up a webserver, and wget it from the box:
Compile:
Priv-Esc
Navigate to /home/zico/.
Discovered a wordpress directory and its wp-config.php.
We now have credentials for zico:
Attempt SSH with the credentials:
Check sudo permissions:
Root&Loot
Taking advantage of zip to elevate to root:
Connect over SSH with the account dirtycow added:
“Bring me the root” -exec